path: root/extensions/libxt_set.h
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: Move struct xtables_afinfo into xtables.hPhil Sutter2022-06-231-1/+0
| | | | | | | | | | | | | The library "owns" this structure and maintains 'afinfo' pointer to instances of it. With libxt_set, there's even an extension making use of the data. To avoid impact on library users, guard it by XTABLES_INTERNAL. To eliminate the xshared.h include by libxt_set, DEBUGP has to be redefined. Other extensions have similar defines, fix this later. Signed-off-by: Phil Sutter <>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-071-2/+2
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <>
* Consolidate DEBUGP macrosPhil Sutter2018-08-041-6/+0
| | | | | | | | | | | | | | | | | | This debug printing macro was defined in various places, always identical. Move it into xshared.h and drop it from sources including that header. There are a few exceptions: * iptables-xml.c did not include xshared.h, which this patch changes. * Sources in extensions and libiptc mostly left alone since they don't include xshared.h (and maybe shouldn't). Only libxt_set.h does, so it's converted, too. This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler warning. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* extensions: libxt_set, libxt_SET: check the set family tooJozsef Kadlecsik2013-11-181-4/+48
| | | | | | | | | | | Do not accept silently sets with wrong protocol family but reject them with an error message. It makes straightforward to catch user errors. [ Use afinfo instead to avoid a binary interface update --pablo ] Signed-off-by: Jozsef Kadlecsik <> Signed-off-by: Pablo Neira Ayuso <>
* src: mark newly opened fds as FD_CLOEXEC (close on exec)Maciej ┼╗enczykowski2012-03-231-0/+7
| | | | | | | | | | | | | | | | | | By default, Unix-like systems leak file descriptors after fork/exec call. I think this seem to result in SELinux spotting a strange AVC log messages according to what I can find on the web. Fedora 18 iptables source includes this change. Maciej says: "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise." Signed-off-by: Maciej enczykowski <> Signed-off-by: Pablo Neira Ayuso <>
* Fix set match/target direction parserJozsef Kadlecsik2011-04-091-4/+3
| | | | | The direction parser did not catch when more src/dst direction parameters were supplied than allowed.
* libxt_set: new revision addedJozsef Kadlecsik2010-06-161-0/+147
libipt_set renamed to libxt_set and the support for the forthcoming ipset release added. I have tested backward (IPv4) and forward compatibility (IPv4/IPv6): ipset -N test iphash ipset -A test test-address iptables -N test-set iptables -A test-set -j LOG --log-prefix "match " iptables -A test-set -j DROP iptables -A OUTPUT -m set --match-set test dst -j test-set ping test-address