path: root/iptables

Commit message | Author | Age | Files | Lines
* ip(6)tables-restore: make sure argv is NULL terminated | Florian Westphal | 2012-05-14 | 2 | -2/+2
      Else, argv[argc] may point to free'd memory. Some extensions, e.g. rateest,
      may fail to parse valid input because argv[optind] (with optind == argc)
      is not NULL.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
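Added example, not iptables code and not part of the commit above: a tokenizer that rebuilds a rule line into an argv array the way a restore tool does, and an option parser with an optional trailing value that decides whether the value is present by looking at the next argv slot. At the last argument that lookahead reads argv[argc], which is only well-defined because the array carries a NULL terminator. The helper names build_argv, free_argv, parse_optional_value and check_line and the option "--rate" are hypothetical; the rule lines are constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iptables code.  Tools such as iptables-restore
 * re-tokenize each rule line into an argv[] and hand it to a
 * getopt-style parser.  Extension parsers with an optional trailing
 * value decide whether one is present by looking at the next argv
 * slot, so at the end of input that slot must hold NULL.  If the array
 * has only argc entries, argv[argc] is whatever follows the buffer
 * (freed memory in the commit above) and the parser reads it. */

/* Split LINE on blanks into a freshly allocated, NULL-terminated argv.
 * Returns argc.  Hypothetical helper; release with free_argv(). */
static int build_argv(const char *line, char ***argv_out)
{
    char *copy = strdup(line);
    size_t cap = 8, argc = 0;
    char **argv = malloc(cap * sizeof(*argv));
    char *tok;

    for (tok = strtok(copy, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (argc + 2 > cap) {              /* room for this token and the terminator */
            cap *= 2;
            argv = realloc(argv, cap * sizeof(*argv));
        }
        argv[argc++] = strdup(tok);
    }
    argv[argc] = NULL;                     /* the terminator the fix guarantees */
    free(copy);
    *argv_out = argv;
    return (int)argc;
}

static void free_argv(char **argv)
{
    char **p;
    for (p = argv; *p != NULL; p++)
        free(*p);
    free(argv);
}

/* Parser for a made-up option "--rate [VALUE]" whose value is optional.
 * argv[idx] is the option itself; the value, if any, is argv[idx + 1].
 * For the last argument that read is argv[argc], which is safe only
 * because build_argv() stored NULL there.  Returns 1 if a value was
 * consumed and stored in *VALUE, 0 otherwise. */
static int parse_optional_value(char **argv, int idx, const char **value)
{
    const char *next = argv[idx + 1];
    if (next == NULL || next[0] == '-') {  /* end of line, or the next option */
        *value = NULL;
        return 0;
    }
    *value = next;
    return 1;
}

/* Tokenize LINE, run parse_optional_value() at position IDX and copy a
 * consumed value into VALUE_OUT.  Returns -1 for a bad IDX, else 0 or 1. */
static int check_line(const char *line, int idx, char *value_out, size_t outlen)
{
    char **argv;
    int argc = build_argv(line, &argv);
    const char *val = NULL;
    int rc = -1;

    if (idx >= 0 && idx < argc) {
        rc = parse_optional_value(argv, idx, &val);
        if (rc == 1 && value_out != NULL)
            snprintf(value_out, outlen, "%s", val);
    }
    free_argv(argv);
    return rc;
}

int main(void)
{
    char value[32];
    int rc;

    /* --rate is the last token: the lookahead lands on the NULL terminator */
    printf("trailing: %d\n", check_line("-A INPUT -p tcp --rate", 4, NULL, 0));
    /* --rate followed by a value */
    rc = check_line("-A INPUT --rate 10 -j ACCEPT", 2, value, sizeof value);
    printf("value: %d %s\n", rc, rc == 1 ? value : "(none)");
    return 0;
}
```

Without the `argv[argc] = NULL` store, the trailing-option case reads one pointer past the tokens; with it, `next == NULL` is the documented end-of-arguments condition that getopt-based extension parsers rely on.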
* Merge branch 'stable' | Jan Engelhardt | 2011-12-18 | 10 | -281/+252
|\
| * Merge branch 'stable' | Jan Engelhardt | 2011-09-19 | 3 | -3020/+1
| |\
| * | ip6tables-restore: make code look alike with iptables-restore | Jan Engelhardt | 2011-09-11 | 2 | -33/+30
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | src: resolve old macro names that are indirections | Jan Engelhardt | 2011-09-11 | 8 | -86/+84
| | |     Command used:
| | |     git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)
| | |     and then fix all occurrences.
| | |
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | libiptc: combine common types: _handle | Jan Engelhardt | 2011-09-11 | 8 | -44/+44
| | |     No real API/ABI change incurred, since the definition of the structs'
| | |     types is not visible anyhow.
| | |
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | libiptc: replace ipt_chainlabel by xt_chainlabel | Jan Engelhardt | 2011-09-11 | 2 | -30/+30
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | iptables-save: remove binary dumping dead code | Jan Engelhardt | 2011-09-11 | 2 | -92/+68
| | |     Was never implemented, kill it.
| | |
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | doc: clarification on the meaning of -p 0 | Jan Engelhardt | 2011-12-18 | 2 | -7/+19
| |/
|/|
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: restore build order of modules | Jan Engelhardt | 2011-09-19 | 3 | -3020/+1
|/
|     iptables(exe) requires libext.a, but extensions/ require libxtables.la
|     (in iptables/). This circular dependency does not work out, so separate
|     libxtables into its own directory and put it in front.
|
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: document iptables-restore's -T option | Jan Engelhardt | 2011-09-08 | 2 | -1/+7
      Commit v1.4.0-rc1-12-ge8665f8 completely forgot this.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip6tables-restore: implement missing -T option | Jan Engelhardt | 2011-09-08 | 1 | -1/+10
      Commit v1.4.0-rc1-12-ge8665f8 forgot to port the change to the
      ip6tables part.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix undesired newline in ip6tables-restore(8) | Jan Engelhardt | 2011-09-08 | 1 | -1/+0
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: move kernel version find routing into libxtables | Jan Engelhardt | 2011-09-03 | 3 | -19/+18
      That way, the remaining unreferenced symbols that do appear in
      libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
      and the ugly -rdynamic hack can finally be removed.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_statistic: link with -lm | Jan Engelhardt | 2011-09-03 | 1 | -2/+7
      $ ldd -r libxt_statistic.so
      undefined symbol: lround (./libxt_statistic.so)

      References: https://bugs.archlinux.org/task/25358
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtoptions: simplify xtables_parse_interface | Richard Weinberger | 2011-08-27 | 1 | -3/+1
      mask is already filled with zeros, there is no need to zero it again.

      References: http://marc.info/?l=netfilter-devel&m=131445196526269&w=2
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtoptions: fill in fallback value for nvals | Jan Engelhardt | 2011-08-27 | 1 | -0/+6
      Parsing for libxt_conntrack rev 2 is done by using rev 2's option
      structure, which specifies XTTYPE_PORT, and using rev 3's parser
      skeleton, which uses cb->nvals. Reading cb->nvals when not using
      XTTYPE_PORTRC (or any other multi-value type) is undefined behavior.
      Make it defined. Since XTTYPE_NONE is the only type that can take void,
      nvals logically ought to be 1.

      References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove unused IPTABLES_MULTI define | Jan Engelhardt | 2011-08-26 | 8 | -38/+1
      This dead code has been lingering around since commit v1.4.5~7.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT | Jan Engelhardt | 2011-08-21 | 1 | -1/+7
      When XTOPT_POINTER is used (and yields a non-zero offsetof), we can
      flag the absence of XTOPT_PUT.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: strengthen check for overlong lladdr components | Jan Engelhardt | 2011-08-01 | 1 | -2/+2
      ethermac[i] > UINT8_MAX is quite pointless, because ethermac[i] is
      just uint8_t. To catch values that are not in the range "00"-"ff",
      use a string length check (end-arg>2). I am willingly using 2 there,
      because no one is going to specify an Ethernet LL address as
      "0x00:0x24:0xbe:0xc2:0x7f:0x16" -- because it is always interpreted
      as hexadecimal anyway even without the 0x prefix.

      xtoptions.c: In function "xtopt_parse_ethermac":
      xtoptions.c:760:3: warning: comparison is always false due to limited range of data type
      xtoptions.c:766:2: warning: comparison is always false due to limited range of data type

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
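Added example, not iptables code and not the patch above: a link-layer address parser in the two shapes the commit contrasts. The strict form bounds the text of each component to two characters, as the commit's `end-arg>2` check does, so "123" and "0x24" are rejected. The weak form has no length check, so `strtoul()` accepts the over-long component and the `uint8_t` store truncates it; the `> UINT8_MAX` comparison is omitted because, as the commit says, it is always false and changes nothing. The names parse_ethermac, parse_ethermac_weak and LL_ALEN are hypothetical; the addresses are constructed input.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not iptables code.  Parsing an Ethernet link-layer
 * address "aa:bb:cc:dd:ee:ff" into six bytes.  Each component is stored
 * in a uint8_t, so a range test "b > UINT8_MAX" on it can never be true
 * and catches nothing: strtoul() happily parses "123" or "0x24", and
 * the cast truncates.  The commit above instead bounds the text: a
 * component may be at most two characters, which also rules out the
 * "0x" prefix (hex is implied anyway). */

#define LL_ALEN 6

/* Strict form.  Returns 1 and fills OUT on success, 0 on any error:
 * empty component, sign or whitespace (which strtoul would skip),
 * non-hex text, more than two characters per component, wrong
 * separator, missing or surplus components. */
static int parse_ethermac(const char *arg, uint8_t out[LL_ALEN])
{
    const char *p = arg;
    int i;

    for (i = 0; i < LL_ALEN; i++) {
        char *end;
        unsigned long v;

        if (*p == '\0' || *p == '+' || *p == '-' || isspace((unsigned char)*p))
            return 0;
        errno = 0;
        v = strtoul(p, &end, 16);
        if (errno != 0 || end == p)
            return 0;
        if (end - p > 2)            /* "123", "0x24", "fff": too long, reject */
            return 0;
        out[i] = (uint8_t)v;        /* at most two hex digits, so v <= 0xff */

        if (i < LL_ALEN - 1) {
            if (*end != ':')
                return 0;
            p = end + 1;
        } else if (*end != '\0') {
            return 0;
        }
    }
    return 1;
}

/* Shape of the parser before the fix, for contrast: no length check.
 * (The original also compared the uint8_t against UINT8_MAX; that test
 * is always false and is left out here because it changes nothing.)
 * An over-long component is accepted and silently truncated:
 * "ff:ff:ff:ff:ff:123" yields 0x23 for the last byte. */
static int parse_ethermac_weak(const char *arg, uint8_t out[LL_ALEN])
{
    const char *p = arg;
    int i;

    for (i = 0; i < LL_ALEN; i++) {
        char *end;
        uint8_t b = (uint8_t)strtoul(p, &end, 16);  /* truncating cast */

        if (end == p)
            return 0;
        out[i] = b;
        if (i < LL_ALEN - 1 && *end != ':')
            return 0;
        p = end + 1;
    }
    return 1;
}

int main(void)
{
    uint8_t mac[LL_ALEN];
    int rc;

    rc = parse_ethermac("00:24:be:c2:7f:16", mac);
    printf("strict 00:24:be:c2:7f:16  -> %d\n", rc);
    rc = parse_ethermac("00:24:be:c2:7f:123", mac);
    printf("strict 00:24:be:c2:7f:123 -> %d\n", rc);
    rc = parse_ethermac_weak("00:24:be:c2:7f:123", mac);
    printf("weak   00:24:be:c2:7f:123 -> %d (last byte %02x)\n", rc, mac[5]);
    return 0;
}
```

The general lesson is the one the compiler warning already gives: a range check on a value must be done before it is narrowed into the type whose range you are checking, or, as here, on the input text instead.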
* build: workaround broken linux-headers on RHEL-5 | Jan Engelhardt | 2011-08-01 | 1 | -0/+2
      magic.h was not invented yet, but they do not ship proc_fs.h either, duh.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: set clone's initial data to NULL | Jan Engelhardt | 2011-07-10 | 1 | -0/+1
      Avoid a crash in xs_init_match when a clone's m->udata points at the
      parent.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* option: remove last traces of intrapositional negation | Jan Engelhardt | 2011-07-10 | 3 | -39/+0
      Intrapositional negation was deprecated in 1.4.3.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: ignore whitespace in the multiaddress argument parser | Jan Engelhardt | 2011-07-09 | 1 | -0/+4
      References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: properly reject empty hostnames | Jan Engelhardt | 2011-07-09 | 1 | -26/+20
      An empty hostname in the address list of an -s/-d argument, which may
      be the result of a typo, is interpreted as 0/0, which, when combined
      with -j ACCEPT, leads to an undesired opening of the firewall.

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
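Added example, not libxtables code and not the patch above, covering the two bug 727 commits together: a parser for the comma-separated address list of an -s/-d argument that ignores whitespace around each element and rejects an empty element outright instead of letting it fall through to the address resolver, where the commit says it ended up as 0/0. It is simplified to numeric IPv4 addresses with an optional prefix length (the real parser also resolves hostnames). The names addr_spec, parse_one and parse_address_list are hypothetical; the address lists are constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxtables code.  Splitting the comma-separated
 * address list of an -s/-d argument into address/mask pairs.  The two
 * behaviours from the commits above: whitespace around an element is
 * ignored (bug 727), and an empty element ("a,,b", a trailing comma,
 * or an all-blank argument) is a hard error.  Silently resolving "" to
 * 0/0 would turn a typo into a match-anything rule, and with -j ACCEPT
 * that opens the firewall.  An explicit "0.0.0.0/0" is still allowed;
 * the point is that "any" must be written, not implied. */

struct addr_spec {
    uint32_t addr;      /* network byte order, already masked */
    uint32_t mask;      /* network byte order */
};

/* Parse one element "A.B.C.D" or "A.B.C.D/prefix" of LEN bytes (not
 * NUL-terminated).  Returns 1 on success, 0 on any error. */
static int parse_one(const char *s, size_t len, struct addr_spec *out)
{
    char buf[64], *slash, *end;
    struct in_addr in;
    unsigned long prefix = 32;

    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (!isdigit((unsigned char)slash[1]))
            return 0;
        prefix = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || prefix > 32)
            return 0;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)   /* numeric only in this example */
        return 0;

    out->mask = prefix == 0 ? 0 : htonl(0xffffffffu << (32 - prefix));
    out->addr = in.s_addr & out->mask;
    return 1;
}

/* Parse LIST into OUT (at most MAX entries).  Returns the number of
 * elements, or -1 if the list holds more than MAX elements or any
 * element is empty or malformed. */
static int parse_address_list(const char *list, struct addr_spec *out, int max)
{
    int n = 0;
    const char *p = list;

    for (;;) {
        const char *comma = strchr(p, ',');
        const char *end = comma != NULL ? comma : p + strlen(p);

        while (p < end && isspace((unsigned char)*p))      /* ignore whitespace */
            p++;
        while (end > p && isspace((unsigned char)end[-1]))
            end--;
        if (end == p)                   /* empty hostname: reject, never 0/0 */
            return -1;
        if (n == max || !parse_one(p, (size_t)(end - p), &out[n]))
            return -1;
        n++;
        if (comma == NULL)
            return n;
        p = comma + 1;
    }
}

int main(void)
{
    struct addr_spec a[4];
    const char *inputs[] = { "10.0.0.1, 192.168.0.0/16", "10.0.0.1,,10.0.0.2",
                             "10.0.0.1,", "0.0.0.0/0" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s -> %d\n", inputs[i], parse_address_list(inputs[i], a, 4));
    return 0;
}
```

The check that matters is the `end == p` test after trimming: it runs before any resolver is consulted, so nothing downstream ever sees an empty name and has to decide what it means.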
* iptables: restore negation for -f | Jan Engelhardt | 2011-07-05 | 1 | -1/+1
      This move was missed in commit v1.4.11~77^2~6.

      References: http://bugs.debian.org/632695
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: the -m option cannot be inverted | Jan Engelhardt | 2011-07-04 | 2 | -6/+0
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix version string in ip6tables.8 | Jan Engelhardt | 2011-07-04 | 1 | -1/+1
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: mention multiple verbosity flags | Jan Engelhardt | 2011-06-30 | 2 | -2/+4
      "-vv" can be used to further increase the verbosity level. Document this.

      References: http://bugs.debian.org/616037
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables-apply: select default rule file depending on call name | Martin F. Krafft | 2011-06-30 | 1 | -12/+13
      ip6tables-apply points to iptables-apply (which is good). Since
      iptables/ip6tables rule files are different, the reporter suggests that
      the DEFAULT_FILE variable should depend on whether iptables-apply or
      ip6tables-apply is run.

      References: http://bugs.debian.org/547734
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: attempt to fix building under Linux 2.4 | Jan Engelhardt | 2011-06-24 | 1 | -1/+6
      iptables no longer compiles for Linux 2.4 because it uses linux/magic.h.
      This header and the PROC_SUPER_MAGIC macro are only for Linux 2.6.

      xtables.c:35:52: error: linux/magic.h: No such file or directory
      xtables.c: In function 'proc_file_exists':
      xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in this function)
      xtables.c:389: error: (Each undeclared identifier is reported only once for each function it appears in.)

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: RESOURCE_LEAK | Jiri Popelka | 2011-06-22 | 1 | -0/+1
      xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
      xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
      xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
      xtables.c:304: return_alloc: Returning allocated memory "ret".
      xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
      xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
      xtables.c:348: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
      xtables.c:348: leaked_storage: Returning without freeing "modprobe" leaks the storage that it points to.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: VARARGS | Jiri Popelka | 2011-06-22 | 1 | -3/+9
      xtables.c:931: va_init: Initializing va_list "args".
      xtables.c:938: missing_va_end: va_end was not called for "args".
      xtables.c:947: missing_va_end: va_end was not called for "args".
      xtables.c:961: missing_va_end: va_end was not called for "args".

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: REVERSE_INULL | Jiri Popelka | 2011-06-22 | 3 | -6/+3
      ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
      ip6tables-restore.c:463: check_after_deref: Dereferencing "in" before a null check.
      iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
      iptables-restore.c:468: check_after_deref: Dereferencing "in" before a null check.
      iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
      iptables-xml.c:873: check_after_deref: Dereferencing "in" before a null check.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: support for per-extension instance "global" variable space | Jan Engelhardt | 2011-06-21 | 2 | -0/+22
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: consolidate target/match init call | Jan Engelhardt | 2011-06-21 | 4 | -14/+22
      This is useful for the upcoming patch about per-instance auxiliary data.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: include matches/targets in manpage again | Jan Engelhardt | 2011-06-09 | 1 | -2/+2
      Evil sed did not throw any warning whatsoever when it cannot find the
      file.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* option: fix ignored negation before implicit extension loading | Jan Engelhardt | 2011-06-07 | 4 | -8/+18
      `iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not
      present in a subsequent `iptables -S`. Commit v1.4.11~77^2~9 missed the
      fact that after autoloading a proto extension, cs.invert must not be
      touched until the next getopt call. This is now fixed by having
      command_default return a value to indicate whether to jump or not.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all iptables pieces into a separate directory | Jan Engelhardt | 2011-06-07 | 30 | -0/+11293
      (Unclutter top-level dir)

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>