| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
"-vv" can be used to further increase the verbosity level. Document
this.
References: http://bugs.debian.org/616037
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.
References: http://bugs.debian.org/547734
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.
xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)
References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| | |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=723
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I cannot delete a rule by matching it if the target of the rule is
RATEEST.
Copy-paste from terminal:
# iptables -t mangle -A PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
# iptables -t mangle -D PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
iptables: No chain/target/match by that name.
I saw in comments of the kernel code that the last part of the struct
xt_rateest_target_info is used only by kernel:
struct xt_rateest_target_info {
char name[IFNAMSIZ];
__s8 interval;
__u8 ewma_log;
/* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};
but in struct xtables_target, .size and .userspacesize are equal.
Simply correcting this solved the problem.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=724
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
ip6tables-restore.c:463: check_after_deref: Dereferencing "in"
before a null check.
iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
iptables-restore.c:468: check_after_deref: Dereferencing "in" before a
null check.
iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
iptables-xml.c:873: check_after_deref: Dereferencing "in" before a
null check.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libiptc.c:407: dead_error_condition: On this path, the condition
"res > 0" cannot be false.
libiptc.c:396: at_least: After this line, the value of "res" is at
least 1.
libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as
false.
libiptc.c:396: new_values: Noticing condition "res < 0".
libiptc.c:425: new_values: Noticing condition "res < 0".
libiptc.c:407: new_values: Noticing condition "res > 0".
libiptc.c:435: dead_error_line: Execution cannot reach this statement
"return list_pos;".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
Cf. commit v1.4.11.1-5-g2dba676.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
would allow matching up to 6/min if a properly timed. To do what the
user expects, the minimum expiry must equal the selected time quantum
however.
Cc: Jan Rovner <jan.rovner@diadema.cz>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
This is useful for the upcoming patch about per-instance auxiliary
data.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
Evil sed did not throw any warning whatsoever when it cannot find the
file.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Linux kernels up to and including 2.6.38, with the exception of longterm
releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby
IPv6 TOS mangling does not behave as documented and differs from the IPv4
version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
(*) Fixed by upstream commit:
1ed2f73d90fb49bcf5704aee7e9084adb882bfc5 (netfilter: IPv6: fix DSCP mangle code)
Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
The section about MASQUERADE specifies that it takes a single option,
but in reality it takes two: --to-ports and --random.
Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
These got lost on commit v1.4.11-12-g5c8f5b6.
Note: When /usr/include/libiptc/libiptc.h exists, this error is
masked away :-/ (IMO, #include-with-quotes "foo.h" should not
search system dirs...)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.
Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
These rulesets use practically all options (I may have missed some)
for verification that the new Guided Option Parser would take the same
input as the old open-coded ones did. They might come in handy at some
point.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
(Unclutter top-level dir)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code
into the xtables-multi binary.
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
The word "occur" had ufortunately been removed in v1.3.8~23.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=707
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References; http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
This is where they belong, after all.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugs.debian.org/623112
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Open Build Service/rpmlint flagged the outdated address in the
license text :-)
iptables.x86_64: W: incorrect-fsf-address
/usr/share/doc/packages/iptables/COPYING
The Free Software Foundation address in this file seems to be outdated
or misspelled. Ask upstream to update the address, or if this is a
license file, possibly the entire file with a new copy available from
the FSF.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Due to iptables-xml being listed under IPV4 only, its symlink was not
created on `./configure --disable-ipv4 && make install`.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Commit v1.4.11~20 forgot to change the symlink target names to the new
executable name.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags
no-op code.
CC libiptc/libip4tc.lo
In file included from libiptc/libip4tc.c:118:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:113:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC xtables_multi-iptables-xml.o
iptables-xml.c: In function "do_rule_part":
iptables-xml.c:376:8: warning: variable "thisChain" set but not used
CC xtables_multi-ip6tables.o
ip6tables.c: In function "print_firewall":
ip6tables.c:552:10: warning: variable "flags" set but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Comparing against the kernel time zone has significant caveats. This
patch adds documentation about the issue, and makes --utc the default
setting for libxt_time.
Furthremore, throw a warning on using the "--localtz" option, to avoid
confusion with one's shell TZ environment variable, and rename it to
"--kerneltz" to be explicit about whose timezone will be used.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since xt_time is meant to work across many months, libc doing
automatic conversion from local time to UTC (during parse) is
unwanted, especially when --utc is specified. The same goes for
dumping.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
Only one is printed on save operation, which leads me to believe that
only one is meant to be used. The manpage seems to corroborate.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes this error:
NFQUEUE: option "--queue-num" can only be used once.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When ":n" or "n:" is specified, it will now be interpreted as "0:n"
and "n:<max>", respecitvely. nvals will always reflect the number of
(expanded) components. This restores the functionality of options that
take such partially-unspecified ranges.
This makes it possible to nuke the per-matchdata init functions of
some extensions and simply the extensions postparsing to the point
where it only needs to check for nvals==1 or ==2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
..by moving type-based actions into their own function.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|