Jan Engelhardt [Mon, 26 Oct 2009 17:43:54 +0000 (18:43 +0100)]
libiptc: fix wrong maptype of base chain counters on restore
When a ruleset that does not reset any chain policies/counters, such as
*filter
COMMIT
is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling everytime iptables-restore is called.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 29 Oct 2009 18:03:38 +0000 (19:03 +0100)]
iprange: warn on reverse range (log)
Reverse ranges like B-A cause packets to be generally never matched,
as an address S does not match >=B && <=A (except for the border case
where S=A=B).
The kernel module itself does not check for reverse ranges, and it
seems nicer to check that in userspace anyway.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:35:49 +0000 (23:35 +0200)]
libiptc: avoid strict-aliasing warnings
In file included from libiptc/libip4tc.c:117:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘iptc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip4tc.c: In function ‘dump_entry’:
libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:112:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘ip6tc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip6tc.c: In function ‘dump_entry’:
libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 23 Oct 2009 21:40:02 +0000 (23:40 +0200)]
libiptc: remove unused functions
Fix the two warnings in libiptc.c:
CC libiptc/libip4tc.lo
libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
CC libiptc/libip6tc.lo
libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 11 Oct 2009 07:56:18 +0000 (03:56 -0400)]
Support for nommu arches
Linux systems that lack a MMU cannot call fork(). Fortunately, the
only place in iptables that uses fork() follows it by an exec(), so
we can easily convert the code to vfork().
Jan Engelhardt [Thu, 20 Aug 2009 15:15:22 +0000 (17:15 +0200)]
manpages: more fixes to minuses, hyphens, dashes
Debian still carries patches patches to the iptables nroff code touching
ASCII minuses, so I thought, what's it this time.
Eventually, this patch tries to straighten things once more, per
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .
Titles will get the em dash; all typed commands or parameters with a
hyphen get a minus (so that man(1) hyperlinking and copy-pasting does
work), but other mentions get the hyphen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Laurence J. Lane [Thu, 20 Aug 2009 15:14:25 +0000 (17:14 +0200)]
manpage: fix lintian warnings
Description: extraneous slash caused this lintian warning:
W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz
220: cannot use newline as a starting delimiter
W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz
1823: warning: `precedence'' not defined
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Trent W. Buck [Thu, 20 Aug 2009 15:13:27 +0000 (17:13 +0200)]
ipt_set: fix a typo in the manpage
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Florian Westphal [Thu, 20 Aug 2009 14:39:05 +0000 (16:39 +0200)]
libxt_NFQUEUE: add new v1 version with queue-balance option
New version that adds support for specifying a queue range instead
of a single queue id.
The kernel will distribute flows across the given queue range.
This is useful for multicore systems, simply start multiple instances
of the userspace program on queues x, x+1, .. x+n and use
"--queue-balance x:x+n".
Packets belonging to the same connection are put into the same queue.
With fixes from Jan Engelhardt.
Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Sat, 25 Jul 2009 16:18:36 +0000 (18:18 +0200)]
build: build only iptables-multi
I see no pressing reason to install all single programs when the
multi binary can do the job. Within the build directory, developers
can run the components by means of, for example,
./ip6tables-multi {main|restore|save} ...
And when make install-ed, symlinks are available.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 23 Jul 2009 18:21:45 +0000 (20:21 +0200)]
build: fix struct size mismatch
Mixing code compiled with and without -DNO_SHARED_LIBS is fine as
long as the structs have the same layout. This patch prevents a
potential (currently non-triggerable) "ip6tables: target (null)<123>
is missing a version" error.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 25 Jul 2009 12:28:07 +0000 (14:28 +0200)]
multi binary: allow subcommand via argv[1]
libtool does not play well with symlinks when trying to run commands
in the build directory. So provide an alternate way to call
iptables-multi: when argv[0] is not a recognized name, inspect [1]
for an alternate identifer.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jozsef Kadlecsik [Thu, 11 Jun 2009 10:27:09 +0000 (12:27 +0200)]
Updated set/SET match and target to support multiple ipset protocols.
By checking the protocol version of the kernel part, the sockopt type
of ipset protocols are all supported. Forward compatibility with the
netlink based protocol is missing.
The --set option of the set match is replaced by --match-set to avoid
clashing with the recent match, but the old option is also kept.
Manpages are updated, references to bindings removed.
Jan Engelhardt [Wed, 10 Jun 2009 18:18:43 +0000 (20:18 +0200)]
manpages: markup corrections
The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are a
freeform, automatically-wrapped text.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
kd6lvw [Sun, 7 Jun 2009 12:23:00 +0000 (14:23 +0200)]
libxt_connlimit: initialize v6_mask
When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=597 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 1 Jun 2009 09:56:23 +0000 (11:56 +0200)]
extensions: use NFPROTO_UNSPEC for .family field
This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Most other extensions use strtoul (by means of xtables_strtoui)
and would abide by the standard convention of hex/octal prefixes
0x/0, and decimal otherwise, but CLASSIFY is an exception.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 4 Apr 2009 11:28:40 +0000 (13:28 +0200)]
iptables: print negation extrapositioned
This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089 Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 29 Mar 2009 22:44:46 +0000 (00:44 +0200)]
libxtables: reorder .version member
When the structure's layout changes, as it did between v1.4.1 and
v1.4.2, trying to compare the version string makes iptables segfault
while it tries to determine whether the module is compatible in the
first place.
By moving the member to a known offset in the struct and keeping it
there, objects (both iptables and 3rd party) compiled from this
commit onwards will avoid the segfault.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Peter Volkov [Tue, 24 Mar 2009 08:09:16 +0000 (11:09 +0300)]
build: fix linker issue when LDFLAGS contains --as-needed
The link of iptables-save fails on:
$ make LDFLAGS="-Wl,--as-needed"
[...]
extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
extensions/libxt_RATEEST.c:164: undefined reference to `log'
Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Peter Volkov [Tue, 24 Mar 2009 08:09:16 +0000 (11:09 +0300)]
libxtables: fix compile error due to incomplete change
Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update
the constant in one place, and the compile error triggered only
when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Thu, 19 Mar 2009 15:57:35 +0000 (16:57 +0100)]
iptables-save: module loading corrections
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no tabe modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 19 Mar 2009 09:38:41 +0000 (10:38 +0100)]
libxtables: add -I/-L flags to pkgconfig files
These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
iptables: fix broken options-merging during libxtables rework
This patch fixes options-merging that was broken somewhere
during the libxtables rework. Before this patch, two pointers
were used to keep the current options, however, the options field
in xt_params was not appropritely updated. Thus, xtables_free_opts()
was not restoring the original options.
This patch fixes iptables-restore and ip6tables-restore that
stopped working in my personal firewall.
% iptables-restore
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables: Add limits.h to get INT_MIN, INT_MAX, ...
Fix build failure of iptables utilities on debian/ubuntu, maybe other distros.
The values INT_MIN and INT_MAX are used by many filters and these
are defined in limits.h
---
patch against current iptables.git
projects / thirdparty / iptables.git / log
