path: root/extensions
Commit log (columns: Commit message, Author, Date, Files, Lines)
* Add the "state" alias to the "conntrack" match
  Author: Jozsef Kadlecsik | Date: 2013-01-28 | Files: 2 | Lines: -4/+25
* doc: name the supported log levels for ipt_LOG
  Author: Jan Engelhardt | Date: 2013-01-07 | Files: 2 | Lines: -2/+8

  Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may not exist on certain systems. Referencing that manpage is not a good idea in any case, I believe, since the strings that are accepted are defined by iptables and not a syslog implementation.

  References: http://bugs.debian.org/567564

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_DNAT: set IPv6 DNAT --to-destination
  Author: Ulrich Weber | Date: 2013-01-04 | Files: 1 | Lines: -5/+5

  as in IPv4 and fixes DNAT_save

  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extension: libip6t_DNAT: allow port DNAT without address
  Author: Ulrich Weber | Date: 2013-01-04 | Files: 2 | Lines: -6/+16

  correct parsing of IPv6 port NAT without address NAT, assume one colon as port information.

  Allows:

    * address only:
      -j DNAT --to affe::1
      -j DNAT --to [affe::1]

    * port only
      -j DNAT --to :80
      -j DNAT --to :80-110
      -j DNAT --to []:80
      -j DNAT --to []:80-110

    * address and port
      -j DNAT --to [affe::1]:80
      -j DNAT --to [affe::1]:80-110

  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_DNPT: fix wording in DNPT target
  Author: Ulrich Weber | Date: 2013-01-03 | Files: 1 | Lines: -9/+9

  replaces SNPT by DNPT. This fixes the broken help message that points to SNPT.

  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve link failure for ip6t_NETMAP
  Author: Jan Engelhardt | Date: 2013-01-02 | Files: 1 | Lines: -8/+12

  Link stage of libip6t_NETMAP failed since recently.

    CCLD   libip6t_NETMAP.so
    /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: cannot find -lip6tc

  libip6t_NETMAP.c uses the "ipv6_prefix_length" function from libip6tc.so; "-lip6tc" is used in the Makefile, but the directory to it is not specified. Why does the link succeed for some people? Because /usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments, especially those without iptables development files, have that file, hence this link error can happen.

  By suggestion of Mike Frysinger, this patch uses libtool to produce and link the plugins.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Acked-by: Mike Frysinger <vapier@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_statistic: Fix save output
  Author: Tom Eastep | Date: 2012-11-19 | Files: 1 | Lines: -1/+1

  Suppressing '--packet 0' in save output resulted in restore failure. This patch includes '--packet 0' in save output while continuing to suppress it in print output.

  Signed-off-by: Tom Eastep <teastep@shorewall.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next' branch that contains new features scheduled for Linux kernel 3.7
  Author: Pablo Neira Ayuso | Date: 2012-10-25 | Files: 17 | Lines: -87/+1184

  The following commits were merged from 'next':
  * libxt_time: add support to ignore day transition
    Author: Florian Westphal | Date: 2012-09-30 | Files: 2 | Lines: -0/+32

    Currently, if you want to do something like:
    "match Monday, starting 23:00, for two hours"
    You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.

    The rule
      --weekdays Mo --timestart 23:00 --timestop 01:00
    looks correct, but it will first match on Monday from midnight to 1 a.m. and then again for another hour from 23:00 onwards.

    This permits userspace to explicitly ignore the day transition and match for a single, continuous time period instead.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * extensions: add NPT extension
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 2 | Lines: -0/+142

    Add extensions for the SNPT and DNPT stateless IPv6-to-IPv6 Network Prefix Translation targets.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * extensions: add IPv6 NETMAP extension
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 2 | Lines: -1/+94

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add IPv6 REDIRECT extension
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 1 | Lines: -0/+151

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add IPv6 DNAT target
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 1 | Lines: -0/+247

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add IPv6 SNAT extension
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 1 | Lines: -0/+247

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add IPv6 MASQUERADE extension
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 2 | Lines: -0/+180

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * Convert the NAT targets to use the kernel supplied nf_nat.h header
    Author: Patrick McHardy | Date: 2012-09-10 | Files: 6 | Lines: -86/+91

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve compile abort in libxt_limit on RHEL5
  Author: Jan Engelhardt | Date: 2012-10-10 | Files: 2 | Lines: -0/+4

    libxt_limit.c: In function 'print_rate':
    libxt_limit.c:124: error: 'INFINITY' undeclared (first use in this function)

  The default mode of glibc-2.15's <features.h> sets "-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However, on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L".

  Explicitly draw in the definition of INFINITY by always defining _ISOC99_SOURCE. By doing this, we are moving off of the default set, so _BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is used in xt_hashlimit.h.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove symlink-only extensions from static object list
  Author: Jan Engelhardt | Date: 2012-10-09 | Files: 1 | Lines: -4/+4

    $ ./configure --enable-static --disable-shared --enable-ipv4 --enable-ipv6 && make
    [...]
    make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by "libext.a". Stop.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of git://git.inai.de/iptables
  Author: Jan Engelhardt | Date: 2012-09-30 | Files: 6 | Lines: -58/+35

  Conflicts:
    extensions/GNUmakefile.in

  Resolution: trivial, since this was a fuzz 3.
  Reason: Line added from v1.4.15-16-g33710a5 was in the vicinity of changes from v1.4.15-22-g4496801.

  The following commits were merged:
  * doc: have NOTRACK manpage point to CT instead
    Author: Jan Engelhardt | Date: 2012-09-30 | Files: 2 | Lines: -6/+4

    The module is obsolete, so point to CT --notrack instead.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * doc: trim "state" manpage and reference conntrack instead
    Author: Jan Engelhardt | Date: 2012-09-30 | Files: 2 | Lines: -23/+7

    The module is practically obsolete, so just pinpoint to the replacement in short order.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * doc: deduplicate extension descriptions into a new manpage
    Author: Jan Engelhardt | Date: 2012-09-30 | Files: 2 | Lines: -22/+17

    iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences.

    Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT).

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * doc: clean up interpunction in state list for xt_conntrack
    Author: Jan Engelhardt | Date: 2012-09-30 | Files: 1 | Lines: -8/+8

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* Merge branch 'master' of git://git.inai.de/iptables
  Author: Jan Engelhardt | Date: 2012-09-30 | Files: 5 | Lines: -152/+237

  The following commits were merged:
  * libxt_state: replace as an alias to xt_conntrack
    Author: Jan Engelhardt | Date: 2012-09-30 | Files: 3 | Lines: -138/+194

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * libxt_NOTRACK: replace as an alias to CT --notrack
    Author: Jan Engelhardt | Date: 2012-09-29 | Files: 3 | Lines: -15/+44

    Note that we do not need any print/save functions for the alias entries, since the real CT entry will handle this.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* New set match revision with --return-nomatch flag support
  Author: Jozsef Kadlecsik | Date: 2012-09-21 | Files: 2 | Lines: -0/+104
* build: have `make clean` remove dep files too
  Author: Jan Engelhardt | Date: 2012-09-10 | Files: 1 | Lines: -1/+1

  While changing branches, one can hit errors like:

    make[2]: *** CC libipt_CLUSTERIP.oo No hay ninguna regla para construir el objetivo `../include/net/netfilter/nf_nat.h', necesario para `libipt_DNAT.oo'. Alto.

  Pablo thinks dep files should be removed on `make clean`, and I concur. (JFI, Note that native automake would not clear its ".deps" directory.)

  Keep the "distclean: clean" line to keep invocations by automake from the parent directory working.

  Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_addrtype: fix typo in help message
  Author: Pablo Neira Ayuso | Date: 2012-09-08 | Files: 1 | Lines: -1/+1

    --limit-iface-out  Match only on the packet's incoming device

  Note that it says "incoming" when it should say "outcoming".

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_tcp: print space before, not after "flags:"
  Author: Andreas Schwab | Date: 2012-08-21 | Files: 1 | Lines: -3/+2

    tcp dpt:10flags: 0x17/0x02
             ^^

  Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_frag: match any frag id by default
  Author: Michal Kubeček | Date: 2012-08-08 | Files: 1 | Lines: -0/+8

  If no --fragid option is given, the frag extension only matches fragments with a zero-valued "Identification" field. This behavior deviates from what other extensions do (they match all values in this case) and is unexpected, and therefore changed by this patch.

  Additionally, --fragid 0:4294967295 leads to no output on `iptables -S` because part of the code thinks that this would be the default, when it is not. So, default to match all frag values, such that iptables -S not outputting anything also becomes correct.

  Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_*limit: avoid division by zero
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 2 | Lines: -10/+24

  It was possible to specify -A mychain -m hashlimit --hashlimit 600059/minute; this would convert to r->avg=0, which subsequently causes a division by zero when printing with -S mychain.

  1. Avoid division by zero in print_rate by printing infinity instead.
  2. Rewrite the test in parse_rate to properly reject too high rates.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_LED: guard against negative numbers
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 1 | Lines: -2/+5

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>

* libxt_devgroup: guard against negative numbers
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 1 | Lines: -4/+6

  More corrections of the strtoul kind.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>

* libxt_devgroup: consolidate devgroup specification parsing
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 1 | Lines: -40/+30

  This is a small cleanup, reducing the two copies of X/Y parsing to one.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>

* libxt_u32: do bounds checking for @'s operands
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 1 | Lines: -8/+4

  Using only strtoul is prone to accept all values, including negative ones which are not explicitly allowed. Therefore, use xtables_strtoui with bounds checking.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>

* doc: grammatical updates to libxt_SET
  Author: Jan Engelhardt | Date: 2012-07-31 | Files: 1 | Lines: -6/+6

  Cherry-picked these from recent patches from Mr Dash Four.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_recent: add --mask netmask
  Author: Denys Fedoryshchenko | Date: 2012-07-31 | Files: 2 | Lines: -21/+161

  This new option will be available in the Linux kernel 3.5

  [ Pablo fixed coding-style issues and cleaned up this. Added manpages as well ]

  Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_HMARK: correct a number of errors introduced by Pablo's rework
  Author: Hans Schillstrom | Date: 2012-07-17 | Files: 1 | Lines: -19/+26

  * Fix typo in --hmark-rnd description.
  * Remove trailing -set from port and spi options.
  * Take missing value for ports and spi from command line.
  * Fix spi / port validation.
  * Remove --hmark-offset as mandatory.

  Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_HMARK: fix ct case example
  Author: Pablo Neira Ayuso | Date: 2012-07-16 | Files: 1 | Lines: -2/+2

    ... -j HMARK --hmark-tuple ct,src,dst --hmark-offset 10000 ...

  Note `ct' requires also the tuples.

  Reported-by: Hans Schillstrom <hans@schillstrom.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_HMARK: fix output of iptables -L
  Author: Hans Schillstrom | Date: 2012-07-16 | Files: 1 | Lines: -8/+8

  Fix accidental swap of [s|d]port-mask and [s|d]port-port.
  Use xtables_ipmask_to_cidr instead of xtables_ipmask_to_numeric.

  Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_hashlimit: add support for byte-based operation
  Author: Florian Westphal | Date: 2012-07-14 | Files: 2 | Lines: -15/+175

  allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ] to make hashlimit match when X bytes/second are exceeded; optionally, Y bytes will not be matched (i.e. bursted).

  [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

    libxt_hashlimit.c: In function ‘parse_bytes’:
    libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_recent: remove unused variable
  Author: Eldad Zack | Date: 2012-07-14 | Files: 1 | Lines: -2/+0

  The info variable is assigned but never read in recent_check().

  Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add HMARK target
  Author: Hans Schillstrom | Date: 2012-07-14 | Files: 2 | Lines: -0/+503

  The target allows you to mark packets based on Jenkins' hash calculation:

    h(t, rnd) = x
    mark = (x % mod) + offset

  where:

  * t is a tuple that is used for the hashing:
      t = [ src, dst, proto, sport, dport ]
    Note that you can customize the tuple, thus, removing some component that you don't want to use for the calculation. You can also use spi instead of sport and dport, btw.
  * rnd is the random seed that is explicitly passed via --hmark-rnd
  * mod is the modulus, to determine the range of possible marks
  * offset determines where the mark starts from

  This target only works for the "raw" and "mangle" tables.

  This can be used to distribute flows between a cluster of systems and uplinks.

  Initially based on work from Hans Schillstrom. Pablo took it over and introduced several improvements.

  Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_devgroup: add man page snippet
  Author: Florian Westphal | Date: 2012-07-04 | Files: 1 | Lines: -0/+7

  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_rateest: output all options in save hook
  Author: Florian Westphal | Date: 2012-05-22 | Files: 1 | Lines: -21/+34

  ipt-restore fails to parse the ipt-save output:

    zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5

  (should be "--rateest-pps 5 --rateest-lt").

  Also, the "delta" option was never shown in -save output, but twice in some cases when using "iptables -L".

  Also, the "b/pps1" option must be shown when "delta" option is used with relative mode.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libipt_ULOG: fix --ulog-cprange
  Author: Pablo Neira Ayuso | Date: 2012-05-09 | Files: 1 | Lines: -2/+2

  In 1f2474a (libipt_ULOG: use guided option parser), a bug has been accidentally introduced in --ulog-cprange, limiting possible values from 1 to 50. However, that limit should be applied to --ulog-qthreshold.

  Reported-by: Gaurav Sinha <vgsinha@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add --timeout option
  Author: Pablo Neira Ayuso | Date: 2012-04-02 | Files: 2 | Lines: -12/+127

  This patch adds the --timeout option to allow to attach timeout policy objects to flows, e.g.

    iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
        -j CT --timeout custom-tcp-policy

  You need the nfct(8) tool which is available at:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

  To define the cttimeout policies. Example of usage:

    nfct timeout add custom-tcp-policy inet tcp established 1000

  The new nfct tool also requires libnetfilter_cttimeout:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add nfacct match
  Author: Pablo Neira Ayuso | Date: 2012-03-27 | Files: 2 | Lines: -0/+119

  This patch provides the user-space iptables support for the nfacct match.

  This can be used as it follows:

    nfacct add http-traffic
    iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
    nfacct get http-traffic

  See also man nfacct(8) for more information.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mark newly opened fds as FD_CLOEXEC (close on exec)
  Author: Maciej Żenczykowski | Date: 2012-03-23 | Files: 1 | Lines: -0/+7

  By default, Unix-like systems leak file descriptors after fork/exec call. I think this seems to result in SELinux spotting strange AVC log messages according to what I can find on the web. Fedora 18 iptables source includes this change.

  Maciej says:

  "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise."

  Signed-off-by: Maciej Żenczykowski <maze@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>