Jozsef Kadlecsik [Thu, 11 Jun 2009 10:27:09 +0000 (12:27 +0200)]
Updated set/SET match and target to support multiple ipset protocols.
By checking the protocol version of the kernel part, the sockopt type
of ipset protocols are all supported. Forward compatibility with the
netlink based protocol is missing.
The --set option of the set match is replaced by --match-set to avoid
clashing with the recent match, but the old option is also kept.
Manpages are updated, references to bindings removed.
Jan Engelhardt [Wed, 10 Jun 2009 18:18:43 +0000 (20:18 +0200)]
manpages: markup corrections
The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are a
freeform, automatically-wrapped text.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
kd6lvw [Sun, 7 Jun 2009 12:23:00 +0000 (14:23 +0200)]
libxt_connlimit: initialize v6_mask
When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
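The connlimit fix above hinges on one invariant: a prefix-to-mask conversion done by shifting only works if the 128-bit mask starts out as all ones. The block below is an added illustration, not the libxt_connlimit source; build_v6_mask, v6_in_prefix and first_mask_word are hypothetical names, and the prefill flag exists only so that the effect of skipping the initialisation can be observed side by side with the corrected behaviour.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Turn a prefix length (0..128) into a 128-bit mask held as four
 * network-order 32-bit words. The shift approach only yields a correct
 * mask when every word is all ones to begin with; `prefill` selects
 * whether that initialisation is done (1) or left out (0), which is the
 * defect the commit fixes. Hypothetical helper, not iptables code. */
static void build_v6_mask(uint32_t mask[4], unsigned int bits, int prefill)
{
    unsigned int i;

    if (prefill)
        memset(mask, 0xff, 16);
    else
        memset(mask, 0, 16);        /* what zero-initialised storage looks like */

    for (i = 0; i < 4; ++i) {
        if (bits >= 32) {
            bits -= 32;             /* whole word kept as-is: must be all ones */
        } else if (bits == 0) {
            mask[i] = 0;            /* no prefix bits left for this word */
        } else {
            mask[i] = htonl(ntohl(mask[i]) << (32 - bits));
            bits = 0;
        }
    }
}

/* Return 1 if addr lies within net/bits, 0 if not, -1 on bad input.
 * Always uses the correctly initialised mask. */
static int v6_in_prefix(const char *addr, const char *net, unsigned int bits)
{
    uint32_t a[4], n[4], mask[4];
    unsigned int i;

    if (bits > 128 || inet_pton(AF_INET6, addr, a) != 1 ||
        inet_pton(AF_INET6, net, n) != 1)
        return -1;
    build_v6_mask(mask, bits, 1);
    for (i = 0; i < 4; ++i)
        if ((a[i] & mask[i]) != (n[i] & mask[i]))
            return 0;
    return 1;
}

/* First mask word (host order) for a prefix, with or without the prefill,
 * so the two behaviours can be compared directly. */
static uint32_t first_mask_word(unsigned int bits, int prefill)
{
    uint32_t mask[4];

    build_v6_mask(mask, bits, prefill);
    return ntohl(mask[0]);
}
```

With prefill the /64 mask keeps its first two words as 0xffffffff; without it the same call leaves them zero, so a connlimit rule would group every IPv6 source into one bucket instead of one per /64.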
Jan Engelhardt [Mon, 1 Jun 2009 09:56:23 +0000 (11:56 +0200)]
extensions: use NFPROTO_UNSPEC for .family field
This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Most other extensions use strtoul (by means of xtables_strtoui)
and would abide by the standard convention of hex/octal prefixes
0x/0, and decimal otherwise, but CLASSIFY is an exception.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 4 Apr 2009 11:28:40 +0000 (13:28 +0200)]
iptables: print negation extrapositioned
This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 29 Mar 2009 22:44:46 +0000 (00:44 +0200)]
libxtables: reorder .version member
When the structure's layout changes, as it did between v1.4.1 and
v1.4.2, trying to compare the version string makes iptables segfault
while it tries to determine whether the module is compatible in the
first place.
By moving the member to a known offset in the struct and keeping it
there, objects (both iptables and 3rd party) compiled from this
commit onwards will avoid the segfault.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Peter Volkov [Tue, 24 Mar 2009 08:09:16 +0000 (11:09 +0300)]
build: fix linker issue when LDFLAGS contains --as-needed
The link of iptables-save fails on:
$ make LDFLAGS="-Wl,--as-needed"
[...]
extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
extensions/libxt_RATEEST.c:164: undefined reference to `log'
Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Peter Volkov [Tue, 24 Mar 2009 08:09:16 +0000 (11:09 +0300)]
libxtables: fix compile error due to incomplete change
Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update
the constant in one place, and the compile error triggered only
when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
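The chain-rename commit above describes a classic invariant violation: an index that is searched with bsearch must stay sorted after every mutation. The block below is an added illustration of that point, not libiptc code; chain_entry, chain_index_of, rename_chain and the four chain names are constructed for the example, and the resort flag only exists to show the lookup failing when the re-sort is skipped.

```c
#include <stdlib.h>
#include <string.h>

#define CHAIN_NAME_LEN 32
#define NCHAINS 4

/* Minimal stand-in for an indexed chain record (hypothetical). */
struct chain_entry {
    char name[CHAIN_NAME_LEN];
};

static int chain_cmp(const void *a, const void *b)
{
    return strcmp(((const struct chain_entry *)a)->name,
                  ((const struct chain_entry *)b)->name);
}

static void set_name(struct chain_entry *c, const char *name)
{
    strncpy(c->name, name, CHAIN_NAME_LEN - 1);
    c->name[CHAIN_NAME_LEN - 1] = '\0';
}

/* Binary-search lookup: only meaningful while the array is sorted by name.
 * Returns the index of the chain or -1. */
static int chain_index_of(const struct chain_entry *idx, size_t n,
                          const char *name)
{
    struct chain_entry key;
    const struct chain_entry *hit;

    set_name(&key, name);
    hit = bsearch(&key, idx, n, sizeof *idx, chain_cmp);
    return hit ? (int)(hit - idx) : -1;
}

/* Rename a chain in place. With `resort` set, the sort order the binary
 * search relies on is restored afterwards; without it the index is left
 * unsorted, which is the situation the commit fixes. */
static int rename_chain(struct chain_entry *idx, size_t n,
                        const char *old_name, const char *new_name, int resort)
{
    int i = chain_index_of(idx, n, old_name);

    if (i < 0)
        return 0;
    set_name(&idx[i], new_name);
    if (resort)
        qsort(idx, n, sizeof *idx, chain_cmp);
    return 1;
}

/* Constructed scenario: rename the last chain to a name that sorts first,
 * then look it up. Returns its index, or -1 if the search cannot find it. */
static int lookup_after_rename(int resort)
{
    static const char *names[NCHAINS] = { "APPLE", "BANANA", "MANGO", "ZEBRA" };
    struct chain_entry idx[NCHAINS];
    size_t i;

    for (i = 0; i < NCHAINS; ++i)
        set_name(&idx[i], names[i]);
    if (!rename_chain(idx, NCHAINS, "ZEBRA", "AAA", resort))
        return -2;
    return chain_index_of(idx, NCHAINS, "AAA");
}
```

Without the re-sort the renamed chain is still in the array, but every probe of the binary search moves left past it, so the lookup reports it as missing; with the re-sort it is found at index 0.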
Jan Engelhardt [Thu, 19 Mar 2009 15:57:35 +0000 (16:57 +0100)]
iptables-save: module loading corrections
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no table modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 19 Mar 2009 09:38:41 +0000 (10:38 +0100)]
libxtables: add -I/-L flags to pkgconfig files
These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
iptables: fix broken options-merging during libxtables rework
This patch fixes options-merging that was broken somewhere
during the libxtables rework. Before this patch, two pointers
were used to keep the current options, however, the options field
in xt_params was not appropriately updated. Thus, xtables_free_opts()
was not restoring the original options.
This patch fixes iptables-restore and ip6tables-restore that
stopped working in my personal firewall.
% iptables-restore
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables: Add limits.h to get INT_MIN, INT_MAX, ...
Fix build failure of iptables utilities on debian/ubuntu, maybe other distros.
The values INT_MIN and INT_MAX are used by many filters and these
are defined in limits.h.
---
patch against current iptables.git
Jan Engelhardt [Sat, 21 Feb 2009 03:00:21 +0000 (04:00 +0100)]
libxt_policy: use bounded strtoui
reqid and SPI can only have a value in the range 0..UINT32_MAX, not
the entire range of the "long" type. Also throw an error if the
incoming string does not look like a pure number.
Christian Perle [Tue, 17 Feb 2009 16:31:52 +0000 (17:31 +0100)]
libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff
http://bugzilla.netfilter.org/show_bug.cgi?id=577
When using the -m policy match, the option argument for --spi is converted
using strtol(), which returns a signed 32 bit value, so the highest
positive value is 0x7fffffff. Instead strtoul() should be used.
The same applies for the --reqid option argument.
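Both policy commits above come down to the same parsing rule: a 32-bit SPI or reqid must be read with an unsigned conversion, bounded to 0..UINT32_MAX, and rejected when the string is not a pure number. The block below is an added illustration of that rule, not the xtables_strtoui implementation or the libxt_policy source; parse_u32, u32_or_minus1 and spi_via_strtol are hypothetical names, and the strtol-based variant is kept only to show what the old code let through.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Parse an unsigned number in the usual 0x/0/decimal notation that must fit
 * in a 32-bit field. Returns 1 and stores the value on success; returns 0
 * when the string is empty, signed, has trailing junk, or is out of range.
 * Hypothetical helper modelled on the bounded-parse idea, not xtables code. */
static int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long v;

    /* strtoul silently accepts leading whitespace and a sign ("-1" becomes
     * ULONG_MAX), so reject those up front to keep "pure number" semantics. */
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s) ||
        *s == '-' || *s == '+')
        return 0;

    errno = 0;
    v = strtoul(s, &end, 0);        /* base 0: 0x.. hex, 0.. octal, else decimal */
    if (errno == ERANGE || *end != '\0')
        return 0;                   /* overflowed unsigned long, or trailing junk */
    if (v > UINT32_MAX)
        return 0;                   /* fits in long, but not in the 32-bit field */

    *out = (uint32_t)v;
    return 1;
}

/* Convenience wrapper: the parsed value, or -1 when parse_u32 rejects it. */
static long long u32_or_minus1(const char *s)
{
    uint32_t v;

    return parse_u32(s, &v) ? (long long)v : -1;
}

/* The pre-fix pattern: strtol() into a 32-bit field. Values above
 * 0x7fffffff cannot be represented where long is 32 bits wide, and on any
 * platform a negative input is wrapped into the field unnoticed. Returns the
 * stored field value, or -1 on trailing junk. */
static long long spi_via_strtol(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    v = strtol(s, &end, 0);
    if (*end != '\0')
        return -1;
    return (long long)(uint32_t)v;  /* silently wrapped into the field */
}
```

The unsigned variant accepts the full 0..0xffffffff range regardless of the width of long, while "-1" is rejected instead of turning into an SPI of 0xffffffff as it does through strtol.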
Jamal Hadi Salim [Fri, 13 Feb 2009 14:14:17 +0000 (09:14 -0500)]
libxtables: consolidate init calls into one function
Introduce xtables_init_all() which hides three calls xtables_init(),
xtables_set_nfproto(), and xtables_set_params(). Make
ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use
it.
I moved xtables_set_params around for readability reasons.
Jamal Hadi Salim [Fri, 13 Feb 2009 13:36:44 +0000 (08:36 -0500)]
libxtables: consolidate merge_options into xtables_merge_options
Introduce xtables_merge_options() for re-use reasons. Apps can use it
instead of each defining their own merge_options(). Made iptables and
ip6tables use the new shared interface.
Jamal Hadi Salim [Thu, 12 Feb 2009 16:43:01 +0000 (11:43 -0500)]
libxtables: make iptables and ip6tables use xtables_free_opts
The patch modifies xtables_globals to introduce orig_opts and
xtables_free_opts() to emulate what free_opts used to do. We also get
rid of the copies of free_opts() that iptables and ip6tables keep.
Jan Engelhardt [Thu, 12 Feb 2009 14:07:15 +0000 (15:07 +0100)]
libipq: fix compile error
libipq.c: In function `ipq_create_handle':
libipq.c:220: error: `NFPROTO_IPV4' undeclared (first use in this function)
libipq.c:220: error: (Each undeclared identifier is reported only once
libipq.c:220: error: for each function it appears in.)
libipq.c:222: error: `NFPROTO_IPV6' undeclared (first use in this function)
Add the required includes.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jamal Hadi Salim [Wed, 11 Feb 2009 12:05:43 +0000 (13:05 +0100)]
libxtables: simple aliasing macro for exit_error
Rename xtables_globals exit_error cb to exit_err and introduce
a very simple aliasing macro to point to it.
Convert iptables, ip6tables and iptables_xml to use it.
Note iptables_xml does not have to define its own exit_error()
since it can use the basic one provided.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jamal Hadi Salim [Wed, 11 Feb 2009 12:02:21 +0000 (13:02 +0100)]
libxtables: Add exit_error cb to xtables_globals
Introduce exit_error() as part of xtables_globals structure.
When an application registers its xtables_globals definition
and does not specify its exit_error() it gets assigned a
basic version.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jamal Hadi Salim [Wed, 11 Feb 2009 12:00:02 +0000 (13:00 +0100)]
libxtables: define xtables_free_opts()
Introduce xtables_free_opts(), an xtables variant of
free_opts() which uses xtables_globals already set
by xtables_set_params(). The end goal is to have all internal
references in xtables.c use xtables_free_opts() instead of
depending on externally defined free_opts().
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jamal Hadi Salim [Wed, 11 Feb 2009 11:58:54 +0000 (12:58 +0100)]
libxtables: Introduce global params structuring
Introduce a new struct, xtables_globals, so as to
localize the globals used and help in symbol renames.
The applications must invoke xtables_set_params() before starting
to use any iptables APIs.
xtables_set_params() is intended to free xtables from depending
(as it does right now) on the existence of such external definitions
(from iptables/iptables6 etc). At the moment, xtables won't even
compile without the presence of at least one of {iptables/iptables6 etc}.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>