| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
MARK used to be limited to the mangle table, but there was no real
restriction.
References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.
References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The kernel has few restrictions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.
Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561177
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561179
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561180
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Antique software (see link) built as shared library requires objects
compiled with -fPIC, so the standard archive won't do.
References: http://bugs.debian.org/527733
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Sometimes there are users who wonder about when name resolutions/DNS
queries are done, so let's add that for completeness.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The two commands:
-A OUPUT -d 10.11.12.13/32 -j LOG
-R OUTPUT 1 -j LOG -d 10.11.12.13
will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
(No regression, this problem was there forever.)
Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Using ranges in --ctexpire results in a parsing error:
conntrack: Bad value for "--expires" option: "1:1000"
The first value is parsed twice, after which the end pointer doesn't
point to the expected '\0' but to the colon.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
|
|
| |
From Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
Specifying --random before --to-dest results in:
Multiple --to-destination not supported
Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which if properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.
This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)
*nat
-F
-X
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
-A POSTROUTING -p udp -j CONNMARK --set-mark 0
-D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
COMMIT
References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a ruleset that does not reset any chain policies/counters, such as
*filter
COMMIT
is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling everytime iptables-restore is called.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
Commit 332e4acc (iptables: accept multiple IP address specifications
for -s, d) broke the --disable-ipv6 configure option.
> ./.libs/libxtables.so: undefined reference to `in6addr_any'
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Reverse ranges like B-A cause packets to be generally never matched,
as an address S does not match >=B && <=A (except for the border case
where S=A=B).
The kernel module itself does not check for reverse ranges, and it
seems nicer to check that in userspace anyway.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Details for commit v1.4.5-11-ga10a12a:
"When upgraded to new lenny kernel from 2.6.24 from etch'n'half
iprange now does not allow to use single ip-address as its argument:
# iptables -A FORWARD -m iprange --src-range 192.168.0.0"
References: http://bugs.debian.org/547139
What we have here is that the user is now using iprange v1 from
previously v0.
Add recognition for single addresses to v1.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
| |
|
|
|
|
| |
[fill in details]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In file included from libiptc/libip4tc.c:117:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘iptc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip4tc.c: In function ‘dump_entry’:
libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:112:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘ip6tc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip6tc.c: In function ‘dump_entry’:
libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the two warnings in libiptc.c:
CC libiptc/libip4tc.lo
libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
CC libiptc/libip6tc.lo
libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Save a little disk space, they are initialized to zero anyway.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
References: http://bugs.debian.org/551272
[j.eng: modified --set-mss option description to be understandable]
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
| |
Linux systems that lack a MMU cannot call fork(). Fortunately, the
only place in iptables that uses fork() follows it by an exec(), so
we can easily convert the code to vfork().
References: http://bugzilla.netfilter.org/show_bug.cgi?id=614
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugs.debian.org/551867
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Debian still carries patches patches to the iptables nroff code touching
ASCII minuses, so I thought, what's it this time.
Eventually, this patch tries to straighten things once more, per
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .
Titles will get the em dash; all typed commands or parameters with a
hyphen get a minus (so that man(1) hyperlinking and copy-pasting does
work), but other mentions get the hyphen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
Description: extraneous slash caused this lintian warning:
W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz
220: cannot use newline as a starting delimiter
W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz
1823: warning: `precedence'' not defined
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|