| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Debian still carries patches patches to the iptables nroff code touching
ASCII minuses, so I thought, what's it this time.
Eventually, this patch tries to straighten things once more, per
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .
Titles will get the em dash; all typed commands or parameters with a
hyphen get a minus (so that man(1) hyperlinking and copy-pasting does
work), but other mentions get the hyphen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
Description: extraneous slash caused this lintian warning:
W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz
220: cannot use newline as a starting delimiter
W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz
1823: warning: `precedence'' not defined
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New version that adds support for specifying a queue range instead
of a single queue id.
The kernel will distribute flows across the given queue range.
This is useful for multicore systems, simply start multiple instances
of the userspace program on queues x, x+1, .. x+n and use
"--queue-balance x:x+n".
Packets belonging to the same connection are put into the same queue.
With fixes from Jan Engelhardt.
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\
| |
| |
| |
| |
| |
| | |
Conflicts:
extensions/libxt_conntrack.c
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
This complements the xt_conntrack revision 2 code added to the kenrel.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I see no pressing reason to install all single programs when the
multi binary can do the job. Within the build directory, developers
can run the components by means of, for example,
./ip6tables-multi {main|restore|save} ...
And when make install-ed, symlinks are available.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changed the Makefile so that:
1. --enable-shared / --disable-shared control the linkage against
libdl (and thus the potential to use 3rd party extensions)
2. --enable-static / --disable-static controls whether shipped
extensions are built-in or provided as modules
iptables-static becomes redundant by this action; iptables-multi now
has the feature.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Mixing code compiled with and without -DNO_SHARED_LIBS is fine as
long as the structs have the same layout. This patch prevents a
potential (currently non-triggerable) "ip6tables: target (null)<123>
is missing a version" error.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
libtool does not play well with symlinks when trying to run commands
in the build directory. So provide an alternate way to call
iptables-multi: when argv[0] is not a recognized name, inspect [1]
for an alternate identifer.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
libiptc.la must come after its components or `make install` won't get
things right.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
Similar to the ones that are present in the kernel.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
This is for extensions that do not take any options, and which
subsequently do not offer any help text either.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
This means we can do some code removal in extensions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are no different code paths between IPV4 and IPV6, so
data can be consolidated here.
text data bss dec hex filename
243757 12212 2576 258545 3f1f1 ip6tables-static[before.i586]
243613 9428 2576 255617 3e681 ip6tables-static[after.i586]
-144 -2784
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
The split can save some diskspace for constrained systems running
which are only running one protocol.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
libiptc already supports adding and deleting multiple rules with
different addresses, so it only needs to be wired up to the options.
# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
Adjustments made: syntax, removal of unneeded variables, manpage
adjustment, soversion bump.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are a
freeform, automatically-wrapped text.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Just for correctness, close some file descriptors that were opened.
(E.g. ip6tables-save reading from procfs files.)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From: Ian Bruce <ian_bruce@fastmail.net>
The commit corrects some minor errors in the iptables(8) man page,
related to port ranges in the "tcp" module.
Reference: http://bugs.debian.org/531677
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| | |
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |/
|
|
|
|
|
|
|
|
|
| |
By checking the protocol version of the kernel part, the sockopt type
of ipset protocols are all supported. Forward compatibility with the
netlink based protocol is missing.
The --set option of the set match is replaced by --match-set to avoid
clashing with the recent match, but the old option is also kept.
Manpages are updated, references to bindings removed.
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Florian Westphal points out that v1.4.3.2-9-gc304d77 greps for the
keyword in the wrong file, and that files with NFPROTO_UNSPEC are
skipped.
This patch corrects that part, and makes `make` now output the
manpages it collected.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
The files duplicate most of their code, and struct ipt_policy_info
being defined to xt_policy_info makes them actually have even more in
common.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
References: http://bugs.debian.org/529954
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
References: http://bugs.debian.org/528457
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
This fixes linking errors for 3rd-party C++ code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a segfault that can be triggered if you use an
incorrect protocol, e.g.
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
Segmentation fault
With this patch:
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
iptables v1.4.3.2: unknown protocol `lala' specified
Try `iptables -h' or 'iptables --help' for more information
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds support for the cluster match to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add support for persistent mappings (2.6.29-rc2+) as replacement for the
removed SAME target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
