Jan Engelhardt [Mon, 13 Sep 2010 13:35:18 +0000 (15:35 +0200)]
iptables-xml: resolve compiler warnings
iptables-xml.c: In function "parse_counters":
iptables-xml.c:70:8: warning: assignment from incompatible pointer type
iptables-xml.c:71:8: warning: assignment from incompatible pointer type
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 3 Aug 2010 17:58:38 +0000 (19:58 +0200)]
build: fix static linking
Gabor Z. Papp noted this link-time error when configuring with
--enable-static:
extensions/libext4.a(initext4.o): In function "init_extensions":
extensions/initext4.c:144: undefined reference to "libxt_IDLETIMER_init"
extensions/initext4.c:145: undefined reference to "libxt_TEE_init"
Indeed, since the two modules did not use our special macro "_init"
(which expands to libxt_foo_init), initext4.c could not find them by
that name. Correct this.
References: http://marc.info/?l=netfilter&m=128085480927924&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Eric Dumazet [Fri, 23 Jul 2010 14:15:14 +0000 (16:15 +0200)]
extension: add xt_cpu match
Kernel 2.6.36 supports xt_cpu match
In some situations a CPU match permits a better spreading of
connections, or select targets only for a given cpu.
With Remote Packet Steering or multiqueue NIC and appropriate IRQ
affinities, we can distribute traffic on available cpus, per session.
(all RX packets for a given flow are handled by a given cpu)
Some legacy applications being not SMP friendly, one way to scale a
server is to run multiple copies of them.
Instead of randomly choosing an instance, we can use the cpu number as a
key so that softirq handler for a whole instance is running on a single
cpu, maximizing cache effects in TCP/UDP stacks.
Using NAT for example, a four ways machine might run four copies of
server application, using a separate listening port for each instance,
but still presenting a unique external port:
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
-j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
-j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
-j REDIRECT --to-port 8082
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
-j REDIRECT --to-port 8083
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Hannes Eder [Fri, 23 Jul 2010 10:51:26 +0000 (12:51 +0200)]
libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
The user-space library for the netfilter matcher xt_ipvs.
[ trivial up-port by Simon Horman <horms@verge.net.au> ]
Signed-off-by: Hannes Eder <heder@google.com>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
extensions: libxt_rateest: fix bps options for iptables-save
The output generated by the libxt_rateest extension for bps matches
was wrong and could not be restored properly. This patch fixes this
problem by using the correct options in the right order when saving
the table.
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This adds a `CHECKSUM' target, which can be used in the iptables mangle
table.
You can use this target to compute and fill in the checksum in
a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp clients,
that do not work well with checksum offloads, but don't want to disable
checksum offload in your device.
The problem happens in the field with virtualized applications.
For reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html
Typical expected use (helps old dhclient binary running in a VM):
iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
-j CHECKSUM --checksum-fill
Includes fixes by Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Thu, 24 Jun 2010 19:13:47 +0000 (21:13 +0200)]
libxt_hashlimit: always print burst value
iptables -L lists the burst value, and so should iptables -S. I was
certainly surprised to see it gone even when explicitly specifying
--hashlimit-burst 5 on the command line.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jozsef Kadlecsik [Wed, 16 Jun 2010 10:45:33 +0000 (12:45 +0200)]
libxt_set: new revision added
libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):
ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
Dmitry V. Levin [Thu, 20 May 2010 14:00:48 +0000 (16:00 +0200)]
extensions: MASQUERADE: fix --to-ports parser
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
such port range errors as "1a-2" and "1-2a".
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Dmitry V. Levin [Fri, 14 May 2010 11:24:51 +0000 (13:24 +0200)]
extensions: REDIRECT: fix --to-ports parser
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
several types of port range errors, including:
"-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
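The kind of strict --to-ports validation the MASQUERADE and REDIRECT entries above describe, as an added example. It is not the iptables code and does not use xtables_strtoui() or xtables_param_act(); parse_port() and parse_port_range() are hypothetical names, and rejecting a reversed range is an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Parse one decimal port. strtoul() alone is too lenient here: it skips
 * blanks and accepts a sign, so the first character is checked by hand. */
static int parse_port(const char *s, const char **end, unsigned int *port)
{
	char *e;
	unsigned long v;

	if (*s < '0' || *s > '9')	/* rejects "", "-1", "a-1", " 1" */
		return -1;
	v = strtoul(s, &e, 10);
	if (v > 65535)			/* also catches ULONG_MAX on overflow */
		return -1;
	*port = (unsigned int)v;
	*end = e;			/* first character not consumed */
	return 0;
}

/* Accepts "N" or "N-M" with 0 <= N <= M <= 65535 and nothing else.
 * Rejecting M < N is this example's choice (assumption). */
int parse_port_range(const char *arg, unsigned int *min, unsigned int *max)
{
	const char *end;

	if (parse_port(arg, &end, min) != 0)
		return -1;
	if (*end == '\0') {		/* single port */
		*max = *min;
		return 0;
	}
	if (*end != '-')		/* junk after first number: "1a-2" */
		return -1;
	if (parse_port(end + 1, &end, max) != 0 || *end != '\0')
		return -1;		/* "1-", "1-a", "1-2a" */
	return *max < *min ? -1 : 0;
}

int main(void)
{
	/* Constructed inputs; the malformed ones are quoted in the commit messages. */
	const char *in[] = { "0", "8080-8083", "-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a" };
	unsigned int lo, hi;

	for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("%-10s %s\n", in[i], parse_port_range(in[i], &lo, &hi) ? "rejected" : "ok");
	return 0;
}
```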
Karl Hiramoto [Mon, 10 May 2010 15:50:41 +0000 (17:50 +0200)]
iptables: optionally disable largefile support
Many toolchains for embedded systems don't have largefile support:
usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
/build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
# iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
iptables v1.4.7: Unknown event type "assured"
Try `iptables -h' or 'iptables --help' for more information.
However, `assured' is one of the supported arguments for --ctevents.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vincent Bernat [Wed, 21 Apr 2010 12:48:26 +0000 (14:48 +0200)]
iprange: fix xt_iprange v0 parsing
iprange_parse() was incomplete and did not include parsed ranges into
ipt_iprange_info structure resulting in always adding range
0.0.0.0-0.0.0.0 in the kernel.
Moreover, when using --dst-range, error messages may display
--src-range instead. Fix this too.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Tue, 16 Mar 2010 15:49:21 +0000 (16:49 +0100)]
iptables: correctly check for too-long chain/target/match names
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 10 Mar 2010 23:24:14 +0000 (00:24 +0100)]
libxt_comment: avoid use of IPv4-specific examples
Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.
References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Dmitry V. Levin [Thu, 18 Feb 2010 17:08:31 +0000 (18:08 +0100)]
libip4tc: Add static qualifier to dump_entry()
Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Sun, 31 Jan 2010 21:42:52 +0000 (22:42 +0100)]
includes: header updates
Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.
Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 22:45:33 +0000 (00:45 +0200)]
iptables/extensions: make bundled options work again
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which is properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
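The difference between optarg and argv[optind-1] for a bundled option, as an added example that is not taken from the iptables sources. It uses plain getopt() with only a -p option; first_proto() and the sample command lines are hypothetical.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Scan argv for the first -p option and record the protocol string as seen
 * through optarg and through argv[optind - 1]. Returns 0 if -p was found. */
int first_proto(int argc, char **argv, char *via_optarg, char *via_optind, size_t n)
{
	int c;

	optind = 1;	/* restart scanning so the function can be called again */
	opterr = 0;	/* no diagnostics from getopt itself */
	while ((c = getopt(argc, argv, "p:")) != -1) {
		if (c != 'p')
			continue;
		snprintf(via_optarg, n, "%s", optarg);
		snprintf(via_optind, n, "%s", argv[optind - 1]);
		return 0;
	}
	return -1;
}

int main(void)
{
	/* Constructed command lines: bundled and separated spelling of -p tcp. */
	char *bundled[] = { "iptables", "-ptcp", NULL };
	char *split[] = { "iptables", "-p", "tcp", NULL };
	char a[16], b[16];

	first_proto(2, bundled, a, b, sizeof(a));
	printf("bundled: optarg=%s argv[optind-1]=%s\n", a, b);
	first_proto(3, split, a, b, sizeof(a));
	printf("split:   optarg=%s argv[optind-1]=%s\n", a, b);
	return 0;
}
```

Both spellings give the same optarg; only the separated form gives the same string through argv[optind-1].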
Jan Engelhardt [Tue, 27 Oct 2009 01:59:33 +0000 (02:59 +0100)]
iptables: fix undersized deletion mask creation
The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.
This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)
Jan Engelhardt [Mon, 26 Oct 2009 17:43:54 +0000 (18:43 +0100)]
libiptc: fix wrong maptype of base chain counters on restore
When a ruleset that does not reset any chain policies/counters, such as
*filter
COMMIT
is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling every time iptables-restore is called.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 29 Oct 2009 18:03:38 +0000 (19:03 +0100)]
iprange: warn on reverse range (log)
Reverse ranges like B-A cause packets to be generally never matched,
as an address S does not match >=B && <=A (except for the border case
where S=A=B).
The kernel module itself does not check for reverse ranges, and it
seems nicer to check that in userspace anyway.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:35:49 +0000 (23:35 +0200)]
libiptc: avoid strict-aliasing warnings
In file included from libiptc/libip4tc.c:117:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘iptc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip4tc.c: In function ‘dump_entry’:
libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:112:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘ip6tc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip6tc.c: In function ‘dump_entry’:
libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:40:02 +0000 (23:40 +0200)]
libiptc: remove unused functions
Fix the two warnings in libiptc.c:
CC libiptc/libip4tc.lo
libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
CC libiptc/libip6tc.lo
libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>