| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
based on tests/options-most.rules
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
"All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in
doesn't set it."
http://bugs.debian.org/665286
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Fedora, ArchLinux, Ubuntu, and Debian, at the least, use
alternative syslog daemons by default these days. Let's make
the syslog reference generic.
Reference: http://bugs.debian.org/567564
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add usage examples for string and hex string patterns.
References: http://bugs.debian.org/699904
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Remove it.
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The extension man page shows "port-unreach" and "port-unreachable" as
default icmpv6 and icomp reject-with types. Either and variations work
fine for writing rules, but they are displayed as "icmp6-port-unreachable"
and "icmp-port-unreachable". Let's make that consistent.
http://bugs.debian.org/644819
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The first might work. The second doesn't.
(The other corrections in the bug report are already implemented.)
http://bugs.debian.org/654983
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Corrects an example address with subnet mask.
http://bugs.debian.org/698393
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| |
| |
| | |
To retrieve:
iptables: state match incompatibilty across versions
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).
Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
... and remove the QUEUE snippets from ip(6)tables man page,
the queue target was replaced by nfqueue years ago.
Fix up a couple of needless differences in ip(6)tables.8, too.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Document --nowildcard option and its implications when using -m socket
to intercept packets.
While at it, update man page with Balazs Scheidlers comments from
nf_tproxy_core.h in kernel tree to better explain how lookup is performed.
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xt_socket module can be a nice replacement to conntrack module
in some cases (SYN filtering for example)
But it lacks the ability to match the 3rd packet of TCP
handshake (ACK coming from the client).
Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism
The wildcard is the legacy socket match behavior, that ignores
LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)
iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Available since Linux kernel 3.8.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
libipt_LOG is using the xtables_save_string func, which
escapes unsafe characters as needed. libip6t_LOG should
do the same.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This checking was accidentally removed in (74ded72 libxt_recent:
add --mask netmask).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.
The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).
Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.
So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The reap functionality appears to have been accidentally disabled
by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15
and later. This adds a patch to restore reap functionality for
recent_opts_v1.
Patch obtained via: http://patchwork.openwrt.org/patch/3812/
Signed-off-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The revision add the support of matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
also update list of protocols valid for port mapping.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|\
| |
| |
| | |
Get fix for LED extension.
|
| |
| |
| |
| |
| |
| |
| | |
Closes bugzilla:
https://bugzilla.netfilter.org/show_bug.cgi?id=825
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch renames libipt_SNAT.man to libxt_SNAT.man thus informing
about the IPv6 version.
Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This patch renames libipt_NETMAP.man to libxt_NETMAP.man thus informing
about the IPv6 version.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch renames libipt_REDIRECT.man to libxt_REDIRECT.man thus
informing about the IPv6 version.
Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch renames libipt_DNAT.man to libxt_DNAT.man thus informing
about the IPv6 version, as suggested by Patrick McHardy.
Also, it updates the list of valid protocols for port mapping is
updated to: tcp, udp, dccp and sctp.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| | |
Add copyright statements to all extensions authored by myself.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
SNAT in the INPUT chain was added Jun 2010 to the kernel
(commit c68cd6cc21eb329c47ff020ff7412bf58176984e).
Signed-off-by: Michael Roth <mail@mroth.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allows to "tag" connections with up to 128 label names.
Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0
Labels can then be attached to flows, e.g.
-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
The conntrack match uses a different value for the UNTRACKED state than
the state match. Translate states to conntrack states to make sure they
all match.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
This patch updates the list of valid protocols in the man page section
of the multiport match to: tcp, udp, udplite, dccp and sctp.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|