git.ipfire.org Git - thirdparty/iptables.git/log
Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"
Pablo Neira Ayuso [Mon, 30 Jul 2012 00:56:43 +0000 (02:56 +0200)]

This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.

Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).

iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)
Pablo Neira Ayuso [Mon, 23 Jul 2012 10:27:16 +0000 (12:27 +0200)]

This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.

But, in reality, it also fixes iptables when compiled with gcc-4.7.

Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.

@@ -380,9 +380,9 @@
                        quote_open = 0;
                        escaped = 0;
                        param_len = 0;
+                       char param_buffer[1024];

                        for (curchar = parsestart; *curchar; curchar++) {
-                               char param_buffer[1024];

                                if (quote_open) {
                                        if (escaped) {
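Review bot: hoisting the declaration fixes the object's lifetime but leaves the buffer unbounded: param_buffer is a fixed 1024-byte array and, per the snippet quoted further down, every character inside a quote is stored with `param_buffer[param_len++] = *curchar;` without checking param_len against that size, so a quoted parameter longer than 1023 bytes overruns the stack; add `if (param_len >= sizeof(param_buffer))` before the store and reject the line. On the lifetime point itself: with `char param_buffer[1024];` inside the for body, each iteration creates a fresh object, so accumulating into it across iterations uses storage whose lifetime has already ended and the compiler is entitled to discard those stores; the declaration placed next to `param_len = 0;` is the correct fix regardless of which gcc version exposed it.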

But I had a hard time applying this patch in such a way. Instead, I came
up with the idea of this cleanup, which does no harm after all (and fixes
the issue for us).

Someone in:

https://bugzilla.redhat.com/show_bug.cgi?id=82579

shed some light on this:

"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes

   param_buffer[param_len++] = *curchar;
   continue;

At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.

Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_HMARK: correct a number of errors introduced by Pablo's rework
Hans Schillstrom [Tue, 17 Jul 2012 16:27:24 +0000 (18:27 +0200)]

* Fix typo in --hmark-rnd description.
* Remove trailing -set from port and spi options.
* Take missing value for ports and spi from command line.
* Fix spi / port validation.
* Remove --hmark-offset as mandatory.

Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_HMARK: fix ct case example
Pablo Neira Ayuso [Mon, 16 Jul 2012 12:04:10 +0000 (14:04 +0200)]

... -j HMARK --hmark-tuple ct,src,dst --hmark-offset 10000 ...

Note `ct' requires also the tuples.

Reported-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_HMARK: fix output of iptables -L
Hans Schillstrom [Mon, 16 Jul 2012 11:53:42 +0000 (13:53 +0200)]

Fix accidental swap of [s|d]port-mask and [s|d]port-port.

Use xtables_ipmask_to_cidr instead of xtables_ipmask_to_numeric.

Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_hashlimit: add support for byte-based operation
Florian Westphal [Tue, 8 May 2012 03:16:52 +0000 (03:16 +0000)]

allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
to make hashlimit match when X bytes/second are exceeded;
optionally, Y bytes will not be matched (i.e. bursted).

[ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

libxt_hashlimit.c: In function ‘parse_bytes’:
libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_recent: remove unused variable
Eldad Zack [Wed, 4 Jul 2012 11:53:54 +0000 (11:53 +0000)]

The info variable is assigned but never read in recent_check().

Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: add HMARK target
Hans Schillstrom [Mon, 23 Apr 2012 03:35:28 +0000 (03:35 +0000)]

The target allows you to set the mark of packets based on a Jenkins hash calculation:

h(t, rnd) = x

mark = (x % mod) + offset

where:

* t is a tuple that is used for the hashing:

 t = [ src, dst, proto, sport, dport ]

Note that you can customize the tuple, thus, removing some component
that you don't want to use for the calculation. You can also use spi
instead of sport and dport, btw.

* rnd is the random seed that is explicitly passed via --hmark-rnd
* mod is the modulus, to determine the range of possible marks
* offset determines where the mark starts from

This target only works for the "raw" and "mangle" tables.

This can be used to distribute flows between a cluster of
systems and uplinks.

Initially based on work from Hans Schillstrom. Pablo took it
over and introduced several improvements.

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
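The computation described in the commit message above, worked through as an added example; this is not the kernel's xt_HMARK code. The hash is a transcription of jhash2() from Linux include/linux/jhash.h (assumed faithful), while the way the tuple is packed into 32-bit words, the field names and the sample flows are assumptions of this example, so the marks it prints will not match a real system, only the shape of mark = (h(t, rnd) % mod) + offset does.

```c
/* Added example, not the kernel's xt_HMARK implementation. It works the
 * formula mark = (h(t, rnd) % mod) + offset with a selectable tuple t.
 * h() is a transcription of jhash2() from Linux include/linux/jhash.h
 * (assumed faithful); the tuple layout below is this example's own
 * assumption and is not how xt_HMARK lays it out. */
#include <stdint.h>
#include <stdio.h>

#define JHASH_INITVAL 0xdeadbeefU

static inline uint32_t rol32(uint32_t w, unsigned s)
{
	return (w << s) | (w >> (32 - s));
}

#define JHASH_MIX(a, b, c) do {				\
	a -= c; a ^= rol32(c, 4);  c += b;		\
	b -= a; b ^= rol32(a, 6);  a += c;		\
	c -= b; c ^= rol32(b, 8);  b += a;		\
	a -= c; a ^= rol32(c, 16); c += b;		\
	b -= a; b ^= rol32(a, 19); a += c;		\
	c -= b; c ^= rol32(b, 4);  b += a;		\
} while (0)

#define JHASH_FINAL(a, b, c) do {			\
	c ^= b; c -= rol32(b, 14);			\
	a ^= c; a -= rol32(c, 11);			\
	b ^= a; b -= rol32(a, 25);			\
	c ^= b; c -= rol32(b, 16);			\
	a ^= c; a -= rol32(c, 4);			\
	b ^= a; b -= rol32(a, 14);			\
	c ^= b; c -= rol32(b, 24);			\
} while (0)

/* Jenkins lookup3 over an array of 32-bit words, keyed with initval (rnd). */
static uint32_t jhash2(const uint32_t *k, uint32_t length, uint32_t initval)
{
	uint32_t a, b, c;

	a = b = c = JHASH_INITVAL + (length << 2) + initval;
	while (length > 3) {
		a += k[0]; b += k[1]; c += k[2];
		JHASH_MIX(a, b, c);
		length -= 3;
		k += 3;
	}
	switch (length) {
	case 3: c += k[2]; /* fall through */
	case 2: b += k[1]; /* fall through */
	case 1: a += k[0];
		JHASH_FINAL(a, b, c);
	}
	return c;
}

/* Tuple components; clear a bit to leave that field out of the hash, as
 * --hmark-tuple lets you do. */
enum { T_SRC = 1, T_DST = 2, T_PROTO = 4, T_SPORT = 8, T_DPORT = 16 };
#define T_ALL (T_SRC | T_DST | T_PROTO | T_SPORT | T_DPORT)

struct flow {
	uint32_t src, dst;	/* IPv4 addresses, host byte order */
	uint8_t proto;
	uint16_t sport, dport;
};

/* mark = (h(t, rnd) % mod) + offset; mod == 0 would divide by zero, so it
 * degenerates to the bare offset. */
static uint32_t hmark(const struct flow *f, unsigned tuple, uint32_t rnd,
		      uint32_t mod, uint32_t offset)
{
	uint32_t t[5];
	uint32_t n = 0;

	if (mod == 0)
		return offset;
	if (tuple & T_SRC)   t[n++] = f->src;
	if (tuple & T_DST)   t[n++] = f->dst;
	if (tuple & T_PROTO) t[n++] = f->proto;
	if (tuple & T_SPORT) t[n++] = f->sport;
	if (tuple & T_DPORT) t[n++] = f->dport;
	return (jhash2(t, n, rnd) % mod) + offset;
}

int main(void)
{
	/* constructed sample: one client talking to one server from 8 ports */
	struct flow f = { 0x0a000001, 0xc0a80001, 6, 40000, 80 };
	uint32_t rnd = 0xcafe, mod = 4, offset = 100;

	for (int i = 0; i < 8; i++, f.sport++)
		printf("sport %u: full tuple -> mark %u, src/dst only -> mark %u\n",
		       f.sport, hmark(&f, T_ALL, rnd, mod, offset),
		       hmark(&f, T_SRC | T_DST, rnd, mod, offset));
	return 0;
}
```

With the full tuple the eight connections spread over the four marks, which is the load-balancing use the message describes; with ports removed from the tuple every connection between the same two hosts lands on the same mark, which is what you want when all flows of one peer pair must take the same uplink.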
libxtables: add xtables_ip[6]mask_to_cidr
Pablo Neira Ayuso [Sat, 14 Jul 2012 13:39:20 +0000 (15:39 +0200)]

This patch adds generic functions to return the mask in CIDR
notation whenever it is possible.

This patch also simplifies xtables_ip[6]mask_to_numeric, which
now use these two new functions.

This patch also bumps libxtables_vcurrent and libxtables_vage
since we added a couple new interfaces (thanks to Jan Engelhardt
for his little reminder on this).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_devgroup: add man page snippet
Florian Westphal [Mon, 2 Jul 2012 11:03:12 +0000 (11:03 +0000)]

Signed-off-by: Florian Westphal <fw@strlen.de>
Bump version to 1.4.14 (tag v1.4.14)
Pablo Neira Ayuso [Sat, 26 May 2012 16:44:33 +0000 (18:44 +0200)]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: add rateest match rules
Florian Westphal [Thu, 17 May 2012 01:03:09 +0000 (01:03 +0000)]

also, -p mobility gets us EINVAL from the kernel, use -p ipv6-mh instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_rateest: output all options in save hook
Florian Westphal [Thu, 17 May 2012 01:03:08 +0000 (01:03 +0000)]

ipt-restore fails to parse the ipt-save output:
zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
(should be "--rateest-pps 5 --rateest-lt").  Also, the "delta" option
was never shown in -save output, but twice in some cases when using
"iptables -L".

Also, the "b/pps1" option must be shown when "delta" option is used with
relative mode.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip(6)tables-restore: make sure argv is NULL terminated
Florian Westphal [Thu, 10 May 2012 05:42:47 +0000 (05:42 +0000)]

Else, argv[argc] may point to free'd memory.

Some extensions, e.g. rateest, may fail to parse valid input
because argv[optind] (with optind == argc) is not NULL.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
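The two iptables-restore parsing problems in this log, the per-iteration buffer lifetime behind the gcc-4.7 report further up and the missing NULL sentinel on argv that this commit fixes, shown together in one added example. This is not iptables code: the quoting grammar (double quotes, backslash escapes inside them, whitespace separation), the names add_param_to_argv, push_char and parse_line, the 64-argument limit and the sample rule line are all assumptions of the example, modelled on the description above rather than on the real iptables-restore.c.

```c
/* Added example; not iptables code. param_buffer lives outside the
 * character loop because it accumulates across iterations; declared inside
 * the for body, each iteration would get a fresh object and a compiler may
 * legitimately drop the stores into it (the gcc-4.7 symptom). argv[] is
 * kept NULL-terminated at all times. Grammar and limits are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS  64
#define PARAM_MAX 1024

struct argv_buf {
	int argc;
	char *argv[MAX_ARGS + 1];	/* +1: room for the NULL sentinel */
};

static void argv_free(struct argv_buf *ab)
{
	for (int i = 0; i < ab->argc; i++)
		free(ab->argv[i]);
	ab->argc = 0;
	ab->argv[0] = NULL;
}

/* Copy [p, p+len) into a new argv slot and keep argv[argc] == NULL, so a
 * parser reading argv[optind] at optind == argc sees a terminator rather
 * than stale memory. */
static int add_param_to_argv(struct argv_buf *ab, const char *p, size_t len)
{
	char *s = ab->argc < MAX_ARGS ? malloc(len + 1) : NULL;

	if (s == NULL)
		return -1;
	memcpy(s, p, len);
	s[len] = '\0';
	ab->argv[ab->argc++] = s;
	ab->argv[ab->argc] = NULL;
	return 0;
}

/* Append one character, refusing to overrun the fixed-size buffer. */
static int push_char(char *buf, size_t *len, char c)
{
	if (*len >= PARAM_MAX)
		return -1;
	buf[(*len)++] = c;
	return 0;
}

/* Split one rule line into argv. Returns argc, or -1 on error. */
static int parse_line(const char *line, struct argv_buf *ab)
{
	char param_buffer[PARAM_MAX];	/* outside the loop: spans all iterations */
	size_t param_len = 0;
	int quote_open = 0, escaped = 0;

	ab->argc = 0;
	ab->argv[0] = NULL;

	for (const char *c = line; *c; c++) {
		if (quote_open) {
			if (escaped) {
				escaped = 0;
				if (push_char(param_buffer, &param_len, *c) < 0)
					return -1;
			} else if (*c == '\\') {
				escaped = 1;
			} else if (*c == '"') {
				quote_open = 0;
				if (add_param_to_argv(ab, param_buffer, param_len) < 0)
					return -1;
				param_len = 0;
			} else if (push_char(param_buffer, &param_len, *c) < 0) {
				return -1;
			}
		} else if (*c == '"') {
			quote_open = 1;
		} else if (*c == ' ' || *c == '\t' || *c == '\n') {
			if (param_len && add_param_to_argv(ab, param_buffer, param_len) < 0)
				return -1;
			param_len = 0;
		} else if (push_char(param_buffer, &param_len, *c) < 0) {
			return -1;
		}
	}
	if (quote_open)
		return -1;	/* unterminated quote */
	if (param_len && add_param_to_argv(ab, param_buffer, param_len) < 0)
		return -1;
	return ab->argc;
}

int main(void)
{
	struct argv_buf ab;	/* constructed sample rule line */
	int n = parse_line("-A INPUT -m comment --comment \"a \\\"b\\\" c\" -j ACCEPT\n", &ab);

	for (int i = 0; i < n; i++)
		printf("argv[%d] = %s\n", i, ab.argv[i]);
	argv_free(&ab);
	return n < 0;
}
```

The bound check in push_char is the part the quoted snippet lacks: with a fixed 1024-byte buffer and no limit on param_len, an over-long quoted parameter in a restore file would write past the end of the stack array.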
libipt_ULOG: fix --ulog-cprange
Pablo Neira Ayuso [Tue, 8 May 2012 22:28:41 +0000 (00:28 +0200)]

In 1f2474a (libipt_ULOG: use guided option parser), a bug has been
accidentally introduced in --ulog-cprange, limiting possible values
from 1 to 50. However, that limit should be applied to
--ulog-qthreshold.

Reported-by: Gaurav Sinha <vgsinha@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libiptc: fix retry path in TC_INIT
Miguel GAIO [Thu, 19 Apr 2012 00:14:33 +0000 (00:14 +0000)]

There is an issue in the TC_INIT retry path:
in the error case, TC_FREE is called and closes sockfd.
The retry does not reopen it, so it always fails.

The proposed patch reopens sockfd in the retry path.

Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxt_CT: add --timeout option
Pablo Neira Ayuso [Wed, 29 Feb 2012 12:48:36 +0000 (13:48 +0100)]

This patch adds the --timeout option to allow attaching timeout
policy objects to flows, e.g.

 iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
  -j CT --timeout custom-tcp-policy

To define the cttimeout policies you need the nfct(8) tool, which is
available at:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

Example of usage:
 nfct timeout add custom-tcp-policy inet tcp established 1000

The new nfct tool also requires libnetfilter_cttimeout:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Bump version to 1.4.13 (tag v1.4.13)
Pablo Neira Ayuso [Tue, 27 Mar 2012 11:33:02 +0000 (13:33 +0200)]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: add nfacct match
Pablo Neira Ayuso [Tue, 27 Mar 2012 08:23:49 +0000 (10:23 +0200)]

This patch provides the user-space iptables support for the nfacct match.
This can be used as follows:

 nfacct add http-traffic
 iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
 iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
 nfacct get http-traffic

See also man nfacct(8) for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: mark newly opened fds as FD_CLOEXEC (close on exec)
Maciej Żenczykowski [Wed, 21 Mar 2012 00:52:00 +0000 (00:52 +0000)]

By default, Unix-like systems leak file descriptors after a fork/exec
call. I think this seems to result in SELinux spotting strange AVC
log messages, according to what I can find on the web.

Fedora 18 iptables source includes this change.

Maciej says:
"iptables does potentially fork/exec modprobe to load modules.
That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
You can do automated inspection of what gets carried across such
privilege changes and any unexpected open file descriptors flag
problems, patches like this cut down on the noise."

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
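The property this commit gives newly opened descriptors, shown in an added example that is not iptables code: a plain open() yields a descriptor that survives exec() into a helper such as modprobe, O_CLOEXEC yields one that does not, and fcntl(F_SETFD, FD_CLOEXEC) can repair a descriptor after the fact. The function names, the use of /dev/null as the file to open, and the Linux/POSIX environment are assumptions of the example.

```c
/* Added example (not iptables code): opening descriptors close-on-exec and
 * verifying the flag. Linux/POSIX only; /dev/null is just a convenient
 * file to open. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if it would survive an exec(), -1 on error. */
static int fd_is_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags < 0)
		return -1;
	return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark an already-open fd, the way a library must for fds it did not open
 * with O_CLOEXEC. Note the window: another thread may fork()+exec() between
 * open() and this call, so prefer O_CLOEXEC/SOCK_CLOEXEC at creation time. */
static int set_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags < 0)
		return -1;
	return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open the same path twice: once inheritable, once close-on-exec (atomic,
 * no race). Returns 0 on success and fills both descriptors. */
static int open_pair(const char *path, int *leaky, int *safe)
{
	*leaky = open(path, O_RDONLY);
	*safe = open(path, O_RDONLY | O_CLOEXEC);
	if (*leaky < 0 || *safe < 0) {
		if (*leaky >= 0)
			close(*leaky);
		if (*safe >= 0)
			close(*safe);
		return -1;
	}
	return 0;
}

/* Walk through the scenario: the plain open() leaks across exec, the
 * O_CLOEXEC one does not, and fcntl() repairs the leaky one afterwards.
 * Returns 0 when every step behaves as expected, nonzero otherwise. */
static int cloexec_demo(void)
{
	int leaky, safe, rc = 1;

	if (open_pair("/dev/null", &leaky, &safe) < 0)
		return -1;
	if (fd_is_cloexec(leaky) == 0 && fd_is_cloexec(safe) == 1 &&
	    set_cloexec(leaky) == 0 && fd_is_cloexec(leaky) == 1)
		rc = 0;
	close(leaky);
	close(safe);
	return rc;
}

int main(void)
{
	int rc = cloexec_demo();

	printf("%s\n", rc == 0 ? "FD_CLOEXEC handling behaves as expected"
			       : "unexpected descriptor flags");
	return rc != 0;
}
```

To audit a running process for descriptors that would cross an exec boundary, the same F_GETFD check applied to each entry of /proc/self/fd gives the list Maciej's note refers to.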
iptables: missing free() in function delete_entry()
Franz Flasch [Thu, 8 Mar 2012 04:20:41 +0000 (04:20 +0000)]

Fixed a memory leak in the dry run path of function delete_entry().

Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables: missing free() in function cache_add_entry()
Franz Flasch [Thu, 8 Mar 2012 04:20:37 +0000 (04:20 +0000)]

Fixed a memory leak in the error path of function cache_add_entry().

Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Revert "libiptc: Returns the position the entry was inserted"
Pablo Neira Ayuso [Wed, 29 Feb 2012 23:27:50 +0000 (00:27 +0100)]

This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c.

This is breaking my iptables scripts:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Incompatible with this kernel.

libiptc: Returns the position the entry was inserted
Jonh Wendell [Wed, 4 Jan 2012 17:44:01 +0000 (15:44 -0200)]

Jan Engelhardt showed no objections to this patch.

extensions: add IPv6 capable ECN match extension
Patrick McHardy [Wed, 28 Dec 2011 13:27:47 +0000 (14:27 +0100)]

Patrick submitted this patch on 9th Jun 2011; I'm recovering
and applying it to iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: add rpfilter module
Florian Westphal [Thu, 14 Jul 2011 21:56:47 +0000 (23:56 +0200)]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'stable'
Pablo Neira Ayuso [Mon, 2 Jan 2012 18:09:12 +0000 (19:09 +0100)]

Bump version to 1.4.12.2 (tag v1.4.12.2)
Pablo Neira Ayuso [Mon, 2 Jan 2012 17:19:09 +0000 (18:19 +0100)]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: link on libxtables and check symbols
Jan Engelhardt [Fri, 30 Dec 2011 01:14:00 +0000 (02:14 +0100)]

Have each extension link against libxtables.so; with this, all home
symbols are known at link time and we can use ld's --no-undefined to
run the check, dropping the homebrew solution.

By having libxtables.so required by extensions, package managers'
automatic dependency discovery will become effective so that manual
dependencies for distros with split extension packages (e.g. OpenWRT)
will not be necessary anymore.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
build: use delayed expansion on the user-settable variables
Jan Engelhardt [Sun, 18 Dec 2011 03:04:37 +0000 (04:04 +0100)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Update .gitignore
Jan Engelhardt [Sun, 18 Dec 2011 19:22:26 +0000 (20:22 +0100)]

Split off extensions/.gitignore.

build: use AC_CONFIG_AUX_DIR and stash away tools
Jan Engelhardt [Sun, 18 Dec 2011 19:21:27 +0000 (20:21 +0100)]

Update .gitignore
Jan Engelhardt [Sun, 18 Dec 2011 19:20:33 +0000 (20:20 +0100)]

Only ignore these paths if they are a directory.

Merge branch 'stable'
Jan Engelhardt [Sat, 31 Dec 2011 20:53:54 +0000 (21:53 +0100)]

nfnl_osf: add missing libnfnetlink_CFLAGS to compile process
Jan Engelhardt [Fri, 30 Dec 2011 01:14:51 +0000 (02:14 +0100)]

Merge branch 'stable'
Pablo Neira Ayuso [Fri, 23 Dec 2011 13:56:44 +0000 (14:56 +0100)]

libxt_connbytes: fix handling of --connbytes FROM
Florian Westphal [Fri, 16 Dec 2011 17:34:06 +0000 (18:34 +0100)]

quoting man page:

match packets  from  a  connection  whose packets/bytes/average
packet size is more than FROM and less than TO bytes/packets. if
TO is omitted only FROM check is done.

But, when TO was omitted, we did treat it like "x:x" which is not
the same at all.

Before commit 09631dc60ce41bc484a42fcf4d4ddf7036820bd1
(libxt_connbytes: use guided option parser), we failed to parse
"--connbytes x" ('Bad range "x"'), but treated "x:" like "x:0xffffffff".

Also, restore the "from must be smaller than to" check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Merge branch 'stable'
Jan Engelhardt [Sun, 18 Dec 2011 02:10:56 +0000 (03:10 +0100)]

libiptc: provide separate pkgconfig files
Jan Engelhardt [Sun, 18 Dec 2011 01:52:15 +0000 (02:52 +0100)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
doc: clarification on the meaning of -p 0
Jan Engelhardt [Sun, 18 Dec 2011 01:44:05 +0000 (02:44 +0100)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_recent: Add support for --reap option
Tim Gardner [Wed, 30 Nov 2011 15:16:53 +0000 (08:16 -0700)]

Support for the reap option was merged in the kernel as of 2.6.35.

Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
libipt_SAME: set PROTO_RANDOM on all ranges
Jan Engelhardt [Fri, 25 Nov 2011 14:36:56 +0000 (15:36 +0100)]

Resolve the (justified) WTF remark to a clearer version of when/why
PROTO_RANDOM needs to be set.

Especially when --random is used before --to in SAME, it would not
have been applied.

Merge branch 'stable'
Pablo Neira Ayuso [Tue, 1 Nov 2011 12:39:06 +0000 (13:39 +0100)]

libxt_NFQUEUE: fix --queue-bypass ipt-save output
Florian Westphal [Mon, 31 Oct 2011 15:10:57 +0000 (16:10 +0100)]

else, this will print "--queue-num 0--queue-bypass ".

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'stable'
Pablo Neira Ayuso [Wed, 28 Sep 2011 18:53:48 +0000 (20:53 +0200)]

Improve readability of bitwise operation
Thomas Jarosch [Mon, 5 Sep 2011 20:25:39 +0000 (22:25 +0200)]

CLUSTERIP: improve readability of bitwise operation

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libxtables: Fix file descriptor leak in xtables_lmap_init on error
Thomas Jarosch [Wed, 28 Sep 2011 18:45:24 +0000 (20:45 +0200)]

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'stable'
Jan Engelhardt [Mon, 19 Sep 2011 11:44:18 +0000 (13:44 +0200)]

build: make check stage not fail when building statically
Jan Engelhardt [Sun, 18 Sep 2011 13:38:20 +0000 (15:38 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
build: restore build order of modules
Jan Engelhardt [Sun, 18 Sep 2011 13:06:05 +0000 (15:06 +0200)]

iptables(exe) requires libext.a, but extensions/ require libxtables.la
(in iptables/). This circular dependency does not work out, so
separate libxtables into its own directory and put it in front.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ip6tables-restore: make code look alike with iptables-restore
Jan Engelhardt [Sat, 27 Aug 2011 08:34:01 +0000 (10:34 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: use a family-invariant xtc_ops struct for code reduction
Jan Engelhardt [Sat, 27 Aug 2011 10:50:32 +0000 (12:50 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
src: resolve old macro names that are indirections
Jan Engelhardt [Sat, 27 Aug 2011 07:56:16 +0000 (09:56 +0200)]

Command used:

git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: combine common types: _handle
Jan Engelhardt [Sat, 27 Aug 2011 09:39:52 +0000 (11:39 +0200)]

No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: replace ipt_chainlabel by xt_chainlabel
Jan Engelhardt [Sat, 27 Aug 2011 09:16:16 +0000 (11:16 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: combine common types
Jan Engelhardt [Sat, 27 Aug 2011 09:12:49 +0000 (11:12 +0200)]

Make an xt_chainlabel type out of ipt_chainlabel and ip6t_chainlabel,
and add backward-API #defines. The ABI naturally does not change
either, so no soversion bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: remove unused HOOK_DROPPING thing
Jan Engelhardt [Sat, 27 Aug 2011 08:59:31 +0000 (10:59 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
iptables-save: remove binary dumping dead code
Jan Engelhardt [Sat, 27 Aug 2011 11:06:37 +0000 (13:06 +0200)]

Was never implemented, kill it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libiptc: resolve compile failure
Jan Engelhardt [Sun, 11 Sep 2011 15:24:26 +0000 (17:24 +0200)]

  CC     libip4tc.lo
In file included from libip4tc.c:118:0:
libiptc.c:70:8: error: redefinition of "struct xt_error_target"
../include/linux/netfilter/x_tables.h:69:8: note: originally defined here

Remove libiptc's duplicate definition and substitute names.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Merge branch 'stable'
Jan Engelhardt [Sun, 11 Sep 2011 15:14:04 +0000 (17:14 +0200)]

doc: document iptables-restore's -T option
Jan Engelhardt [Sat, 27 Aug 2011 07:31:35 +0000 (09:31 +0200)]

Commit v1.4.0-rc1-12-ge8665f8 completely forgot this.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ip6tables-restore: implement missing -T option
Jan Engelhardt [Sat, 27 Aug 2011 07:29:30 +0000 (09:29 +0200)]

Commit v1.4.0-rc1-12-ge8665f8 forgot to port the change to the
ip6tables part.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
doc: fix undesired newline in ip6tables-restore(8)
Jan Engelhardt [Sat, 27 Aug 2011 07:21:46 +0000 (09:21 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
build: sort file list before build
Jan Engelhardt [Thu, 8 Sep 2011 15:08:37 +0000 (17:08 +0200)]

Manpage subsections are already sorted for obvious reasons. Since
$(wildcard) can actually return results unordered (just what the OS
can do), do the sorting with the .o file list too, for developer
comfort.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Merge branch 'master' of git://dev.medozas.de/iptables
Jan Engelhardt [Thu, 8 Sep 2011 15:00:49 +0000 (17:00 +0200)]

Merge branch 'stable'
Jan Engelhardt [Thu, 8 Sep 2011 14:07:16 +0000 (16:07 +0200)]

libxt_CONNSECMARK: fix spacing in output
Tom Eastep [Sat, 3 Sep 2011 00:45:51 +0000 (17:45 -0700)]

~# iptables -t mangle -A foo -j CONNSECMARK --save
~# iptables -t mangle -S
[...]
-A foo -j CONNSECMARK--save

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Merge branch 'stable' of git://dev.medozas.de/iptables
Jan Engelhardt [Mon, 5 Sep 2011 18:15:10 +0000 (20:15 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
iptables: move kernel version find routine into libxtables
Jan Engelhardt [Sat, 3 Sep 2011 12:27:55 +0000 (14:27 +0200)]

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
build: scan for unreferenced symbols
Jan Engelhardt [Sat, 3 Sep 2011 12:11:53 +0000 (14:11 +0200)]

To be notified of occurrences where we are missing any libraries, run
some ldd checks post building.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_RATEEST: link with -lm
Jan Engelhardt [Sat, 3 Sep 2011 11:35:53 +0000 (13:35 +0200)]

$ ldd -r libxt_RATEEST.so
undefined symbol: log   (./libxt_RATEEST.so)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_statistic: link with -lm
Jan Engelhardt [Sat, 3 Sep 2011 11:34:40 +0000 (13:34 +0200)]

$ ldd -r libxt_statistic.so
undefined symbol: lround        (./libxt_statistic.so)

References: https://bugs.archlinux.org/task/25358
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Bump version to 1.4.12.1 (tag v1.4.12.1)
Pablo Neira Ayuso [Thu, 1 Sep 2011 16:30:42 +0000 (18:30 +0200)]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include: refresh include files from kernel 3.1-rc3
Jan Engelhardt [Sun, 28 Aug 2011 12:19:43 +0000 (14:19 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_addrtype: add support for revision 1
Jan Engelhardt [Sun, 28 Aug 2011 12:16:14 +0000 (14:16 +0200)]

Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
there was no corresponding iptables patch so far.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_addrtype: rename from libipt_addrtype
Jan Engelhardt [Sun, 28 Aug 2011 12:10:19 +0000 (14:10 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtoptions: simplify xtables_parse_interface
Richard Weinberger [Sat, 27 Aug 2011 13:32:31 +0000 (15:32 +0200)]

mask is already filled with zeros, so there is no need to zero it again.

References: http://marc.info/?l=netfilter-devel&m=131445196526269&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_conntrack: improve error message on parsing violation
Tom Eastep [Thu, 18 Aug 2011 22:11:16 +0000 (15:11 -0700)]

Tom Eastep noted:

$ iptables -A foo -m conntrack --ctorigdstport 22
iptables v1.4.12: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.

Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
but let's include Tom's patch nevertheless for the better error
message in case one actually does specify a range with rev 2.

References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtoptions: fill in fallback value for nvals
Jan Engelhardt [Sat, 27 Aug 2011 15:59:52 +0000 (17:59 +0200)]

Parsing for libxt_conntrack rev 2 is done by using rev 2's option
structure, which specifies XTTYPE_PORT, and using rev 3's parser
skeleton, which uses cb->nvals. Reading cb->nvals when not using
XTTYPE_PORTRC (or any other multi-value type) is undefined behavior.

Make it defined. Since XTTYPE_NONE is the only type that can take
void, nvals logically ought to be 1.

References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_TOS: update linux kernel version list for backported fix
Fernando Luis Vázquez Cao [Tue, 2 Aug 2011 01:00:40 +0000 (10:00 +0900)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_string: escape the escaping char too
Jan Engelhardt [Fri, 26 Aug 2011 12:46:40 +0000 (14:46 +0200)]

References: http://bugzilla.netfilter.org/show_bug.cgi?id=740
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
src: remove unused IPTABLES_MULTI define
Jan Engelhardt [Fri, 26 Aug 2011 10:45:02 +0000 (12:45 +0200)]

This dead code has been lingering around since commit v1.4.5~7.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_string: replace hex codes by char equivalents
Jan Engelhardt [Thu, 25 Aug 2011 10:11:20 +0000 (12:11 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_string: simplify hex output routine
Jan Engelhardt [Sun, 21 Aug 2011 11:16:16 +0000 (13:16 +0200)]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_hashlimit: observe new default gc-expire time when saving
Jan Engelhardt [Sun, 21 Aug 2011 11:04:38 +0000 (13:04 +0200)]

For a while now, --htable-gc-expire has defaulted to the chosen time
quantum instead of a fixed 10 seconds, which leads the expiry value to
be always printed, which is redundant.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tests: add negation tests for libxt_statistic
Jan Engelhardt [Sun, 21 Aug 2011 10:46:08 +0000 (12:46 +0200)]

Note: it is valid to check cb->invert before calling
xtables_option_parse.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_policy: remove superfluous inversion
Jan Engelhardt [Sun, 21 Aug 2011 10:39:04 +0000 (12:39 +0200)]

--dir cannot be inverted.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_physdev: restore inversion support
Jan Engelhardt [Sun, 21 Aug 2011 10:27:06 +0000 (12:27 +0200)]

Bug origin is in commit v1.4.11~26^2~4.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_owner: restore inversion support
Jan Engelhardt [Sun, 21 Aug 2011 10:25:06 +0000 (12:25 +0200)]

Bug origin is in commit v1.4.11~16^2~7.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libipt_ttl: document that negation is available
Jan Engelhardt [Sun, 21 Aug 2011 10:11:15 +0000 (12:11 +0200)]

Glitch since commit v1.2.1~75.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libip6t_dst: restore setting IP6T_OPTS_LEN flag
Jan Engelhardt [Sun, 21 Aug 2011 09:59:58 +0000 (11:59 +0200)]

Bug origin is in commit v1.4.11~26^2~18.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libip6t_hbh: restore setting IP6T_OPTS_LEN flag
Jan Engelhardt [Sun, 21 Aug 2011 09:54:01 +0000 (11:54 +0200)]

Bug origin is in commit v1.4.11~26^2~17.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_hashlimit: remove inversion from hashlimit rev 0
Jan Engelhardt [Sun, 21 Aug 2011 09:49:21 +0000 (11:49 +0200)]

Revision 0 indeed did not have inversion support, nor presence of
--hashlimit-above. This glitch was added in v1.4.11~16^2~10.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libip6t_frag: restore inversion support
Jan Engelhardt [Sun, 21 Aug 2011 09:41:13 +0000 (11:41 +0200)]

--fraglen also was not printed since v1.4.11~26^2~22.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT
Jan Engelhardt [Sun, 21 Aug 2011 08:14:28 +0000 (10:14 +0200)]

When XTOPT_POINTER is used (and yields a non-zero offsetof), we can
flag the absence of XTOPT_PUT.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_conntrack: fix --ctproto 0 output
Jan Engelhardt [Sun, 21 Aug 2011 08:06:18 +0000 (10:06 +0200)]

First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.

Bug goes back to v1.4.12~1^2.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_hashlimit: default htable-expire must be in milliseconds
Jan Engelhardt [Sun, 21 Aug 2011 07:46:12 +0000 (09:46 +0200)]

Bug goes back to v1.4.12~3^2~11.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_dscp: restore inversion support
Jan Engelhardt [Sun, 21 Aug 2011 06:52:56 +0000 (08:52 +0200)]

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_dccp: fix random output of ! on --dccp-option
Jan Engelhardt [Sun, 21 Aug 2011 07:39:21 +0000 (09:39 +0200)]

dccp-option tests info->typemask, but it really should look at
info->invflags instead.

This bug goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libxt_dccp: provide man pages options in short help too
Jan Engelhardt [Sun, 21 Aug 2011 07:15:20 +0000 (09:15 +0200)]

This omission goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>