Jan Engelhardt [Mon, 7 Feb 2011 02:20:02 +0000 (03:20 +0100)]
src: unclutter command_default function
(Essentially, 5 levels of indentation have been stripped compared to the
original layout, and this is surely a result that looks a lot better
than it did before.)
Things to note:
1. If the m->parse call succeeded, we can return from the function and
do not need to go through the other code. As such, "m" is guaranteed to
be useless at the end of the match loop, and so, conditions can be
removed.
2. Since the per-extension parse function only ever gets its own option
codes (since v1.4.10-26-gd09b6d5), its return value no longer has a
meaning and can be ignored.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 18 Dec 2010 01:04:59 +0000 (02:04 +0100)]
iptables: do not print trailing whitespaces
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 31 Jan 2011 01:34:49 +0000 (02:34 +0100)]
iptables: warn when parameter limit is exceeded
While testing many match extensions in a single rule, I ran into this
error not warned about. Arguments were just ignored, causing
surprising "Need to specify an argument to --whatever" when the
argument was in fact given on the command line.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 31 Jan 2011 01:33:43 +0000 (02:33 +0100)]
xtables: set custom opts to NULL on free
When inside ip6tables-restore, xtables_free_opts can be called
multiple times, especially when trying to exit with an error message
from outside do_command. So set it to NULL so that we do not attempt
to free a dangling pointer.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 18 Jan 2011 17:04:57 +0000 (18:04 +0100)]
libxt_connlimit: add a --connlimit-upto option
Direct specifications like "upto" are easier to grasp than "not
above". This patch adds such an upto variant similar to what
libxt_hashlimit already has.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 8 Jan 2011 01:25:28 +0000 (02:25 +0100)]
ip[6]tables: only call match's parse function when option char is in range
Normally, extensions use a "default:" case in switch(c) to just return
if they do not handle c. Apparently, libip6t_hl does that too late and
checks for hl-specific parsing state before it has established that c
refers to one of its own options.
Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.
One way to fix this is to move the flags checks into case '2', '3',
'4'. Doing this replication feels bad, so as an alternative, let's
just free extensions from having to deal with other extensions'
options passing through.
References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
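To illustrate the bug this commit describes, here is a constructed model (added example, not iptables' own code): a loaded match whose parse function tests its "already seen" flag before confirming that the option code is its own rejects the next extension's option, while a dispatcher that checks the option range first never hands it that code. The 256 spacing between option ranges and the names hl_parse, other_parse, dispatch_unchecked and dispatch_checked are assumptions of the model.

```c
#include <stdio.h>
/* Constructed model of ip[6]tables option dispatch (example code, not from iptables):
 * each match numbers its options offset+1, offset+2, ...; the 256 spacing is assumed. */
#define OPTION_OFFSET_SCALE 256
struct match {
	int option_offset;
	unsigned int flags;                    /* "option already seen" state */
	int (*parse)(struct match *m, int c);  /* 1 ours, 0 not ours, -1 error */
};
/* libip6t_hl-style bug: state is checked before c is known to be its own. */
static int hl_parse(struct match *m, int c)
{
	if (m->flags) return -1;  /* "Can't specify --hl option twice" */
	switch (c - m->option_offset) {
	case 2: case 3: case 4: return m->flags = 1;
	default: return 0;
	}
}
static int other_parse(struct match *m, int c)
{
	if (c - m->option_offset != 1) return 0;  /* not mine: say so before touching state */
	return m->flags = 1;
}
/* Before the fix: every loaded match sees every option character. */
static int dispatch_unchecked(struct match *ms, int n, int c)
{
	int r = 0;
	for (int i = 0; i < n && r == 0; ++i)
		r = ms[i].parse(&ms[i], c);
	return r;
}
/* After the fix: c reaches only the match whose option range contains it. */
static int dispatch_checked(struct match *ms, int n, int c)
{
	for (int i = 0; i < n; ++i)
		if (c >= ms[i].option_offset && c < ms[i].option_offset + OPTION_OFFSET_SCALE)
			return ms[i].parse(&ms[i], c);
	return 0;
}
/* `-m hl --hl-eq N -m other --other-opt`: 0 = both accepted, -1 = spurious error. */
static int run(int (*dispatch)(struct match *, int, int))
{
	struct match ms[] = { { 256, 0, hl_parse }, { 512, 0, other_parse } };
	if (dispatch(ms, 2, 256 + 2) != 1) return -1;   /* hl's own option */
	return dispatch(ms, 2, 512 + 1) == 1 ? 0 : -1;  /* other's option */
}
int main(void)
{
	return printf("unchecked=%d checked=%d\n", run(dispatch_unchecked), run(dispatch_checked)) < 0;
}
```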
Jan Engelhardt [Sat, 8 Jan 2011 01:10:52 +0000 (02:10 +0100)]
xtables: reorder num_old subtraction for clarity
When going over this again, I noticed we happen to malloc too much.
That is no problem, but I felt moving the num_old adjustment upwards
makes things more clear, and also addresses the allocation.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 7 Jan 2011 11:26:59 +0000 (12:26 +0100)]
iptables: abort on empty interface specification
Fiedler Roman brings to attention that if, in a faulty script,
"$some_variable" expands to an empty string, iptables should probably
catch this most likely undesired invocation. If no/all interfaces were
really desired, one can either omit -i completely, or use -i +.
References: http://marc.info/?l=netfilter&m=129439862903487&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 4 Dec 2010 01:53:20 +0000 (02:53 +0100)]
build: fix globbing of extensions in other locales
In the fi_FI locale, [a-z] would not include 'w', for example. Rectify
this by using [[:alnum:]] (to counter against different ordering) and
forcing the POSIX locale (so that the alphabet has at least the 26
base characters).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 28 Nov 2010 14:35:06 +0000 (15:35 +0100)]
iptables: reset options at the start of each command
For each new command, iptables is supposed to start afresh with a
blank option set (opts) that only contains the program-specific
options (orig_opts), without any extension options. We failed to
restore this pointer (in function do_command) after the previous free
call in xtables_free_opts.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 15 Nov 2010 12:19:48 +0000 (13:19 +0100)]
iptables: fix longopt recognition and work around getopt(3) behavior
* On the first call to getopt, opts was NULL, so long options would
not be recognized until a match/target was loaded.
Whacky getopt behavior:
* If the longopts parameter is NULL, getopt fails to recognize unknown
options, such that `iptables-multi main --append` will print a garbage
help message ("main needs an argument").
* If the longopts parameter is NULL on the first call, but not on
subsequent calls, it completely screws up option parsing, taking
the --dport in `iptables-multi main -A INPUT -p tcp --dport 1000`
as --destination instead, but not accepting "--destination 1.2.3.4"
either.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 29 Oct 2010 16:57:42 +0000 (18:57 +0200)]
libxtables: change option precedence order to be intuitive
When using `-m mark --mark 2 -m connmark --mark 2`, the user currently
gets an error about the (libxt_mark) --mark option being used twice.
This is because libxt_connmark's option table does not override any
previous options. This patch changes this behavior, since the current
behavior does not allow connmark's option to be used at all, which is
illogical.
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Mon, 13 Sep 2010 14:06:50 +0000 (16:06 +0200)]
libiptc: build with -Wl,--no-as-needed
Since libiptc does not reference any symbols in libip(4|6)tc, the linker
may ignore the dependencies. Use --no-as-needed to explicitly force a
DT_NEEDED entry.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=674
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 13 Sep 2010 13:35:18 +0000 (15:35 +0200)]
iptables-xml: resolve compiler warnings
iptables-xml.c: In function "parse_counters":
iptables-xml.c:70:8: warning: assignment from incompatible pointer type
iptables-xml.c:71:8: warning: assignment from incompatible pointer type
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 3 Aug 2010 17:58:38 +0000 (19:58 +0200)]
build: fix static linking
Gabor Z. Papp noted this link-time error when configuring with
--enable-static:
extensions/libext4.a(initext4.o): In function "init_extensions":
extensions/initext4.c:144: undefined reference to "libxt_IDLETIMER_init"
extensions/initext4.c:145: undefined reference to "libxt_TEE_init"
Indeed, since the two modules did not use our special macro "_init"
(which expands to libxt_foo_init), initext4.c could not find them by
that name. Correct this.
References: http://marc.info/?l=netfilter&m=128085480927924&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Eric Dumazet [Fri, 23 Jul 2010 14:15:14 +0000 (16:15 +0200)]
extension: add xt_cpu match
Kernel 2.6.36 supports the xt_cpu match.
In some situations a CPU match permits a better spreading of
connections, or selecting targets only for a given cpu.
With Remote Packet Steering or multiqueue NIC and appropriate IRQ
affinities, we can distribute traffic on available cpus, per session.
(all RX packets for a given flow are handled by a given cpu)
Since some legacy applications are not SMP friendly, one way to scale a
server is to run multiple copies of them.
Instead of randomly choosing an instance, we can use the cpu number as a
key so that the softirq handler for a whole instance is running on a single
cpu, maximizing cache effects in TCP/UDP stacks.
Using NAT for example, a four-way machine might run four copies of a
server application, using a separate listening port for each instance,
but still presenting a unique external port:
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
-j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
-j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
-j REDIRECT --to-port 8082
iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
-j REDIRECT --to-port 8083
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Hannes Eder [Fri, 23 Jul 2010 10:51:26 +0000 (12:51 +0200)]
libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
The user-space library for the netfilter matcher xt_ipvs.
[ trivial up-port by Simon Horman <horms@verge.net.au> ]
Signed-off-by: Hannes Eder <heder@google.com>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
extensions: libxt_rateest: fix bps options for iptables-save
The output generated by the libxt_rateest extension for bps matches
was wrong and could not be restored properly. This patch fixes this
problem by using the correct options in the right order when saving
the table.
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This adds a `CHECKSUM' target, which can be used in the iptables mangle
table.
You can use this target to compute and fill in the checksum in
a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp clients,
that do not work well with checksum offloads, but don't want to disable
checksum offload in your device.
The problem happens in the field with virtualized applications.
For reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html
Typical expected use (helps old dhclient binary running in a VM):
iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
-j CHECKSUM --checksum-fill
Includes fixes by Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Thu, 24 Jun 2010 19:13:47 +0000 (21:13 +0200)]
libxt_hashlimit: always print burst value
iptables -L lists the burst value, and so should iptables -S. I was
certainly surprised to see it gone even when explicitly specifying
--hashlimit-burst 5 on the command line.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jozsef Kadlecsik [Wed, 16 Jun 2010 10:45:33 +0000 (12:45 +0200)]
libxt_set: new revision added
libipt_set has been renamed to libxt_set and support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):
ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address