Commit message | Author | Age | Files | Lines
This patch adds the software version to the first line of the
following manpages:
iptables-save.8
iptables-restore.8
iptables-apply.8
iptables-xml.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-xml.8 was moved to iptables-xml.1.
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
CMD_ZERO_NUM is 14, so it has to be defined in position 15 in the
commands_v_options array. This does not manifest easily since
commands from 9 to 14 have a very similar pattern in such array.
Based on this patch: http://patchwork.ozlabs.org/patch/188153/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
To retrieve:
iptables: correctly reference generated file
Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)
Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
A couple of improvements to the iptables man page never made it into
the ip6tables version.
The number of differences between these two files is so small that
it seems preferable to alias the ipv6 man pages to their ipv4 counterpart
and change iptables man page to specifically document differences
(e.g. lack of ip6tables -f, etc).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
... and remove the QUEUE snippets from ip(6)tables man page,
the queue target was replaced by nfqueue years ago.
Fix up a couple of needless differences in ip(6)tables.8, too.
Signed-off-by: Florian Westphal <fw@strlen.de>
Similar to (2165f38 iptables-restore: fix parameter parsing
(shows up with gcc-4.7)), make sure iptables-xml doesn't hit
the same problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account
This closes netfilter bugzilla #679.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:
iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file, thus hitting the lock error
after the second command.
Fix it by bypassing the locking in the ip{6}tables-restore path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:
325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts
As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."
I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.
Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
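The locking scheme the message describes, as an added example that is not iptables' own code: a process binds a stream socket to a name in the abstract UNIX socket namespace; bind() fails with EADDRINUSE while another process holds that name, and the kernel releases the name when the holder's last descriptor is closed, including when the holder dies, so an abnormally terminated process cannot leave a stale lock behind. Abstract names are scoped to the network namespace, which is what keeps instances in different namespaces from contending. The socket name LOCK_NAME and the retry helper modelled on the -w option are assumptions of this example.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Abstract-namespace socket name used as the lock. The name is an
 * assumption for this example, not the one the iptables binary binds.
 * Linux only: the abstract namespace does not exist elsewhere. */
#define LOCK_NAME "example-xtables-lock"

/* Try once to take the lock. Returns a socket fd on success; the lock is
 * held until that fd is closed, which the kernel also does when the
 * process exits or is killed, so no pidfile clean-up is needed. Returns
 * -1 with errno set on failure; EADDRINUSE means another holder exists. */
int lock_try(void)
{
    struct sockaddr_un addr;
    socklen_t len;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    /* A leading NUL byte in sun_path selects the abstract namespace:
     * nothing is created on the filesystem, so read-only roots work. */
    memcpy(addr.sun_path + 1, LOCK_NAME, strlen(LOCK_NAME));
    len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + strlen(LOCK_NAME));
    if (bind(fd, (const struct sockaddr *)&addr, len) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Like a -w option: retry every interval_ms, at most max_tries times. */
int lock_wait(int max_tries, int interval_ms)
{
    int i, fd;

    for (i = 0; i < max_tries; i++) {
        fd = lock_try();
        if (fd >= 0 || errno != EADDRINUSE)
            return fd;              /* got it, or a non-contention error */
        poll(NULL, 0, interval_ms); /* portable millisecond sleep */
    }
    errno = EADDRINUSE;
    return -1;
}

void lock_release(int fd)
{
    if (fd >= 0)
        close(fd);
}

/* Walk through the contention behaviour in one process. Returns 0 when
 * every step behaved as expected, else the number of the failing step. */
int lock_demo(void)
{
    int first = lock_try();
    int second, third;

    if (first < 0)
        return 1;                   /* a free lock must be obtainable */
    second = lock_try();
    if (second >= 0 || errno != EADDRINUSE) {
        lock_release(second);
        lock_release(first);
        return 2;                   /* a second holder must be refused */
    }
    if (lock_wait(3, 10) >= 0) {
        lock_release(first);
        return 3;                   /* waiting cannot succeed while held */
    }
    lock_release(first);            /* as if the first process exited */
    third = lock_wait(3, 10);
    if (third < 0)
        return 4;                   /* the name must be free again */
    lock_release(third);
    return 0;
}

int main(void)
{
    return lock_demo();
}
```

A real ip[6]tables-restore would take the lock once for the whole batch rather than per rule, which is the follow-up problem the later commit on this page addresses; in this layout that means calling lock_try() before the first do_command and lock_release() after the last.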
This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@
was not processed in the VERSION section. It also simplifies the
Makefile by avoiding some sed commands.
[ Mangled this patch to rename iptables-extensions.8.in to
iptables-extensions.8.tmpl.in to avoid having a file whose name
is terminated by .in.in --pablo ]
Signed-off-by: Andy Spencer <andy753421@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
As the man page shows --protocol not --proto, also do so in the usage
text displayed by ip[6]tables -h.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch changes the NETMAP target extension (IPv6 side) to use
the xtables_ip6mask_to_cidr available in libxtables.
As a side effect, we get rid of the libip6tc dependency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This closes bugzilla:
http://bugzilla.netfilter.org/show_bug.cgi?id=807
Reported-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Based on the IPv4 description.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The match/target alias allows us to support the syntax of matches and
targets merged into other matches/targets.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function is used by both iptables and ip6tables; refactor it to
avoid lines of code longer than 80 columns.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function is shared by iptables and ip6tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes bugzilla id 797.
Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.
# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.
To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.
[ I have mangled this patch to remove an unnecessarily large comment.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This regression was added by:
commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue Sep 4 05:24:47 2012 +0200
iptables: support for target aliase
The result is that:
iptables -I INPUT -j ACCEPT
says:
iptables: No chain/target/match by that name.
This also breaks iptables-restore, of course. Jan, you'll have to explain to me
how you have tested this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflicts:
extensions/GNUmakefile.in
Resolution: trivial, since this was a fuzz 3.
Reason: Line added from v1.4.15-16-g33710a5 was in the vicinity of changes
from v1.4.15-22-g4496801.
References: http://bugs.debian.org/660748
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
iptables.8 and ip6tables.8 had pretty much the same content, with a few
protocol-specific deviations here and there. Not only did that bloat the
manpages, but it also made it harder to spot differences. Separate out
the extension descriptions into a new manpage, which conveniently
features differences next to one another (cf. REJECT).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
This patch allows for target names listed on the command line to be
rewritten to new names and revisions.
As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
Note that it says -X when we have used -P.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch moves the parameter parsing to one function to reduce
one level of indentation. Jan Engelhardt likes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
save-restore syntax uses *table, not -t table.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes parameter parsing in iptables-restore, a problem that has
been there for some time. The problem has shown up with gcc-4.7. This version
of gcc seems to perform more aggressive memory management than previous ones.
Peter Lekensteyn provided the following sample code similar to the one
in iptables-restore:

    #include <stdio.h>

    int main(void)
    {
        int i = 0;
        for (;;) {
            char x[5];       /* a new object on every iteration */
            x[i] = '0' + i;
            if (++i == 4) {
                x[i] = '\0'; /* terminate string with null byte */
                printf("%s\n", x);
                break;
            }
        }
        return 0;
    }

Many may expect 0123 as output. But GCC 4.7 does not do that when compiling
with optimization enabled (-O1 and higher). It instead puts random data in the
first bytes of the character array, which becomes:

    index:    0        1        2        3     4
    content:  RANDOM   RANDOM   RANDOM   '3'   '\0'

Since the array is declared inside the scope of the loop's body, you can think
of it as a new array being allocated in the automatic storage area for each
loop iteration.
The correct code should be:

    #include <stdio.h>

    int main(void)
    {
        int i = 0;
        char x[5];           /* one object for the whole loop */
        for (;;) {
            x[i] = '0' + i;
            if (++i == 4) {
                x[i] = '\0'; /* terminate string with null byte */
                printf("%s\n", x);
                break;
            }
        }
        return 0;
    }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.
Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).
This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.
But, in reality, it also fixes iptables when compiled with gcc-4.7.
Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.
@@ -380,9 +380,9 @@
quote_open = 0;
escaped = 0;
param_len = 0;
+ char param_buffer[1024];
for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
if (quote_open) {
if (escaped) {
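Review bot: the hoisting is the right fix, but the cause is object lifetime rather than bad code generation: a `char param_buffer[1024];` declared inside the `for` body is a fresh object with indeterminate contents on every iteration, so bytes stored through `param_buffer[param_len++]` in one iteration may not legitimately be read back in a later one, and gcc-4.7 at -O1 is entitled to drop those stores. Declaring it before the loop gives the buffer one lifetime across all iterations; the commit message should say so instead of blaming the compiler. Two follow-ups for this hunk: the new declaration lands after the `quote_open = 0; escaped = 0; param_len = 0;` statements, which is C99-only mixed declarations and statements, so move it up with the function's other locals if C89 builds matter; and since `param_len` is reset to 0 here and indexes a 1024-byte buffer, confirm the store path checks `param_len < sizeof(param_buffer) - 1` before writing, because nothing in this hunk shows a bound.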
But I have a hard time applying this patch in such a way. Instead, I came
up with the idea of this cleanup, which does not harm after all (and fixes
the issue for us).
Someone in:
https://bugzilla.redhat.com/show_bug.cgi?id=82579
put some light on this:
"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes
param_buffer[param_len++] = *curchar;
continue;
At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.
Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Else, argv[argc] may point to free'd memory.
Some extensions, e.g. rateest, may fail to parse valid input
because argv[optind] (with optind == argc) is not NULL.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
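An added example, not code from iptables-restore, of the tokenizer shape discussed in the two gcc-4.7 commits above and of the argv[argc] == NULL terminator this commit requires: the parameter buffer is declared once outside the scan loop, every store into it is bounds-checked, and the resulting argv[] is NULL-terminated on both the success and the error path. Function names, the 1024-byte limit taken from the hunk, and the sample rule lines are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

#define PARAM_MAX 1024          /* buffer size taken from the hunk above */

static char *dup_string(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p) {
        memcpy(p, s, n);
        p[n] = '\0';
    }
    return p;
}

/* Release an argv built by split_params(); relies on argv[argc] == NULL. */
void free_params(char **argv)
{
    int i;
    for (i = 0; argv[i] != NULL; i++)
        free(argv[i]);
    argv[0] = NULL;
}

/* Split one rule line into argv[], honouring double quotes and backslash
 * escapes as iptables-restore input uses them. On success argv[0..argc-1]
 * are malloc'd strings, argv[argc] is NULL and argc is returned. Returns -1
 * (argv emptied) on an unterminated quote, a trailing backslash, a parameter
 * of PARAM_MAX-1 bytes or more, or more than max_argc-1 parameters. */
int split_params(const char *line, char **argv, int max_argc)
{
    char param_buffer[PARAM_MAX]; /* one object for the whole scan, not per iteration */
    size_t param_len = 0;
    int argc = 0, quote_open = 0, escaped = 0, in_token = 0;
    const char *c;

    argv[0] = NULL;
    for (c = line; ; c++) {
        char ch = *c;
        if (escaped) {                      /* byte following a backslash */
            if (ch == '\0' || param_len >= PARAM_MAX - 1)
                goto fail;
            param_buffer[param_len++] = ch;
            escaped = 0;
            continue;
        }
        if (ch == '\\') {
            escaped = in_token = 1;
            continue;
        }
        if (ch == '"') {
            quote_open = !quote_open;
            in_token = 1;                   /* "" is a valid empty argument */
            continue;
        }
        if (quote_open) {
            if (ch == '\0' || param_len >= PARAM_MAX - 1)
                goto fail;                  /* unterminated or over-long */
            param_buffer[param_len++] = ch;
            continue;
        }
        if (ch == ' ' || ch == '\t' || ch == '\n' || ch == '\0') {
            if (in_token) {
                if (argc >= max_argc - 1)   /* keep one slot for the NULL */
                    goto fail;
                argv[argc] = dup_string(param_buffer, param_len);
                if (argv[argc] == NULL)
                    goto fail;
                argv[++argc] = NULL;        /* terminator kept up to date */
                param_len = 0;
                in_token = 0;
            }
            if (ch == '\0')
                return argc;
            continue;
        }
        if (param_len >= PARAM_MAX - 1)
            goto fail;                      /* bound checked before every store */
        param_buffer[param_len++] = ch;
        in_token = 1;
    }
fail:
    free_params(argv);
    return -1;
}

/* Check helpers: parameter count of a line, and whether parameter idx
 * equals expect. Both free what split_params() allocated. */
int demo_count(const char *line)
{
    char *argv[32];
    int n = split_params(line, argv, 32);
    if (n >= 0)
        free_params(argv);
    return n;
}

int demo_param_is(const char *line, int idx, const char *expect)
{
    char *argv[32];
    int n = split_params(line, argv, 32);
    int ok = n > idx && strcmp(argv[idx], expect) == 0;
    if (n >= 0)
        free_params(argv);
    return ok;
}

/* A 1499-byte parameter must be rejected, not silently truncated. */
int demo_overlong(void)
{
    char line[1500];
    memset(line, 'x', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    return demo_count(line);
}
```

The argv produced here can be handed to getopt_long() or to an extension's parse hook directly; because argv[argc] is always NULL, a parser that walks argv[optind] with optind == argc sees the terminator rather than whatever a stale pointer happens to reference.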
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Command used:
git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)
and then fix all occurrences.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>