git.ipfire.org Git - thirdparty/iptables.git/log
Maciej Żenczykowski [Tue, 5 Apr 2011 05:30:16 +0000 (22:30 -0700)]
combine ip6?tables-multi into xtables-multi
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Maciej Żenczykowski [Wed, 6 Apr 2011 20:35:11 +0000 (13:35 -0700)]
Move common parts of libext{4,6}.a into libext.a
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Maciej Żenczykowski [Thu, 14 Apr 2011 09:22:14 +0000 (02:22 -0700)]
Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.
Example:
iptables-restore config
ip6tables-restore config
Where the file 'config' contains:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -6 -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
-A ssh -j ACCEPT
COMMIT
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Maciej Zenczykowski [Tue, 19 Apr 2011 07:14:04 +0000 (09:14 +0200)]
Don't load ip6?_tables module when already loaded
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Patrick McHardy [Mon, 18 Apr 2011 13:03:22 +0000 (15:03 +0200)]
Merge branch 'floating/opts' of git://dev.medozas.de/iptables
Jozsef Kadlecsik [Sun, 17 Apr 2011 09:38:18 +0000 (11:38 +0200)]
SET target revision 2 added
The new revision of the SET target supports the following new operations
- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already exists then reset the timeout value to the specified one (or to the default from the set definition)
Jan Engelhardt [Tue, 8 Mar 2011 00:24:26 +0000 (01:24 +0100)]
libipt_ULOG: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 9 Feb 2011 01:15:22 +0000 (02:15 +0100)]
libxt_TPROXY: use guided option parser
I am starting with a simple module here that does not require a
final_check function.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 14 Feb 2011 14:12:50 +0000 (15:12 +0100)]
libxtables: XTTYPE_PORT support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 14 Feb 2011 14:10:15 +0000 (15:10 +0100)]
libxtables: XTTYPE_ONEHOST support
The bonus of the POSIX socket API is that it is almost protocol-agnostic
and that there are ready-made functions to take over the gist of address
parsing and packing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 15 Feb 2011 11:05:12 +0000 (12:05 +0100)]
libip[6]t_LOG: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 15 Feb 2011 21:10:48 +0000 (22:10 +0100)]
libxtables: XTTYPE_SYSLOGLEVEL support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 17:12:04 +0000 (18:12 +0100)]
libxt_string: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 17:11:58 +0000 (18:11 +0100)]
libxtables: pass struct xt_entry_{match,target} to x6 parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 17:00:05 +0000 (18:00 +0100)]
libxt_TCPMSS: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:54:50 +0000 (17:54 +0100)]
libxt_NFQUEUE: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:47:03 +0000 (17:47 +0100)]
libxt_CT: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:42:51 +0000 (17:42 +0100)]
libxtables: XTTYPE_UINT16 support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:19:10 +0000 (17:19 +0100)]
libxt_connbytes: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:13:54 +0000 (17:13 +0100)]
libxtables: XTTYPE_UINT64RC support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:09:19 +0000 (17:09 +0100)]
libxtables: XTTYPE_UINT8RC support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:04:35 +0000 (17:04 +0100)]
libxt_tcpmss: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 16:00:49 +0000 (17:00 +0100)]
libxt_length: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:59:23 +0000 (16:59 +0100)]
libxtables: XTTYPE_UINT16RC support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:38:51 +0000 (16:38 +0100)]
libipt_realm: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:02:03 +0000 (16:02 +0100)]
libxt_devgroup: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:24:43 +0000 (16:24 +0100)]
libxtables: linked-list name<->id map
This consolidates the maps from libxt_devgroup and libxt_realm.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:58:24 +0000 (16:58 +0100)]
libxt_quota: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 15:56:53 +0000 (16:56 +0100)]
libxtables: XTTYPE_UINT64 support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 14:54:58 +0000 (15:54 +0100)]
libxt_CONNMARK: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 14:21:24 +0000 (15:21 +0100)]
libxt_MARK: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 13:57:44 +0000 (14:57 +0100)]
libxtables: XTTYPE_MARKMASK32 support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Patrick McHardy [Wed, 13 Apr 2011 11:38:20 +0000 (13:38 +0200)]
Merge branch 'opts' of git://dev.medozas.de/iptables
Patrick McHardy [Tue, 12 Apr 2011 14:05:39 +0000 (16:05 +0200)]
Merge branch 'opts' of git://dev.medozas.de/iptables
Patrick McHardy [Tue, 12 Apr 2011 14:05:28 +0000 (16:05 +0200)]
Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
Jozsef Kadlecsik [Sat, 9 Apr 2011 19:29:08 +0000 (21:29 +0200)]
Fix set match/target direction parser
The direction parser did not catch when more src/dst direction
parameters were supplied than allowed.
Jan Engelhardt [Wed, 6 Apr 2011 11:21:54 +0000 (13:21 +0200)]
doc: avoid duplicate entries in manpage
Commit v1.4.9-35-gd4105ad changed from [A-Z] and [a-z] to use
[[:alnum:]], which unfortunately drew matches into the target section,
and targets into the match section. [[:upper:]] and [[:lower:]] should
have been used instead, of course.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 22:06:59 +0000 (23:06 +0100)]
libxt_u32: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 22:03:36 +0000 (23:03 +0100)]
libxt_time: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 21:52:04 +0000 (22:52 +0100)]
libxt_state: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 18:19:16 +0000 (19:19 +0100)]
libxt_pkttype: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 18:09:38 +0000 (19:09 +0100)]
libxt_physdev: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 17:55:32 +0000 (18:55 +0100)]
libxt_helper: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 19:16:22 +0000 (20:16 +0100)]
libxt_comment: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 21:57:52 +0000 (22:57 +0100)]
libxt_TCPOPTSTRIP: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 21:50:13 +0000 (22:50 +0100)]
libxt_SECMARK: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 6 Mar 2011 17:21:42 +0000 (18:21 +0100)]
libxt_LED: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 19:28:24 +0000 (20:28 +0100)]
libxt_DSCP: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 19:14:16 +0000 (20:14 +0100)]
libxt_CLASSIFY: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 19:11:01 +0000 (20:11 +0100)]
libxt_AUDIT: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 19:02:35 +0000 (20:02 +0100)]
libipt_addrtype: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 23:51:16 +0000 (00:51 +0100)]
libipt_ECN: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 18:51:16 +0000 (19:51 +0100)]
libip6t_ipv6header: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 17:36:15 +0000 (18:36 +0100)]
libip[6]t_icmp: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 2 Mar 2011 23:40:43 +0000 (00:40 +0100)]
libip6t_hbh: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 18 Feb 2011 01:11:31 +0000 (02:11 +0100)]
libip6t_dst: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 16 Feb 2011 00:16:39 +0000 (01:16 +0100)]
libip[6]t_REJECT: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 15 Feb 2011 21:09:21 +0000 (22:09 +0100)]
libxtables: XTTYPE_STRING support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 22:56:28 +0000 (23:56 +0100)]
libxt_esp: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 18 Feb 2011 01:17:54 +0000 (02:17 +0100)]
libip6t_frag: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 16 Feb 2011 00:59:18 +0000 (01:59 +0100)]
libip[6]t_ah: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 22:41:10 +0000 (23:41 +0100)]
libxtables: XTTYPE_UINT32RC support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 18 Feb 2011 02:20:56 +0000 (03:20 +0100)]
libip[6]t_hl: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 13 Feb 2011 02:31:54 +0000 (03:31 +0100)]
libip[6]t_HL: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 18:03:28 +0000 (19:03 +0100)]
libxtables: XTTYPE_UINT8 support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 16:52:23 +0000 (17:52 +0100)]
libxt_cluster: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 16:38:34 +0000 (17:38 +0100)]
libxtables: min-max option support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 18 Feb 2011 02:41:18 +0000 (03:41 +0100)]
libxt_cpu: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 16 Feb 2011 00:22:25 +0000 (01:22 +0100)]
libxtables: XTTYPE_UINT32 support
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 15:50:22 +0000 (16:50 +0100)]
libxt_CONNSECMARK: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 10 Feb 2011 15:57:37 +0000 (16:57 +0100)]
libxtables: provide better final_check
This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 18 Feb 2011 02:22:52 +0000 (03:22 +0100)]
libxt_socket: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 27 Feb 2011 15:54:27 +0000 (16:54 +0100)]
libxt_CHECKSUM: use guided option parser
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 7 Feb 2011 03:00:50 +0000 (04:00 +0100)]
libxtables: guided option parser
This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.
As a secondary goal, this reduces the number of static storage duration
variables in flight.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 18:48:10 +0000 (19:48 +0100)]
extensions: add missing checks for specific flags (2)
Addendum to v1.4.10-75-g4e5d4bf. It does not make sense to use
ipv6header's --soft without specifying any options.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Maciej Zenczykowski [Tue, 5 Apr 2011 10:43:26 +0000 (12:43 +0200)]
convert ip6?tables-multi to actually use their own header files
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Tue, 5 Apr 2011 10:42:37 +0000 (12:42 +0200)]
move 'int line' definition from ip6?tables.c into xtables.c
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:38:44 +0000 (15:38 +0200)]
v6: rename do_command() to do_command6()
(actually only applies to two comments, since the
function has long been called do_command6)
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:38:11 +0000 (15:38 +0200)]
v4: rename do_command() to do_command4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:37:43 +0000 (15:37 +0200)]
v6: rename print_rule() to print_rule6()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:37:13 +0000 (15:37 +0200)]
v4: rename print_rule() to print_rule4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:36:45 +0000 (15:36 +0200)]
v6: rename delete_chain() to delete_chain6()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:36:14 +0000 (15:36 +0200)]
v4: rename delete_chain() to delete_chain4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:35:47 +0000 (15:35 +0200)]
v6: rename flush_entries() to flush_entries6()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:35:20 +0000 (15:35 +0200)]
v4: rename flush_entries() to flush_entries4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:34:54 +0000 (15:34 +0200)]
v6: rename for_each_chain() to for_each_chain6()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:34:28 +0000 (15:34 +0200)]
v4: rename for_each_chain() to for_each_chain4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:33:58 +0000 (15:33 +0200)]
xtables.h: init_extensions() no longer exists
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:33:25 +0000 (15:33 +0200)]
v6: rename init_extensions() to init_extensions6()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:32:39 +0000 (15:32 +0200)]
v4: rename init_extensions() to init_extensions4()
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:31:43 +0000 (15:31 +0200)]
xtables: delay (statically built) match/target initialization
Matches and targets built into the iptables static binary will always
be registered as the binary starts up; this may potentially (as a result
of kernel version support checking) result in modules being autoloaded.
This is undesirable (for example it may cause the CONNMARK target to load
and thus cause the kernel to load the conntrack module, which isn't a
no-op).
Transition to a system where matches and targets are registered into
a pending list, from whence they get fully registered only when
required.
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:31:09 +0000 (15:31 +0200)]
xtables_ip6addr_to_numeric: fix typo in comment
An IPv6 address consists of eight hexadecimal 16-bit values separated
by colons, or alternatively, six (not five) of these followed by a colon
and an IPv4 address in standard dotted decimal quad notation
(for IPv4 mapped addresses and the like).
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:30:32 +0000 (15:30 +0200)]
mark newly opened fds as FD_CLOEXEC (close on exec)
(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Maciej Zenczykowski [Mon, 4 Apr 2011 13:29:40 +0000 (15:29 +0200)]
man pages: allow underscores in match and target names
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Mark Montague [Mon, 4 Apr 2011 12:54:52 +0000 (14:54 +0200)]
iptables: documentation for iptables and ip6tables "security" tables
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Thomas Graf [Wed, 16 Mar 2011 15:30:09 +0000 (16:30 +0100)]
iptables: add manual page section for AUDIT target
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Stefan Tomanek [Tue, 8 Mar 2011 21:42:51 +0000 (22:42 +0100)]
iptables: add -C to check for existing rules
It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.
Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.
This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Stefan Tomanek [Mon, 7 Mar 2011 17:30:27 +0000 (18:30 +0100)]
ip(6)tables-multi: unify subcommand handling
I found the subcommand handling and naming done by iptables-multi and
ip6tables-multi very confusing and complicated; this patch
reorganizes the subcommands in a single table, allowing both variants
of them to be used (iptables/main) and also prints a list of the
allowed commands if an unknown command is entered by the user.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 11:51:21 +0000 (12:51 +0100)]
doc: add VERSION section to manpages
This shall make it easier to identify outdated HTML renditions on the
interwebs, since many of them do not display the .TH header like man(1)
does.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 1 Mar 2011 01:45:34 +0000 (02:45 +0100)]
iptables: fix an inversion
Revisiting the original condition (viewable in git log -1 -p
v1.4.10-57-gacef604), one can notice an unfortunate inversion. This
commit corrects this.
Testcase: -A INPUT -p tcp --dport 1
Reported-by: Florian Westphal
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>