| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
|
| |\| |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The bonus of the POSIX socket API is that it is almost protocol-agnostic
and that there are ready-made functions to take over the gist of address
parsing and packing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
This consolidates the maps from libxt_devgroup and libxt_realm.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The new revision of the SET target supports the following new operations
- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already
exists then reset the timeout value to the specified one (or
to the default from the set definition)
|
| |\| |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\| |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.
As a secondary goal, this reduces the number of static storage duration
variables in flight.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.
Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.
This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
Add support for revision 3 of the conntrack match, which allows to
specify port ranges for origsrc/origdst/replsrc/repldst.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
--queue-bypass: if no userpace program is listening on the queue, then
allow packets to continue through the ruleset instead of dropping them.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
libxt module for the AUDIT target.
-j AUDIT --type (accept|reject|drop)
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
|
| |
|
|
| |
Also includes the type change to __u{8,16,32} kernel types already.
|
| |
|
|
|
| |
This reverts commit e84f131b5f992577119bd3679241f69ec394e0a7.
Solution follows.
|
| |
|
|
|
|
|
|
|
|
|
| |
This reverts commit 600f38db82548a683775fd89b6e136673e924097.
The commit breaks option parsing:
iptables v1.4.9: host/network `port' not found
Try `iptables -h' or 'iptables --help' for more information.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When using `-m mark --mark 2 -m connmark --mark 2`, the user currently
gets an error about the (libxt_mark) --mark option being used twice.
This is because libxt_connmark's option table does not override any
previous options. This patch changes this behavior, since the current
behavior does not allow connmark's option to be used at all, which is
illogical.
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Don't ignore the quota value on deletion, then we can remove a special
rule everytime.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
