summaryrefslogtreecommitdiffstats
path: root/iptables.c
Commit message (Collapse)AuthorAgeFilesLines
...
* Delete empty ->final_check() functionsJan Engelhardt2007-10-041-2/+3
| | | | | | | Deletes empty ->final_check() functions, and makes ip[6]tables checks for NULL on these. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix more sparse warnings: non-C99 array declaration, incorrect function ↵Patrick McHardy2007-09-081-54/+54
| | | | prototypes
* Fix strict aliasing warningsPatrick McHardy2007-09-051-2/+5
|
* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)Peter Riley2007-09-021-5/+4
|
* Make @msg argument a const char *, just like printf().Jan Engelhardt2007-08-011-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Makes it possible to omit extra_opts of matches/targets if unnecessary.Jan Engelhardt2007-07-301-0/+3
| | | | | | (Jan Engelhardt <jengelh@gmx.de>) A nice side effect is that merge_option() doesn't copy options in that case.
* Moves some duplicated functions in ip[6]tables.c to xtables.cYasuyuki KOZAKAI2007-07-241-106/+0
| | | | | string_to_number_ll, string_to_number_l, string_to_number, service_to_port, parse_port, parse_interface, are moved.
* Introduces xtables match/target registrationYasuyuki KOZAKAI2007-07-241-310/+21
| | | | | | | | | | | | | | | | | | | | | | | - moves lib_dir to xtables.c - introduces struct pfinfo which has protocol family dependent infomations. - unifies load_ip[6]tables_ko() and moves them as load_xtables_ko() - introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them - unifies following functions and move them to xtables.c - find_{match,find_target} - compatible_revision, compatible_{match,target}_revision - introduces xtables_register_{match,target} and make register_{match,target}[6] call them. xtables_register_* register ONLY matches/targets matched protocol family Some concepts: - source compatibility for libip[6]t_xxx.c with warning on compilation not binary compatibility. - binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of cause. - xtables is enough to support only one address family at runtime. Then xtables keeps infomations of only the focused address famiy in struct afinfo.
* Moves ip[6]tables_insmod() to xtables.c as xtables_insmod()Yasuyuki KOZAKAI2007-07-241-80/+1
|
* Moves common fw_malloc() and fw_calloc() to xtables.cYasuyuki KOZAKAI2007-07-241-24/+1
|
* Fix "iptables getsockopt failed strangely" when querying revisions for ↵Patrick McHardy2007-06-261-1/+1
| | | | | | non-existant matches and targets Reported by Joseph Jezak <josejx@gentoo.org>.
* In fixing bug #446 [1], the output for unspecified proto was changed from ↵Phil Oester2007-04-301-0/+1
| | | | "all" to "0". This reverts to the original behaviour, and closes bugzilla #543. (Phil Oester)
* Fix iptables --modprobe parameter (Maurice van der Pot <griffon26@kfk4ever.com>)Pablo Neira AyusoMaurice van der Pot2007-04-161-1/+1
| | | | | | Supply modprobe parameter to iptables_insmod function. Bugzilla #556
* Fixes typos in the argument of ip[6]tables_insmod: quit -> quietYasuyuki KOZAKAI2007-03-201-4/+4
|
* Supress error message from modprobe on checking revision.Yasuyuki KOZAKAI2007-03-131-8/+14
|
* Add UDPLITE multiport supportPatrick McHardy2007-01-111-0/+1
|
* Fix /etc/network usage (Pablo Neira)Pablo Neira Ayuso2006-11-291-35/+34
| | | | | | | | | | | | | | | | | | | | | | http://bugs.debian.org/398082 iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the information is lost somewhere with 1.3.6. # cat /etc/networks foonet 10.0.0.0 # strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.5 [1] ACCEPT all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0 # strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.6 [2] iptables v1.3.6: host/network `foonet.0.0.0' not found Try `iptables -h' or 'iptables --help' for more information. 1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt 2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
* Fix -E (rename) in iptables/ip6tablesKrzysztof Piotr Oledzki2006-11-141-1/+0
| | | | | | | | | | Remove ununsed CHECK entry in commands_v_options. It makes -E (rename) working again - generic_opt_check expects options for RENAME not for CHECK at that table index. Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Patrick McHardy <kaber@trash.net>
* load ip_[6]tables.ko just before checking revision support in kernel.Yasuyuki KOZAKAI2006-11-131-2/+19
|
* Fix spelling errorPatrick McHardy2006-10-111-1/+1
|
* Use negative-list for "weird character in interface" warning instead of ↵Patrick McHardy2006-09-201-3/+3
| | | | warning for basically every non-alphanumeric character.
* Revert "proto_to_name duplication" patch, as noticed by Yasuyuki it can causePatrick McHardyJesper Brouer2006-07-251-2/+1
| | | | invalid arguments to get accepted.
* proto_to_name duplication (Phil Oester <kernel@linuxace.com>)Phil Oester2006-07-221-1/+2
| | | | | Update multiport match to use the iptables version of proto_to_name instead of reinventing the wheel.
* reduce parse_*_port duplication (Phil Oester <kernel@linuxace.com>)Phil Oester2006-07-201-0/+13
| | | | | The below patch (dependent upon my 'reduce service_to_port duplication' patch) centralizes the parse_*_port functions into parse_port.
* reduce service_to_port duplication (Phil Oester <kernel@linuxace.com>)Phil Oester2006-07-201-0/+11
| | | | | The service_to_port function is used in a number of places, and could benefit from some centralization instead of being duplicated everywhere.
* iptables: handle cidr notation more sanely (Phil Oester <kernel@linuxace.com>)Phil Oester2006-07-101-0/+30
| | | | | | | | | | | | | | | | At present, a command such as iptables -A foo -s 10.10/16 will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end up with 10.0.0.0/16, which likely isn't what the user intended. Yet some people do expect 10.10 (without the cidr notation) to end up as 10.0.0.10. The below patch should satisfy all parties. It zero pads the missing octets only in the cidr case, leaving the IP untouched otherwise. This resolves bug #422
* In ip[6]tables.c, NUMBER_OF_OPT was increased to 12 for the OPT_COUNTERSPatrick McHardyHarald Welte2006-04-221-15/+16
| | | | | | option. However, the new array element is not initialized in either commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or inverse_for_options[NUMBER_OF_OPT]. (Closes: #462)
* cmdflags is used in cmd2char() to return the option for a command. It uses theHarald Welte2006-04-211-2/+1
| | | | | | bit position of the command mask as an index in the array. There's no entry for CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN (0x1000U) index outside the array. (Closes: #463)
* Multiple matches of the same type can be specified on the commandline.Joszef Kadlecsik2006-03-031-7/+32
| | | | | | | | | | If two or more matches of the same type are detected then the options are assumed to be grouped in order to tell which option belongs to which match: ... -m foo ... <options0> ... -m foo ... <options1> ... Otherwise the commandline parsing is unmodified.
* Make '-p all' a special case that is handled before calling getprotoent() ↵Harald Welte2006-02-111-1/+7
| | | | (Closes: #446)
* fix double-free if a single match is used multiple times within a signle ruleHarald Welte2006-02-111-1/+3
| | | | | | (Closes: #440). However, while this fixes the double-free, it still doesn't make iptables support two of the same matches within one rule. Apparently the last matchinfo is copied into all the previous matchinfo instances.
* Fix probing for supported revisions (Jones Desougi <jones@ingate.com>)Jones Desougi2005-12-221-4/+4
| | | | Bugzilla #413
* fix compilation of iptables on [old] systems that don't have IPT_F_GOTOHarald Welte2005-11-241-0/+2
|
* only set revisions on real targets, not on jumps. (Pablo Neira)Pablo Neira2005-11-171-1/+3
|
* add 'goto' support (Henrik Nordstrom <hno@marasystems.com>)Henrik Nordstrom2005-11-051-1/+23
|
* Kernels higher than 2.6.10 don't support multiple --to arguments inPhil Oester2005-09-191-0/+18
| | | | | | | | | | | | | | | | | | | | | DNAT and SNAT targets. At present, the error is somewhat vague: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables: Invalid argument But if we want current iptables to work with kernels <= 2.6.10, we cannot simply disallow this in all cases. So the below patch adds kernel version checking to iptables, and utilizes it in [DS]NAT. Now, users will see a more informative error: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables v1.3.3: Multiple --to-source not supported This generic infrastructure (shamelessly lifted from procps btw) may come in handy in the future for other changes. This fixes bugzilla #367. (Phil Oester)
* The call to free_opts() in merge_options() is invalid C. The oldoptsMarcus Sundberg2005-07-291-3/+1
| | | | | | | | | argument always refers to the memory pointed to by the opts global, which may be freed by the call to free_opts(), but oldopts is used after the free_opts() call. This patch makes sure we don't use freed memory. (Marcus Sundberg <marcus@ingate.com>) ip6tables merge by myself.
* get rid of numerous gcc-4 warningsHarald Welte2005-07-191-1/+2
|
* reduce code replication of parse_interface() (Yasuyuki Kozakai)Yasuyuki KOZAKAI2005-06-221-2/+1
|
* Chain name should not start with '!' (Yasuyuki Kozakai ↵Yasuyuki KOZAKAI2005-06-131-2/+2
| | | | <yasuyuki.kozakai@toshiba.co.jp>)
* Release previously merged options from merge_opts(), reduces memory-usage of ↵Pablo Neira2005-05-291-6/+17
| | | | iptables-restore dramatically (Pablo Neira)
* poll goto specific changes out of trunkHarald WeltePablo Neira2005-04-151-3/+0
|
* fix iptables-save/restore of goto (Jonas Berlin)Jonas Berlin2005-04-151-0/+3
|
* the optflags array contains a '3' for the OPT_LINENUMBERS entry while ↵Jonas Berlin2005-04-011-1/+1
| | | | everywhere else '0' is used (Jonas Berlin)
* Kill NFC_* stuff in iptables (Pablo Neira <pablo@eurodev.net>)Pablo Neira2005-02-141-10/+8
| | | | Fixes build with conntrack event patch for 2.6
* Remove leftover debug printfMartin Josefsson2005-01-031-3/+0
|
* Replace memchr with strlen and fix up one of the statements.Martin Josefsson2005-01-031-4/+4
|
* Extension revision number support (if kernel supports the getsockopts).Rusty Russell2005-01-031-5/+120
| | | | | Enhance MARK match with second revision. Committed in anticipation of the kernel patch being applied.
* Fix setting lib_dir in ip*tables-{save,restore}Martin Josefsson2004-12-271-10/+1
|
* Don't need ipt_entry_target()/ip6t_entry_target() now kernel uses static ↵Rusty Russell2004-12-221-15/+8
| | | | | | inline instead of extern inline (otherwise it doesn't compile without -O). Don't re-initialize libiptc/libip6t unless modprobe attempt actually succeeds. This makes nfsim run about 20 times faster, as it doesn't have to explore failures in the first iptc_init().