Jan Engelhardt [Thu, 24 Jun 2010 19:13:47 +0000 (21:13 +0200)]
libxt_hashlimit: always print burst value
iptables -L lists the burst value, and so should iptables -S. I was
certainly surprised to see it gone even when explicitly specifying
--hashlimit-burst 5 on the command line.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jozsef Kadlecsik [Wed, 16 Jun 2010 10:45:33 +0000 (12:45 +0200)]
libxt_set: new revision added
libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):
ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
Dmitry V. Levin [Thu, 20 May 2010 14:00:48 +0000 (16:00 +0200)]
extensions: MASQUERADE: fix --to-ports parser
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
such port range errors as "1a-2" and "1-2a".
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Dmitry V. Levin [Fri, 14 May 2010 11:24:51 +0000 (13:24 +0200)]
extensions: REDIRECT: fix --to-ports parser
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
several types of port range errors, including:
"-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Karl Hiramoto [Mon, 10 May 2010 15:50:41 +0000 (17:50 +0200)]
iptables: optionally disable largefile support
Many toolchains for embedded systems don't have largefile support:
usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
/build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
# iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
iptables v1.4.7: Unknown event type "assured"
Try `iptables -h' or 'iptables --help' for more information.
However, `assured' is one of the supported arguments for --ctevents.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vincent Bernat [Wed, 21 Apr 2010 12:48:26 +0000 (14:48 +0200)]
iprange: fix xt_iprange v0 parsing
iprange_parse() was incomplete and did not include parsed ranges into
ipt_iprange_info structure resulting in always adding range
0.0.0.0-0.0.0.0 in the kernel.
Moreover, when using --dst-range, error messages may display
--src-range instead. Fix this too.
Signed-off-by: Vincent Bernat <bernat@luffy.cx> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Tue, 16 Mar 2010 15:49:21 +0000 (16:49 +0100)]
iptables: correctly check for too-long chain/target/match names
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 10 Mar 2010 23:24:14 +0000 (00:24 +0100)]
libxt_comment: avoid use of IPv4-specific examples
Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.
References: http://bugs.debian.org/572628 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Dmitry V. Levin [Thu, 18 Feb 2010 17:08:31 +0000 (18:08 +0100)]
libip4tc: Add static qualifier to dump_entry()
Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Sun, 31 Jan 2010 21:42:52 +0000 (22:42 +0100)]
includes: header updates
Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.
Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 22:45:33 +0000 (00:45 +0200)]
iptables/extensions: make bundled options work again
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which if properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 27 Oct 2009 01:59:33 +0000 (02:59 +0100)]
iptables: fix undersized deletion mask creation
The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.
This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)
Jan Engelhardt [Mon, 26 Oct 2009 17:43:54 +0000 (18:43 +0100)]
libiptc: fix wrong maptype of base chain counters on restore
When a ruleset that does not reset any chain policies/counters, such as
*filter
COMMIT
is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling everytime iptables-restore is called.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 29 Oct 2009 18:03:38 +0000 (19:03 +0100)]
iprange: warn on reverse range (log)
Reverse ranges like B-A cause packets to be generally never matched,
as an address S does not match >=B && <=A (except for the border case
where S=A=B).
The kernel module itself does not check for reverse ranges, and it
seems nicer to check that in userspace anyway.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:35:49 +0000 (23:35 +0200)]
libiptc: avoid strict-aliasing warnings
In file included from libiptc/libip4tc.c:117:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘iptc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip4tc.c: In function ‘dump_entry’:
libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:112:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘ip6tc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip6tc.c: In function ‘dump_entry’:
libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:40:02 +0000 (23:40 +0200)]
libiptc: remove unused functions
Fix the two warnings in libiptc.c:
CC libiptc/libip4tc.lo
libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
CC libiptc/libip6tc.lo
libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 11 Oct 2009 07:56:18 +0000 (03:56 -0400)]
Support for nommu arches
Linux systems that lack a MMU cannot call fork(). Fortunately, the
only place in iptables that uses fork() follows it by an exec(), so
we can easily convert the code to vfork().
Jan Engelhardt [Thu, 20 Aug 2009 15:15:22 +0000 (17:15 +0200)]
manpages: more fixes to minuses, hyphens, dashes
Debian still carries patches patches to the iptables nroff code touching
ASCII minuses, so I thought, what's it this time.
Eventually, this patch tries to straighten things once more, per
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .
Titles will get the em dash; all typed commands or parameters with a
hyphen get a minus (so that man(1) hyperlinking and copy-pasting does
work), but other mentions get the hyphen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Laurence J. Lane [Thu, 20 Aug 2009 15:14:25 +0000 (17:14 +0200)]
manpage: fix lintian warnings
Description: extraneous slash caused this lintian warning:
W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz
220: cannot use newline as a starting delimiter
W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz
1823: warning: `precedence'' not defined
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Trent W. Buck [Thu, 20 Aug 2009 15:13:27 +0000 (17:13 +0200)]
ipt_set: fix a typo in the manpage
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Florian Westphal [Thu, 20 Aug 2009 14:39:05 +0000 (16:39 +0200)]
libxt_NFQUEUE: add new v1 version with queue-balance option
New version that adds support for specifying a queue range instead
of a single queue id.
The kernel will distribute flows across the given queue range.
This is useful for multicore systems, simply start multiple instances
of the userspace program on queues x, x+1, .. x+n and use
"--queue-balance x:x+n".
Packets belonging to the same connection are put into the same queue.
With fixes from Jan Engelhardt.
Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Sat, 25 Jul 2009 16:18:36 +0000 (18:18 +0200)]
build: build only iptables-multi
I see no pressing reason to install all single programs when the
multi binary can do the job. Within the build directory, developers
can run the components by means of, for example,
./ip6tables-multi {main|restore|save} ...
And when make install-ed, symlinks are available.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 23 Jul 2009 18:21:45 +0000 (20:21 +0200)]
build: fix struct size mismatch
Mixing code compiled with and without -DNO_SHARED_LIBS is fine as
long as the structs have the same layout. This patch prevents a
potential (currently non-triggerable) "ip6tables: target (null)<123>
is missing a version" error.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 25 Jul 2009 12:28:07 +0000 (14:28 +0200)]
multi binary: allow subcommand via argv[1]
libtool does not play well with symlinks when trying to run commands
in the build directory. So provide an alternate way to call
iptables-multi: when argv[0] is not a recognized name, inspect [1]
for an alternate identifer.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
projects / thirdparty / iptables.git / log
