The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are a
freeform, automatically-wrapped text.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Just for correctness, close some file descriptors that were opened.
(E.g. ip6tables-save reading from procfs files.)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
From: Ian Bruce <ian_bruce@fastmail.net>
The commit corrects some minor errors in the iptables(8) man page,
related to port ranges in the "tcp" module.
Reference: http://bugs.debian.org/531677
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
By checking the protocol version of the kernel part, the sockopt type
of ipset protocols are all supported. Forward compatibility with the
netlink based protocol is missing.
The --set option of the set match is replaced by --match-set to avoid
clashing with the recent match, but the old option is also kept.
Manpages are updated, references to bindings removed.
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Florian Westphal points out that v1.4.3.2-9-gc304d77 greps for the
keyword in the wrong file, and that files with NFPROTO_UNSPEC are
skipped.
This patch corrects that part, and makes `make` now output the
manpages it collected.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
The files duplicate most of their code, and struct ipt_policy_info
being defined to xt_policy_info makes them actually have even more in
common.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
References: http://bugs.debian.org/529954
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
References: http://bugs.debian.org/528457
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
This fixes linking errors for 3rd-party C++ code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
This patch fixes a segfault that can be triggered if you use an
incorrect protocol, e.g.
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
Segmentation fault
With this patch:
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
iptables v1.4.3.2: unknown protocol `lala' specified
Try `iptables -h' or 'iptables --help' for more information
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
This patch adds support for the cluster match to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Add support for persistent mappings (2.6.29-rc2+) as replacement for the
removed SAME target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
This patch bumps iptables version to 1.4.3.2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Because the wrong flag was checked, the "!" was either wrongly
printed, or not printed at all.
This was broken since v1.4.0-29-ga8ad34c.
Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Most other extensions use strtoul (by means of xtables_strtoui)
and would abide by the standard convention of hex/octal prefixes
0x/0, and decimal otherwise, but CLASSIFY is an exception.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
µClibc may not provide the in6addr_any variable when IPv6 is
disabled. So just provide it ourselves.
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
This patch complements the previous one.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
This also skips building the IPv6 extensions. It does not #ifdef out
all code however, I think that would make it too ugly.
Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
When the structure's layout changes, as it did between v1.4.1 and
v1.4.2, trying to compare the version string makes iptables segfault
while it tries to determine whether the module is compatible in the
first place.
By moving the member to a known offset in the struct and keeping it
there, objects (both iptables and 3rd party) compiled from this
commit onwards will avoid the segfault.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
iptables multi-purpose version: unknown applet name iptables-static
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
With this patch, iptables refers to dmesg for further
troubleshooting if we hit EINVAL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Connect history to the tag.
|
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
The link of iptables-save fails on:
$ make LDFLAGS="-Wl,--as-needed"
[...]
extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
extensions/libxt_RATEEST.c:164: undefined reference to `log'
Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update
the constant in one place, and the compile error triggered only
when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Add notes about my scalability work on the library libiptc.
This should make it more obvious who to complain to.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
Cleanup whitespaces while going through the code.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
iptc_insert_chain is too big to get inlined and so it generates
a warning while compiling.
Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no table modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>