summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* | doc: fixup omissions in ip6tables-restore.8Jan Engelhardt2013-01-072-3/+5
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: add xtables_print_numPablo Neira Ayuso2013-01-044-89/+53
| | | | | | | | | | | | | | | | This function is used both by iptables and ip6tables, and refactorize to avoid longer than 80-chars per column lines of code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: add xtables_rule_matches_freePablo Neira Ayuso2013-01-045-46/+28
| | | | | | | | | | | | This function is shared by iptables and ip6tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: remove unused leftover definitionsPablo Neira Ayuso2013-01-041-16/+0
|/ | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_DNAT: set IPv6 DNAT --to-destinationUlrich Weber2013-01-041-5/+5
| | | | | | | as in IPv4 and fixes DNAT_save Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extension: libip6t_DNAT: allow port DNAT without addressUlrich Weber2013-01-042-6/+16
| | | | | | | | | | | | | | | | | | | | | | | correct parsing of IPv6 port NAT without address NAT, assume one colon as port information. Allows: * address only: -j DNAT --to affe::1 -j DNAT --to [affe::1] * port only -j DNAT --to :80 -j DNAT --to :80-110 -j DNAT --to []:80 -j DNAT --to []:80-110 * address and port -j DNAT --to [affe::1]:80 -j DNAT --to [affe::1]:80-110 Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_DNPT: fix wording in DNPT targetUlrich Weber2013-01-031-9/+9
| | | | | | | | | replaces SNPT by DNPT. This fixes broken help message that points to SNPT. Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve link failure for ip6t_NETMAPJan Engelhardt2013-01-021-8/+12
| | | | | | | | | | | | | | | | | | | | | | | | Link stage of libip6t_NETMAP failed since recently. CCLD libip6t_NETMAP.so /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: cannot find -lip6tc libip6t_NETMAP.c uses the "ipv6_prefix_length" function from libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to it is not specified. Why does the link succeed for some people? Because /usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments, especially those without iptables development files, have that file, hence this link error can happen. By suggestion of Mike Frysinger, this patch uses libtool to produce and link the plugins. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Acked-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.17v1.4.17Pablo Neira Ayuso2012-12-251-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Manpage update: matches are evaluated in the order they are specified.Jozsef Kadlecsik2012-12-061-1/+2
| | | | Fixes bugzilla id 797.
* extensions: libxt_statistic: Fix save outputTom Eastep2012-11-191-1/+1
| | | | | | | | | | Suppressing '--packet 0' in save output resulted in restore failure. This patch includes '--packet 0' in save output while continuing to suppress it in print output. Signed-off-by: Tom Eastep <teastep@shorewall.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next' branch that contains new features scheduled forPablo Neira Ayuso2012-10-2524-257/+1262
|\ | | | | | | Linux kernel 3.7
| * libxt_time: add support to ignore day transitionFlorian Westphal2012-09-303-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, if you want to do something like: "match Monday, starting 23:00, for two hours" You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00. The rule --weekdays Mo --timestart 23:00 --timestop 01:00 looks correct, but it will first match on monday from midnight to 1 a.m. and then again for another hour from 23:00 onwards. This permits userspace to explicitly ignore the day transition and match for a single, continuous time period instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add NPT extensionPatrick McHardy2012-09-103-0/+158
| | | | | | | | | | | | | | | | Add extensions for the SNPT and DNPT stateless IPv6-to-IPv6 Network Prefix Translation targets. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add IPv6 NETMAP extensionPatrick McHardy2012-09-102-1/+94
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add IPv6 REDIRECT extensionPatrick McHardy2012-09-101-0/+151
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add IPv6 DNAT targetPatrick McHardy2012-09-101-0/+247
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add IPv6 SNAT extensionPatrick McHardy2012-09-101-0/+247
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * extensions: add IPv6 MASQUERADE extensionPatrick McHardy2012-09-103-0/+188
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * Convert the NAT targets to use the kernel supplied nf_nat.h headerPatrick McHardy2012-09-1011-256/+144
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | bump iptables to 1.4.16.3v1.4.16.3Pablo Neira Ayuso2012-10-181-1/+1
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | build: resolve compile abort in libxt_limit on RHEL5Jan Engelhardt2012-10-102-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | libxt_limit.c: In function 'print_rate': libxt_limit.c:124: error: 'INFINITY' undeclared (first use in this function) The default mode of glibc-2.15's <features.h> sets "-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However, on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L". Explicitly draw in the definition of INFINITY by always defining _ISOC99_SOURCE. By doing this, we are moving off of the default set, so _BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is used in xt_hashlimit.h. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | build: remove symlink-only extensions from static object listJan Engelhardt2012-10-091-4/+4
| | | | | | | | | | | | | | | | | | | | | | $ ./configure --enable-static --disable-shared --enable-ipv4 --enable-ipv6 && make [...] make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by "libext.a". Stop. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | bump version to 1.4.16.2v1.4.16.2Pablo Neira Ayuso2012-10-081-1/+1
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: restore NOTRACK functionality, target aliasingJan Engelhardt2012-10-083-27/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL which was always false (true). real_name was never NULL, so cs->jumpto would always be used, which rendered -j NOTRACK unusable, since the chosen real name.revision is for example NOTRACK.1, which does not exist at the kernel side. # ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK dbg: Using NOTRACK.1 WARNING: The NOTRACK target is obsolete. Use CT instead. iptables: Protocol wrong type for socket. To reasonably support the extra-special verdict names, make it so that real_name remains NULL when an extension defined no alias, which we can then use to determine whether the user entered an alias name (which needs to be followed) or not. [ I have mangled this patch to remove a comment unnecessarily large. BTW, this patch gets this very close to the initial target aliasing proposal --pablo ] Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | bump version to 1.4.16.1v1.4.16.1Pablo Neira Ayuso2012-10-081-1/+1
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: fix standard targetPablo Neira Ayuso2012-10-082-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This regression was added by: commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf Author: Jan Engelhardt <jengelh@inai.de> Date: Tue Sep 4 05:24:47 2012 +0200 iptables: support for target aliase The result is that: iptables -I INPUT -j ACCEPT says: iptables: No chain/target/match by that name. This also breaks iptables-restore, of course. Jan, you'll have to explain me how you have tested this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | bump version to 1.4.16v1.4.16Pablo Neira Ayuso2012-10-071-1/+1
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge branch 'master' of git://git.inai.de/iptablesJan Engelhardt2012-09-3012-99/+84
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: extensions/GNUmakefile.in Resolution: trivial, since this was a fuzz 3. Reason: Line added from v1.4.15-16-g33710a5 was in vincinity of changes from v1.4.15-22-g4496801.
| * | doc: mention iptables-apply in the SEE ALSO sectionsJan Engelhardt2012-09-303-1/+3
| | | | | | | | | | | | | | | References: http://bugs.debian.org/660748 Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | doc: have NOTRACK manpage point to CT insteadJan Engelhardt2012-09-302-6/+4
| | | | | | | | | | | | | | | | | | The module is obsolete, so point to CT --notrack instead. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | doc: trim "state" manpage and reference conntrack insteadJan Engelhardt2012-09-302-23/+7
| | | | | | | | | | | | | | | | | | | | | The module is practically obsolete, so just pinpoint to the replacement in short order. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | doc: deduplicate extension descriptions into a new manpageJan Engelhardt2012-09-307-62/+63
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences. Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT). Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | doc: clean up interpunction in state list for xt_conntrackJan Engelhardt2012-09-301-8/+8
| | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* | | Merge branch 'master' of git://git.inai.de/iptablesJan Engelhardt2012-09-3014-182/+351
|\| |
| * | libxt_state: replace as an alias to xt_conntrackJan Engelhardt2012-09-303-138/+194
| | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | iptables: support for match aliasesJan Engelhardt2012-09-294-6/+19
| | | | | | | | | | | | | | | | | | | | | This patch allows for match names listed on the command line to be rewritten to new names and revisions, like we did for targets before. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | libxt_NOTRACK: replace as an alias to CT --notrackJan Engelhardt2012-09-293-15/+44
| | | | | | | | | | | | | | | | | | | | | Note that we do not need any print/save functions for the alias entries, since the real CT entry will handle this. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | iptables: support for target aliasesJan Engelhardt2012-09-275-11/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows for target names listed on the command line to be rewritten to new names and revisions. As before, we will pick a revision that is supported by the kernel - now including real_name in the search. This gives us the possibility to test for many action names. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | libxtables: consolidate preference logicJan Engelhardt2012-09-271-16/+53
| | | | | | | | | | | | | | | | | | | | | | | | Alias support will require testing for more conditions, so move the revision comparison code into a separate function where it can be shared between matches and targets. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | build: separate AC variable replacements from xtables.hJan Engelhardt2012-08-316-6/+7
| | | | | | | | | | | | | | | | | | | | | It was/is a bit annoying that modifying xtables.h.in causes configure to rerun. Split the @foo@ things into a separate file to bypass this. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| * | build: support for automake-1.12Jan Engelhardt2012-08-311-0/+1
| | | | | | | | | | | | | | | | | | automake-1.12 wants that AM_PROG_AR be used when LT_INIT is. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* | | New set match revision with --return-nomatch flag supportJozsef Kadlecsik2012-09-213-0/+106
| | |
* | | build: have `make clean` remove dep files tooJan Engelhardt2012-09-101-1/+1
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | While changing branches, one can hit errors like: make[2]: *** CC libipt_CLUSTERIP.oo No hay ninguna regla para construir el objetivo `../include/net/netfilter/nf_nat.h', necesario para `libipt_DNAT.oo'. Alto. Pablo thinks dep files should be removed on `make clean`, and I concur. (JFI, Note that native automake would not clear its ".deps" directory.) Keep the "distclean: clean" line to keep invocations by automake from the parent directory working. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_addrtype: fix type in help messagePablo Neira Ayuso2012-09-081-1/+1
| | | | | | | | | | | | | | | | --limit-iface-out Match only on the packet's incoming device Note that it says "incoming" when it should say "outcoming" Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: fix wrong error messagesPablo Neira Ayuso2012-09-082-2/+2
|/ | | | | | | | | | iptables -P INPUT iptables v1.4.15: -X requires a chain and a policy Try `iptables -h' or 'iptables --help' for more information. Note that it says -X when we have used -P. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_tcp: print space before, not after "flags:"Andreas Schwab2012-08-211-3/+2
| | | | | | | | tcp dpt:10flags: 0x17/0x02 ^^ Signed-off-by: Andreas Schwab <schwab@linux-m68k.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_frag: match any frag id by defaultMichal Kubeček2012-08-081-0/+8
| | | | | | | | | | | | | | | | | If no --fragid option is given, the frag extension only matches fragments with a zero-valued "Identification" field. This behavior deviates from what other extensions do (they match all values in this case) and is unexpected, and therefore changed by this patch. Additionally, --fragid 0:4294967295 leads to no output on `iptables -S` because part of the code thinks that this would be the default, when it is not. So, default to match all frag values, such that iptables -S not outputting anything also becomes correct. Signed-off-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* Merge remote-tracking branch 'nf/stable'Jan Engelhardt2012-08-080-0/+0
|\
| * include: add missing linux/netfilter_ipv4/ip_queue.hPablo Neira Ayuso2012-08-031-0/+72
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes compilation of libipq with headers from Linux kernel 3.5: In file included from libipq.c:34:0: ../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory ip_queue is gone since Linux kernel 3.5. However, you can still use new iptables versions with old Linux kernels. We have to keep libipq in this tree for a while (1.5-2 years should be OK). Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>