| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:
iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.
Fix it by bypassing the locking in the ip{6}tables-restore path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Set proper name of application.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Addendum to commit v1.4.3-rc1-41-g77f48c2 where the macro users
got moved.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
Don't you hate it when iptc_handle_t *x actually is a double-indirection
struct iptc_handle **? This also shows the broken constness model, since
"const iptc_handle_t x" = "iptc_handle_t const x" =
"struct iptc_handle *const x", which is like no const at all.
Lots of things to do then.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
xtables.h does not need really need libxtc.h, and we can drop it from
the install as it is internal-only.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds iptables --list-rules (-S) command, acting as a combination of
iptables --list and iptables-save.
The primary motivation behind this patch is to get iptables-save like
output capabilities in iptables-restore, allowing "iptables-restore -n"
to be used as a consistent API to iptables for all kind of operations,
not only blind updates..
As a bonus iptables also gets the capability of printing the rules
as-is.
This completely replaces the earlier patch which added the --rules
option.
Henrik Nordstrom <henrik@henriknordstrom.net>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
string_to_number_ll, string_to_number_l, string_to_number,
service_to_port, parse_port, parse_interface, are moved.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol family dependent infomations.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces
ip[6]t_* with them
- unifies following functions and move them to xtables.c
- find_{match,find_target}
- compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and make
register_{match,target}[6] call them. xtables_register_* register ONLY
matches/targets matched protocol family
Some concepts:
- source compatibility for libip[6]t_xxx.c with warning on compilation
not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables,
of cause.
- xtables is enough to support only one address family at runtime.
Then xtables keeps infomations of only the focused address famiy
in struct afinfo.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
66 and 67 is conflicted with IPv6 Advanced API in kernel <= 2.6.18.
|
|
|
|
|
| |
- Add support port range match to libip6t_multiport
(R?mi Denis-Courmont <rdenis@simphalempin.com>)
|
|
|
|
|
| |
The below patch (dependent upon my 'reduce service_to_port duplication' patch)
centralizes the parse_*_port functions into parse_port.
|
|
|
|
|
| |
The service_to_port function is used in a number of places, and could
benefit from some centralization instead of being duplicated everywhere.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If two or more matches of the same type are detected then the options
are assumed to be grouped in order to tell which option belongs
to which match:
... -m foo ... <options0> ... -m foo ... <options1> ...
Otherwise the commandline parsing is unmodified.
|
|
|
|
| |
Bugzilla #413
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
- iptables-save/-restore is no longer experimental
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|