summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: add negation tests for libxt_statisticJan Engelhardt2011-08-211-0/+4
| | | | | | | Note: it is valid to check cb->invert before calling xtables_option_parse. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: remove superfluous inversionJan Engelhardt2011-08-211-2/+1
| | | | | | --dir cannot be inverted. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_physdev: restore inversion supportJan Engelhardt2011-08-212-3/+6
| | | | | | | | Bug origin is in commit v1.4.11~26^2~4. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_owner: restore inversion supportJan Engelhardt2011-08-212-1/+3
| | | | | | | | Bug origin is in commit v1.4.11~16^2~7. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_ttl: document that negation is availableJan Engelhardt2011-08-212-2/+2
| | | | | | Glitch since commit v1.2.1~75. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_dst: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-212-0/+5
| | | | | | Bug origin is in commit v1.4.11~26^2~18. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_hbh: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-212-0/+3
| | | | | | Bug origin is in commit v1.4.11~26^2~17. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: remove inversion from hashlimit rev 0Jan Engelhardt2011-08-211-11/+2
| | | | | | | Revision 0 indeed did not have inversion support, nor presence of --hashlimit-above. This glitch was added in v1.4.11~16^2~10. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_frag: restore inversion supportJan Engelhardt2011-08-212-0/+18
| | | | | | | | --fraglen also was not printed since v1.4.11~26^2~22. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtoptions: flag use of XTOPT_POINTER without XTOPT_PUTJan Engelhardt2011-08-211-1/+7
| | | | | | | When XTOPT_POINTER is used (and yields a non-zero offsetof), we can flag the absence of XTOPT_PUT. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix --ctproto 0 outputJan Engelhardt2011-08-211-4/+5
| | | | | | | | | | | First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER. (Next commit will flag this.) Furthermore, l4proto is of type uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not work => revert v1.4.12~1^2. Bug goes back to v1.4.12~1^2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: default htable-expire must be in millisecondsJan Engelhardt2011-08-211-2/+2
| | | | | | Bug goes back to v1.4.12~3^2~11. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dscp: restore inversion supportJan Engelhardt2011-08-212-4/+5
| | | | | | References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: fix random output of ! on --dccp-optionJan Engelhardt2011-08-211-1/+1
| | | | | | | | | | | dccp-option tests info->typemask, but it really should look at info->invflags instead. This bug goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: provide man pages options in short help tooJan Engelhardt2011-08-212-2/+5
| | | | | | | | This omission goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: spell out option name on saveJan Engelhardt2011-08-211-1/+1
| | | | | | | | This glitch goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: fix deprecated intrapositional ordering of !Jan Engelhardt2011-08-211-4/+5
| | | | | | | | This bug goes back to v1.4.3~63. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: restore missing XTOPT_INVERT tags for optionsJan Engelhardt2011-08-212-2/+4
| | | | | | | | This regression goes back to v1.4.11~19^2. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: remove one misleading commentJan Engelhardt2011-08-211-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: clarify libxt_connlimit defaultsJan Engelhardt2011-08-211-1/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: fix space around argumentsDwight Davis2011-08-202-2/+3
| | | | | | | Fix oversight from commit v1.4.11~80. References: http://bugs.debian.org/637499 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_set: put differing variable names in directlyJan Engelhardt2011-08-202-18/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix typo in libxt_TRACEBernard Massot2011-08-201-1/+1
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=736 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_tcp: always print the mask partsJan Engelhardt2011-08-201-3/+1
| | | | | | | | | 0xFF is unlikely to happen (given that ALL translates to 0x3F at most), but assuming that through magic, 0xFF was put into memory, iptables -S/iptables-save would ignore printing it, practically outputting just one argument to --tcp-flags which currently wants two. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_set: update man page about kernel support on the featureJan Engelhardt2011-08-202-6/+4
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_u32: fix missing allowance for inversionJan Engelhardt2011-08-202-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-08-0911-64/+83
|\
| * libipq: add pkgconfig fileJan Engelhardt2011-08-084-1/+16
| | | | | | | | | | | | | | | | | | This is just to make sure that projects (still) using it do so with the right cflags, e.g. for when the include file ends up in a non-standard location due to ./configure having been called with --include=/somewhere/else. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: abort autogen on subcommand failureJan Engelhardt2011-08-011-1/+1
| | | | | | | | | | | | | | Needed to stop an automated build process when automake requirements are not fulfilled. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: strengthen check for overlong lladdr componentsJan Engelhardt2011-08-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ethermac[i] > UINT8_MAX is quite pointless, because ethermac[i] is just uint8_t. To catch values that are not in the range "00"-"ff", use a string length check (end-arg>2). I am willingly using 2 there, because no one is going to specify an Ethernet LL address as "0x00:0x24:0xbe:0xc2:0x7f:0x16" -- because it is always interpreted as hexadecimal anyway even without the 0x prefix. xtoptions.c: In function "xtopt_parse_ethermac": xtoptions.c:760:3: warning: comparison is always false due to limited range of data type xtoptions.c:766:2: warning: comparison is always false due to limited range of data type Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: workaround broken linux-headers on RHEL-5Jan Engelhardt2011-08-011-0/+2
| | | | | | | | | | | | | | maigc.h was not invented yet, but they do not ship proc_fs.h either, duh. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_string: define _GNU_SOURCE for strnlenJan Engelhardt2011-08-011-0/+1
| | | | | | | | | | | | | | | | | | On RHEL-5.6 and clones with its gcc-4.1.2 and glibc-2.5: libxt_string.c: In function "parse_string": libxt_string.c:84: warning: implicit declaration of function "strnlen" Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_TCPMSS: restore build with IPv6-less libcsJan Engelhardt2011-07-223-4/+5
| | | | | | | | | | | | | | Commit v1.4.10-149-gea2a02f added an netinet/ip6.h include, which is not available on systems without IPv6 header files. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * extensions: use multi-target registrationJan Engelhardt2011-07-222-56/+56
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Bump version to 1.4.12v1.4.12Patrick McHardy2011-07-221-1/+1
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-07-1110-112/+65
|\|
| * libxt_conntrack: move more data into the xt_option_entryJan Engelhardt2011-07-101-8/+6
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_conntrack: restore network-byte order for v1,v2Jan Engelhardt2011-07-101-7/+39
| | | | | | | | | | | | References: http://bugs.debian.org/632804 References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: set clone's initial data to NULLJan Engelhardt2011-07-101-0/+1
| | | | | | | | | | | | | | Avoid a crash in xs_init_match when a clone's m->udata points at the parent. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * option: remove last traces of intrapositional negationJan Engelhardt2011-07-109-76/+0
| | | | | | | | | | | | Intrapositional negation was deprecated in 1.4.3. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: ignore whitespace in the multiaddress argument parserJan Engelhardt2011-07-091-0/+4
| | | | | | | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: properly reject empty hostnamesJan Engelhardt2011-07-091-26/+20
| | | | | | | | | | | | | | | | | | An empty hostname in the address list of an -s/-d argument, which may be the result of a typo, is interpreted as 0/0, which, when combined with -j ACCEPT, leads to an undesired opening of the firewall. References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-07-055-10/+4
|\|
| * iptables: restore negation for -fJan Engelhardt2011-07-051-1/+1
| | | | | | | | | | | | | | This move was missed in commit v1.4.11~77^2~6. References: http://bugs.debian.org/632695 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * doc: the -m option cannot be invertedJan Engelhardt2011-07-042-6/+0
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * doc: fix version string in ip6tables.8Jan Engelhardt2011-07-041-1/+1
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: install modules in arch-dependent locationJan Engelhardt2011-07-042-2/+2
| | | | | | | | | | | | | | Make it possible to have multiple types of ELF classes for the extension modules by putting them in an arch-dependent path. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-06-3026-162/+222
|\|
| * doc: mention multiple verbosity flagsJan Engelhardt2011-06-302-2/+4
| | | | | | | | | | | | | | | | "-vv" can be used to further increase the verbosity level. Document this. References: http://bugs.debian.org/616037 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables-apply: select default rule file depending on call nameMartin F. Krafft2011-06-301-12/+13
| | | | | | | | | | | | | | | | | | | | ip6tables-apply points to iptables-apply (which is good). Since iptables/ip6tables rule files are different, the reporter suggests that the DEFAULT_FILE variable should depend on whether iptables-apply or ip6tables-apply is run. References: http://bugs.debian.org/547734 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>