summaryrefslogtreecommitdiffstats
path: root/include/linux
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libebt_ip: Include kernel headerPhil Sutter14 days1-3/+12
| | | | | | | Update the local copy of linux/netfilter_bridge/ebt_ip.h and include it instead of keeping the local copy of struct ebt_ip_info et al. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: un-break among match with concatenationFlorian Westphal2022-09-221-8/+475
| | | | | | | | | | The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags") breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but doesn't set the CONCAT flag. Update uapi header and also set CONCAT. Signed-off-by: Florian Westphal <fw@strlen.de>
* netfilter: add nf_log.hMarkus Mayer2022-06-281-0/+15
| | | | | | | | | | Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should be bundled alongside the other netfilter kernel headers. This copy of nf_log.h was taken from Linux 5.18. Signed-off-by: Markus Mayer <mmayer@broadcom.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* treewide: use uint* instead of u_int*Nick Hainke2022-05-181-1/+1
| | | | | | | | | | | | | | | | | | | | Gcc complains about missing types. Some commits introduced u_int* instead of uint*. Use uint treewide. Fixes errors in the form of: In file included from xtables-legacy-multi.c:5: xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'? 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, | ^~~~~~~~~ | uint16_t make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1 Avoid libipq API breakage by adjusting libipq.h include accordingly. For arpt_mangle.h kernel uAPI header, apply same change as in kernel commit e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t"). Signed-off-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1Phil Sutter2021-05-041-0/+6
| | | | | | | | | The changed data structure for communication with kernel allows to exclude the field 'secid' which is populated on kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content. Signed-off-by: Phil Sutter <phil@nwl.cc>
* include: Avoid undefined left-shift in xt_sctp.hPhil Sutter2020-05-291-3/+3
| | | | | | | | | | | | | Pull the fix in kernel commit 164166558aace ("netfilter: uapi: Avoid undefined left-shift in xt_sctp.h") into iptables repository. The original description is: With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is undefined for the signed 32-bit value 1. Avoid this by declaring 1 as unsigned. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: IDLETIMER: Add alarm timer optionManoj Basapathi2020-04-161-0/+12
| | | | | | | | | | | | | | Introduce "--alarm" option for idletimer rule. If it is present, hardidle-timer is used, else default timer. The default idletimer starts a deferrable timer or in other words the timer will cease to run when cpu is in suspended state. This change introduces the option to start a non-deferrable or alarm timer which will continue to run even when the cpu is in suspended state. Signed-off-by: Manoj Basapathi <manojbm@codeaurora.org> Signed-off-by: Sauvik Saha <ssaha@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_infoJuliana Rodrigueiro2019-08-201-0/+5
| | | | | | | | | | | | | | | | When running a 64-bit kernel with a 32-bit iptables binary, the size of the xt_nfacct_match_info struct diverges. kernel: sizeof(struct xt_nfacct_match_info) : 40 iptables: sizeof(struct xt_nfacct_match_info)) : 36 This patch is the userspace fix of the memory misalignment. It introduces a v1 ABI with the correct alignment and stays compatible with unfixed revision 0 kernels. Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_owner: Add supplementary groups optionLukasz Pawelczyk2019-06-191-3/+4
| | | | | | | | The --suppl-groups option causes GIDs specified with --gid-owner to be also checked in the supplementary groups of a process. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: extend the headers conflict workaround to in6.hBaruch Siach2018-12-031-1/+1
| | | | | | | | | | | | | Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2") introduced a kernel/user headers conflict workaround that allows build of iptables with kernel headers older than 4.2. This minor extension allows build with kernel headers older than 3.12, which is the version that introduced explicit IP headers synchronization. Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2") Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix build with kernel headers before 4.2Baruch Siach2018-11-171-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit 672accf1530 (include: update kernel netfilter header files) updated linux/netfilter.h and brought with it the update from kernel commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h from netns headers). This triggers conflict of headers that is fixed in kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with netinet/in.h) included in kernel version 4.2. For earlier kernel headers we need a workaround that prevents the headers conflict. Fixes the following build failure: In file included from .../sysroot/usr/include/netinet/ip.h:25:0, from ../include/libiptc/ipt_kernel_headers.h:8, from ../include/libiptc/libiptc.h:6, from libip4tc.c:29: .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’ IPPROTO_IP = 0, /* Dummy protocol for TCP */ ^ .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here IPPROTO_IP = 0, /* Dummy protocol for TCP. */ ^~~~~~~~~~ Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-191-5/+3
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-091-3/+5
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add cgroup revision 2Pablo Neira Ayuso2018-09-181-3/+20
| | | | | | Just like revision v1, but cgroup path field is smaller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update kernel netfilter header filesFlorian Westphal2018-06-173-8/+703
| | | | | | needed to get the TRACE definition. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-markJack Ma2018-05-081-0/+5
| | | | | | | | | | | | | | | This patch adds a new feature to iptables that allow bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide uses with more fexible uses of skb->mark and ct->mark. For example, users can save extra bits in skb->mark: skb->mark = ct->mark << 8; Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_srh: support matching previous, next and last SIDAhmed Abdelsalam2018-05-081-2/+41
| | | | | | | | This patch extends the libip6t_srh shared library to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_DNAT: support shifted portmap rangesThierry Du Tre2018-04-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | This is a proposal patch for iptables DNAT extension to support shifted portmap ranges. It is related to the kernel patch proposed in earlier message '[PATCH v5] netfilter : add NAT support for shifted portmap ranges'. A new struct nf_nat_range2 was added as extension for existing struct nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with older kernels is not impacted. The syntax for shifted portmaps uses an extra value in '--to-destination' for setting the base port which determines the offset in the redirect port range for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000' The base port value is totally optional, so current behavior is not impacted in any way. The use of slash '/' as separator is an arbitrary choice, all other suggestions are valid of course (original proposal used semicolon but this was not practical for commandline use) Another approach using an additional option seems also possible (i.e. '--base-port 5000'). However, that would mean more parsing logic with extra lines of code and thus increased risk for regression. Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add support for 'srh' matchAhmed Abdelsalam2018-01-121-0/+56
| | | | | | | | | This patch adds a new exetension to iptables to supprt 'srh' match The implementation considers revision 7 of the SRH draft. https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07 Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: xt_hashlimit: add rate match modeVishwanath Pai2017-09-081-6/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user specified value. The main difference between the existing algorithm and the new one is that the existing algorithm rate-limits the flow whereas the new algorithm does not. Instead it *classifies* the flow based on whether it is above or below a certain rate. I will demonstrate this with an example below. Let us assume this rule: iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets every second and send 5 packets to "new_chain". But with the new algorithm, as long as the rate of 15/s is sustained, all packets will continue to match and every packet is sent to new_chain. This new functionality will let us classify different flows based on their current rate, so that further decisions can be made on them based on what the current rate is. This is how the new algorithm works: We divide time into intervals of 1 (sec/min/hour) as specified by the user. We keep track of the number of packets/bytes processed in the current interval. After each interval we reset the counter to 0. When we receive a packet for match, we look at the packet rate during the current interval and the previous interval to make a decision: if [ prev_rate < user and cur_rate < user ] return Below else return Above Where cur_rate is the number of packets/bytes seen in the current interval, prev is the number of packets/bytes seen in the previous interval and 'user' is the rate specified by the user. We also provide flexibility to the user for choosing the time interval using the option --hashilmit-interval. For example the user can keep a low rate like x/hour but still keep the interval as small as 1 second. To preserve backwards compatibility we have to add this feature in a new revision, so I've created revision 3 for hashlimit. The two new options we add are: --hashlimit-rate-match --hashlimit-rate-interval I have updated the help text to add these new options. Also added a few tests for the new options. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: support ebpf pinned objectsWillem de Bruijn2016-12-101-1/+24
| | | | | | | | | | | | | | | Exercise the new kernel feature introduced in commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs. The new interface allows instantiating a bpf match using -m bpf --object-pinned ${PATH} where ${PATH} points to a node in a bpf virtual filesystem. See also the revised man page. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support ↵Vishwanath Pai2016-10-041-1/+25
| | | | | | | | | | | | | | | | higher pps rates Create a new revision for the hashlimit iptables extension module. Rev 2 will support higher pps of upto 1 million, Version 1 supports only 10k. To support this we have to increase the size of the variables avg and burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2 and xt_hashlimit_mtinfo2 and also create newer versions of all the functions for match, checkentry and destory. Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_NFLOG: nflog-range does not truncate packetsVishwanath Pai2016-07-011-1/+5
| | | | | | | | | | | | | | | | | | | | The option --nflog-range has never worked, but we cannot just fix this because users might be using this feature option and their behavior would change. Instead add a new option --nflog-size. This option works the same way nflog-range should have, and both of them are mutually exclusive. When someone uses --nflog-range we print a warning message informing them that this feature has no effect. To indicate the kernel that the user has set --nflog-size we have to pass a new flag XT_NFLOG_F_COPY_LEN. Also updated the man page to reflect the new option and added tests to extensions/libxt_NFLOG.t Reported-by: Joe Dollard <jdollard@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_cgroup2: add support for cgroup2 path matchingTejun Heo2015-12-231-0/+13
| | | | | | | | | | | | | | | | | This patch updates xt_cgroup so that it supports revision 1 interface which includes cgroup2 path based matching. v3: Folded into xt_cgroup as a new revision interface as suggested by Pablo. v2: cgroup2_match->userspacesize and ->save and man page updated as per Jan. Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Daniel Borkmann <dborkman@redhat.com> Cc: Jan Engelhardt <jengelh@inai.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_cgroup: prepare for multi revisionsTejun Heo2015-12-231-1/+1
| | | | | | | | | | | | libxt_cgroup will grow cgroup2 path based match. Postfix existing symbols with _v0 and prepare for multi revision registration. While at it, rename O_CGROUP to O_CLASSID and fwid to classid. Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Daniel Borkmann <dborkman@redhat.com> Cc: Jan Engelhardt <jengelh@inai.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add support for recently introduced zone optionsDaniel Borkmann2015-09-291-0/+3
| | | | | | | | This adds the user space front-end and man-page bits for the additional zone features (direction, mark) of the CT target. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* added missing icmpv6 codes in REJECTAndreas Herz2015-09-291-1/+3
| | | | | | | | | | | | | | RFC 4443 added two new codes values for ICMPv6 type 1: 5 - Source address failed ingress/egress policy 6 - Reject route to destination And RFC 7084 states in L-14 that IPv6 Router MUST send ICMPv6 Destination Unreachable with code 5 for packets forwarded to it that use an address from a prefix that has been invalidated. Signed-off-by: Andreas Herz <andi@geekosphere.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_socket: add --restore-skmark optionHarout Hedeshian2015-06-301-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets. Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else. Add the ability to retore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied. Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK. iptables -t mangle -I PREROUTING -m socket --transparent \ --restore-skmark -j action iptables -t mangle -A action -m mark --mark 10 -j action2 iptables -t mangle -A action -m mark --mark 11 -j action3 Signed-off-by: Harout Hedeshian <harouth@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Sync with upstream kernel headersFelix Janda2015-06-262-17/+20
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'ipset-next'Pablo Neira Ayuso2015-04-282-1/+16
|\ | | | | | | | | | | | | | | Get this patch into master: "Alignment problem between 64bit kernel 32bit userspace" As Jozsef requests.
| * Alignment problem between 64bit kernel 32bit userspaceJozsef Kadlecsik2014-11-062-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* | extensions: remove SAME targetFlorian Westphal2015-02-191-20/+0
| | | | | | | | | | | | removed from the kernel December 2007. Signed-off-by: Florian Westphal <fw@strlen.de>
* | ebtables-compat: add mark target extensionArturo Borrero2015-02-031-0/+23
| | | | | | | | | | | | | | Translate the mark target extension to the xtables-compat environment. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | ebtables-compat: add mark_m match extensionArturo Borrero2015-01-301-0/+16
| | | | | | | | | | | | | | Translate mark_m match extension to the xtables-compat environment. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | ebtables-compat: add 'ip' match extensionArturo Borrero2015-01-281-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the 'ip' match extension to ebtables-compat. It involves adapting old ebtables extension code to the xtables-compat environment. For testing: % sudo ebtables-compat -p 0x0800 --ip-src 1.1.1.1 -j ACCEPT The patch includes a cached copy of the extension kernel header. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.hArturo Borrero2015-01-281-0/+63
| | | | | | | | | | | | | | | | Cache a copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h which contains the struct ebt_802_3_info definition. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | ebtables-compat: use ebtables_command_state in bootstrap codePablo Neira Ayuso2014-11-241-276/+0
| | | | | | | | | | | | | | | | | | | | | | And introduce fake ebt_entry. This gets the code in sync in other existing compat tools. This will likely allow to consolidate common infrastructure. This code is still quite experimental. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft: bootstrap ebtables-compatPablo Neira Ayuso2014-11-242-0/+309
|/ | | | | | | | | | | | | | | | | | | This patch bootstraps ebtables-compat, the ebtables compatibility software upon nf_tables. [ Original patches: http://patchwork.ozlabs.org/patch/395544/ http://patchwork.ozlabs.org/patch/395545/ http://patchwork.ozlabs.org/patch/395546/ I have also forward port them on top of the current git HEAD, otherwise compilation breaks. This bootstrap is experimental, this still needs more work. --Pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'ipset'Pablo Neira Ayuso2014-11-052-0/+20
|\ | | | | | | | | | | This provides the ipset skbinfo extension. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)Anton Danilov2014-09-142-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This feature add support of mapping metainformation to packets like nftables maps or ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue. Usage of this functionality allowed only from mangle table. We can map tc priority only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision. If entry doesn't exist in the set nothing of fields changed. Example of classify by destination address: iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* | refresh nf_tables.h cached copyPablo Neira Ayuso2014-10-091-1/+76
|/ | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add linux/filter.hWillem de Bruijn2014-07-301-0/+139
| | | | | | | | xt_bpf.h includes linux/filter.h for the definition of sock_filter. add that file to the repository Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next-3.14'Pablo Neira Ayuso2014-05-163-4/+35
|\
| * iptables: add libxt_cgroup frontendDaniel Borkmann2014-01-041-0/+11
| | | | | | | | | | | | | | | | | | This patch adds the user space extension/frontend for process matching based on cgroups from the kernel patch entitled "netfilter: xtables: lightweight process control group matching". Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: snat: add randomize-full supportDaniel Borkmann2014-01-041-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides the userspace part for snat in order to make randomize-full support available in {ip,nf}tables. It allows for enabling full port randomization that was motivated in [1] and introduced to the kernel in [2]. Joint work between Hannes Frederic Sowa and Daniel Borkmann. [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf [2] http://patchwork.ozlabs.org/patch/304306/ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: Add IPv4/6 IPcomp match supportfan.du2013-12-241-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value. For example: iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP IPcomp packet with spi as 0x12 will be dropped. Signed-off-by: Fan Du <fan.du@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | update FSF address in license textJiri Popelka2014-03-131-1/+1
| | | | | | | | | | | | | | http://www.gnu.org/licenses/gpl-2.0.html http://www.fsf.org/about/contact/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | include: Update nftables API header in sync with kernel's oneTomasz Bursztyka2013-12-301-7/+296
| | | | | | | | | | | | | | Many changes were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | xtables: batch rule-set updates into one single netlink messagePablo Neira Ayuso2013-12-302-47/+4
| | | | | | | | | | | | | | | | With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | include: cache netfilter_arp kernel headersPablo Neira Ayuso2013-12-303-0/+249
| | | | | | | | | | | | | | To ensure that compilation does not break if Linux kernel headers are not installed in the system. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>