| Commit message | Author | Age | Files | Lines |

Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.

Max Kellermann <max@duempel.org>

Max Kellermann <max@duempel.org>

Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

Move a few functions from iptables.c/ip6tables.c to xtables.c
so they are available for combined (both AF_INET and AF_INET6)
libxt modules. Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

iptables prints some of its error messages and warnings to stdout.
This patch applies to svn r7075 and will make iptables print
diagnostic messages to stderr instead.
Signed-off-by: Max Kellermann <max@duempel.org>

Deletes empty ->final_check() functions, and makes ip[6]tables
check for NULL on these.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

prototypes

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

(Jan Engelhardt <jengelh@gmx.de>)
A nice side effect is that merge_option() doesn't copy options in that case.

string_to_number_ll, string_to_number_l, string_to_number,
service_to_port, parse_port and parse_interface are moved.

- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol family dependent information.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces
ip[6]t_* with them
- unifies the following functions and moves them to xtables.c
  - find_{match,find_target}
  - compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and makes
register_{match,target}[6] call them. xtables_register_* registers ONLY
matches/targets matching the protocol family
Some concepts:
- source compatibility for libip[6]t_xxx.c with warning on compilation,
not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables,
of course.
- xtables is enough to support only one address family at runtime.
Then xtables keeps information of only the focused address family
in struct afinfo.

non-existent matches and targets
Reported by Joseph Jezak <josejx@gentoo.org>.

allows '! -p xxx' where xxx is an extension header. It matches all valid IPv6
packets.

"all" to "0". This reverts to the original behaviour, and closes bugzilla #543. (Phil Oester)

Kernel part will go in 2.6.21

Remove unused CHECK entry in commands_v_options.
It makes -E (rename) work again - generic_opt_check
expects options for RENAME not for CHECK at that table index.
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>

- Add support for port range match to libip6t_multiport
(Rémi Denis-Courmont <rdenis@simphalempin.com>)

warning for basically every non-alphanumeric character.

The below patch (dependent upon my 'reduce service_to_port duplication' patch)
centralizes the parse_*_port functions into parse_port.

The service_to_port function is used in a number of places, and could
benefit from some centralization instead of being duplicated everywhere.

option. However, the new array element is not initialized in either
commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or
inverse_for_options[NUMBER_OF_OPT]. (Closes: #462)

bit position of the command mask as an index in the array. There's no entry for
CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN (0x1000U) index outside the
array. (Closes: #463)

Sometimes I hear that people do 'ip6tables -p ah ...' which never matches
any packet. IPv6 extension headers except ESP are skipped and invalid
as argument of '-p'. Then I propose that ip6tables exits with error in such
case.

If two or more matches of the same type are detected then the options
are assumed to be grouped in order to tell which option belongs
to which match:
... -m foo ... <options0> ... -m foo ... <options1> ...
Otherwise the command line parsing is unmodified.

(Closes: #446)

(Closes: #440). However, while this fixes the double-free, it still doesn't make iptables
support two of the same matches within one rule. Apparently the last matchinfo is copied into all the previous
matchinfo instances.

Bugzilla #413

argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory. (Marcus Sundberg <marcus@ingate.com>)
ip6tables merge by myself.

<yasuyuki.kozakai@toshiba.co.jp>)

iptables-restore dramatically (Pablo Neira)

everywhere else '0' is used (Jonas Berlin)

Fixes build with conntrack event patch for 2.6

inline instead of extern inline (otherwise it doesn't compile without -O).
Don't re-initialize libiptc/libip6t unless modprobe attempt actually succeeds. This makes nfsim run about 20 times faster, as it doesn't have to explore failures in the first iptc_init().

set them in testsuite if we're running iptables within tree.