Commit message | Author | Age | Files | Lines
* Bump version to 1.4.14 [v1.4.14] | Pablo Neira Ayuso | 2012-05-26 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add rateest match rules | Florian Westphal | 2012-05-23 | 1 | -16/+12
    also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_rateest: output all options in save hook | Florian Westphal | 2012-05-22 | 1 | -21/+34
    ipt-restore fails to parse the ipt-save output:
    zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
    (should be "--rateest-pps 5 --rateest-lt").
    Also, the "delta" option was never shown in -save output, but twice in some cases when using "iptables -L".
    Also, the "b/pps1" option must be shown when "delta" option is used with relative mode.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip(6)tables-restore: make sure argv is NULL terminated | Florian Westphal | 2012-05-14 | 2 | -2/+2
    Else, argv[argc] may point to free'd memory.
    Some extensions, e.g. rateest, may fail to parse valid input because argv[optind] (with optind == argc) is not NULL.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libipt_ULOG: fix --ulog-cprange | Pablo Neira Ayuso | 2012-05-09 | 1 | -2/+2
    In 1f2474a (libipt_ULOG: use guided option parser), a bug has been accidentally introduced in --ulog-cprange, limiting possible values from 1 to 50. However, that limit should be applied to --ulog-qthreshold.
    Reported-by: Gaurav Sinha <vgsinha@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: fix retry path in TC_INIT | Miguel GAIO | 2012-04-19 | 1 | -1/+1
    There is an issue in the TC_INIT retry path: in the error case, TC_FREE is called and closes sockfd. The retry does not reopen it, so it always fails. The proposed patch reopens sockfd in the retry path.
    Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add --timeout option | Pablo Neira Ayuso | 2012-04-02 | 3 | -12/+139
    This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg.
        iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
            -j CT --timeout custom-tcp-policy
    You need the nfct(8) tool which is available at:
        http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git
    To define the cttimeout policies. Example of usage:
        nfct timeout add custom-tcp-policy inet tcp established 1000
    The new nfct tool also requires libnetfilter_cttimeout:
        http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Bump version to 1.4.13 [v1.4.13] | Pablo Neira Ayuso | 2012-03-27 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add nfacct match | Pablo Neira Ayuso | 2012-03-27 | 3 | -0/+136
    This patch provides the user-space iptables support for the nfacct match. This can be used as it follows:
        nfacct add http-traffic
        iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
        iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
        nfacct get http-traffic
    See also man nfacct(8) for more information.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mark newly opened fds as FD_CLOEXEC (close on exec) | Maciej Żenczykowski | 2012-03-23 | 2 | -0/+15
    By default, Unix-like systems leak file descriptors after a fork/exec call. I think this seems to result in SELinux spotting strange AVC log messages, according to what I can find on the web. Fedora 18 iptables source includes this change.
    Maciej says: "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise."
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function delete_entry() | Franz Flasch | 2012-03-12 | 1 | -1/+3
    Fixed a memory leak in the dry run path of function delete_entry().
    Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
    Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function cache_add_entry() | Franz Flasch | 2012-03-12 | 1 | -0/+1
    Fixed a memory leak in the error path of function cache_add_entry().
    Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
    Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "libiptc: Returns the position the entry was inserted" | Pablo Neira Ayuso | 2012-03-01 | 2 | -5/+3
    This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c.
    This is breaking my iptables scripts:
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables: Incompatible with this kernel.
* libiptc: Returns the position the entry was inserted | Jonh Wendell | 2012-02-29 | 2 | -3/+5
    Jan Engelhardt showed no objections to this patch.
* extensions: add IPv6 capable ECN match extension | Patrick McHardy | 2012-02-23 | 4 | -67/+66
    Patrick submitted this patch on 9 Jun 2011; I'm recovering and applying it to iptables.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add rpfilter module | Florian Westphal | 2012-02-23 | 3 | -0/+151
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable' | Pablo Neira Ayuso | 2012-01-02 | 1 | -1/+1
* Bump version to 1.4.12.2 [v1.4.12.2] | Pablo Neira Ayuso | 2012-01-02 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: link on libxtables and check symbols | Jan Engelhardt | 2011-12-31 | 2 | -11/+13
    Have each extension link against libxtables.so; with this, all home symbols are known at link time and we can use ld's --no-undefined to run the check, dropping the homebrew solution.
    By having libxtables.so required by extensions, package managers' automatic dependency discovery will become effective so that manual dependencies for distros with split extension packages (e.g. OpenWRT) will not be necessary anymore.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use delayed expansion on the user-settable variables | Jan Engelhardt | 2011-12-31 | 1 | -21/+21
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Update .gitignore | Jan Engelhardt | 2011-12-31 | 2 | -9/+9
    Split off extensions/.gitignore.
* build: use AC_CONFIG_AUX_DIR and stash away tools | Jan Engelhardt | 2011-12-31 | 2 | -10/+3
* Update .gitignore | Jan Engelhardt | 2011-12-31 | 1 | -3/+3
    Only ignore these paths if they are a directory.
* Merge branch 'stable' | Jan Engelhardt | 2011-12-31 | 1 | -1/+2
* nfnl_osf: add missing libnfnetlink_CFLAGS to compile process | Jan Engelhardt | 2011-12-31 | 1 | -1/+2
* Merge branch 'stable' | Pablo Neira Ayuso | 2011-12-23 | 1 | -17/+25
* libxt_connbytes: fix handling of --connbytes FROM | Florian Westphal | 2011-12-23 | 1 | -17/+25
    quoting man page:
        match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. if TO is omitted only FROM check is done.
    But, when TO was omitted, we did treat it like "x:x" which is not the same at all.
    Before commit 09631dc60ce41bc484a42fcf4d4ddf7036820bd1 (libxt_connbytes: use guided option parser), we failed to parse "--connbytes x" ('Bad range "x"'), but treated "x:" like "x:0xffffffff".
    Also, restore the "from must be smaller than to" check.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* Merge branch 'stable' | Jan Engelhardt | 2011-12-18 | 67 | -818/+1038
* libxt_recent: Add support for --reap option | Tim Gardner | 2011-12-09 | 2 | -1/+21
    Support for the reap option was merged in the kernel as of 2.6.35.
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
* Merge branch 'stable' | Pablo Neira Ayuso | 2011-11-01 | 2 | -1/+3
* Merge branch 'stable' | Pablo Neira Ayuso | 2011-09-28 | 1 | -0/+1
* Improve readability of bitwise operation | Thomas Jarosch | 2011-09-28 | 1 | -2/+2
    CLUSTERIP: improve readability of bitwise operation
    Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable' | Jan Engelhardt | 2011-09-19 | 7 | -23/+30
* ip6tables-restore: make code look alike with iptables-restore | Jan Engelhardt | 2011-09-11 | 2 | -33/+30
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: use a family-invariant xtc_ops struct for code reduction | Jan Engelhardt | 2011-09-11 | 7 | -2/+33
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: resolve old macro names that are indirections | Jan Engelhardt | 2011-09-11 | 13 | -130/+128
    Command used:
        git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)
    and then fix all occurrences.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common types: _handle | Jan Engelhardt | 2011-09-11 | 16 | -130/+122
    No real API/ABI change incurred, since the definition of the structs' types is not visible anyhow.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: replace ipt_chainlabel by xt_chainlabel | Jan Engelhardt | 2011-09-11 | 8 | -76/+76
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common types | Jan Engelhardt | 2011-09-11 | 4 | -3/+11
    Make an xt_chainlabel type out of ipt_chainlabel and ip6t_chainlabel, and add backward-API #defines. The ABI naturally does not change either, so no soversion bump.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: remove unused HOOK_DROPPING thing | Jan Engelhardt | 2011-09-11 | 2 | -15/+0
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables-save: remove binary dumping dead code | Jan Engelhardt | 2011-09-11 | 2 | -92/+68
    Was never implemented, kill it.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: resolve compile failure | Jan Engelhardt | 2011-09-11 | 1 | -20/+14
        CC libip4tc.lo
        In file included from libip4tc.c:118:0:
        libiptc.c:70:8: error: redefinition of "struct xt_error_target"
        ../include/linux/netfilter/x_tables.h:69:8: note: originally defined here
    Remove libiptc's duplicate definition and substitute names.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'stable' | Jan Engelhardt | 2011-09-11 | 4 | -9/+23
* Merge branch 'master' of git://dev.medozas.de/iptables | Jan Engelhardt | 2011-09-08 | 43 | -324/+543
* include: refresh include files from kernel 3.1-rc3 | Jan Engelhardt | 2011-08-31 | 40 | -292/+475
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_addrtype: add support for revision 1 | Jan Engelhardt | 2011-08-28 | 2 | -32/+68
    Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but there was no corresponding iptables patch so far.
    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_addrtype: rename from libipt_addrtype | Jan Engelhardt | 2011-08-28 | 2 | -0/+0
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: provide separate pkgconfig files | Jan Engelhardt | 2011-12-18 | 6 | -7/+27
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: clarification on the meaning of -p 0 | Jan Engelhardt | 2011-12-18 | 2 | -7/+19
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_SAME: set PROTO_RANDOM on all ranges | Jan Engelhardt | 2011-11-30 | 3 | -24/+34
    Resolve the (justified) WTF remark to a clearer version of when/why PROTO_RANDOM needs to be set. Especially when --random is used before --to in SAME, it would have not been applied.