path: root/extensions
Commit message | Author | Age | Files | Lines
* extensions: libxt_string: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+18
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_state: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_CT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+20
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_pkttype: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_ttl.t: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+15
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_NFQUEUE: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_icmp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+15
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_helper: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_esp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+9
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_dccp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+30
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_NFLOG: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+19
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tos: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+13
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+26
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_udp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+22
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_length: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+10
    based on tests/options-most.rules
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_time: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+4
    based on tests/options-most.rules
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_hashlimit: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+26
    based on tests/options-most.rules
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_CONNMARK: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+7
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connmark: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+9
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlimit: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+16
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connbytes: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+21
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_CLASSIFY: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+9
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_CHECKSUM: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+4
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_AUDIT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_comment: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_cluster: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+10
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_LOG: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_addrtype: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+17
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_LOG: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_ah: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+14
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_ah: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: extensions/GNUMakefile.in use CPPFLAGS | Laurence J. Lane | 2013-09-27 | 1 | -1/+1
    "All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in doesn't set it."
    http://bugs.debian.org/665286
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_LOG: use generic syslog reference in manpage | Laurence J. Lane | 2013-09-27 | 1 | -4/+2
    Fedora, ArchLinux, Ubuntu, and Debian, at the least, use alternative syslog daemons by default these days. Let's make the syslog reference generic.
    Reference: http://bugs.debian.org/567564
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_string.man add examples | Laurence J. Lane | 2013-08-24 | 1 | -0/+10
    Add usage examples for string and hex string patterns.
    References: http://bugs.debian.org/699904
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: libxt_recent.{c,man} dead URL | Laurence J. Lane | 2013-08-24 | 2 | -4/+1
    Remove it.
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: libip(6)t_REJECT.man default icmp types | Laurence J. Lane | 2013-08-22 | 2 | -7/+6
    The extension man page shows "port-unreach" and "port-unreachable" as default icmpv6 and icmp reject-with types. Either and variations work fine for writing rules, but they are displayed as "icmp6-port-unreachable" and "icmp-port-unreachable". Let's make that consistent.
    http://bugs.debian.org/644819
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_conntrack.man extraneous commas | Laurence J. Lane | 2013-08-22 | 1 | -2/+2
    The first might work. The second doesn't. (The other corrections in the bug report are already implemented.)
    http://bugs.debian.org/654983
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_hashlimit.man: correct address | Laurence J. Lane | 2013-08-22 | 1 | -1/+1
    Corrects an example address with subnet mask.
    http://bugs.debian.org/698393
    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable-1.4.20' | Pablo Neira Ayuso | 2013-08-08 | 1 | -0/+6
|\
    To retrieve: iptables: state match incompatibility across versions
| * iptables: state match incompatibility across versions | Phil Oester | 2013-08-08 | 1 | -0/+6
    As reported in Debian bug #718810 [1], state match rules added in < 1.4.16 iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
    Issue bisected to commit 0d701631 (libxt_state: replace as an alias to xt_conntrack).
    Fix this by adding the missing .print and .save functions for state match aliases in the conntrack match.
    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man | Florian Westphal | 2013-08-06 | 1 | -6/+7
    ... and remove the QUEUE snippets from ip(6)tables man page, the queue target was replaced by nfqueue years ago.
    Fix up a couple of needless differences in ip(6)tables.8, too.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* | extensions: libxt_socket: update man page | Florian Westphal | 2013-08-06 | 1 | -2/+19
    Document --nowildcard option and its implications when using -m socket to intercept packets.
    While at it, update man page with Balazs Scheidler's comments from nf_tproxy_core.h in kernel tree to better explain how lookup is performed.
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* | xt_socket: add --nowildcard flag | Eric Dumazet | 2013-08-06 | 1 | -0/+62
|/
    xt_socket module can be a nice replacement to conntrack module in some cases (SYN filtering for example)
    But it lacks the ability to match the 3rd packet of TCP handshake (ACK coming from the client).
    Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism
    The wildcard is the legacy socket match behavior, that ignores LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)
    iptables -I INPUT -p tcp --syn -j SYN_CHAIN
    iptables -I INPUT -m socket -j ACCEPT
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: Add the "NOTRACK" alias | Jozsef Kadlecsik | 2013-07-24 | 2 | -2/+50
    Available since Linux kernel 3.8.
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_LOG: target output is different to libipt_LOG | Phil Oester | 2013-07-24 | 1 | -2/+4
    libipt_LOG is using the xtables_save_string func, which escapes unsafe characters as needed. libip6t_LOG should do the same.
    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_recent: restore minimum value for --seconds | Pablo Neira Ayuso | 2013-07-24 | 1 | -1/+1
    This checking was accidentally removed in (74ded72 libxt_recent: add --mask netmask).
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlabel: use libnetfilter_conntrack | Florian Westphal | 2013-07-16 | 3 | -115/+33
    Pablo suggested to make it depend on lnf-conntrack, and get rid of the example config file as well.
    The problem is that the file must be in a fixed path, /etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file" when translating names to their bit values (and vice versa).
    Originally "make install" did put an example file into /etc/xtables/, but distributors complained about iptables ignoring the sysconfdir.
    So rather remove the example file, the man-page explains the format, and connlabels are inherently system-specific anyway.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libipt_ULOG: man page should mention NFLOG as replacement | Florian Westphal | 2013-07-15 | 1 | -1/+2
    Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_recent: restore reap functionality to recent module | Russell Senior | 2013-07-15 | 1 | -0/+2
    The reap functionality appears to have been accidentally disabled by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15 and later. This adds a patch to restore reap functionality for recent_opts_v1.
    Patch obtained via: http://patchwork.openwrt.org/patch/3812/
    Signed-off-by: Russell Senior <russell@personaltelco.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Introduce a new revision for the set match with the counters support | Jozsef Kadlecsik | 2013-06-07 | 2 | -2/+261
    The revision adds the support of matching the packet/byte counters if the set was defined with the extension. Also, a new flag is introduced to suppress updating the packet/byte counters if required.
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>