path: root/iptables.c
Commit log (each entry: commit message, then author, date, files changed and lines -/+):
* iptables: fix error reporting with wrong/missing arguments (Pablo Neira Ayuso, 2008-11-19, 1 file, -1/+18 lines)

  This patch fixes wrong error reporting when arguments are missing:

      # iptables -I INPUT -m state --state
      iptables v1.4.2-rc1: Unknown arg `(null)'
      Try `iptables -h' or 'iptables --help' for more information.

  or wrong:

      # iptables -I INPUT -m state --xyz
      iptables v1.4.2-rc1: Unknown arg `(null)'
      Try `iptables -h' or 'iptables --help' for more information.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use NFPROTO_ constants (Jan Engelhardt, 2008-11-18, 1 file, -1/+1 lines)

  Resync netfilter.h from the latest kernel and make use of the new
  NFPROTO_ constants that have been introduced.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: remove indirections (Jan Engelhardt, 2008-11-10, 1 file, -35/+35 lines)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: remove typedef indirection (Jan Engelhardt, 2008-11-10, 1 file, -16/+16 lines)

  Don't you hate it when iptc_handle_t *x actually is a double-indirection
  struct iptc_handle **? This also shows the broken constness model, since
  "const iptc_handle_t x" = "iptc_handle_t const x" = "struct iptc_handle *const x",
  which is like no const at all. Lots of things to do then.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Synchronize invert flag order with manpages (Jan Engelhardt, 2008-08-13, 1 file, -6/+6 lines)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Warn about use of DROP in nat table (Jan Engelhardt, 2008-08-13, 1 file, -0/+8 lines)

  Consensus is that we should warn for now.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-restore: fix segmentation fault with -tanything (Jan Engelhardt, 2008-08-04, 1 file, -3/+2 lines)

  Reference: Debian bug #458042

  iptables-restore must not pass a table into do_command. It checks for
  "-t arg" and "--table arg", but not "-targ". (On a related note, using
  -targ does not work as expected).

  This should fail gracefully, but crashes:

      iptables-restore <(echo -e '*filter\n-A INPUT -tx\nCOMMIT')

  And this should use table "filter", or perhaps raise an error, but
  instead sets the table to (literally) "-tfilter":

      iptables -tfilter -A INPUT

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: fix printing of line numbers with --line-numbers arg (Henrik Nordstrom, 2008-06-13, 1 file, -1/+1 lines)

  Commit bb34082d ("iptables --list chain rulenum") broke the line
  numbering, starting with printing an offset of 2.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Make --set-counters (-c) accept comma separated counters (Henrik Nordstrom, 2008-05-13, 1 file, -4/+7 lines)

  Here is the --set-counters syntax patch requested earlier today making
  --set-counters (-c) accept comma separated counts.

      -c packets,bytes

  I have not updated the manpage to reflect this alternate syntax for the
  --set-counters (-c) option.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list chain rulenum (Henrik Nordstrom, 2008-05-13, 1 file, -15/+31 lines)

  Extend --list (and --list-rules) to allow selection of a single rule number

      iptables --list INPUT 4
      iptables --list-rules INPUT 4

  list rule number 4 in INPUT.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list-rules command (Henrik Nordstrom, 2008-05-13, 1 file, -15/+274 lines)

  Adds iptables --list-rules (-S) command, acting as a combination of
  iptables --list and iptables-save.

  The primary motivation behind this patch is to get iptables-save like
  output capabilities in iptables-restore, allowing "iptables-restore -n"
  to be used as a consistent API to iptables for all kind of operations,
  not only blind updates.

  As a bonus iptables also gets the capability of printing the rules as-is.

  This completely replaces the earlier patch which added the --rules option.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* Add support for --set-counters to iptables -P (Henrik Nordstrom, 2008-05-12, 1 file, -2/+2 lines)

  Adds support for setting the policy counters

      iptables -P INPUT -J DROP -c 10 20

  Henrik Nordstrom <henrik@henriknordstrom.net>
* Remove old functions, constants (Jan Engelhardt, 2008-04-15, 1 file, -19/+7 lines)

* iptables: use C99 lists for struct options (Gáspár Lajos, 2008-04-14, 1 file, -32/+32 lines)

* manpages: grammar and spelling (Jan Engelhardt, 2008-04-13, 1 file, -1/+1 lines)

* Fix all remaining warnings (missing declarations, missing prototypes) (Jan Engelhardt, 2008-04-13, 1 file, -3/+1 lines)
* Fix -Wshadow warnings and clean up xt_sctp.h (Jan Engelhardt, 2008-04-06, 1 file, -6/+6 lines)

  Note: xt_sctp.h is still not merged upstream in the kernel as of this
  commit. But a refactoring was really needed.
* whitespace cleanup (Max Kellermann, 2008-01-29, 1 file, -13/+13 lines)

  Max Kellermann <max@duempel.org>
* rename overlapping function names (Jan Engelhardt, 2008-01-20, 1 file, -194/+4 lines)

  Rename overlapping function names.

  Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* bunch o' renames (Jan Engelhardt, 2008-01-20, 1 file, -78/+6 lines)

  Move a few functions from iptables.c/ip6tables.c to xtables.c so they
  are available for combined (both AF_INET and AF_INET6) libxt modules.
  Rename overlapping function names.

  Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* - cleanup several code wraparounds (Pablo Neira Ayuso, 2008-01-17, 1 file, -4/+21 lines)

  - check for malloc() return value in merge_opts()
  - check for merge_opts() return value
* [PATCH iptables] print warnings to stderr (Max Kellermann, 2007-10-17, 1 file, -3/+4 lines)

  iptables prints some of its error messages and warnings to stdout.
  This patch applies to svn r7075 and will make iptables print
  diagnostic messages to stderr instead.

  Signed-off-by: Max Kellermann <max@duempel.org>
* Fix sscanf type errors (Patrick McHardy, 2007-10-17, 1 file, -6/+5 lines)
* Delete empty ->final_check() functions (Jan Engelhardt, 2007-10-04, 1 file, -2/+3 lines)

  Deletes empty ->final_check() functions, and makes ip[6]tables checks
  for NULL on these.

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix more sparse warnings: non-C99 array declaration, incorrect function prototypes (Patrick McHardy, 2007-09-08, 1 file, -54/+54 lines)
* Fix strict aliasing warnings (Patrick McHardy, 2007-09-05, 1 file, -2/+5 lines)

* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>) (Peter Riley, 2007-09-02, 1 file, -5/+4 lines)

* Make @msg argument a const char *, just like printf(). (Jan Engelhardt, 2007-08-01, 1 file, -1/+1 lines)

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Makes it possible to omit extra_opts of matches/targets if unnecessary. (Jan Engelhardt, 2007-07-30, 1 file, -0/+3 lines)

  (Jan Engelhardt <jengelh@gmx.de>)

  A nice side effect is that merge_option() doesn't copy options in that case.
* Moves some duplicated functions in ip[6]tables.c to xtables.c (Yasuyuki KOZAKAI, 2007-07-24, 1 file, -106/+0 lines)

  string_to_number_ll, string_to_number_l, string_to_number,
  service_to_port, parse_port, parse_interface, are moved.
* Introduces xtables match/target registration (Yasuyuki KOZAKAI, 2007-07-24, 1 file, -310/+21 lines)

  - moves lib_dir to xtables.c
  - introduces struct pfinfo which has protocol family dependent information.
  - unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
  - introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them
  - unifies following functions and move them to xtables.c
    - find_{match,find_target}
    - compatible_revision, compatible_{match,target}_revision
  - introduces xtables_register_{match,target} and make register_{match,target}[6]
    call them. xtables_register_* register ONLY matches/targets matched protocol family

  Some concepts:
  - source compatibility for libip[6]t_xxx.c with warning on compilation,
    not binary compatibility.
  - binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of course.
  - xtables is enough to support only one address family at runtime. Then
    xtables keeps information of only the focused address family in struct afinfo.
* Moves ip[6]tables_insmod() to xtables.c as xtables_insmod() (Yasuyuki KOZAKAI, 2007-07-24, 1 file, -80/+1 lines)

* Moves common fw_malloc() and fw_calloc() to xtables.c (Yasuyuki KOZAKAI, 2007-07-24, 1 file, -24/+1 lines)
* Fix "iptables getsockopt failed strangely" when querying revisions for non-existent matches and targets (Patrick McHardy, 2007-06-26, 1 file, -1/+1 lines)

  Reported by Joseph Jezak <josejx@gentoo.org>.
* In fixing bug #446 [1], the output for unspecified proto was changed from "all" to "0". This reverts to the original behaviour, and closes bugzilla #543. (Phil Oester) (Phil Oester, 2007-04-30, 1 file, -0/+1 lines)
* Fix iptables --modprobe parameter (Maurice van der Pot <griffon26@kfk4ever.com>) (Pablo Neira Ayuso / Maurice van der Pot, 2007-04-16, 1 file, -1/+1 lines)

  Supply modprobe parameter to iptables_insmod function.

  Bugzilla #556
* Fixes typos in the argument of ip[6]tables_insmod: quit -> quiet (Yasuyuki KOZAKAI, 2007-03-20, 1 file, -4/+4 lines)

* Suppress error message from modprobe on checking revision. (Yasuyuki KOZAKAI, 2007-03-13, 1 file, -8/+14 lines)

* Add UDPLITE multiport support (Patrick McHardy, 2007-01-11, 1 file, -0/+1 lines)
* Fix /etc/network usage (Pablo Neira) (Pablo Neira Ayuso, 2006-11-29, 1 file, -35/+34 lines)

  http://bugs.debian.org/398082

  iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the
  information is lost somewhere with 1.3.6.

      # cat /etc/networks
      foonet 10.0.0.0
      # strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.5 [1]
      ACCEPT all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0
      # strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.6 [2]
      iptables v1.3.6: host/network `foonet.0.0.0' not found
      Try `iptables -h' or 'iptables --help' for more information.

  1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt
  2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
* Fix -E (rename) in iptables/ip6tables (Krzysztof Piotr Oledzki, 2006-11-14, 1 file, -1/+0 lines)

  Remove unused CHECK entry in commands_v_options. It makes -E (rename)
  work again: generic_opt_check expects options for RENAME, not for
  CHECK, at that table index.

  Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* load ip_[6]tables.ko just before checking revision support in kernel. (Yasuyuki KOZAKAI, 2006-11-13, 1 file, -2/+19 lines)

* Fix spelling error (Patrick McHardy, 2006-10-11, 1 file, -1/+1 lines)
* Use negative-list for "weird character in interface" warning instead of warning for basically every non-alphanumeric character. (Patrick McHardy, 2006-09-20, 1 file, -3/+3 lines)
* Revert "proto_to_name duplication" patch, as noticed by Yasuyuki it can cause invalid arguments to get accepted. (Patrick McHardy / Jesper Brouer, 2006-07-25, 1 file, -2/+1 lines)
* proto_to_name duplication (Phil Oester <kernel@linuxace.com>) (Phil Oester, 2006-07-22, 1 file, -1/+2 lines)

  Update multiport match to use the iptables version of proto_to_name
  instead of reinventing the wheel.
* reduce parse_*_port duplication (Phil Oester <kernel@linuxace.com>) (Phil Oester, 2006-07-20, 1 file, -0/+13 lines)

  The below patch (dependent upon my 'reduce service_to_port duplication'
  patch) centralizes the parse_*_port functions into parse_port.
* reduce service_to_port duplication (Phil Oester <kernel@linuxace.com>) (Phil Oester, 2006-07-20, 1 file, -0/+11 lines)

  The service_to_port function is used in a number of places, and could
  benefit from some centralization instead of being duplicated everywhere.
* iptables: handle cidr notation more sanely (Phil Oester <kernel@linuxace.com>) (Phil Oester, 2006-07-10, 1 file, -0/+30 lines)

  At present, a command such as

      iptables -A foo -s 10.10/16

  will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask
  end up with 10.0.0.0/16, which likely isn't what the user intended.
  Yet some people do expect 10.10 (without the cidr notation) to end up
  as 10.0.0.10.

  The below patch should satisfy all parties. It zero pads the missing
  octets only in the cidr case, leaving the IP untouched otherwise.

  This resolves bug #422
* In ip[6]tables.c, NUMBER_OF_OPT was increased to 12 for the OPT_COUNTERS option. (Patrick McHardy / Harald Welte, 2006-04-22, 1 file, -15/+16 lines)

  However, the new array element is not initialized in either
  commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or
  inverse_for_options[NUMBER_OF_OPT]. (Closes: #462)