summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* libxt_recent: remove unused variableEldad Zack2012-07-141-2/+0
| | | | | | | The info variable is assigned but never read in recent_check(). Signed-off-by: Eldad Zack <eldad@fogrefinery.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add HMARK targetHans Schillstrom2012-07-142-0/+503
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The target allows you to set mark packets based Jenkins' hash calculation: h(t, rnd) = x mark = (x % mod) + offset where: * t is a tuple that is used for the hashing: t = [ src, dst, proto, sport, dport ] Note that you can customize the tuple, thus, removing some component that you don't want to use for the calculation. You can also use spi instead of sport and dport, btw. * rnd is the random seed that is explicitly passed via --hmark-rnd * mod is the modulus, to determine the range of possible marks * offset determines where the mark starts from This target only works for the "raw" and "mangle" tables. This can be used to distribute flows between a cluster of systems and uplinks. Initially based on work from Hans Schillingstrom. Pablo took it over and introduced several improvements. Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_devgroup: add man page snippetFlorian Westphal2012-07-041-0/+7
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_rateest: output all options in save hookFlorian Westphal2012-05-221-21/+34
| | | | | | | | | | | | | | ipt-restore fails to parse the ipt-save output: zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5 (should be "--rateest-pps 5 --rateest-lt"). Also, the "delta" option was never shown in -save output, but twice in some cases when using "iptables -L". Also, the "b/pps1" option must be shown when "delta" option is used with relative mode. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libipt_ULOG: fix --ulog-cprangePablo Neira Ayuso2012-05-091-2/+2
| | | | | | | | | | | In 1f2474a libipt_ULOG: use guided option parser. A bug has been accidentally introduced in --ulog-cprange, limiting possible values from 1 to 50. However, that limit should be applied to --ulog-qthreshold. Reported-by: Gaurav Sinha <vgsinha@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add --timeout optionPablo Neira Ayuso2012-04-022-12/+127
| | | | | | | | | | | | | | | | | | | | This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg. iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \ -j CT --timeout custom-tcp-policy You need the nfct(8) tool which is available at: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git To define the cttimeout policies. Example of usage: nfct timeout add custom-tcp-policy inet tcp established 1000 The new nfct tool also requires libnetfilter_cttimeout: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add nfacct matchPablo Neira Ayuso2012-03-272-0/+119
| | | | | | | | | | | | | | This patch provides the user-space iptables support for the nfacct match. This can be used as it follows: nfacct add http-traffic iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic nfacct get http-traffic See also man nfacct(8) for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mark newly opened fds as FD_CLOEXEC (close on exec)Maciej Żenczykowski2012-03-231-0/+7
| | | | | | | | | | | | | | | | | | By default, Unix-like systems leak file descriptors after fork/exec call. I think this seem to result in SELinux spotting a strange AVC log messages according to what I can find on the web. Fedora 18 iptables source includes this change. Maciej says: "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise." Signed-off-by: Maciej enczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add IPv6 capable ECN match extensionPatrick McHardy2012-02-232-32/+33
| | | | | | | Patrick submitted this patch by 9th Jun 2011, I'm recovering and applying it to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add rpfilter moduleFlorian Westphal2012-02-232-0/+134
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: link on libxtables and check symbolsJan Engelhardt2011-12-311-11/+3
| | | | | | | | | | | | | Have each extension link against libxtables.so; with this, all home symbols are known at link time and we can use ld's --no-undefined to run the check, dropping the homebrew solution. By having libxtables.so required by extensions, package managers' automatic dependency discovery will become effective so that manual dependencies for distros with split extension packages (e.g. OpenWRT) will not be necessary anymore. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use delayed expansion on the user-settable variablesJan Engelhardt2011-12-311-21/+21
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Update .gitignoreJan Engelhardt2011-12-311-0/+9
| | | | Split off extensions/.gitignore.
* Merge branch 'stable'Pablo Neira Ayuso2011-12-231-17/+25
|\
| * libxt_connbytes: fix handling of --connbytes FROMFlorian Westphal2011-12-231-17/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | quoting man page: match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. if TO is omitted only FROM check is done. But, when TO was omitted, we did treat it like "x:x" which is not the same at all. Before commit 09631dc60ce41bc484a42fcf4d4ddf7036820bd1 (libxt_connbytes: use guided option parser), we failed to parse "--connbytes x" ('Bad range "x"'), but treated "x:" like "x:0xffffffff". Also, restore the "from must be smaller than to" check. Signed-off-by: Florian Westphal <fw@strlen.de>
* | Merge branch 'stable'Jan Engelhardt2011-12-186-40/+52
|\ \ | |/ |/|
| * libxt_recent: Add support for --reap optionTim Gardner2011-12-092-1/+21
| | | | | | | | | | | | | | | | Support for the reap option was merged in the kernel as of 2.6.35. Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
| * Merge branch 'stable'Pablo Neira Ayuso2011-11-011-1/+1
| |\
| * | Improve readability of bitwise operationThomas Jarosch2011-09-281-2/+2
| | | | | | | | | | | | | | | | | | | | | CLUSTERIP: improve readability of bitwise operation Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | Merge branch 'stable'Jan Engelhardt2011-09-191-4/+4
| |\ \
| * | | src: resolve old macro names that are indirectionsJan Engelhardt2011-09-111-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Command used: git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/) and then fix all occurrences. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | | Merge branch 'stable'Jan Engelhardt2011-09-111-6/+6
| |\ \ \
| * \ \ \ Merge branch 'master' of git://dev.medozas.de/iptablesJan Engelhardt2011-09-082-32/+24
| |\ \ \ \
| | * | | | libxt_addrtype: add support for revision 1Jan Engelhardt2011-08-281-32/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but there was no corresponding iptables patch so far. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | * | | | libxt_addrtype: rename from libipt_addrtypeJan Engelhardt2011-08-282-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | | | | libipt_SAME: set PROTO_RANDOM on all rangesJan Engelhardt2011-11-303-24/+34
| |_|_|_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolve the (justified) WTF remark to a clearer version of when/why PROTO_RANDOM needs to be set. Especially when --random is used before --to in SAME, it would have not been appleid.
* | | | | libxt_NFQUEUE: fix --queue-bypass ipt-save outputFlorian Westphal2011-11-011-1/+1
| |_|_|/ |/| | | | | | | | | | | | | | | | | | | | | | | else, this will print "--queue-num 0--queue-bypass ". Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | | build: make check stage not fail when building staticallyJan Engelhardt2011-09-191-2/+2
| | | | | | | | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | | build: restore build order of modulesJan Engelhardt2011-09-191-2/+2
| |_|/ |/| | | | | | | | | | | | | | | | | | | | iptables(exe) requires libext.a, but extensions/ require libxtables.la (in iptables/). This circular dependency does not work out, so separate libxtables into its own directory and put it in front. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | build: sort file list before buildJan Engelhardt2011-09-081-6/+6
|/ / | | | | | | | | | | | | | | | | Manpage subsections are already sorted for obvious reasons. Since $(wildcard) can actually return results unordered (just what the OS can do) do the sorting with the .o file list too, for developer comfort. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxt_CONNSECMARK: fix spacing in outputTom Eastep2011-09-051-1/+1
| | | | | | | | | | | | | | | | | | ~# iptables -t mangle -A foo -j CONNSECMARK --save ~# iptables -t mangle -S [...] -A foo -j CONNSECMARK--save Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: scan for unreferenced symbolsJan Engelhardt2011-09-031-1/+10
| | | | | | | | | | | | | | To be notified of occurrences where we are missing any libraries, run some ldd checks post building. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxt_RATEEST: link with -lmJan Engelhardt2011-09-031-0/+1
| | | | | | | | | | | | | | $ ldd -r libxt_RATEEST.so undefined symbol: log (./libxt_RATEEST.so) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxt_statistic: link with -lmJan Engelhardt2011-09-031-1/+4
|/ | | | | | | | $ ldd -r libxt_statistic.so undefined symbol: lround (./libxt_statistic.so) References: https://bugs.archlinux.org/task/25358 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: improve error message on parsing violationTom Eastep2011-08-271-4/+11
| | | | | | | | | | | | | | | Tom Eastep noted: $ iptables -A foo -m conntrack --ctorigdstport 22 iptables v1.4.12: conntrack rev 2 does not support port ranges Try `iptables -h' or 'iptables --help' for more information. Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug, but let's include Tom's patch nevertheless for the better error message in case one actually does specify a range with rev 2. References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_TOS: update linux kernel version list for backported fixFernando Luis Vázquez Cao2011-08-261-4/+4
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: escape the escaping char tooJan Engelhardt2011-08-261-1/+1
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=740 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: replace hex codes by char equivalentsJan Engelhardt2011-08-251-3/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: simplify hex output routineJan Engelhardt2011-08-251-7/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: observe new default gc-expire time when savingJan Engelhardt2011-08-211-13/+20
| | | | | | | | Since a while, --htable-gc-expire defaults to the chosen time quantum instead of 10 fixed seconds, which leads the expiry value to be always printed, which is redundant. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: remove superfluous inversionJan Engelhardt2011-08-211-2/+1
| | | | | | --dir cannot be inverted. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_physdev: restore inversion supportJan Engelhardt2011-08-211-3/+4
| | | | | | | | Bug origin is in commit v1.4.11~26^2~4. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_owner: restore inversion supportJan Engelhardt2011-08-211-1/+2
| | | | | | | | Bug origin is in commit v1.4.11~16^2~7. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_ttl: document that negation is availableJan Engelhardt2011-08-212-2/+2
| | | | | | Glitch since commit v1.2.1~75. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_dst: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-211-0/+3
| | | | | | Bug origin is in commit v1.4.11~26^2~18. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_hbh: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-211-0/+1
| | | | | | Bug origin is in commit v1.4.11~26^2~17. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: remove inversion from hashlimit rev 0Jan Engelhardt2011-08-211-11/+2
| | | | | | | Revision 0 indeed did not have inversion support, nor presence of --hashlimit-above. This glitch was added in v1.4.11~16^2~10. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_frag: restore inversion supportJan Engelhardt2011-08-211-0/+16
| | | | | | | | --fraglen also was not printed since v1.4.11~26^2~22. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix --ctproto 0 outputJan Engelhardt2011-08-211-4/+5
| | | | | | | | | | | First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER. (Next commit will flag this.) Furthermore, l4proto is of type uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not work => revert v1.4.12~1^2. Bug goes back to v1.4.12~1^2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: default htable-expire must be in millisecondsJan Engelhardt2011-08-211-2/+2
| | | | | | Bug goes back to v1.4.12~3^2~11. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>