summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* libxt_recent: add --mask netmaskDenys Fedoryshchenko2012-07-311-0/+10
| | | | | | | | | | This new option will be available in the Linux kernel 3.5 [ Pablo fixed coding-style issues and cleaned up this. Added manpages as well ] Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_hashlimit: add support for byte-based operationFlorian Westphal2012-07-141-1/+5
| | | | | | | | | | | | | | allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ] to make hashlimit match when X bytes/second are exceeded; optionally, Y bytes will not be matched (i.e. bursted). [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ] libxt_hashlimit.c: In function ‘parse_bytes’: libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add HMARK targetHans Schillstrom2012-07-141-0/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The target allows you to set mark packets based Jenkins' hash calculation: h(t, rnd) = x mark = (x % mod) + offset where: * t is a tuple that is used for the hashing: t = [ src, dst, proto, sport, dport ] Note that you can customize the tuple, thus, removing some component that you don't want to use for the calculation. You can also use spi instead of sport and dport, btw. * rnd is the random seed that is explicitly passed via --hmark-rnd * mod is the modulus, to determine the range of possible marks * offset determines where the mark starts from This target only works for the "raw" and "mangle" tables. This can be used to distribute flows between a cluster of systems and uplinks. Initially based on work from Hans Schillingstrom. Pablo took it over and introduced several improvements. Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_ip[6]mask_to_cidrPablo Neira Ayuso2012-07-141-0/+2
| | | | | | | | | | | | | | This patch adds generic functions to return the mask in CIDR notation whenever is possible. This patch also simplifies xtables_ip[6]mask_to_numeric, that now use these new two functions. This patch also bumps libxtables_vcurrent and libxtables_vage since we added a couple new interfaces (thanks to Jan Engelhardt for his little reminder on this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_CT: add --timeout optionPablo Neira Ayuso2012-04-021-0/+12
| | | | | | | | | | | | | | | | | | | | This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg. iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \ -j CT --timeout custom-tcp-policy You need the nfct(8) tool which is available at: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git To define the cttimeout policies. Example of usage: nfct timeout add custom-tcp-policy inet tcp established 1000 The new nfct tool also requires libnetfilter_cttimeout: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add nfacct matchPablo Neira Ayuso2012-03-271-0/+17
| | | | | | | | | | | | | | This patch provides the user-space iptables support for the nfacct match. This can be used as it follows: nfacct add http-traffic iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic nfacct get http-traffic See also man nfacct(8) for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "libiptc: Returns the position the entry was inserted"Pablo Neira Ayuso2012-03-011-2/+1
| | | | | | | | | This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c. This is breaking my iptables scripts: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables: Incompatible with this kernel.
* libiptc: Returns the position the entry was insertedJonh Wendell2012-02-291-1/+2
| | | | Jan Engelhardt showed no objections to this patch.
* extensions: add IPv6 capable ECN match extensionPatrick McHardy2012-02-232-35/+33
| | | | | | | Patrick submitted this patch by 9th Jun 2011, I'm recovering and applying it to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add rpfilter moduleFlorian Westphal2012-02-231-0/+17
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: use a family-invariant xtc_ops struct for code reductionJan Engelhardt2011-09-113-0/+17
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: resolve old macro names that are indirectionsJan Engelhardt2011-09-112-8/+8
| | | | | | | | | | | Command used: git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/) and then fix all occurrences. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common types: _handleJan Engelhardt2011-09-115-73/+72
| | | | | | | No real API/ABI change incurred, since the definition of the structs' types is not visible anyhow. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: replace ipt_chainlabel by xt_chainlabelJan Engelhardt2011-09-114-44/+44
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common typesJan Engelhardt2011-09-114-3/+11
| | | | | | | | Make an xt_chainlabel type out of ipt_chainlabel and ip6t_chainlabel, and add backward-API #defines. The ABI naturally does not change either, so no soversion bump. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptablesJan Engelhardt2011-09-0841-292/+519
|\
| * include: refresh include files from kernel 3.1-rc3Jan Engelhardt2011-08-3140-292/+475
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_addrtype: add support for revision 1Jan Engelhardt2011-08-281-0/+44
| | | | | | | | | | | | | | | | Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but there was no corresponding iptables patch so far. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables: move kernel version find routing into libxtablesJan Engelhardt2011-09-032-8/+8
|/ | | | | | | | That way, the remaining unreferenced symbols that do appear in libipt_DNAT and libipt_SNAT as part of the new check can be resolved, and the ugly -rdynamic hack can finally be removed. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* option: remove last traces of intrapositional negationJan Engelhardt2011-07-101-2/+0
| | | | | | Intrapositional negation was deprecated in 1.4.3. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: support for per-extension instance "global" variable spaceJan Engelhardt2011-06-211-3/+15
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: use uintmax for xtables_strtoulJan Engelhardt2011-05-241-2/+2
| | | | | | | | | | | | | | | Addendum to 2305d5fb42fc059f38fc1bdf53411dbeecdb310b. I noticed that unsigned long long is not consistently used, for example, min/max are still just unsigned long, and strtoul is being called. Instead of changing it to unsigned long long, just use uintmax functions right away so this does not need size-related changing in the future. Cc: JP Abgrall <jpa@google.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_quota: make sure uint64 is not truncatedJP Abgrall2011-05-201-1/+1
| | | | | The xtables_strtoul() would cram a long long into a long. The parse_int would try to cram a UINT64 into a long.
* libxtables: retract _NE types and use a flag insteadJan Engelhardt2011-05-181-6/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: replace old IP*T_ALIGN macrosJan Engelhardt2011-05-122-14/+0
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'floating/opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-05-121-0/+3
|\
| * libxtables: XTTYPE_ETHERMAC supportJan Engelhardt2011-05-091-0/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-05-111-4/+24
|\|
| * libxtables: XTTYPE_PROTOCOL supportJan Engelhardt2011-05-091-1/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_multiport: use guided option parserJan Engelhardt2011-05-091-0/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_HOSTMASK supportJan Engelhardt2011-05-091-0/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_PLEN supportJan Engelhardt2011-05-091-0/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: do not overlay addr and mask parts, and cleanupJan Engelhardt2011-05-091-4/+13
| | | | | | | | | | | | | | | | | | XTTYPE_HOSTMASK will require that what has now become haddr, hmask/hlen are not overlays of another. Thus relax the structure and always set all members of the {haddr, hmask, hlen} triplet now for all types that touch any of the members. Add some more comments and clean out ONEHOST.
| * libxtables: support for XTTYPE_PLENMASKJan Engelhardt2011-05-091-1/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-05-091-1/+4
|\|
| * libxtables: XTTYPE_DOUBLE supportJan Engelhardt2011-05-091-0/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * extensions: remove bogus use of XT_GETOPT_TABLEENDJan Engelhardt2011-05-081-1/+1
| | | | | | | | | | | | | | | | | | | | Commit v1.4.8-36-g32b8e61 added this end marker in a little too many places: at non-getopt places. Fix that. Also change the definition of XT_GETOPT_TABLEEND to reference a struct getopt member by name so that this cannot happen again. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Merge branch 'opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-05-091-1/+10
|\|
| * libxtables: XTTYPE_PORTRC supportJan Engelhardt2011-05-011-1/+5
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_TOS: use guided option parserJan Engelhardt2011-05-011-0/+5
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Move common parts of libext{4,6}.a into libext.aMaciej Żenczykowski2011-04-191-0/+1
| | | | | | | | Signed-off-by: Maciej Zenczykowski <maze@google.com>
* | Merge branch 'floating/opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-04-181-1/+41
|\|
| * libxtables: XTTYPE_PORT supportJan Engelhardt2011-04-131-1/+5
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_ONEHOST supportJan Engelhardt2011-04-131-0/+3
| | | | | | | | | | | | | | | | The bonus of the POSIX socket API is that it is almost protocol-agnostic and that there are ready-made functions to take over the gist of address parsing and packing. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_SYSLOGLEVEL supportJan Engelhardt2011-04-131-1/+3
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: pass struct xt_entry_{match,target} to x6 parserJan Engelhardt2011-04-131-0/+4
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_UINT16 supportJan Engelhardt2011-04-131-1/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_UINT64RC supportJan Engelhardt2011-04-131-1/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_UINT8RC supportJan Engelhardt2011-04-131-1/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: XTTYPE_UINT16RC supportJan Engelhardt2011-04-131-0/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>