summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* rateest: guard against segfaultJan Engelhardt2008-12-301-0/+3
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-save: output ! in position according to manpageJan Engelhardt2008-12-0916-78/+54
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: fix a typo in libip6t_REJECT.manJan Engelhardt2008-11-241-2/+1
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove inclusion of iptables.hJan Engelhardt2008-11-2040-38/+38
| | | | | | | | | iptables.h and ip6tables.h only include declarations internal to iptables (specifically iptables.c and ip6tables.c), as most of the public API has been moved to xtables.h a few months ago. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* state: report spaces in the state list parsingPablo Neira Ayuso2008-11-192-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | This patch adds better error reporting when the user inserts a space between two states with the --state option. iptables -I INPUT -m state ESTABLISHED, RELATED ^ mind the space results in: iptables v1.4.2-rc1: Bad state `' Try `iptables -h' or 'iptables --help' for more information. Now this returns: iptables v1.4.2-rc1: `--state' requires a list of states with no spaces, e.g. ESTABLISHED,RELATED This patch also applies to libxt_conntrack which has a copy of the function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use NFPROTO_ constantsJan Engelhardt2008-11-1871-128/+128
| | | | | | | | Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_conntrack: dump ctdirJan Engelhardt2008-11-121-0/+15
| | | | | | | | Sent in as part of a larger private mail by Gáspár Lajos <swifty@freemail.hu>; I cherry-picked the ctdir part. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_conntrack: respect -n option during ruledumpJan Engelhardt2008-11-101-2/+8
| | | | | | | Reference: http://bugs.debian.org/502548 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add SCTP/DCCP support to NAT targetsPatrick McHardy2008-11-044-4/+12
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix compile warnings using gcc 4.3.2Thomas Jarosch2008-10-234-0/+4
| | | | | | | | | | | | | | libxt_dccp.c: In function 'port_to_service': libxt_dccp.c:196: warning: implicit declaration of function 'htons' libxt_sctp.c: In function 'port_to_service': libxt_sctp.c:321: warning: implicit declaration of function 'htons' libxt_tcp.c: In function 'port_to_service': libxt_tcp.c:220: warning: implicit declaration of function 'htons' libxt_udp.c: In function 'port_to_service': libxt_udp.c:104: warning: implicit declaration of function 'htons' Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix compile error in libxt_iprange.c using gcc 4.3.2Thomas Jarosch2008-10-231-0/+1
| | | | | | | | | | | | | | | | | | | | | In file included from libxt_iprange.c:9: ../include/linux/netfilter.h:43: error: field 'in' has incomplete type ../include/linux/netfilter.h:44: error: field 'in6' has incomplete type libxt_iprange.c: In function 'parse_iprange': libxt_iprange.c:46: error: dereferencing pointer to incomplete type libxt_iprange.c:53: error: dereferencing pointer to incomplete type libxt_iprange.c: In function 'iprange_mt4_parse': libxt_iprange.c:117: error: dereferencing pointer to incomplete type libxt_iprange.c:121: error: dereferencing pointer to incomplete type libxt_iprange.c:136: error: dereferencing pointer to incomplete type libxt_iprange.c:140: error: dereferencing pointer to incomplete type libxt_iprange.c: In function 'iprange_mt6_parse': libxt_iprange.c:167: error: dereferencing pointer to incomplete type libxt_iprange.c:171: error: dereferencing pointer to incomplete type libxt_iprange.c:186: error: dereferencing pointer to incomplete type libxt_iprange.c:190: error: dereferencing pointer to incomplete type Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
* libxt_recent: add IPv6 supportJan Engelhardt2008-10-222-60/+76
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Move libipt_recent to libxt_recentJan Engelhardt2008-10-222-64/+65
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_TOS: fix compilation errorJirí Moravec2008-10-221-0/+1
| | | | | | | | | | | | | Fix compilation error caused by double definition of IPPROTO_SCTP: In file included from /usr/include/netinet/ip.h:25, from /usr/include/linux/ip.h:19, from tos_values.c:4, from libxt_TOS.c:15: /usr/include/netinet/in.h:84: error: expected identifier before numeric constant make[2]: *** [libxt_TOS.oo] Error 1 Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add iptables support for the socket matchKOVACS Krisztian2008-10-152-0/+41
| | | | | | | Add user-space code for the socket match. Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add iptables support for the TPROXY targetKOVACS Krisztian2008-10-152-0/+172
| | | | | Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
* mark: fix invalid iptables-save outputPablo Sebastian Greco2008-09-291-1/+1
| | | | | | | | | | When a neg mark is saved via iptables-save it is saved as !--mark, but this is not recognized by iptables-restore, just adding a space to the saved file to make it look like "! --mark" makes iptables-restore accept the file. Signed-off-by: Pablo Sebastian Greco <pablo@fliagreco.com.ar> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update comments part IIJan Engelhardt2008-09-042-4/+4
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: fix another typo in tcp manpagePatrick McHardy2008-09-011-1/+1
|
* manpages: Fix a typo in tcp man pageWANG Cong2008-09-011-1/+1
| | | | | Signed-off-by: WANG Cong <wangcong@zeuux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Missing limits.h includesPhil Oester2008-09-013-0/+5
| | | | | | | | | Latest git doesn't compile for me on Fedora 9 due to various *MAX constants being undefined. Below adds the include in 3 files which need it (although I can't see why this isn't required in 1.4.1.1). Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_recent: do allow --rttl for --updateJan Engelhardt2008-09-012-2/+2
| | | | | | | | Tony Ho noticed a too-strict check in xt_recent, so here is a fix. Reported-by: Tony Ho <iptables@iblink.com.cn> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Update commentsJan Engelhardt2008-09-0164-340/+13
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use regular includesJan Engelhardt2008-09-019-10/+9
| | | | | | | | iptables ships with all header files and prioritized its own include directory over /usr/include/linux, so just use the normal brackets. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_iprange: fix option namesJan Engelhardt2008-09-011-16/+16
| | | | | | | There is no --src-ip, just --src-range. (Same for --dst-range.) Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_mac: flatten casts in libxt_macJan Engelhardt2008-09-011-5/+8
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: add missing rateest match documentationJan Engelhardt2008-08-151-0/+55
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* manpages: add missing rateest documentationJan Engelhardt2008-08-151-0/+1
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* manpages: add missing --rsource,--rdest options to libxt_recent.manJan Engelhardt2008-08-131-0/+7
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix initext.c dependencyJan Engelhardt2008-08-131-1/+1
| | | | | | | initext?.c is generated within the current directory, not in ${srcdir}. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Synchronize invert flag order with manpagesJan Engelhardt2008-08-1320-34/+34
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* physdev: remove extra space in outputJan Engelhardt2008-08-131-11/+12
| | | | | | | | Just a cosmetic fix for `iptables -S` and `iptables-save` printing two spaces between arguments in the physdev match. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: correct erroneous markupJan Engelhardt2008-08-129-10/+10
| | | | | | | | Text paragraphs should use .PP, since .TP makes it a list item with indented description. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_dscp: fix save of negated dscp match rulesPhil Oester2008-08-041-1/+1
| | | | | | | | | | | | As pointed out by Vyacheslav Garashchenko, iptables-save does not save negated dscp matches properly. Fix below. This closes bugzilla #533. Phil Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: fix hashlimit outputPhil Oester2008-08-041-1/+1
| | | | | | | | | In bugzilla 550, Xeb notes that the --hashlimit-htable-gcinterval argument is saved incorrectly. Patch below corrects. Patch-from: Xeb <xeb@mail.ru> Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_recent: do not allow both --set and --rttlJan Engelhardt2008-08-041-10/+23
| | | | | | | | | | | | Reported-by: Erich Schubert <erich@debian.org> Reference: Debian bug #346034 "I was using the --rttl option in my --set line; this caused all incoming ssh connections to be rejected; --rttl is only to be used with --rcheck and --update." Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove dependency on libiptc headersJan Engelhardt2008-08-044-0/+4
| | | | | | | | xtables.h does not need really need libxtc.h, and we can drop it from the install as it is internal-only. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* xt_string: string extension case insensitive matchingJoonwoo Park2008-07-071-10/+60
| | | | | | | | | The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag. Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_TOS: make sure --set-tos value/mask is recognizedJan Engelhardt2008-06-301-1/+2
| | | | | | | | | Only when a 'stop' pointer is passed, the string may consist of more than just a number. Reported-by: Anonymous Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iprange: kernel flags were not setJan Engelhardt2008-06-131-0/+6
| | | | | | | | | The --src-range and --dst-range parameters did not set the IPRANGE_* flags in struct xt_iprange_mtinfo. Reported-by: Maxim Britov <maxim.britov@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix `make install` when --disable-shared is usedJan Engelhardt2008-06-121-1/+1
| | | | | | | | | When --disable-shared is used, there are no .so files to install, and the argument order for install would get messed up. Reported-by: Michael Teicher <mteicher@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpage updatesJan Engelhardt2008-06-0818-43/+47
| | | | | | | | | A number of options support negation, but the manpage did not reflect this ("[!]" was absent). Also fix a few [] (optional arguments) to {} (required arguments) in the option-BNF. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* sparse warning fixes: integer used as pointerPatrick McHardy2008-06-075-9/+9
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_owner: add spaces to outputJan Engelhardt2008-06-061-23/+23
| | | | | | | | | | It could happen that --<arg><value> was printed on iptables-save with owner rules (owner_mt_save() function) without the obligatory space inbetween. Also transfer printing of the space character into owner_mt_print_item(). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* addrtype match: added revision 1Laszlo Attila Toth2008-06-062-16/+206
| | | | | | | | | In revision 1 address type checking can be limited to either the incoming or outgoing interface depending on the current chain. In the FORWARD chain only one of them is allowed at the same time. Signed-off-by: Laszlo Attila Toth <panther@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix iptables-save output of libxt_owner matchLutz Jaenicke2008-06-061-9/+9
| | | | | The _save functions need to use the same syntax that is used for parsing the input instead of "user readable" output.
* build: check for missing feature filesJan Engelhardt2008-06-051-0/+3
| | | | | | | | | | linux/dccp.h is unlikely to be installed before 2.6.18 (which was when headers_install was introduced), and does not exist at all before 2.6.14. Add a compile-time check to skip compilation of libxt_dccp in case this was detected. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: consistent syntaxPatrick McHardy2008-06-0230-83/+90
| | | | | | | | | | In the manpages, bold is used to denote characters the user has to enter verbatim, italic denotes placeholders and non-highlighted pieces are used as a structure: "[]" specifying an optional part, "{}" a mandatory part, with "|" used for alternations. The "!" for negation is better supported before the option than after it, too. The patch makes a few files consistent with this style already used in manpages.
* REDIRECT: Allow symbolic port in REDIRECT --to-portKristof Provost2008-05-261-0/+3
| | | | | | Fixes Bugzilla 482. Signed-off-by: Kristof Provost <kristof@sigsegv.be>
* Don't assume /bin/sh is bashThomas Jacob2008-05-201-6/+8
| | | | | | | | The new iptables git version assumes /bin/sh is always GNU bash, that's not the case (Ubuntu 8.04 uses dash), see attachment for a fix. Signed-off-by: Patrick McHardy <kaber@trash.net>