| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libxt_limit.c: In function 'print_rate':
libxt_limit.c:124: error: 'INFINITY' undeclared (first use in
this function)
The default mode of glibc-2.15's <features.h> sets
"-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However,
on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L".
Explicitly draw in the definition of INFINITY by always defining
_ISOC99_SOURCE. By doing this, we are moving off of the default set, so
_BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is
used in xt_hashlimit.h.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
$ ./configure --enable-static --disable-shared --enable-ipv4
--enable-ipv6 && make
[...]
make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by
"libext.a". Stop.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.
# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.
To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.
[ I have mangled this patch to remove a comment unnecessarily large.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This regression was added by:
commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue Sep 4 05:24:47 2012 +0200
iptables: support for target aliase
The result is that:
iptables -I INPUT -j ACCEPT
says:
iptables: No chain/target/match by that name.
This also breaks iptables-restore, of course. Jan, you'll have to explain me
how you have tested this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
extensions/GNUmakefile.in
Resolution: trivial, since this was a fuzz 3.
Reason: Line added from v1.4.15-16-g33710a5 was in vincinity of changes
from v1.4.15-22-g4496801.
|
| | | |
| | |
| | |
| | |
| | | |
References: http://bugs.debian.org/660748
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
The module is obsolete, so point to CT --notrack instead.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The module is practically obsolete, so just pinpoint to the replacement
in short order.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
iptables.8 and ip6tables.8 had pretty much the same content, with a few
protocol-specific deviations here and there. Not only did that bloat the
manpages, but it also made it harder to spot differences. Separate out
the extension descriptions into a new manpage, which conveniently
features differences next to one another (cf. REJECT).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |\| | |
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Note that we do not need any print/save functions for the alias entries,
since the real CT entry will handle this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch allows for target names listed on the command line to be
rewritten to new names and revisions.
As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Alias support will require testing for more conditions, so move the
revision comparison code into a separate function where it can be
shared between matches and targets.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
It was/is a bit annoying that modifying xtables.h.in causes configure
to rerun. Split the @foo@ things into a separate file to bypass this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
automake-1.12 wants that AM_PROG_AR be used when LT_INIT is.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | | |
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While changing branches, one can hit errors like:
make[2]: *** CC libipt_CLUSTERIP.oo
No hay ninguna regla para construir el objetivo
`../include/net/netfilter/nf_nat.h', necesario para
`libipt_DNAT.oo'. Alto.
Pablo thinks dep files should be removed on `make clean`, and I
concur. (JFI, Note that native automake would not clear its ".deps"
directory.) Keep the "distclean: clean" line to keep invocations by
automake from the parent directory working.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
--limit-iface-out Match only on the packet's incoming device
Note that it says "incoming" when it should say "outcoming"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |/
|
|
|
|
|
|
|
|
| |
iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
Note that it says -X when we have used -P.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
tcp dpt:10flags: 0x17/0x02
^^
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no --fragid option is given, the frag extension only matches
fragments with a zero-valued "Identification" field. This behavior
deviates from what other extensions do (they match all values in this
case) and is unexpected, and therefore changed by this patch.
Additionally, --fragid 0:4294967295 leads to no output on `iptables
-S` because part of the code thinks that this would be the default,
when it is not.
So, default to match all frag values, such that iptables -S not
outputting anything also becomes correct.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes compilation of libipq with headers from Linux
kernel 3.5:
In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).
Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
This patch moves the parameter parsing to one function to reduce
one level of indentation. Jan Engelhardt likes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes compilation of libipq with headers from Linux
kernel 3.5:
In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).
Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It was possible to specify -A mychain -m hashlimit --hashlimit
600059/minute; this would convert to r->avg=0, which subsequently
causes a division by zero when printing with -S mychain.
1. Avoid division by zero in print_rate by printing infinity
instead.
2. Rewrite the test in parse_rate to properly reject too high rates.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| |
| |
| |
| |
| | |
More corrections of the strtoul kind.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| |
| |
| |
| |
| |
| | |
This is a small cleanup, reducing the two copies of X/Y parsing to
one.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Using only strtoul is prone to accept all values, including negative
ones which are not explicitly allowed. Therefore, use xtables_strtoui
with bounds checking.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| |
| |
| |
| |
| | |
Cherry-picked these from recent patches from Mr Dash Four.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |/
|
|
|
|
|
| |
save-restore syntax uses *table, not -t table.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This new option will be available in the Linux kernel 3.5
[ Pablo fixed coding-style issues and cleaned up this. Added
manpages as well ]
Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes parameter parsing in iptables-restore since time ago. The
problem has shown up with gcc-4.7. This version of gcc seem to perform more
agressive memory management than previous.
Peter Lekensteyn provided the following sample code similar to the one
in iptables-restore:
int i = 0;
for (;;) {
char x[5];
x[i] = '0' + i;
if (++i == 4) {
x[i] = '\0'; /* terminate string with null byte */
printf("%s\n", x);
break;
}
}
Many may expect 0123 as output. But GCC 4.7 does not do that when compiling
with optimization enabled (-O1 and higher). It instead puts random data in the
first bytes of the character array, which becomes:
| 0 | 1 | 2 | 3 | 4 |
| RANDOM | '3' | '\0' |
Since the array is declared inside the scope of loop's body, you can think of
it as of a new array being allocated in the automatic storage area for each
loop iteration.
The correct code should be:
char x[5];
for (;;) {
x[i] = '0' + i;
if (++i == 4) {
x[i] = '\0'; /* terminate string with null byte */
printf("%s\n", x);
break;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.
Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.
But, in reality, it also fixes iptables when compiled with gcc-4.7.
Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.
@@ -380,9 +380,9 @@
quote_open = 0;
escaped = 0;
param_len = 0;
+ char param_buffer[1024];
for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
if (quote_open) {
if (escaped) {
But I have hard time to apply this patch in such a way. Instead, I came
up with the idea of this cleanup, which does not harm after all (and fixes
the issue for us).
Someone in:
https://bugzilla.redhat.com/show_bug.cgi?id=82579
put some light on this:
"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes
param_buffer[param_len++] = *curchar;
continue;
At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.
Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
