summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* iptables: add -C to check for existing rulesStefan Tomanek2011-03-082-0/+12
| | | | | | | | | | | | | | | | | It is often useful to check whether a specific rule is already present in a chain without actually modifying the iptables config. Services like fail2ban usually employ techniques like grepping through the output of "iptables -L" which is quite error prone. This patch adds a new operation -C to the iptables command which mostly works like -D; it can detect and indicate the existence of the specified rule by modifying the exit code. The new operation TC_CHECK_ENTRY uses the same code as the -D operation, whose functions got a dry-run parameter appended. Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add extension for devgroup matchPatrick McHardy2011-02-031-0/+21
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_connlimit: remove duplicate member that caused size changeJan Engelhardt2011-01-201-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: libxt_conntrack: add support for specifying port rangesPatrick McHardy2011-01-201-0/+15
| | | | | | | Add support for revision 3 of the conntrack match, which allows to specify port ranges for origsrc/origdst/replsrc/repldst. Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass optionFlorian Westphal2011-01-201-0/+6
| | | | | | | | --queue-bypass: if no userpace program is listening on the queue, then allow packets to continue through the ruleset instead of dropping them. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_AUDIT: add AUDIT targetThomas Graf2011-01-201-0/+30
| | | | | | | | | libxt module for the AUDIT target. -j AUDIT --type (accept|reject|drop) Signed-off-by: Thomas Graf <tgraf@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_connlimit: support for dstaddr-supporting revision 1Jan Engelhardt2011-01-191-2/+12
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xt_comment: remove redundant castJan Engelhardt2011-01-071-1/+1
|
* include: update files with headers from Linux 2.6.37-rc1Jan Engelhardt2010-12-0316-48/+81
| | | | Also includes the type change to __u{8,16,32} kernel types already.
* Revert "Revert "libxtables: change option precedence order to be intuitive""Jan Engelhardt2010-11-151-2/+3
| | | | | This reverts commit e84f131b5f992577119bd3679241f69ec394e0a7. Solution follows.
* Revert "libxtables: change option precedence order to be intuitive"Patrick McHardy2010-11-151-3/+2
| | | | | | | | | | | This reverts commit 600f38db82548a683775fd89b6e136673e924097. The commit breaks option parsing: iptables v1.4.9: host/network `port' not found Try `iptables -h' or 'iptables --help' for more information. Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: change option precedence order to be intuitiveJan Engelhardt2010-10-291-2/+3
| | | | | | | | | | | | | When using `-m mark --mark 2 -m connmark --mark 2`, the user currently gets an error about the (libxt_mark) --mark option being used twice. This is because libxt_connmark's option table does not override any previous options. This patch changes this behavior, since the current behavior does not allow connmark's option to be used at all, which is illogical. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_quota: don't ignore the quota value on deletionChangli Gao2010-08-021-1/+1
| | | | | | | | Don't ignore the quota value on deletion, then we can remove a special rule everytime. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-0/+2
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extension: add xt_cpu matchEric Dumazet2010-07-231-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Kernel 2.6.36 supports xt_cpu match In some situations a CPU match permits a better spreading of connections, or select targets only for a given cpu. With Remote Packet Steering or multiqueue NIC and appropriate IRQ affinities, we can distribute trafic on available cpus, per session. (all RX packets for a given flow are handled by a given cpu) Some legacy applications being not SMP friendly, one way to scale a server is to run multiple copies of them. Instead of randomly choosing an instance, we can use the cpu number as a key so that softirq handler for a whole instance is running on a single cpu, maximizing cache effects in TCP/UDP stacks. Using NAT for example, a four ways machine might run four copies of server application, using a separate listening port for each instance, but still presenting an unique external port : iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \ -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \ -j REDIRECT --to-port 8081 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \ -j REDIRECT --to-port 8082 iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \ -j REDIRECT --to-port 8083 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_ipvs: user-space lib for netfilter matcher xt_ipvsHannes Eder2010-07-231-0/+27
| | | | | | | | | The user-space library for the netfilter matcher xt_ipvs. [ trivial up-port by Simon Horman <horms@verge.net.au> ] Signed-off-by: Hannes Eder <heder@google.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' into iptables-nextPatrick McHardy2010-07-1513-555/+221
|\
| * Merge branch 'master' of vishnu.netfilter.org:/data/git/iptablesPatrick McHardy2010-06-253-519/+110
| |\
| | * libxt_set: new revision addedJozsef Kadlecsik2010-06-163-519/+110
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | libipt_set renamed to libxt_set and the support for the forthcoming ipset release added. I have tested backward (IPv4) and forward compatibility (IPv4/IPv6): ipset -N test iphash ipset -A test test-address iptables -N test-set iptables -A test-set -j LOG --log-prefix "match " iptables -A test-set -j DROP iptables -A OUTPUT -m set --match-set test dst -j test-set ping test-address
| * | xtables: remove xtables_set_revision functionJan Engelhardt2010-06-071-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | Since iptables uses its own copies of the header files anyway where the revision field is exposed, there is no reach to access name[] beyond its size. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | includes: sync header files from Linux 2.6.35-rc1Jan Engelhardt2010-06-079-35/+111
| |/ | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: fix compilation of the new CHECKSUM targetPatrick McHardy2010-07-151-0/+18
| | | | | | | | | | | | Add missing header file. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: libipt_LOG/libip6t_LOG: support macdecode optionPatrick McHardy2010-06-282-2/+4
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: add idletimer xt target extensionLuciano Coelho2010-06-151-0/+45
|/ | | | | | | Add the extension plugin for the IDLETIMER x_tables target. Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Revert "Revert "Merge branch 'iptables-next'""Patrick McHardy2010-05-211-0/+9
| | | | | | This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099. Revert the revert to restore the TEE target.
* Revert "Merge branch 'iptables-next'"Patrick McHardy2010-05-211-9/+0
| | | | | | | This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e. Forgot to commit the version increase.
* extensions: add support for xt_TEEJan Engelhardt2010-04-191-0/+9
| | | | | | xt_TEE is firstly included in Linux 2.6.35. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add CT extensionPatrick McHardy2010-03-082-0/+38
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* includes: header updatesJan Engelhardt2010-02-0161-652/+296
| | | | | | | | | | | | Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's ipt_ECN.h for example references ipt_DSCP.h, which no longer exists. Since a number of old code pieces have been removed in the kernel in that fashion, the structs for older versions are moved into the .c file, to keep header updating simple. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add osf extensionPatrick McHardy2009-11-121-0/+135
| | | | | | From Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-1/+1
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_NFQUEUE: add new v1 version with queue-balance optionFlorian Westphal2009-08-201-0/+5
| | | | | | | | | | | | | | | | New version that adds support for specifying a queue range instead of a single queue id. The kernel will distribute flows across the given queue range. This is useful for multicore systems, simply start multiple instances of the userspace program on queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets belonging to the same connection are put into the same queue. With fixes from Jan Engelhardt. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'stable'Jan Engelhardt2009-08-051-0/+13
|\ | | | | | | | | | | | | Conflicts: extensions/libxt_conntrack.c Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * xt_conntrack: revision 2 for enlarged state_mask memberJan Engelhardt2009-06-251-0/+13
| | | | | | | | | | | | This complements the xt_conntrack revision 2 code added to the kenrel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: combine iptables-multi and iptables-staticJan Engelhardt2009-07-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changed the Makefile so that: 1. --enable-shared / --disable-shared control the linkage against libdl (and thus the potential to use 3rd party extensions) 2. --enable-static / --disable-static controls whether shipped extensions are built-in or provided as modules iptables-static becomes redundant by this action; iptables-multi now has the feature. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: fix struct size mismatchJan Engelhardt2009-07-251-4/+0
| | | | | | | | | | | | | | | | | | Mixing code compiled with and without -DNO_SHARED_LIBS is fine as long as the structs have the same layout. This patch prevents a potential (currently non-triggerable) "ip6tables: target (null)<123> is missing a version" error. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | xtables: add multi-registration functionsJan Engelhardt2009-06-261-0/+2
| | | | | | | | | | | | Similar to the ones that are present in the kernel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables: accept multiple IP address specifications for -s, -dMichael Granzow2009-06-261-0/+5
|/ | | | | | | | | | | | | | libiptc already supports adding and deleting multiple rules with different addresses, so it only needs to be wired up to the options. # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2 Adjustments made: syntax, removal of unneeded variables, manpage adjustment, soversion bump. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: use extern "C"Jan Engelhardt2009-05-261-0/+8
| | | | | | This fixes linking errors for 3rd-party C++ code. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add `cluster' match supportPablo Neira Ayuso2009-05-061-0/+17
| | | | | | This patch adds support for the cluster match to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* SNAT/DNAT: add support for persistent multi-range NAT mappingsPatrick McHardy2009-04-171-0/+1
| | | | | | | Add support for persistent mappings (2.6.29-rc2+) as replacement for the removed SAME target. Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: reorder .version memberJan Engelhardt2009-04-031-3/+13
| | | | | | | | | | | | | When the structure's layout changes, as it did between v1.4.1 and v1.4.2, trying to compare the version string makes iptables segfault while it tries to determine whether the module is compatible in the first place. By moving the member to a known offset in the struct and keeping it there, objects (both iptables and 3rd party) compiled from this commit onwards will avoid the segfault. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge commit 'nf/master'Jan Engelhardt2009-03-151-0/+1
|\
| * iptables: Add limits.h to get INT_MIN, INT_MAX, ...Stephen Hemminger2009-02-251-0/+1
| | | | | | | | | | | | | | | | | | | | Fix build failure of iptables utilities on debian/ubuntu, maybe other distros. The values INT_MIN and INT_MAX are used by many filters and these are defined in limits.h --- patch against current iptables.git Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: add missing limits.h includeJan Engelhardt2009-02-212-0/+10
| | | | | | | | | | | | Thanks to Stephen Hemminger for noticing. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | include: resynchronize headers with 2.6.29-rc5Jan Engelhardt2009-02-2114-60/+63
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: inline and remove unused OPTION_OFFSET macroJan Engelhardt2009-02-211-1/+0
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: make library available as a shared libraryJan Engelhardt2009-02-161-0/+4
| | | | | Tested-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: general follow-up cleanupJamal Hadi Salim2009-02-131-1/+0
| | | | | | Kill program_name, program_version and xtables_program_name. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
generated by cgit v1.2.3 (git 2.25.0) at 2024-11-01 00:13:01 +0000