summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* libxt_string: escape the escaping char tooJan Engelhardt2011-08-261-1/+1
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=740 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: replace hex codes by char equivalentsJan Engelhardt2011-08-251-3/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: simplify hex output routineJan Engelhardt2011-08-251-7/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: observe new default gc-expire time when savingJan Engelhardt2011-08-211-13/+20
| | | | | | | | Since a while, --htable-gc-expire defaults to the chosen time quantum instead of 10 fixed seconds, which leads the expiry value to be always printed, which is redundant. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: remove superfluous inversionJan Engelhardt2011-08-211-2/+1
| | | | | | --dir cannot be inverted. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_physdev: restore inversion supportJan Engelhardt2011-08-211-3/+4
| | | | | | | | Bug origin is in commit v1.4.11~26^2~4. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_owner: restore inversion supportJan Engelhardt2011-08-211-1/+2
| | | | | | | | Bug origin is in commit v1.4.11~16^2~7. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_ttl: document that negation is availableJan Engelhardt2011-08-212-2/+2
| | | | | | Glitch since commit v1.2.1~75. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_dst: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-211-0/+3
| | | | | | Bug origin is in commit v1.4.11~26^2~18. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_hbh: restore setting IP6T_OPTS_LEN flagJan Engelhardt2011-08-211-0/+1
| | | | | | Bug origin is in commit v1.4.11~26^2~17. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: remove inversion from hashlimit rev 0Jan Engelhardt2011-08-211-11/+2
| | | | | | | Revision 0 indeed did not have inversion support, nor presence of --hashlimit-above. This glitch was added in v1.4.11~16^2~10. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_frag: restore inversion supportJan Engelhardt2011-08-211-0/+16
| | | | | | | | --fraglen also was not printed since v1.4.11~26^2~22. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix --ctproto 0 outputJan Engelhardt2011-08-211-4/+5
| | | | | | | | | | | First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER. (Next commit will flag this.) Furthermore, l4proto is of type uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not work => revert v1.4.12~1^2. Bug goes back to v1.4.12~1^2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: default htable-expire must be in millisecondsJan Engelhardt2011-08-211-2/+2
| | | | | | Bug goes back to v1.4.12~3^2~11. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dscp: restore inversion supportJan Engelhardt2011-08-211-2/+3
| | | | | | References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: fix random output of ! on --dccp-optionJan Engelhardt2011-08-211-1/+1
| | | | | | | | | | | dccp-option tests info->typemask, but it really should look at info->invflags instead. This bug goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: provide man pages options in short help tooJan Engelhardt2011-08-212-2/+5
| | | | | | | | This omission goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: spell out option name on saveJan Engelhardt2011-08-211-1/+1
| | | | | | | | This glitch goes back to commit v1.3.4~11. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: fix deprecated intrapositional ordering of !Jan Engelhardt2011-08-211-4/+5
| | | | | | | | This bug goes back to v1.4.3~63. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_dccp: restore missing XTOPT_INVERT tags for optionsJan Engelhardt2011-08-211-2/+3
| | | | | | | | This regression goes back to v1.4.11~19^2. References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700 References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: remove one misleading commentJan Engelhardt2011-08-211-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: clarify libxt_connlimit defaultsJan Engelhardt2011-08-211-1/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: fix space around argumentsDwight Davis2011-08-201-2/+2
| | | | | | | Fix oversight from commit v1.4.11~80. References: http://bugs.debian.org/637499 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_set: put differing variable names in directlyJan Engelhardt2011-08-202-18/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix typo in libxt_TRACEBernard Massot2011-08-201-1/+1
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=736 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_tcp: always print the mask partsJan Engelhardt2011-08-201-3/+1
| | | | | | | | | 0xFF is unlikely to happen (given that ALL translates to 0x3F at most), but assuming that through magic, 0xFF was put into memory, iptables -S/iptables-save would ignore printing it, practically outputting just one argument to --tcp-flags which currently wants two. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_set: update man page about kernel support on the featureJan Engelhardt2011-08-202-6/+4
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_u32: fix missing allowance for inversionJan Engelhardt2011-08-201-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-08-094-60/+61
|\
| * libxt_string: define _GNU_SOURCE for strnlenJan Engelhardt2011-08-011-0/+1
| | | | | | | | | | | | | | | | | | On RHEL-5.6 and clones with its gcc-4.1.2 and glibc-2.5: libxt_string.c: In function "parse_string": libxt_string.c:84: warning: implicit declaration of function "strnlen" Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_TCPMSS: restore build with IPv6-less libcsJan Engelhardt2011-07-222-4/+4
| | | | | | | | | | | | | | Commit v1.4.10-149-gea2a02f added an netinet/ip6.h include, which is not available on systems without IPv6 header files. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * extensions: use multi-target registrationJan Engelhardt2011-07-222-56/+56
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-07-116-47/+42
|\|
| * libxt_conntrack: move more data into the xt_option_entryJan Engelhardt2011-07-101-8/+6
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_conntrack: restore network-byte order for v1,v2Jan Engelhardt2011-07-101-7/+39
| | | | | | | | | | | | References: http://bugs.debian.org/632804 References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * option: remove last traces of intrapositional negationJan Engelhardt2011-07-105-35/+0
| | | | | | | | | | | | Intrapositional negation was deprecated in 1.4.3. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2011-06-308-109/+99
|\|
| * doc: fix group range in libxt_NFLOG's manJakub Zawadzki2011-06-241-1/+1
| | | | | | | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=723 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_RATEEST: fix userspacesize fieldMassimo Maggi2011-06-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I cannot delete a rule by matching it if the target of the rule is RATEEST. Copy-paste from terminal: # iptables -t mangle -A PREROUTING -j RATEEST --rateest-name somename --rateest-interval 250ms --rateest-ewmalog 4s # iptables -t mangle -D PREROUTING -j RATEEST --rateest-name somename --rateest-interval 250ms --rateest-ewmalog 4s iptables: No chain/target/match by that name. I saw in comments of the kernel code that the last part of the struct xt_rateest_target_info is used only by kernel: struct xt_rateest_target_info { char name[IFNAMSIZ]; __s8 interval; __u8 ewma_log; /* Used internally by the kernel */ struct xt_rateest *est __attribute__((aligned(8))); }; but in struct xtables_target, .size and .userspacesize are equal. Simply correcting this solved the problem. References: http://bugzilla.netfilter.org/show_bug.cgi?id=724 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_hashlimit: use a more obvious expiry value by defaultJan Engelhardt2011-06-221-16/+41
| | | | | | | | | | | | | | | | | | | | Due to the previous default expiry of 10 sec, "--hashlimit 1/min" would allow matching up to 6/min if a properly timed. To do what the user expects, the minimum expiry must equal the selected time quantum however. Cc: Jan Rovner <jan.rovner@diadema.cz> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_state: fix regression about inversion of main optionJan Engelhardt2011-06-221-1/+1
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libip6t_HL: fix option names from ttl -> hlJan Engelhardt2011-06-221-3/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_RATEEST: abolish global variablesJan Engelhardt2011-06-211-7/+12
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_rateest: abolish global variablesJan Engelhardt2011-06-211-9/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_RATEEST: use guided option parserJan Engelhardt2011-06-211-64/+30
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libipt_LOG: fix ignoring all but last flagsJan Engelhardt2011-06-212-10/+10
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | doc: document IPv6 TOS mangling bug in old Linux kernelsFernando Luis Vazquez Cao2011-06-171-7/+16
|/ | | | | | | | | | | | | | | | In Linux kernels up to and including 2.6.38, with the exception of longterm releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby IPv6 TOS mangling does not behave as documented and differs from the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs to be inverted before applying it to the original TOS field. However, the aformentioned kernels forgo the inversion which breaks --set-tos and its mnemonics. (*) Fixed by upstream commit: 1ed2f73d90fb49bcf5704aee7e9084adb882bfc5 (netfilter: IPv6: fix DSCP mangle code) Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: fix MASQUERADE section of man pageVlad Dogaru2011-06-081-1/+1
| | | | | | | | The section about MASQUERADE specifies that it takes a single option, but in reality it takes two: --to-ports and --random. Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: fix trivial typo in libipt_SNATElie De Brauwer2011-06-011-1/+1
| | | | | | | The word "occur" had ufortunately been removed in v1.3.8~23. References: http://bugzilla.netfilter.org/show_bug.cgi?id=707 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move remaining preprocessor flags to CPPFLAGSMike Frysinger2011-06-011-2/+2
| | | | | References; http://bugzilla.netfilter.org/show_bug.cgi?id=713 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>