summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libxt_connlimit: support for dstaddr-supporting revision 1Jan Engelhardt2011-01-193-19/+106
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connlimit: add a --connlimit-upto optionJan Engelhardt2011-01-182-30/+49
| | | | | | | | Direct specifications like "upto" are easier to grasp than "not above". This patch adds such an upto variant similar to what libxt_hashlimit already has. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connlimit: reword help text to say prefix lengthJan Engelhardt2011-01-182-2/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_quota: print negation when it has been selectedJan Engelhardt2011-01-181-0/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: fix typo in error message of xtables_register_match()Li Yewang2011-01-091-1/+1
| | | | | Signed-off-by: Li Yewang <lyw@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_time: fix random --datestart skipsFlorian Westphal2011-01-091-0/+1
| | | | | | | | | | | | | | | | | | | | | Frank Lichtenheld points out that -m time --datestart ... sometimes messes up --datestart: $ iptables -A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT $ iptables-save | grep 11 -A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT $ iptables-save | iptables-restore $ iptables-save | grep 11 -A INPUT -m time --datestart 2010-11-24T15:50:00 -j ACCEPT --datestart moved by one hour. As the --timestart option does not care about DST, always set dst=0 when parsing --starttime input. Reported-by: Frank Lichtenheld <flichtenheld@astaro.com> Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libipt_REDIRECT: avoid dereference of uninitialized pointerStephen Beahm2011-01-081-1/+1
| | | | | | | | When using --to-ports with a port name instead of a numerical specification, a segfault occurs. References: http://bugzilla.netfilter.org/show_bug.cgi?id=691 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: do some option structure checkingJan Engelhardt2011-01-081-0/+17
| | | | | | | libxt_recent's use of numeric values >200 always looked worrisome. Now here is a validation routine for such. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_CLUSTERIP: const annotationsJan Engelhardt2011-01-081-3/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_sctp: fix a typoJan Engelhardt2011-01-081-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-0879-230/+5
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip[6]tables: only call target's parse function when option char is in rangeJan Engelhardt2011-01-082-0/+4
| | | | | | | Same as previous commit. Doing this actually allows to remove code that is no longer needed. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip[6]tables: only call match's parse function when option char is in rangeJan Engelhardt2011-01-084-2/+12
| | | | | | | | | | | | | | | | | Normally, extensions use a "default:" case in switch(c) to just return if they do not handle c. Apparently, libip6t_hl does that too late and checks for hl-specific parsing state before it has established that c refers to one of its own options. Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic. One way to fix this is to move the flags checks into case '2', '3', '4'. Doing this replication feels bad, so as an alternative, let's just free extensions from having to deal with other extension's options passing thru. References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: reorder num_old substraction for clarityJan Engelhardt2011-01-081-4/+7
| | | | | | | | When going over this again, I noticed we happen to malloc too much. That is no problem, but I felt moving the num_old adjustment upwards makes things more clear, and also addresses the allocation. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: abort on empty interface specificationJan Engelhardt2011-01-082-0/+16
| | | | | | | | | | Fiedler Roman brings to attention that if, in a faulty script, "$some_variable" expands to an empty string, iptables should probably catch this most likely undesired invocation. If no/all interfaces were really desired, one can either omit -i completely, or use -i +. References: http://marc.info/?l=netfilter&m=129439862903487&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-0848-168/+168
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xt_comment: remove redundant castJan Engelhardt2011-01-072-2/+2
|
* src: const annotationsJan Engelhardt2010-12-182-25/+27
| | | | | | Also one int -> uint here on the way through. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables-restore: resolve confusing policy error messageRob Leslie2010-12-182-2/+2
| | | | | | | | | | | | | When iptables-restore (and ip6tables-restore) is unable to set a chain's policy, it responds with a confusing message, e.g.: iptables-restore v1.4.9: Can't set policy "PREROUTING" on "ACCEPT" line 16: Bad built-in chain name This is due to the chain and policy arguments being used in the wrong order. The attached patch corrects this problem. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2010-12-1527-97/+337
|\
| * build: stop on error in subcommandJan Engelhardt2010-12-111-2/+2
| | | | | | | | | | | | | | make only evaluates $? of an entire shell invocation. As such, if any command in the chain can fail, $? needs to be thrown, and early so. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * Merge commit 'v1.4.10'Jan Engelhardt2010-12-061-1/+1
| |\
| | * Bump version to 1.4.10v1.4.10Patrick McHardy2010-10-291-1/+1
| | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | libxt_owner: output numeric IDs when save is requestedJan Engelhardt2010-12-061-3/+3
| | | | | | | | | | | | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=683 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | build: fix globbing of extensions in other localesJan Engelhardt2010-12-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | In the fi_FI locale, [a-z] would not include 'w', for example. Rectify this by using [[:alnum:]] (to counter against different ordering) and forcing the POSIX locale (so that the alphabet has at least the 26 base characters). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | socket: add support for revision 1Jan Engelhardt2010-12-032-7/+72
| | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | TPROXY: add support for revision 1Jan Engelhardt2010-12-031-28/+165
| | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | include: update files with headers from Linux 2.6.37-rc1Jan Engelhardt2010-12-0318-52/+86
| | | | | | | | | | | | Also includes the type change to __u{8,16,32} kernel types already.
| * | iptables: do not emit orig_opts twiceJan Engelhardt2010-11-281-0/+4
| | | | | | | | | | | | | | | | | | | | | This just happened to cross my eye; there was no error, but fixing this up saves a pitfall, and some memory. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | iptables: reset options at the start of each commandJan Engelhardt2010-11-282-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For each new command, iptables is supposed to start afresh with a blank option set (opts) that only contains the program-specific options (orig_opts), without any extension options. We failed to restore this pointer (in function do_command) after the previous free call in xtables_free_opts. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | libxt_conntrack: fix --ctdir save/dump output formatFlorian Westphal2010-11-171-4/+4
|/ / | | | | | | | | | | | | | | $ iptables-save | iptables-restore iptables-restore v1.4.6: conntrack: Bad value for "--ctdir" option: "ORIGINAL-j" Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | Merge branch 'master' of git://dev.medozas.de/iptables into m2Jan Engelhardt2010-11-153-1/+4
|\ \
| * | iptables: fix longopt reecognition and workaround getopt(3) behaviorJan Engelhardt2010-11-153-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * On the first call to getopt, opts was NULL, so long options would not be recognized until a match/target was loaded. Whacky getopt behavior: * If the longopts parameter is NULL, getopt fails to recognize unknown options, such that `iptables-multi main --append` will print a garbage help message ("main needs an argument"). * If the longopts parameter is NULL on the first call, but not on subsequent calls, it completely screws up option parsing, taking the --dport in `iptables-multi main -A INPUT -p tcp --dport 1000` as --destination instead, but not accepting "--destination 1.2.3.4" either. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | Revert "Revert "libxtables: change option precedence order to be intuitive""Jan Engelhardt2010-11-154-32/+43
| | | | | | | | | | | | | | | This reverts commit e84f131b5f992577119bd3679241f69ec394e0a7. Solution follows.
* | | Revert "libxtables: change option precedence order to be intuitive"Patrick McHardy2010-11-154-43/+32
|/ / | | | | | | | | | | | | | | | | | | | | This reverts commit 600f38db82548a683775fd89b6e136673e924097. The commit breaks option parsing: iptables v1.4.9: host/network `port' not found Try `iptables -h' or 'iptables --help' for more information. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | libxt_TOS: avoid an undesired overflowing computationJan Engelhardt2010-11-021-8/+11
| | | | | | | | | | | | | | The @bits parameter was wrongly labeled and should have been @max already. This makes the - overflowing - 1<<bits redundant of course. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxtables: change option precedence order to be intuitiveJan Engelhardt2010-10-294-32/+43
|/ | | | | | | | | | | | | When using `-m mark --mark 2 -m connmark --mark 2`, the user currently gets an error about the (libxt_mark) --mark option being used twice. This is because libxt_connmark's option table does not override any previous options. This patch changes this behavior, since the current behavior does not allow connmark's option to be used at all, which is illogical. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: add Libs.private to pkgconfig filesJan Engelhardt2010-09-132-0/+2
| | | | | | | | This is needed when doing static linking. (pkg-config --static --libs libiptc) References: http://bugzilla.netfilter.org/show_bug.cgi?id=675 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: build with -Wl,--no-as-neededJan Engelhardt2010-09-133-2/+85
| | | | | | | | | Since libiptc does not reference any symbols in libip(4|6)tc, the linker may ignore the dependencies. Use --no-as-needed to explicitly force a DT_NEEDED entry. References: http://bugzilla.netfilter.org/show_bug.cgi?id=674 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: limit chain name length to be consistent with targetsJan Engelhardt2010-09-132-6/+6
| | | | | | | | | Creationg of chain names longer than the ones being able to jump to should be inhibited for consistency. References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2 Cc: Stig Thormodsrud <stig@vyatta.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables-xml: resolve compiler warningsJan Engelhardt2010-09-131-1/+1
| | | | | | | | iptables-xml.c: In function "parse_counters": iptables-xml.c:70:8: warning: assignment from incompatible pointer type iptables-xml.c:71:8: warning: assignment from incompatible pointer type Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: fix static linkingJan Engelhardt2010-08-032-2/+2
| | | | | | | | | | | | | | | | Gabor Z. Papp noted this link-time error when configuring with --enable-static: extensions/libext4.a(initext4.o): In function "init_extensions": extensions/initext4.c:144: undefined reference to "libxt_IDLETIMER_init" extensions/initext4.c:145: undefined reference to "libxt_TEE_init" Indeed, since the two modules did not use our special macro "_init" (which expands to libxt_foo_init), initext4.c could not find them by that name. Correct this. References: http://marc.info/?l=netfilter&m=128085480927924&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: remove unnecessary castJan Engelhardt2010-08-031-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'iptables-next'Patrick McHardy2010-08-03113-468/+1444
|\
| * libxt_quota: don't ignore the quota value on deletionChangli Gao2010-08-022-2/+2
| | | | | | | | | | | | | | | | Don't ignore the quota value on deletion, then we can remove a special rule everytime. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * doc: consistent use of markupJan Engelhardt2010-07-2314-120/+120
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * all: consistent syntax use in struct optionJan Engelhardt2010-07-2388-357/+429
| | | | | | | | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * doc: minimal spelling updates to xt_cpuJan Engelhardt2010-07-231-2/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * doc: remove extra empty line from xt_cpuJan Engelhardt2010-07-231-1/+0
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * doc: let man(1) autoalign the text in xt_cpuJan Engelhardt2010-07-231-2/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
generated by cgit v1.2.3 (git 2.25.0) at 2024-11-16 02:04:37 +0000