| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This function is used both by iptables and ip6tables, and
refactorize to avoid longer than 80-chars per column lines
of code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| | |
This function is shared by iptables and ip6tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
as in IPv4 and fixes DNAT_save
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
correct parsing of IPv6 port NAT without address NAT,
assume one colon as port information.
Allows:
* address only:
-j DNAT --to affe::1
-j DNAT --to [affe::1]
* port only
-j DNAT --to :80
-j DNAT --to :80-110
-j DNAT --to []:80
-j DNAT --to []:80-110
* address and port
-j DNAT --to [affe::1]:80
-j DNAT --to [affe::1]:80-110
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
replaces SNPT by DNPT.
This fixes broken help message that points to SNPT.
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Link stage of libip6t_NETMAP failed since recently.
CCLD libip6t_NETMAP.so
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
cannot find -lip6tc
libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
it is not specified.
Why does the link succeed for some people? Because
/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
especially those without iptables development files, have that file,
hence this link error can happen.
By suggestion of Mike Frysinger, this patch uses libtool to produce
and link the plugins.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Fixes bugzilla id 797.
|
|
|
|
|
|
|
|
|
|
| |
Suppressing '--packet 0' in save output resulted in restore failure.
This patch includes '--packet 0' in save output while continuing to
suppress it in print output.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| | |
Linux kernel 3.7
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, if you want to do something like:
"match Monday, starting 23:00, for two hours"
You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
The rule
--weekdays Mo --timestart 23:00 --timestop 01:00
looks correct, but it will first match on monday from midnight to 1 a.m.
and then again for another hour from 23:00 onwards.
This permits userspace to explicitly ignore the day transition and
match for a single, continuous time period instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add extensions for the SNPT and DNPT stateless IPv6-to-IPv6 Network Prefix
Translation targets.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libxt_limit.c: In function 'print_rate':
libxt_limit.c:124: error: 'INFINITY' undeclared (first use in
this function)
The default mode of glibc-2.15's <features.h> sets
"-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However,
on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L".
Explicitly draw in the definition of INFINITY by always defining
_ISOC99_SOURCE. By doing this, we are moving off of the default set, so
_BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is
used in xt_hashlimit.h.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
$ ./configure --enable-static --disable-shared --enable-ipv4
--enable-ipv6 && make
[...]
make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by
"libext.a". Stop.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.
# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.
To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.
[ I have mangled this patch to remove a comment unnecessarily large.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This regression was added by:
commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue Sep 4 05:24:47 2012 +0200
iptables: support for target aliase
The result is that:
iptables -I INPUT -j ACCEPT
says:
iptables: No chain/target/match by that name.
This also breaks iptables-restore, of course. Jan, you'll have to explain me
how you have tested this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
extensions/GNUmakefile.in
Resolution: trivial, since this was a fuzz 3.
Reason: Line added from v1.4.15-16-g33710a5 was in vincinity of changes
from v1.4.15-22-g4496801.
|
| | |
| | |
| | |
| | |
| | | |
References: http://bugs.debian.org/660748
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | | |
The module is obsolete, so point to CT --notrack instead.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The module is practically obsolete, so just pinpoint to the replacement
in short order.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
iptables.8 and ip6tables.8 had pretty much the same content, with a few
protocol-specific deviations here and there. Not only did that bloat the
manpages, but it also made it harder to spot differences. Separate out
the extension descriptions into a new manpage, which conveniently
features differences next to one another (cf. REJECT).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|\| | |
|
| | |
| | |
| | |
| | | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Note that we do not need any print/save functions for the alias entries,
since the real CT entry will handle this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch allows for target names listed on the command line to be
rewritten to new names and revisions.
As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Alias support will require testing for more conditions, so move the
revision comparison code into a separate function where it can be
shared between matches and targets.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It was/is a bit annoying that modifying xtables.h.in causes configure
to rerun. Split the @foo@ things into a separate file to bypass this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | |
| | |
| | |
| | |
| | |
| | | |
automake-1.12 wants that AM_PROG_AR be used when LT_INIT is.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| | | |
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While changing branches, one can hit errors like:
make[2]: *** CC libipt_CLUSTERIP.oo
No hay ninguna regla para construir el objetivo
`../include/net/netfilter/nf_nat.h', necesario para
`libipt_DNAT.oo'. Alto.
Pablo thinks dep files should be removed on `make clean`, and I
concur. (JFI, Note that native automake would not clear its ".deps"
directory.) Keep the "distclean: clean" line to keep invocations by
automake from the parent directory working.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
--limit-iface-out Match only on the packet's incoming device
Note that it says "incoming" when it should say "outcoming"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
|
|
|
|
|
|
| |
iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
Note that it says -X when we have used -P.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
tcp dpt:10flags: 0x17/0x02
^^
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no --fragid option is given, the frag extension only matches
fragments with a zero-valued "Identification" field. This behavior
deviates from what other extensions do (they match all values in this
case) and is unexpected, and therefore changed by this patch.
Additionally, --fragid 0:4294967295 leads to no output on `iptables
-S` because part of the code thinks that this would be the default,
when it is not.
So, default to match all frag values, such that iptables -S not
outputting anything also becomes correct.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes compilation of libipq with headers from Linux
kernel 3.5:
In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).
Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|