]> git.ipfire.org Git - thirdparty/iptables.git/log
thirdparty/iptables.git
12 years agoiptables: libxt_conntrack.man extraneous commas
Laurence J. Lane [Sun, 18 Aug 2013 19:44:13 +0000 (15:44 -0400)] 
iptables: libxt_conntrack.man extraneous commas

The first might work. The second doesn't.

(The other corrections in the bug report are already implemented.)

http://bugs.debian.org/654983

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables: libxt_hashlimit.man: correct address
Laurence J. Lane [Sat, 17 Aug 2013 23:08:59 +0000 (19:08 -0400)] 
iptables: libxt_hashlimit.man: correct address

Corrects an example address with subnet mask.

http://bugs.debian.org/698393

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoip[6]tables: fix incorrect alignment in commands_v_options
Pablo Neira Ayuso [Fri, 9 Aug 2013 16:00:22 +0000 (18:00 +0200)] 
ip[6]tables: fix incorrect alignment in commands_v_options

CMD_ZERO_NUM is 14, so it has to be defined in position 15 in the
commands_v_options array. This does not manifests easily since
commands from 9 to 14 have a very similar pattern in such array.

Based on this patch: http://patchwork.ozlabs.org/patch/188153/

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'stable-1.4.20'
Pablo Neira Ayuso [Thu, 8 Aug 2013 16:16:36 +0000 (18:16 +0200)] 
Merge branch 'stable-1.4.20'

To retrieve:

iptables: state match incompatibilty across versions

12 years agoiptables: state match incompatibilty across versions
Phil Oester [Wed, 7 Aug 2013 23:44:49 +0000 (16:44 -0700)] 
iptables: state match incompatibilty across versions

As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).

Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'stable-1.4.20'
Pablo Neira Ayuso [Thu, 8 Aug 2013 10:37:31 +0000 (12:37 +0200)] 
Merge branch 'stable-1.4.20'

To retrieve:

iptables: correctly reference generated file

12 years agoiptables: correctly reference generated file
Lutz Jaenicke [Wed, 7 Aug 2013 08:09:16 +0000 (10:09 +0200)] 
iptables: correctly reference generated file

Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)

Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoxtables: trivial spelling fix
stephen hemminger [Sun, 4 Aug 2013 22:08:26 +0000 (15:08 -0700)] 
xtables: trivial spelling fix

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: merge ip6table man pages into ipv4 ones
Florian Westphal [Sun, 14 Jul 2013 17:32:12 +0000 (19:32 +0200)] 
doc: merge ip6table man pages into ipv4 ones

a couple of improvements to the iptables man page never made it into
ip6tables version.

The number of differences between these two files is so small that
it seems preferable to alias the ipv6 man pages to their ipv4 counterpart
and change iptables man page to specifically document differences
(e.g. lack of ip6tables -f, etc).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: add libnetfilter_queue pointer to libxt_NFQUEUE.man
Florian Westphal [Fri, 12 Jul 2013 21:14:27 +0000 (23:14 +0200)] 
doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man

... and remove the QUEUE snippets from ip(6)tables man page,
the queue target was replaced by nfqueue years ago.
Fix up a couple of needless differences in ip(6)tables.8, too.

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoextensions: libxt_socket: update man page
Florian Westphal [Fri, 12 Jul 2013 21:29:28 +0000 (23:29 +0200)] 
extensions: libxt_socket: update man page

Document --nowildcard option and its implications when using -m socket
to intercept packets.

While at it, update man page with Balazs Scheidlers comments from
nf_tproxy_core.h in kernel tree to better explain how lookup is performed.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoxt_socket: add --nowildcard flag
Eric Dumazet [Thu, 20 Jun 2013 12:52:35 +0000 (05:52 -0700)] 
xt_socket: add --nowildcard flag

xt_socket module can be a nice replacement to conntrack module
in some cases (SYN filtering for example)

But it lacks the ability to match the 3rd packet of TCP
handshake (ACK coming from the client).

Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism

The wildcard is the legacy socket match behavior, that ignores
LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)

iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables 1.4.20 release v1.4.20
Pablo Neira Ayuso [Tue, 6 Aug 2013 15:48:43 +0000 (17:48 +0200)] 
iptables 1.4.20 release

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables-xml: fix parameter parsing (similar to 2165f38)
Pablo Neira Ayuso [Fri, 26 Jul 2013 14:38:55 +0000 (16:38 +0200)] 
iptables-xml: fix parameter parsing (similar to 2165f38)

Similar to (2165f38 iptables-restore: fix parameter parsing
(shows up with gcc-4.7)), make sure iptables-xml doesn't hit
the same problem.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables: iptables-xml: Fix various parsing bugs
Phil Oester [Thu, 20 Jun 2013 12:53:36 +0000 (08:53 -0400)] 
iptables: iptables-xml: Fix various parsing bugs

There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:

1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
   into account

This closes netfilter bugzilla #679.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: fail in configure on missing dependency with --enable-bpf-compiler
Willem de Bruijn [Mon, 22 Jul 2013 00:02:38 +0000 (20:02 -0400)] 
build: fail in configure on missing dependency with --enable-bpf-compiler

The build of utils/nfbpf_compile depends on libpcap. If configure is
run with --enable-bpf-compiler, the script succeeds, but make fails.

This small patch adds a test for the dependency (libpcap) in configure
and fails hard if not found.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: additional include path required after UAPI changes
Phil Oester [Sun, 21 Jul 2013 15:30:49 +0000 (08:30 -0700)] 
build: additional include path required after UAPI changes

After kernel commit 607ca46e (UAPI: (Scripted) Disintegrate
include/linux), using the "--with-kernel" argument to build iptables
stopped working due to the missing #ifdefs in the original files.
We need to make sure the UAPI include dir is listed before the
original location. Leaving both allows support for old and new
kernels.

This fixes bug #833.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxt_CT: Add the "NOTRACK" alias
Jozsef Kadlecsik [Mon, 28 Jan 2013 20:32:55 +0000 (21:32 +0100)] 
libxt_CT: Add the "NOTRACK" alias

Available since Linux kernel 3.8.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibip6t_LOG: target output is different to libipt_LOG
Phil Oester [Sat, 6 Jul 2013 15:56:01 +0000 (08:56 -0700)] 
libip6t_LOG: target output is different to libipt_LOG

libipt_LOG is using the xtables_save_string func, which
escapes unsafe characters as needed. libip6t_LOG should
do the same.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxt_recent: restore minimum value for --seconds
Pablo Neira Ayuso [Mon, 15 Jul 2013 10:14:55 +0000 (12:14 +0200)] 
libxt_recent: restore minimum value for --seconds

This checking was accidentally removed in (74ded72 libxt_recent:
add --mask netmask).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_connlabel: use libnetfilter_conntrack
Florian Westphal [Mon, 15 Jul 2013 14:35:08 +0000 (16:35 +0200)] 
extensions: libxt_connlabel: use libnetfilter_conntrack

Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.

The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).

Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.

So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoextensions: libipt_ULOG: man page should mention NFLOG as replacement
Florian Westphal [Fri, 12 Jul 2013 21:20:50 +0000 (23:20 +0200)] 
extensions: libipt_ULOG: man page should mention NFLOG as replacement

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agolibxt_recent: restore reap functionality to recent module
Russell Senior [Sat, 13 Jul 2013 10:08:07 +0000 (10:08 +0000)] 
libxt_recent: restore reap functionality to recent module

The reap functionality appears to have been accidentally disabled
by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15
and later.  This adds a patch to restore reap functionality for
recent_opts_v1.

Patch obtained via: http://patchwork.openwrt.org/patch/3812/

Signed-off-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoip{6}tables-restore: fix breakage due to new locking approach
Pablo Neira Ayuso [Mon, 8 Jul 2013 17:34:12 +0000 (19:34 +0200)] 
ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:

iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.

Fix it by bypassing the locking in the ip{6}tables-restore path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoip6tables: don't print out /128
Phil Oester [Thu, 20 Jun 2013 20:11:38 +0000 (16:11 -0400)] 
ip6tables: don't print out /128

Similar to how iptables does not print /32 on IPv4 addresses, ip6tables
should not print out /128 on IPv6 addresses.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
12 years agodoc: clarify DEBUG usage macro
Alexey Perevalov [Thu, 4 Jul 2013 07:26:17 +0000 (11:26 +0400)] 
doc: clarify DEBUG usage macro

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
12 years agoMerge branch 'stable'
Pablo Neira Ayuso [Wed, 12 Jun 2013 08:01:23 +0000 (10:01 +0200)] 
Merge branch 'stable'

Get c545933 iptables: Fix connlabel.conf install location

12 years agoiptables: Fix connlabel.conf install location
Phil Oester [Mon, 10 Jun 2013 09:35:44 +0000 (05:35 -0400)] 
iptables: Fix connlabel.conf install location

As reported by Danny Rawlins in bug #828, connlabel.conf is
unconditionally installed in /etc/xtables instead of using
prefix set at configure time. Fix to use sysconfdir variable.

This closes bugzilla #828.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoip[6]tables: Add locking to prevent concurrent instances
Phil Oester [Fri, 31 May 2013 13:07:04 +0000 (09:07 -0400)] 
ip[6]tables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously.  Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325:  "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile.  But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up.  And this also requires a writable filesystem.  Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets.  These sockets
require no filesystem, and automatically disappear once the application
terminates.  This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace.  A filesystem approach would have
to recognize and handle multiple network namespaces.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoIntroduce a new revision for the set match with the counters support
Jozsef Kadlecsik [Tue, 30 Apr 2013 22:56:35 +0000 (00:56 +0200)] 
Introduce a new revision for the set match with the counters support

The revision add the support of matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoextensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:47:32 +0000 (06:47 +0000)] 
extensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 support

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoextensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:45:08 +0000 (06:45 +0000)] 
extensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 support

also update list of protocols valid for port mapping.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoconfigure: display summary
Eric Leblond [Wed, 5 Jun 2013 02:16:25 +0000 (04:16 +0200)] 
configure: display summary

This patch adds a message at the end of configure which displays
the different compilation options and system settings.

An example output is the following:

Iptables Configuration:
  IPv4 support: yes
  IPv6 support: yes
  Devel support: yes
  IPQ support: no
  Large file support: yes
  BPF utils support: no

Build parameters:
  Put plugins into executable (static): no
  Support plugins via dlopen (shared): yes
  Installation prefix (--prefix): /usr/local
  Xtables extension directory: /usr/local/lib/xtables
  Pkg-config directory: /usr/local/lib/pkgconfig
  Kernel build directory: /lib/modules/custom
  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'stable'
Pablo Neira Ayuso [Thu, 30 May 2013 10:48:39 +0000 (12:48 +0200)] 
Merge branch 'stable'

Get fix for LED extension.

12 years agoextensions: libxt_LED: fix parsing of delay
Pablo Neira Ayuso [Thu, 30 May 2013 10:44:43 +0000 (12:44 +0200)] 
extensions: libxt_LED: fix parsing of delay

Closes bugzilla:
https://bugzilla.netfilter.org/show_bug.cgi?id=825

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoxtables: improve get_modprobe handling
Phil Oester [Mon, 27 May 2013 06:55:11 +0000 (06:55 +0000)] 
xtables: improve get_modprobe handling

In bug #455, Dmitry V. Levin proposed a more robust get_modprobe
implementation.  The patch below is a version of his patch,
updated to apply to current git.

This closes bug #455.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
12 years agoiptables: use autoconf to process .in man pages
Andy Spencer [Sun, 19 May 2013 17:01:06 +0000 (17:01 +0000)] 
iptables: use autoconf to process .in man pages

This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@
was not processed in the VERSION section. It also simplifies the
Makefile by avoiding some sed commands.

[ Mangled this patch to rename iptables-extensions.8.in to
  iptables-extensions.8.tmpl.in to avoid having a file whose name
  is terminated by .in.in --pablo ]

Signed-off-by: Andy Spencer <andy753421@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:49:57 +0000 (06:49 +0000)] 
extensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_SNAT.man to libxt_SNAT.man thus informing
about the IPv6 version.

Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:49:25 +0000 (06:49 +0000)] 
extensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_NETMAP.man to libxt_NETMAP.man thus informing
about the IPv6 version.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:48:49 +0000 (06:48 +0000)] 
extensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_REDIRECT.man to libxt_REDIRECT.man thus
informing about the IPv6 version.

Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 support
Mart Frauenlob [Wed, 10 Apr 2013 06:47:07 +0000 (06:47 +0000)] 
extensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_DNAT.man to libxt_DNAT.man thus informing
about the IPv6 version, as suggested by Patrick McHardy.

Also, it updates the list of valid protocols for port mapping is
updated to: tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibip6t_mh: Correct command to list named mh types in manpage
Mart Frauenlob [Wed, 10 Apr 2013 11:23:45 +0000 (13:23 +0200)] 
libip6t_mh: Correct command to list named mh types in manpage

Signed-off-by: Patrick McHardy <kaber@trash.net>
12 years agoextensions: add copyright statements
Patrick McHardy [Sat, 6 Apr 2013 11:41:25 +0000 (13:41 +0200)] 
extensions: add copyright statements

Add copyright statements to all extensions authored by myself.

Signed-off-by: Patrick McHardy <kaber@trash.net>
12 years agoextensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
holger@eitzenberger.org [Tue, 2 Apr 2013 00:35:39 +0000 (00:35 +0000)] 
extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables 1.4.19.1 release v1.4.19.1
Pablo Neira Ayuso [Wed, 29 May 2013 13:48:30 +0000 (15:48 +0200)] 
iptables 1.4.19.1 release

Unfortunately, previous release was not included two patches
that were applied by Florian recently. This release fixes it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: bump version to 1.4.19
Pablo Neira Ayuso [Wed, 29 May 2013 13:14:38 +0000 (15:14 +0200)] 
build: bump version to 1.4.19

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: mention SNAT in INPUT chain since kernel 2.6.36
Michael Roth [Sun, 19 May 2013 11:22:16 +0000 (13:22 +0200)] 
doc: mention SNAT in INPUT chain since kernel 2.6.36

SNAT in the INPUT chain was added Jun 2010 to the kernel
(commit c68cd6cc21eb329c47ff020ff7412bf58176984e).

Signed-off-by: Michael Roth <mail@mroth.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoRevert "extensions: add connlabel match" duplicate
Florian Westphal [Wed, 15 May 2013 21:18:02 +0000 (23:18 +0200)] 
Revert "extensions: add connlabel match" duplicate

This reverts commit ca376fcbe51b9a102a490545957d5fee69e253e1
to get rid of the duplicated install-data-hook.

This should get the tree back into the right state.

Conflicts:
Makefile.am

12 years agolibxtables: fix parsing of dotted network mask format
Pablo Neira Ayuso [Wed, 8 May 2013 13:01:12 +0000 (15:01 +0200)] 
libxtables: fix parsing of dotted network mask format

After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken:

-A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN

With iptables 1.4.18:
iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32)

This was probably broken by the augmented parser.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: add connlabel match
Florian Westphal [Mon, 6 May 2013 19:07:38 +0000 (21:07 +0200)] 
extensions: add connlabel match

allows to "tag" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0

Labels can then be attached to flows, e.g.

-A PREROUTING  -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agoextensions: add connlabel match
Florian Westphal [Mon, 6 May 2013 19:01:38 +0000 (21:01 +0200)] 
extensions: add connlabel match

allows to "tag" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0

Labels can then be attached to flows, e.g.

-A PREROUTING  -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agolibxt_conntrack: fix state match alias state parsing
Patrick McHardy [Fri, 26 Apr 2013 12:45:15 +0000 (14:45 +0200)] 
libxt_conntrack: fix state match alias state parsing

The conntrack match uses a different value for the UNTRACKED state than
the state match. Translate states to conntrack states to make sure they
all match.

Signed-off-by: Patrick McHardy <kaber@trash.net>
12 years agoextensions: libxt_multiport: Update manpage to list valid protocols
Mart Frauenlob [Tue, 9 Apr 2013 08:51:53 +0000 (08:51 +0000)] 
extensions: libxt_multiport: Update manpage to list valid protocols

This patch updates the list of valid protocols in the man page section
of the multiport match to: tcp, udp, udplite, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libxt_bpf: clarify --bytecode argument
Pablo Neira Ayuso [Fri, 19 Apr 2013 00:14:04 +0000 (02:14 +0200)] 
extensions: libxt_bpf: clarify --bytecode argument

Mart Frauenlob suggested a change to explain the --bytecode
better. I have added some reference to the example bytecode
in the format that this argument accepts.

Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoutils: updates .gitignore to include nfbpf_compile
Pablo Neira Ayuso [Fri, 19 Apr 2013 00:08:04 +0000 (02:08 +0200)] 
utils: updates .gitignore to include nfbpf_compile

Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxt_NFQUEUE: fix bypass option documentation
Florian Westphal [Sat, 13 Apr 2013 09:52:22 +0000 (11:52 +0200)] 
libxt_NFQUEUE: fix bypass option documentation

Steve Caligo points out that the documentation says
'packet will move on to the next rule'.  This is incorrect;
packet moves to the next table.

nf bugzilla #778.

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agolibxt_recent: Fix missing space in manpage for --mask option
Mart Frauenlob [Fri, 5 Apr 2013 23:20:51 +0000 (23:20 +0000)] 
libxt_recent: Fix missing space in manpage for --mask option

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'stable'
Pablo Neira Ayuso [Fri, 5 Apr 2013 16:11:56 +0000 (18:11 +0200)] 
Merge branch 'stable'

Resolve conflict with Nicolas' Dichtel update on utils/Makefile.am
for nfnl_osf.

12 years agoutils: nfnl_osf: use the right nfnetlink lib
Nicolas Dichtel [Tue, 2 Apr 2013 23:21:02 +0000 (23:21 +0000)] 
utils: nfnl_osf: use the right nfnetlink lib

If the user specify libnfnetlink_LIBS during the configure, we must use it.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoutils: nfbpf_compile
Willem de Bruijn [Tue, 12 Mar 2013 05:44:12 +0000 (05:44 +0000)] 
utils: nfbpf_compile

A BPF compiler to convert tcpdump expressions to the decimal format
accepted by the libxt_bpf.

Generate a file and pass that to iptables:

  nfbpf_compile RAW 'udp dst port 9000' > test.bpf
  iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG

Or pass the output directly to iptables using backticks:

  iptables -A INPUT -m bpf --bytecode \
      "`./nfbpf_compile RAW 'udp dst port 9000'" -j LOG

This utility depends on libpcap. The library is only compiled if the option
--enable-bpf-compiler is explicitly passed to ./configure and libpcap is
found.

Pablo has mangled the original patch to rename the utility to
nfbpf_compile. Also modified the output to match exactly what
-m bpf --bytecode needs.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: add libxt_bpf extension
Willem de Bruijn [Wed, 23 Jan 2013 16:00:58 +0000 (16:00 +0000)] 
extensions: add libxt_bpf extension

Add user-space code to support the new BPF iptables extension.

Pablo has mangled the original patch to:

* include a copy of include/linux/netfilter/xt_bpf.h in the tree.
* I have also remove the --bytecode-file option. The original
  proposal was to accept BPF code in a file in human readable
  format. Now, with the nfbpf_compile utility, it's very easy
  to generate the filter using tcpdump-like syntax.
* I have remove the trailing comma in the backtick format, the
  parser works just fine for me here.
* Fix error message if --bytecode is missing.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibip6t_DNPT: add manpage
Pablo Neira Ayuso [Thu, 21 Mar 2013 02:40:48 +0000 (02:40 +0000)] 
libip6t_DNPT: add manpage

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibip6t_SNPT: add manpage
Pablo Neira Ayuso [Thu, 21 Mar 2013 02:40:47 +0000 (02:40 +0000)] 
libip6t_SNPT: add manpage

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxt_osf: fix bad location for location in --genre
Pablo Neira Ayuso [Sun, 24 Mar 2013 09:57:42 +0000 (10:57 +0100)] 
libxt_osf: fix bad location for location in --genre

closes http://bugzilla.netfilter.org/show_bug.cgi?id=805

Reported-by: Bourne Without <blackhole@airpost.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxt_osf: fix missing --ttl and --log in save output
Pablo Neira Ayuso [Sun, 24 Mar 2013 09:55:07 +0000 (10:55 +0100)] 
libxt_osf: fix missing --ttl and --log in save output

closes http://bugzilla.netfilter.org/show_bug.cgi?id=805

Reported-by: Bourne Without <blackhole@airpost.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoip[6]tables: show --protocol instead of --proto in usage
Mart Frauenlob [Wed, 20 Mar 2013 04:14:06 +0000 (04:14 +0000)] 
ip[6]tables: show --protocol instead of --proto in usage

As the man page shows --protocol not --proto, also do so in the usage
text displayed by ip[6]tables -h.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoRevert "build: resolve link failure for ip6t_NETMAP"
Pablo Neira Ayuso [Sat, 16 Mar 2013 11:15:30 +0000 (12:15 +0100)] 
Revert "build: resolve link failure for ip6t_NETMAP"

This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.

The use of libtool was introduced to resolve linking problems
in NETMAP (IPv6 version), but that resulted in RPATH problems
reported from distributors and warnings spotted by libtool at
linking stage.

Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
get rid of libip6tc dependency) fixed the NETMAP issue, let's
roll back to our previous stage.

A small conflicts in extensions/GNUmakefile.in has been resolved
in this revert.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
Pablo Neira Ayuso [Sat, 16 Mar 2013 11:11:07 +0000 (12:11 +0100)] 
libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency

This patch changes the NETMAP target extension (IPv6 side) to use
the xtables_ip6mask_to_cidr available in libxtables.

As a side effect, we get rid of the libip6tc dependency.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: bump version to 1.4.18 v1.4.18
Pablo Neira Ayuso [Sun, 3 Mar 2013 21:40:11 +0000 (22:40 +0100)] 
build: bump version to 1.4.18

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: rpfilter: invert option should have own paragraph
Florian Westphal [Sun, 17 Feb 2013 22:16:11 +0000 (23:16 +0100)] 
doc: rpfilter: invert option should have own paragraph

Signed-off-by: Florian Westphal <fw@strlen.de>
12 years agodoc: iptables provides up to 5 independent tables
Pablo Neira Ayuso [Sun, 17 Feb 2013 13:05:35 +0000 (14:05 +0100)] 
doc: iptables provides up to 5 independent tables

This closes bugzilla:

http://bugzilla.netfilter.org/show_bug.cgi?id=807

Reported-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: bump SONAME for libxtables
Jan Engelhardt [Tue, 5 Feb 2013 14:47:02 +0000 (14:47 +0000)] 
build: bump SONAME for libxtables

Commit v1.4.17-16-gefcdba4 updated structs in xtables.h, so age must
become 0 and vcurrent be increased. The latter has already happened in
v1.4.17-6-gd1e7922.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'master' of vishnu.netfilter.org:/data/git/iptables
Jozsef Kadlecsik [Thu, 31 Jan 2013 19:36:27 +0000 (20:36 +0100)] 
Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables

12 years agoAdd the "state" alias to the "conntrack" match
Jozsef Kadlecsik [Mon, 28 Jan 2013 20:18:59 +0000 (21:18 +0100)] 
Add the "state" alias to the "conntrack" match

12 years agoIntroduce match/target aliases
Jozsef Kadlecsik [Mon, 28 Jan 2013 20:15:27 +0000 (21:15 +0100)] 
Introduce match/target aliases

The match/target alias allows us to support the syntax of matches, targets
targets merged into other matches/targets.

12 years agodoc: document nat table for IPv6
Pablo Neira Ayuso [Mon, 7 Jan 2013 20:34:39 +0000 (21:34 +0100)] 
doc: document nat table for IPv6

Based on the IPv4 description.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoMerge branch 'stable' into 'master'
Pablo Neira Ayuso [Mon, 28 Jan 2013 11:35:41 +0000 (12:35 +0100)] 
Merge branch 'stable' into 'master'

12 years agoextensions: S/DNPT: add missing save function
Jan Engelhardt [Thu, 24 Jan 2013 09:37:55 +0000 (09:37 +0000)] 
extensions: S/DNPT: add missing save function

Jean-Michel DILLY reports that `ip6tables -S` exits with

Target `DNPT' is missing save function

when a DNPT rule is invoked. Fix this omission.

References: http://marc.info/?l=netfilter&m=135904831220440&w=2
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: document the -4 and -6 options
Jan Engelhardt [Tue, 25 Dec 2012 13:11:28 +0000 (13:11 +0000)] 
doc: document the -4 and -6 options

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: mention -m in the manpage
Jan Engelhardt [Tue, 25 Dec 2012 13:11:27 +0000 (13:11 +0000)] 
doc: mention -m in the manpage

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: name the supported log levels for ipt_LOG
Jan Engelhardt [Tue, 25 Dec 2012 13:11:23 +0000 (13:11 +0000)] 
doc: name the supported log levels for ipt_LOG

Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may
not exist on certain systems. Referencing that manpage is not a good
idea in any case, I believe, since the strings that are accepted are
defined by iptables and not a syslog implementation.

References: http://bugs.debian.org/567564
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: document iptables-restore's -h option
Jan Engelhardt [Tue, 25 Dec 2012 13:11:22 +0000 (13:11 +0000)] 
doc: document iptables-restore's -h option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: document iptables-restore's -M option
Jan Engelhardt [Tue, 25 Dec 2012 13:11:21 +0000 (13:11 +0000)] 
doc: document iptables-restore's -M option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: document iptables-restore's -v option
Jan Engelhardt [Tue, 25 Dec 2012 13:11:20 +0000 (13:11 +0000)] 
doc: document iptables-restore's -v option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: document iptables-restore's -t option
Jan Engelhardt [Tue, 25 Dec 2012 13:11:19 +0000 (13:11 +0000)] 
doc: document iptables-restore's -t option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agodoc: fixup omissions in ip6tables-restore.8
Jan Engelhardt [Tue, 25 Dec 2012 13:11:18 +0000 (13:11 +0000)] 
doc: fixup omissions in ip6tables-restore.8

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxtables: add xtables_print_num
Pablo Neira Ayuso [Mon, 29 Oct 2012 09:49:42 +0000 (10:49 +0100)] 
libxtables: add xtables_print_num

This function is used both by iptables and ip6tables, and
refactorize to avoid longer than 80-chars per column lines
of code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agolibxtables: add xtables_rule_matches_free
Pablo Neira Ayuso [Fri, 4 Jan 2013 19:27:11 +0000 (20:27 +0100)] 
libxtables: add xtables_rule_matches_free

This function is shared by iptables and ip6tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoiptables: remove unused leftover definitions
Pablo Neira Ayuso [Mon, 29 Oct 2012 09:22:43 +0000 (10:22 +0100)] 
iptables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libip6t_DNAT: set IPv6 DNAT --to-destination
Ulrich Weber [Thu, 3 Jan 2013 00:41:38 +0000 (00:41 +0000)] 
extensions: libip6t_DNAT: set IPv6 DNAT --to-destination

as in IPv4 and fixes DNAT_save

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextension: libip6t_DNAT: allow port DNAT without address
Ulrich Weber [Thu, 3 Jan 2013 00:39:58 +0000 (00:39 +0000)] 
extension: libip6t_DNAT: allow port DNAT without address

correct parsing of IPv6 port NAT without address NAT,
assume one colon as port information.

Allows:
* address only:
 -j DNAT --to affe::1
 -j DNAT --to [affe::1]

* port only
 -j DNAT --to :80
 -j DNAT --to :80-110
 -j DNAT --to []:80
 -j DNAT --to []:80-110

* address and port
 -j DNAT --to [affe::1]:80
 -j DNAT --to [affe::1]:80-110

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoextensions: libip6t_DNPT: fix wording in DNPT target
Ulrich Weber [Wed, 2 Jan 2013 06:03:49 +0000 (06:03 +0000)] 
extensions: libip6t_DNPT: fix wording in DNPT target

replaces SNPT by DNPT.

This fixes broken help message that points to SNPT.

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobuild: resolve link failure for ip6t_NETMAP
Jan Engelhardt [Tue, 1 Jan 2013 22:47:51 +0000 (22:47 +0000)] 
build: resolve link failure for ip6t_NETMAP

Link stage of libip6t_NETMAP failed since recently.

  CCLD     libip6t_NETMAP.so
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
cannot find -lip6tc

libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
it is not specified.

Why does the link succeed for some people? Because
/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
especially those without iptables development files, have that file,
hence this link error can happen.

By suggestion of Mike Frysinger, this patch uses libtool to produce
and link the plugins.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agobump version to 1.4.17 v1.4.17
Pablo Neira Ayuso [Tue, 25 Dec 2012 12:38:36 +0000 (13:38 +0100)] 
bump version to 1.4.17

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 years agoManpage update: matches are evaluated in the order they are specified.
Jozsef Kadlecsik [Thu, 6 Dec 2012 18:06:28 +0000 (19:06 +0100)] 
Manpage update: matches are evaluated in the order they are specified.

Fixes bugzilla id 797.

12 years agoextensions: libxt_statistic: Fix save output
Tom Eastep [Mon, 19 Nov 2012 10:40:40 +0000 (11:40 +0100)] 
extensions: libxt_statistic: Fix save output

Suppressing '--packet 0' in save output resulted in restore failure.

This patch includes '--packet 0' in save output while continuing to
suppress it in print output.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agoMerge branch 'next' branch that contains new features scheduled for
Pablo Neira Ayuso [Thu, 25 Oct 2012 15:14:26 +0000 (17:14 +0200)] 
Merge branch 'next' branch that contains new features scheduled for
Linux kernel 3.7

13 years agobump iptables to 1.4.16.3 v1.4.16.3
Pablo Neira Ayuso [Thu, 18 Oct 2012 08:50:00 +0000 (10:50 +0200)] 
bump iptables to 1.4.16.3

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agobuild: resolve compile abort in libxt_limit on RHEL5
Jan Engelhardt [Wed, 10 Oct 2012 00:35:14 +0000 (00:35 +0000)] 
build: resolve compile abort in libxt_limit on RHEL5

libxt_limit.c: In function 'print_rate':
libxt_limit.c:124: error: 'INFINITY' undeclared (first use in
this function)

The default mode of glibc-2.15's <features.h> sets
"-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However,
on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L".

Explicitly draw in the definition of INFINITY by always defining
_ISOC99_SOURCE. By doing this, we are moving off of the default set, so
_BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is
used in xt_hashlimit.h.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agobuild: remove symlink-only extensions from static object list
Jan Engelhardt [Mon, 8 Oct 2012 12:04:56 +0000 (12:04 +0000)] 
build: remove symlink-only extensions from static object list

$ ./configure --enable-static --disable-shared --enable-ipv4
  --enable-ipv6 && make
[...]
make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by
"libext.a". Stop.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>