summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libiptc: remove old fixmeJesper Dangaard Brouer2008-09-241-2/+0
| | | | | | | Chains _are_ sorted, binary search depend on it! Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: remove mentions of NAT in ip6tables manpageJan Engelhardt2008-09-081-18/+3
| | | | | | | ip6tables does not support NAT at this time. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: run ldconfig on `make install`Jan Engelhardt2008-09-081-0/+5
| | | | | | Reporeted-by: Brent Clark <brentgclarklist@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: update comments part IIJan Engelhardt2008-09-042-4/+4
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: fix another typo in tcp manpagePatrick McHardy2008-09-011-1/+1
|
* manpages: Fix a typo in tcp man pageWANG Cong2008-09-011-1/+1
| | | | | Signed-off-by: WANG Cong <wangcong@zeuux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Missing limits.h includesPhil Oester2008-09-013-0/+5
| | | | | | | | | Latest git doesn't compile for me on Fedora 9 due to various *MAX constants being undefined. Below adds the include in 3 files which need it (although I can't see why this isn't required in 1.4.1.1). Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_recent: do allow --rttl for --updateJan Engelhardt2008-09-012-2/+2
| | | | | | | | Tony Ho noticed a too-strict check in xt_recent, so here is a fix. Reported-by: Tony Ho <iptables@iblink.com.cn> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: prepare make tarball for git 1.6.0Jan Engelhardt2008-09-011-1/+1
| | | | | | | Git 1.6.0 will not have the dashful forms anymore. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Update commentsJan Engelhardt2008-09-0164-340/+13
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use regular includesJan Engelhardt2008-09-019-10/+9
| | | | | | | | iptables ships with all header files and prioritized its own include directory over /usr/include/linux, so just use the normal brackets. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_iprange: fix option namesJan Engelhardt2008-09-011-16/+16
| | | | | | | There is no --src-ip, just --src-range. (Same for --dst-range.) Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_mac: flatten casts in libxt_macJan Engelhardt2008-09-011-5/+8
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: add missing rateest match documentationJan Engelhardt2008-08-151-0/+55
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* manpages: add missing rateest documentationJan Engelhardt2008-08-151-0/+1
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix iptables-static buildJan Engelhard2008-08-151-2/+2
| | | | | | | | Commit 126c1361ad5201973e6ebc761b3e38a67915de29 unfortunately broke building iptables-static due to listing iptables.c twice. Fix this. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* manpages: add missing --rsource,--rdest options to libxt_recent.manJan Engelhardt2008-08-131-0/+7
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix initext.c dependencyJan Engelhardt2008-08-131-1/+1
| | | | | | | initext?.c is generated within the current directory, not in ${srcdir}. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix dependency tracking for xtables.h.inJan Engelhardt2008-08-131-0/+2
| | | | | | | | For files to be correctly regenerated after the .in file has been touched, an explicit extra dependency is needed in the Makefile. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Synchronize invert flag order with manpagesJan Engelhardt2008-08-1322-45/+45
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Warn about use of DROP in nat tableJan Engelhardt2008-08-131-0/+8
| | | | | | | Consensus is that we should warn for now. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* physdev: remove extra space in outputJan Engelhardt2008-08-131-11/+12
| | | | | | | | Just a cosmetic fix for `iptables -S` and `iptables-save` printing two spaces between arguments in the physdev match. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: correct erroneous markupJan Engelhardt2008-08-129-10/+10
| | | | | | | | Text paragraphs should use .PP, since .TP makes it a list item with indented description. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Put xtables.c into its own library, libxtables.soJan Engelhardt2008-08-044-13/+39
| | | | | | | | | | | iproute2's tc's m_ipt.c poses as a pseudo-iptables program to make use of the info structure composition of iptables extensions. Since tc would have to clone a lot of code, xtables.c is put into its own shared library and should not be relied upon by any other programs. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_dscp: fix save of negated dscp match rulesPhil Oester2008-08-041-1/+1
| | | | | | | | | | | | As pointed out by Vyacheslav Garashchenko, iptables-save does not save negated dscp matches properly. Fix below. This closes bugzilla #533. Phil Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: fix hashlimit outputPhil Oester2008-08-041-1/+1
| | | | | | | | | In bugzilla 550, Xeb notes that the --hashlimit-htable-gcinterval argument is saved incorrectly. Patch below corrects. Patch-from: Xeb <xeb@mail.ru> Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_recent: do not allow both --set and --rttlJan Engelhardt2008-08-041-10/+23
| | | | | | | | | | | | Reported-by: Erich Schubert <erich@debian.org> Reference: Debian bug #346034 "I was using the --rttl option in my --set line; this caused all incoming ssh connections to be rejected; --rttl is only to be used with --rcheck and --update." Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-restore: fix segmentation fault with -tanythingJan Engelhardt2008-08-044-8/+6
| | | | | | | | | | | | | | | | | | | | Reference: Debian bug #458042 iptables-restore must not pass a table into do_command. It checks for "-t arg" and "--table arg", but not "-targ". (On a related note, using -targ does not work as expected). This should fail gracefully, but crashes: iptables-restore <(echo -e '*filter\n-A INPUT -tx\nCOMMIT') And this should use table "filter", or perhaps raise an error, but instead sets the table to (literally) "-tfilter": iptables -tfilter -A INPUT Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: drop libiptc from installationJan Engelhardt2008-08-041-3/+0
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove dependency on libiptc headersJan Engelhardt2008-08-049-10/+17
| | | | | | | | xtables.h does not need really need libxtc.h, and we can drop it from the install as it is internal-only. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: name and markup fixesJan Engelhardt2008-07-302-24/+24
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptablesJan Engelhardt2008-07-2910-458/+471
|\
| * v1.4.2-rc1v1.4.2-rc1Patrick McHardy2008-07-232-4/+4
| |
| * xt_string: string extension case insensitive matchingJoonwoo Park2008-07-072-11/+74
| | | | | | | | | | | | | | | | | | The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag. Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libiptc: fix scalability performance issue during initial ruleset parsingJesper Dangaard Brouer2008-07-031-11/+112
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Finding jump chains is slow O(Chain*Rules). The problem: is that the chain list is searched lineary for each rule with a jump target. The problem lies in the "second pass" (of function parse_table) where the userchain jump targets are found. For each rule "R" with a IPTCC_R_JUMP target, function iptcc_find_chain_by_offset() searches through the chains "C" in the chain list (worst-case hitting the last one). The solution: in this patch is to speed up iptcc_find_chain_by_offset() by using binary search. Reducing complexity from O(C) to O(log C). Implementation: Its possible to use the same bsearch algorithm and data structure (chain_index), as used for chain name searching. How is that possible: One has to realize that the chains are both sorted by name and offsets, this is because the chains are already sorted in the ruleset from the kernel. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libiptc: minor bugfixJesper Dangaard Brouer2008-07-031-1/+2
| | | | | | | | | | | | | | | | Minor bugfix, an extra check is needed if the tail element is a builtin chain, as builtin chains are not sorted. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * manpages: various updatesJan Engelhardt2008-07-032-390/+225
| | | | | | | | | | | | | | | | | | - synchronized iptables--ip6tbales manpages - -S option, list of chain names, protocol names - markup updates Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: various changes to release.shJan Engelhardt2008-07-032-25/+2
| | | | | | | | | | | | | | | | | | - do not remove autogen.sh - remove COMMIT_NOTES - it does not apply to git anymore - create SHA1 sums for tarballs and patches Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: quote variables in release.shJan Engelhardt2008-07-031-11/+11
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libxt_TOS: make sure --set-tos value/mask is recognizedJan Engelhardt2008-06-301-1/+2
| | | | | | | | | | | | | | | | | | Only when a 'stop' pointer is passed, the string may consist of more than just a number. Reported-by: Anonymous Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: ip6.h is not requiredJan Engelhardt2008-06-251-1/+0
| | | | | | | | | | | | | | | | | | Remove the check from configure.ac that errors out when ip6.h is not found. The code does not actually depend on any structures from it. Reported-by: anonymous Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: change equailty test for old bashJan Engelhardt2008-06-231-4/+4
| | | | | | | | | | | | | | | | | | Michael used GNU bash, version 1.14.7(1), which apparently does not seem to know about the double ("==") variant of equality tests. Reported-by: Michael Teicher <mteicher@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * ip6tables: add --goto supportThomas Jacob2008-06-232-2/+38
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * release.sh: fix changelog filenamePatrick McHardy2008-06-191-1/+1
| | | | | | | | | | | | Add missing .txt extension. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | build: do not install ip{,6}tables.hJan Engelhardt2008-07-291-1/+1
|/ | | | | | | | These files do not contain anything that 3rd party modules could reasonably use. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add simple release scriptPatrick McHardy2008-06-171-0/+30
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* v1.4.1.1v1.4.1.1Patrick McHardy2008-06-161-1/+1
|
* iprange: kernel flags were not setJan Engelhardt2008-06-131-0/+6
| | | | | | | | | The --src-range and --dst-range parameters did not set the IPRANGE_* flags in struct xt_iprange_mtinfo. Reported-by: Maxim Britov <maxim.britov@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: fix printing of line numbers with --line-numbers argHenrik Nordstrom2008-06-132-2/+2
| | | | | | | Commit bb34082d ("iptables --list chain rulenum") broke the line numbering, starting with printing an offset of 2. Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix `make install` when --disable-shared is usedJan Engelhardt2008-06-121-1/+1
| | | | | | | | | When --disable-shared is used, there are no .so files to install, and the argument order for install would get messed up. Reported-by: Michael Teicher <mteicher@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>