Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds a python script to verify unit test cases.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

"All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in
doesn't set it."
http://bugs.debian.org/665286
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fedora, ArchLinux, Ubuntu, and Debian, at the least, use
alternative syslog daemons by default these days. Let's make
the syslog reference generic.
Reference: http://bugs.debian.org/567564
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

As pointed out by Peter Hoelsken, rules created with non-standard
masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output
with iptables -L in CIDR notation as -1. This is because the cidr
variable in xtables_ipmask_to_numeric is unsigned, and the return
value of -1 from xtables_ipmask_to_cidr is therefore converted to
UINT_MAX. Add a cast to work around the issue.
This closes netfilter bugzilla #854.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add usage examples for string and hex string patterns.
References: http://bugs.debian.org/699904
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

Remove it.
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

This patch adds the software version to the first line of the
following manpages:
iptables-save.8
iptables-restore.8
iptables-apply.8
iptables-xml.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables-xml.8 was moved to iptables-xml.1.
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The extension man page shows "port-unreach" and "port-unreachable" as
default icmpv6 and icmp reject-with types. Either and variations work
fine for writing rules, but they are displayed as "icmp6-port-unreachable"
and "icmp-port-unreachable". Let's make that consistent.
http://bugs.debian.org/644819
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The first might work. The second doesn't.
(The other corrections in the bug report are already implemented.)
http://bugs.debian.org/654983
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Corrects an example address with subnet mask.
http://bugs.debian.org/698393
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

CMD_ZERO_NUM is 14, so it has to be defined in position 15 in the
commands_v_options array. This does not manifest easily since
commands from 9 to 14 have a very similar pattern in such array.
Based on this patch: http://patchwork.ozlabs.org/patch/188153/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

To retrieve:
iptables: state match incompatibilty across versions

As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).
Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

To retrieve:
iptables: correctly reference generated file

Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)
Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

a couple of improvements to the iptables man page never made it into
ip6tables version.
The number of differences between these two files is so small that
it seems preferable to alias the ipv6 man pages to their ipv4 counterpart
and change iptables man page to specifically document differences
(e.g. lack of ip6tables -f, etc).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

... and remove the QUEUE snippets from ip(6)tables man page,
the queue target was replaced by nfqueue years ago.
Fix up a couple of needless differences in ip(6)tables.8, too.
Signed-off-by: Florian Westphal <fw@strlen.de>

Document --nowildcard option and its implications when using -m socket
to intercept packets.
While at it, update man page with Balazs Scheidler's comments from
nf_tproxy_core.h in kernel tree to better explain how lookup is performed.
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

xt_socket module can be a nice replacement to conntrack module
in some cases (SYN filtering for example)
But it lacks the ability to match the 3rd packet of TCP
handshake (ACK coming from the client).
Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism
The wildcard is the legacy socket match behavior, that ignores
LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)
    iptables -I INPUT -p tcp --syn -j SYN_CHAIN
    iptables -I INPUT -m socket -j ACCEPT
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Similar to (2165f38 iptables-restore: fix parameter parsing
(shows up with gcc-4.7)), make sure iptables-xml doesn't hit
the same problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account
This closes netfilter bugzilla #679.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>