doc: S/DNAT allows to omit IP addresses

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

iptables: fix the dead loop when meeting unknown options

Signed-off-by: Changli Gao <xiaosuo@gmail.com>

Merge branch 'opts' of git://dev.medozas.de/iptables

libxt_dccp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_udp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_PORTRC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

extensions: remove unused TOS code

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_tos: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_TOS: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

combine ip6?tables-multi into xtables-multi

Signed-off-by: Maciej Zenczykowski <maze@google.com>

Move common parts of libext{4,6}.a into libext.a

Signed-off-by: Maciej Zenczykowski <maze@google.com>

Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.

This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.

Example:
  iptables-restore config
  ip6tables-restore config

Where the file 'config' contains:
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :ssh - [0:0]

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m state --state INVALID -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -4 -p icmp -j ACCEPT
  -A INPUT -6 -p icmpv6 -j ACCEPT
  -A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
  -A ssh -j ACCEPT

  COMMIT

Signed-off-by: Maciej Zenczykowski <maze@google.com>

Don't load ip6?_tables module when already loaded

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Merge branch 'floating/opts' of git://dev.medozas.de/iptables

SET target revision 2 added

The new revision of the SET target supports the following new operations

- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already
  exists then reset the timeout value to the specified one (or
  to the default from the set definition)

xtoptions: respect return value in xtables_getportbyname

If ret was negative, ntohs may make it positive, which is undesired.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_TEE: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

build: bump libxtables ABI version

Adding the x6_* members to struct xtables_{match,target} caused a
change requiring a bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libipt_ULOG: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_TPROXY: use guided option parser

I am starting with a simple module here that does not require a
final_check function.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_PORT support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_ONEHOST support

The bonus of the POSIX socket API is that it is almost protocol-agnostic
and that there are ready-made functions to take over the gist of address
parsing and packing.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_LOG: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_SYSLOGLEVEL support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_string: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: pass struct xt_entry_{match,target} to x6 parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_TCPMSS: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_NFQUEUE: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_CT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT16 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_connbytes: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT64RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT8RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_tcpmss: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_length: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT16RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libipt_realm: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_devgroup: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: linked-list name<->id map

This consolidates the maps from libxt_devgroup and libxt_realm.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_quota: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT64 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_CONNMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_MARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_MARKMASK32 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

Merge branch 'opts' of git://dev.medozas.de/iptables

Merge branch 'opts' of git://dev.medozas.de/iptables

Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables

Fix set match/target direction parser

The direction parser did not catch when more src/dst direction
parameters were supplied than allowed.

doc: avoid duplicate entries in manpage

Commit v1.4.9-35-gd4105ad changed from [A-Z] and [a-z] to use
[[:alnum:]], which unfortunately drew matches into the target section,
and targets into the match section. [[:upper:]] and [[:lower:]] should
have been used instead, of course.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_u32: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_time: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_state: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_pkttype: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_physdev: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_helper: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_comment: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_TCPOPTSTRIP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_SECMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_LED: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_DSCP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_CLASSIFY: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_AUDIT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libipt_addrtype: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libipt_ECN: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip6t_ipv6header: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_icmp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip6t_hbh: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip6t_dst: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_REJECT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_STRING support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_esp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip6t_frag: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_ah: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT32RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_hl: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libip[6]t_HL: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT8 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_cluster: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: min-max option support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_cpu: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: XTTYPE_UINT32 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_CONNSECMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: provide better final_check

This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_socket: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxt_CHECKSUM: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

libxtables: guided option parser

This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.

As a secondary goal, this reduces the number of static storage duration
variables in flight.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

extensions: add missing checks for specific flags (2)

Addendum to v1.4.10-75-g4e5d4bf. It does not make sense to use
ipv6header's --soft without specifying any options.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

convert ip6?tables-multi to actually use their own header files

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

move 'int line' definition from ip6?tables.c into xtables.c

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v6: rename do_command() to do_command6()

(actually only applies to two comments, since the
function has long been called do_command6)

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v4: rename do_command() to do_command4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v6: rename print_rule() to print_rule6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v4: rename print_rule() to print_rule4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v6: rename delete_chain() to delete_chain6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v4: rename delete_chain() to delete_chain4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v6: rename flush_entries() to flush_entries6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v4: rename flush_entries() to flush_entries4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v6: rename for_each_chain() to for_each_chain6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

v4: rename for_each_chain() to for_each_chain4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

xtables.h: init_extensions() no longer exists

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>