| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Deletes empty ->final_check() functions, and makes ip[6]tables
check for NULL on these.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
prototypes
| |
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
(Jan Engelhardt <jengelh@gmx.de>)
A nice side effect is that merge_option() doesn't copy options in that case.
| |
string_to_number_ll, string_to_number_l, string_to_number,
service_to_port, parse_port, parse_interface are moved.
| |
- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol-family-dependent information.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces
ip[6]t_* with them
- unifies the following functions and moves them to xtables.c
  - find_{match,find_target}
  - compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and makes
register_{match,target}[6] call them. xtables_register_* registers ONLY
matches/targets matching the protocol family
Some concepts:
- source compatibility for libip[6]t_xxx.c with a warning on compilation,
not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables,
of course.
- xtables is enough to support only one address family at runtime.
Then xtables keeps information of only the focused address family
in struct afinfo.
| |
non-existent matches and targets
Reported by Joseph Jezak <josejx@gentoo.org>.
| |
"all" to "0". This reverts to the original behaviour, and closes bugzilla #543. (Phil Oester)
| |
Supply modprobe parameter to iptables_insmod function.
Bugzilla #556
| |
http://bugs.debian.org/398082
iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the
information is lost somewhere with 1.3.6.
# cat /etc/networks
foonet 10.0.0.0
# strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.5 [1]
ACCEPT all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0
# strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.6 [2]
iptables v1.3.6: host/network `foonet.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt
2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
| |
Remove unused CHECK entry in commands_v_options.
It makes -E (rename) work again: generic_opt_check
expects options for RENAME, not for CHECK, at that table index.
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
| |
warning for basically every non-alphanumeric character.
| |
invalid arguments to get accepted.
| |
Update multiport match to use the iptables version of proto_to_name
instead of reinventing the wheel.
| |
The below patch (dependent upon my 'reduce service_to_port duplication' patch)
centralizes the parse_*_port functions into parse_port.
| |
The service_to_port function is used in a number of places, and could
benefit from some centralization instead of being duplicated everywhere.
| |
At present, a command such as
iptables -A foo -s 10.10/16
will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end
up with 10.0.0.0/16, which likely isn't what the user intended. Yet
some people do expect 10.10 (without the cidr notation) to end up as
10.0.0.10.
The below patch should satisfy all parties. It zero pads the missing
octets only in the cidr case, leaving the IP untouched otherwise.
This resolves bug #422
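A worked version of the padding rule that message describes, added here as an example and not iptables' own parser: the address part is zero-padded to four octets only when a /bits suffix is present, and otherwise handed unchanged to inet_aton(3), whose classic a.b form is what gives a bare 10.10 its 10.0.0.10 reading. The pad_cidr flag switches between the old and the new behaviour so the two can be compared side by side; parse_ipmask, network_of and the other names are this example's own. One consequence is visible in the last sample input: a network name with a prefix, foonet/8, is padded to foonet.0.0.0, which inet_aton() rejects, and that is the string in the Debian 398082 error quoted earlier on this page.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse "addr[/bits]" where addr may be a partial dotted quad.
 * pad_cidr = 1: zero-pad missing octets only when /bits is present
 *               ("10.10/16" -> 10.10.0.0/16), the behaviour the patch adds.
 * pad_cidr = 0: hand the bare string to inet_aton() in every case
 *               ("10.10/16" -> 10.0.0.10/16, masked to 10.0.0.0/16),
 *               the behaviour the patch replaces.
 * Without /bits the string always goes to inet_aton() unchanged, so a
 * plain "10.10" keeps its classic a.b reading of 10.0.0.10.
 * On success *addr (host byte order, already masked), *mask and *bits are
 * set and 0 is returned; -1 means a malformed address or prefix length.
 */
int parse_ipmask(const char *spec, int pad_cidr,
                 uint32_t *addr, uint32_t *mask, int *bits)
{
    char buf[32];
    char *slash;
    struct in_addr in;

    if (strlen(spec) > sizeof(buf) - 8)   /* room for up to three ".0" */
        return -1;
    strcpy(buf, spec);

    slash = strchr(buf, '/');
    if (slash == NULL) {
        *bits = 32;
    } else {
        char *end;
        long n;
        *slash = '\0';
        n = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || n < 0 || n > 32)
            return -1;
        *bits = (int)n;
        if (pad_cidr) {
            int dots = 0, i;
            for (i = 0; buf[i] != '\0'; i++)
                if (buf[i] == '.')
                    dots++;
            if (buf[0] == '\0' || dots > 3)
                return -1;
            for (; dots < 3; dots++)
                strcat(buf, ".0");
        }
    }

    if (inet_aton(buf, &in) == 0)          /* rejects "foonet.0.0.0" and the like */
        return -1;

    *mask = (*bits == 0) ? 0 : 0xFFFFFFFFu << (32 - *bits);
    *addr = ntohl(in.s_addr) & *mask;
    return 0;
}

/* Masked network address (host order) under the new rule, or -1 on error. */
long long network_of(const char *spec)
{
    uint32_t a, m; int b;
    return parse_ipmask(spec, 1, &a, &m, &b) ? -1LL : (long long)a;
}

/* Same, with the pre-patch (never padded) semantics, for comparison. */
long long network_of_unpadded(const char *spec)
{
    uint32_t a, m; int b;
    return parse_ipmask(spec, 0, &a, &m, &b) ? -1LL : (long long)a;
}

/* Prefix length under the new rule (32 when no /bits given), or -1 on error. */
int prefix_of(const char *spec)
{
    uint32_t a, m; int b;
    return parse_ipmask(spec, 1, &a, &m, &b) ? -1 : b;
}

int main(void)
{
    /* constructed inputs, covering the cases the commit message discusses */
    const char *specs[] = { "10.10/16", "10.10", "10.10.10.10/8", "foonet/8" };
    size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        long long n = network_of(specs[i]);
        if (n < 0) {
            printf("%-14s -> error\n", specs[i]);
        } else {
            struct in_addr in;
            in.s_addr = htonl((uint32_t)n);
            printf("%-14s -> %s/%d\n", specs[i], inet_ntoa(in), prefix_of(specs[i]));
        }
    }
    return 0;
}
```

network_of_unpadded("10.10/16") returns 10.0.0.0, the result the message calls out as probably unintended, while network_of() on the same input returns 10.10.0.0; a bare "10.10" is 10.0.0.10 under both.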
| |
option. However, the new array element is not initialized in either
commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or
inverse_for_options[NUMBER_OF_OPT]. (Closes: #462)
| |
bit position of the command mask as an index in the array. There's no entry for
CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN (0x1000U) index outside the
array. (Closes: #463)
| |
If two or more matches of the same type are detected then the options
are assumed to be grouped in order to tell which option belongs
to which match:
... -m foo ... <options0> ... -m foo ... <options1> ...
Otherwise the commandline parsing is unmodified.
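The attribution rule just described, as an added example rather than iptables' own getopt_long loop: a first pass collects the -m instances and notes whether any match type repeats; a second pass hands each --option either to the most recent -m only (grouped mode, when a type repeats) or to the first loaded match that accepts it (the unmodified behaviour). Every option is assumed to take exactly one argument, which keeps the walk a simple key/value pairing; match_accepts() stands in for the extensions' parse() callbacks and knows two hypothetical matches, foo and bar. The command lines at the bottom are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MATCHES 8
#define MAX_OPTS 8

struct match_inst {
    const char *name;            /* the "-m name" this instance came from */
    const char *key[MAX_OPTS];   /* --option names attributed to it */
    const char *val[MAX_OPTS];   /* their single arguments */
    int nopts;
};

/*
 * Hypothetical stand-in for each match extension's parse() callback:
 * "foo" accepts --a and --x, "bar" accepts --b.  Not iptables' own table.
 */
static int match_accepts(const char *match, const char *key)
{
    if (strcmp(match, "foo") == 0)
        return strcmp(key, "--a") == 0 || strcmp(key, "--x") == 0;
    if (strcmp(match, "bar") == 0)
        return strcmp(key, "--b") == 0;
    return 0;
}

/*
 * Walk a rule whose tokens after argv[0] come in "key value" pairs (every
 * option here takes exactly one argument, a simplification of getopt_long).
 * Returns the number of match instances, or -1 when an option cannot be
 * attributed to any match under the rule in force.
 */
int parse_rule(int argc, char **argv, struct match_inst *m, int maxm)
{
    int nm = 0, dup = 0, cur = -1, i, j;

    /* pass 1: collect the "-m name" instances, note any repeated type */
    for (i = 1; i + 1 < argc; i += 2) {
        if (strcmp(argv[i], "-m") != 0)
            continue;
        if (nm >= maxm)
            return -1;
        for (j = 0; j < nm; j++)
            if (strcmp(m[j].name, argv[i + 1]) == 0)
                dup = 1;
        m[nm].name = argv[i + 1];
        m[nm].nopts = 0;
        nm++;
    }

    /* pass 2: attribute each --option to one instance */
    for (i = 1; i + 1 < argc; i += 2) {
        int target = -1;
        if (strcmp(argv[i], "-m") == 0) {
            cur++;                      /* later options belong to this one */
            continue;
        }
        if (strncmp(argv[i], "--", 2) != 0)
            continue;                   /* -A, -j, -p ...: builtins, ignored here */
        if (dup) {
            /* grouped: only the most recent -m may claim the option */
            if (cur >= 0 && match_accepts(m[cur].name, argv[i]))
                target = cur;
        } else {
            /* unmodified: first loaded match that accepts it wins */
            for (j = 0; j < nm; j++)
                if (match_accepts(m[j].name, argv[i])) {
                    target = j;
                    break;
                }
        }
        if (target < 0 || m[target].nopts >= MAX_OPTS)
            return -1;
        m[target].key[m[target].nopts] = argv[i];
        m[target].val[m[target].nopts] = argv[i + 1];
        m[target].nopts++;
    }
    return nm;
}

/* Parse argv and return the value of `key` on match instance `idx`, or NULL. */
const char *match_option(int argc, char **argv, int idx, const char *key)
{
    struct match_inst m[MAX_MATCHES];
    int nm = parse_rule(argc, argv, m, MAX_MATCHES), k;
    if (nm < 0 || idx >= nm)
        return NULL;
    for (k = 0; k < m[idx].nopts; k++)
        if (strcmp(m[idx].key[k], key) == 0)
            return m[idx].val[k];
    return NULL;
}

/* Number of match instances, or -1 if the rule does not parse. */
int match_count(int argc, char **argv)
{
    struct match_inst m[MAX_MATCHES];
    return parse_rule(argc, argv, m, MAX_MATCHES);
}

/* Constructed command lines for the demonstration (not from the page). */
char *RULE_GROUPED[] = { "iptables", "-A", "INPUT", "-m", "foo", "--a", "1",
                         "-m", "foo", "--a", "2", "-j", "ACCEPT" };
char *RULE_MIXED[]   = { "iptables", "-A", "INPUT", "-m", "foo", "-m", "bar",
                         "--b", "2", "--a", "1", "-j", "ACCEPT" };
char *RULE_BAD[]     = { "iptables", "-A", "INPUT", "-m", "foo", "--a", "1",
                         "-m", "foo", "--b", "2" };
int RULE_GROUPED_ARGC = sizeof RULE_GROUPED / sizeof RULE_GROUPED[0];
int RULE_MIXED_ARGC   = sizeof RULE_MIXED / sizeof RULE_MIXED[0];
int RULE_BAD_ARGC     = sizeof RULE_BAD / sizeof RULE_BAD[0];

int main(void)
{
    struct match_inst m[MAX_MATCHES];
    int nm = parse_rule(RULE_GROUPED_ARGC, RULE_GROUPED, m, MAX_MATCHES), i, k;
    for (i = 0; i < nm; i++) {
        printf("-m %s:", m[i].name);
        for (k = 0; k < m[i].nopts; k++)
            printf(" %s %s", m[i].key[k], m[i].val[k]);
        printf("\n");
    }
    return 0;
}
```

In RULE_MIXED the --a that appears after -m bar still lands on foo, because no type repeats and the unmodified rule is in force; in RULE_BAD the second foo is the current instance when --b arrives, foo does not accept it, and the rule is rejected rather than silently handed to an earlier match.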
| |
(Closes: #446)
| |
(Closes: #440). However, while this fixes the double-free, it still doesn't make iptables
support two of the same matches within one rule. Apparently the last matchinfo is copied into all the previous
matchinfo instances.
| |
Bugzilla #413
| |
DNAT and SNAT targets. At present, the error is somewhat vague:
# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables: Invalid argument
But if we want current iptables to work with kernels <= 2.6.10, we
cannot simply disallow this in all cases.
So the below patch adds kernel version checking to iptables, and
utilizes it in [DS]NAT. Now, users will see a more informative error:
# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables v1.3.3: Multiple --to-source not supported
This generic infrastructure (shamelessly lifted from procps btw) may
come in handy in the future for other changes.
This fixes bugzilla #367. (Phil Oester)
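An added example of the version-checking infrastructure that message describes, in the procps style it credits, not iptables' own code: the uname(2) release string is packed into a comparable code the way LINUX_VERSION_CODE is, and a stand-in for the SNAT --to-source parse step consults it before accepting a second range. The names (version_code, snat_add_to_source, struct nat_opts) and the exact cut-off are this example's assumptions: the page says kernels <= 2.6.10 accept several ranges, so anything newer, or a kernel whose version cannot be determined, gets the informative error quoted in the commit.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Same packing the kernel uses for LINUX_VERSION_CODE: (x << 16) | (y << 8) | z. */
#define LINUX_VERSION(x, y, z) (0x10000 * (x) + 0x100 * (y) + (z))

/*
 * Turn a uname(2) release string such as "2.6.10-1-686" into a comparable
 * code. Only the leading "x.y[.z]" is read; a distribution suffix is ignored.
 * Returns -1 if the string does not start with at least "x.y".
 */
long version_code(const char *release)
{
    int x = 0, y = 0, z = 0;
    if (sscanf(release, "%d.%d.%d", &x, &y, &z) < 2)
        return -1;
    return LINUX_VERSION(x, y, z);
}

/* Code of the running kernel, or -1 if uname() fails. */
long running_kernel_code(void)
{
    struct utsname u;
    if (uname(&u) != 0)
        return -1;
    return version_code(u.release);
}

#define MAX_RANGES 4

struct nat_opts {
    const char *to[MAX_RANGES];   /* --to-source arguments in order */
    int nranges;
};

/*
 * Stand-in for the SNAT parse() step that handles one --to-source.
 * Returns NULL when the range was accepted, otherwise the message to show.
 * Assumption of this example: more than one range is only allowed on
 * kernels up to 2.6.10; an unknown kernel (-1) is treated as newer.
 */
const char *snat_add_to_source(struct nat_opts *o, const char *arg, long kernel)
{
    if (o->nranges > 0 && (kernel < 0 || kernel > LINUX_VERSION(2, 6, 10)))
        return "Multiple --to-source not supported";
    if (o->nranges >= MAX_RANGES)
        return "Too many --to-source ranges";
    o->to[o->nranges++] = arg;
    return NULL;
}

/* Try "--to 1.2.3.4 --to 2.3.4.5" against a given kernel code; count accepted. */
int snat_ranges_accepted(long kernel)
{
    struct nat_opts o = { {0}, 0 };
    int accepted = 0;
    if (snat_add_to_source(&o, "1.2.3.4", kernel) == NULL)
        accepted++;
    if (snat_add_to_source(&o, "2.3.4.5", kernel) == NULL)
        accepted++;
    return accepted;
}

int main(void)
{
    long k = running_kernel_code();
    struct nat_opts o = { {0}, 0 };
    const char *err;

    printf("running kernel code: %ld\n", k);
    snat_add_to_source(&o, "1.2.3.4", k);
    err = snat_add_to_source(&o, "2.3.4.5", k);
    printf("second --to-source: %s\n", err ? err : "accepted");
    return 0;
}
```

The comparison works because each component gets its own byte, so 2.4.32 sorts below 2.6.0 and 2.6.10 below 2.6.11 as integers; the same code can back any other behavioural switch that depends on the kernel being talked to.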
| |
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory. (Marcus Sundberg <marcus@ingate.com>)
ip6tables merge by myself.
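The use-after-free that message describes, reconstructed as an added example (not the iptables source): a global getopt_long() table opts that starts as a static builtin array, a free_opts() that releases it only when it is a merged heap copy, and a merge_options() whose caller always passes opts itself as oldopts. The buggy variant frees before it copies, so the memcpy reads released memory; the fixed variant copies first and frees last. The option tables, OPTION_OFFSET and the placement of the free_opts() call inside merge_options() are this example's assumptions (the page does not show where the real call sits); the buggy function is kept only for contrast and is never called.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTION_OFFSET 256   /* spacing between extensions' option values */

/* Builtin options, as the static table the program starts from. */
static struct option original_opts[] = {
    { "append", 1, 0, 'A' },
    { "source", 1, 0, 's' },
    { 0, 0, 0, 0 }
};

/* Global getopt_long() table; every merge replaces it with a heap copy. */
struct option *opts = original_opts;
unsigned int global_option_offset = 0;

/* Frees opts when it is a merged (heap) table and falls back to the builtins. */
void free_opts(void)
{
    if (opts != original_opts) {
        free(opts);
        opts = original_opts;
    }
}

/*
 * The ordering the commit describes: oldopts aliases opts, free_opts()
 * releases it, and the memcpy below then reads freed memory.
 * Kept for contrast only; never called.
 */
struct option *merge_options_buggy(struct option *oldopts,
                                   const struct option *newopts,
                                   unsigned int *option_offset)
{
    unsigned int num_old, num_new, i;
    struct option *merge;

    for (num_old = 0; oldopts[num_old].name; num_old++) ;
    for (num_new = 0; newopts[num_new].name; num_new++) ;
    free_opts();                                        /* oldopts now dangles */
    merge = calloc(num_old + num_new + 1, sizeof(*merge));
    if (merge == NULL)
        return NULL;
    memcpy(merge, oldopts, num_old * sizeof(*merge));   /* use after free */
    global_option_offset += OPTION_OFFSET;
    *option_offset = global_option_offset;
    for (i = 0; i < num_new; i++) {
        merge[num_old + i] = newopts[i];
        merge[num_old + i].val += *option_offset;
    }
    opts = merge;
    return merge;
}

/* Fixed: everything that reads oldopts happens before free_opts(). */
struct option *merge_options(struct option *oldopts,
                             const struct option *newopts,
                             unsigned int *option_offset)
{
    unsigned int num_old, num_new, i;
    struct option *merge;

    for (num_old = 0; oldopts[num_old].name; num_old++) ;
    for (num_new = 0; newopts[num_new].name; num_new++) ;
    merge = calloc(num_old + num_new + 1, sizeof(*merge));  /* {0} terminator */
    if (merge == NULL)
        return NULL;
    memcpy(merge, oldopts, num_old * sizeof(*merge));       /* copy first */
    global_option_offset += OPTION_OFFSET;
    *option_offset = global_option_offset;
    for (i = 0; i < num_new; i++) {
        merge[num_old + i] = newopts[i];
        merge[num_old + i].val += *option_offset;   /* keep vals disjoint */
    }
    free_opts();                /* safe: nothing reads oldopts after this */
    opts = merge;
    return merge;
}

/* Constructed extension tables, like those two match libraries would register. */
static const struct option tcp_opts[]  = { { "sport", 1, 0, '1' }, { "dport", 1, 0, '2' }, { 0, 0, 0, 0 } };
static const struct option mark_opts[] = { { "mark",  1, 0, '1' }, { 0, 0, 0, 0 } };

/* Reset, merge both tables in turn (opts feeding back as oldopts), return the option count. */
int demo_merge(void)
{
    unsigned int off_tcp = 0, off_mark = 0, n;
    free_opts();
    global_option_offset = 0;
    if (merge_options(opts, tcp_opts, &off_tcp) == NULL)
        return -1;
    if (merge_options(opts, mark_opts, &off_mark) == NULL)
        return -1;
    for (n = 0; opts[n].name; n++) ;
    return (int)n;
}

const char *opt_name(int i) { return opts[i].name; }
int opt_val(int i) { return opts[i].val; }

int main(void)
{
    int n = demo_merge(), i;
    for (i = 0; i < n; i++)
        printf("%-8s val=%d\n", opt_name(i), opt_val(i));
    return 0;
}
```

Both tcp and mark use '1' as a raw option value; the per-extension offset is what keeps them apart in the merged table, and the second merge must see the first one's copy intact, which is exactly what the early free broke.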
| |
<yasuyuki.kozakai@toshiba.co.jp>)
| |
iptables-restore dramatically (Pablo Neira)
| |
everywhere else '0' is used (Jonas Berlin)
| |
Fixes build with conntrack event patch for 2.6
| |
Enhance MARK match with second revision.
Committed in anticipation of the kernel patch being applied.
| |
inline instead of extern inline (otherwise it doesn't compile without -O).
Don't re-initialize libiptc/libip6t unless modprobe attempt actually succeeds. This makes nfsim run about 20 times faster, as it doesn't have to explore failures in the first iptc_init().