Jan Engelhardt [Mon, 10 Nov 2008 15:59:27 +0000 (16:59 +0100)]
libiptc: remove typedef indirection
Don't you hate it when iptc_handle_t *x actually is a double-indirection
struct iptc_handle **? This also shows the broken constness model, since
"const iptc_handle_t x" = "iptc_handle_t const x" =
"struct iptc_handle *const x", which is like no const at all.
Lots of things to do then.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Thomas Jarosch [Thu, 23 Oct 2008 13:41:27 +0000 (15:41 +0200)]
Fix compile warnings using gcc 4.3.2
libxt_dccp.c: In function 'port_to_service':
libxt_dccp.c:196: warning: implicit declaration of function 'htons'
libxt_sctp.c: In function 'port_to_service':
libxt_sctp.c:321: warning: implicit declaration of function 'htons'
libxt_tcp.c: In function 'port_to_service':
libxt_tcp.c:220: warning: implicit declaration of function 'htons'
libxt_udp.c: In function 'port_to_service':
libxt_udp.c:104: warning: implicit declaration of function 'htons'
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Thomas Jarosch [Thu, 23 Oct 2008 13:40:52 +0000 (15:40 +0200)]
Fix compile error in libxt_iprange.c using gcc 4.3.2
In file included from libxt_iprange.c:9:
../include/linux/netfilter.h:43: error: field 'in' has incomplete type
../include/linux/netfilter.h:44: error: field 'in6' has incomplete type
libxt_iprange.c: In function 'parse_iprange':
libxt_iprange.c:46: error: dereferencing pointer to incomplete type
libxt_iprange.c:53: error: dereferencing pointer to incomplete type
libxt_iprange.c: In function 'iprange_mt4_parse':
libxt_iprange.c:117: error: dereferencing pointer to incomplete type
libxt_iprange.c:121: error: dereferencing pointer to incomplete type
libxt_iprange.c:136: error: dereferencing pointer to incomplete type
libxt_iprange.c:140: error: dereferencing pointer to incomplete type
libxt_iprange.c: In function 'iprange_mt6_parse':
libxt_iprange.c:167: error: dereferencing pointer to incomplete type
libxt_iprange.c:171: error: dereferencing pointer to incomplete type
libxt_iprange.c:186: error: dereferencing pointer to incomplete type
libxt_iprange.c:190: error: dereferencing pointer to incomplete type
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Jirí Moravec [Wed, 22 Oct 2008 06:57:38 +0000 (08:57 +0200)]
libxt_TOS: fix compilation error
Fix compilation error caused by double definition of IPPROTO_SCTP:
In file included from /usr/include/netinet/ip.h:25,
from /usr/include/linux/ip.h:19,
from tos_values.c:4,
from libxt_TOS.c:15:
/usr/include/netinet/in.h:84: error: expected identifier before numeric constant
make[2]: *** [libxt_TOS.oo] Error 1
When a neg mark is saved via iptables-save it is saved as !--mark,
but this is not recognized by iptables-restore, just adding a
space to the saved file to make it look like "! --mark" makes
iptables-restore accept the file.
Signed-off-by: Pablo Sebastian Greco <pablo@fliagreco.com.ar> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Mon, 8 Sep 2008 13:42:06 +0000 (15:42 +0200)]
build: run ldconfig on `make install`
Reporeted-by: Brent Clark <brentgclarklist@gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Phil Oester [Mon, 1 Sep 2008 13:07:26 +0000 (15:07 +0200)]
src: Missing limits.h includes
Latest git doesn't compile for me on Fedora 9 due to various *MAX constants
being undefined. Below adds the include in 3 files which need it (although
I can't see why this isn't required in 1.4.1.1).
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Mon, 4 Aug 2008 16:37:38 +0000 (18:37 +0200)]
Put xtables.c into its own library, libxtables.so
iproute2's tc's m_ipt.c poses as a pseudo-iptables program to make
use of the info structure composition of iptables extensions.
Since tc would have to clone a lot of code, xtables.c is put into
its own shared library and should not be relied upon by any other
programs.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Mon, 4 Aug 2008 10:52:27 +0000 (12:52 +0200)]
libxt_recent: do not allow both --set and --rttl
Reported-by: Erich Schubert <erich@debian.org>
Reference: Debian bug #346034
"I was using the --rttl option in my --set line; this caused all
incoming ssh connections to be rejected; --rttl is only to be used
with --rcheck and --update."
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Mon, 4 Aug 2008 10:51:01 +0000 (12:51 +0200)]
iptables-restore: fix segmentation fault with -tanything
Reference: Debian bug #458042
iptables-restore must not pass a table into do_command. It checks for
"-t arg" and "--table arg", but not "-targ". (On a related note,
using -targ does not work as expected).
Joonwoo Park [Mon, 7 Jul 2008 11:32:25 +0000 (13:32 +0200)]
xt_string: string extension case insensitive matching
The string extension can search patterns case insensitively with
--icase option. A new revision 1 was added, in the meantime invert
of xt_string_info was moved into flags as a flag.
Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
libiptc: fix scalability performance issue during initial ruleset parsing
Finding jump chains is slow O(Chain*Rules).
The problem:
is that the chain list is searched lineary for each rule with a jump
target. The problem lies in the "second pass" (of function
parse_table) where the userchain jump targets are found. For each
rule "R" with a IPTCC_R_JUMP target, function
iptcc_find_chain_by_offset() searches through the chains "C" in the
chain list (worst-case hitting the last one).
The solution:
in this patch is to speed up iptcc_find_chain_by_offset() by using
binary search. Reducing complexity from O(C) to O(log C).
Implementation:
Its possible to use the same bsearch algorithm and data structure
(chain_index), as used for chain name searching.
How is that possible:
One has to realize that the chains are both sorted by name and
offsets, this is because the chains are already sorted in the ruleset
from the kernel.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Sun, 8 Jun 2008 17:11:51 +0000 (19:11 +0200)]
manpage updates
A number of options support negation, but the manpage did not reflect
this ("[!]" was absent). Also fix a few [] (optional arguments) to {}
(required arguments) in the option-BNF.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Fri, 6 Jun 2008 12:20:05 +0000 (14:20 +0200)]
libxt_owner: add spaces to output
It could happen that --<arg><value> was printed on iptables-save with
owner rules (owner_mt_save() function) without the obligatory space
inbetween. Also transfer printing of the space character into
owner_mt_print_item().
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
In revision 1 address type checking can be limited to either the
incoming or outgoing interface depending on the current chain. In
the FORWARD chain only one of them is allowed at the same time.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
Jan Engelhardt [Thu, 5 Jun 2008 17:54:48 +0000 (19:54 +0200)]
build: check for missing feature files
linux/dccp.h is unlikely to be installed before 2.6.18 (which was
when headers_install was introduced), and does not exist at all
before 2.6.14. Add a compile-time check to skip compilation of
libxt_dccp in case this was detected.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Thomas Jarosch [Tue, 3 Jun 2008 13:02:18 +0000 (15:02 +0200)]
Add xtables version defines.
Attached is a patch to add the new defines. The macro XTABLES_VERSION
is already in use, so I named it XTABLES_VERSION_CHECK. I've also tested
that an empty XTABLES_VERSION_EXTRA in configure.ac works.
Now we can write code like this:
#warning You are obselete and will be assimilated.
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Patrick McHardy [Mon, 2 Jun 2008 10:48:48 +0000 (12:48 +0200)]
manpages: consistent syntax
In the manpages, bold is used to denote characters the user has to
enter verbatim, italic denotes placeholders and non-highlighted
pieces are used as a structure: "[]" specifying an optional part,
"{}" a mandatory part, with "|" used for alternations. The "!" for
negation is better supported before the option than after it, too.
The patch makes a few files consistent with this style already used
in manpages.
ip6tables improperly displays the destination address when the address
is longer than 18 characters. Here is example output:
...
DROP tcp 2001:db8::/32 2001:db8:3:4:5:6:7:8/128tcp spt:25
...
Proper formatting should have a space between '2001:db8:3:4:5:6:7:8/128'
and 'tcp'.
Signed-off-by: Jamie Strandboge <jamie@ubuntu.com> Signed-off-by: Lawrence J. Lane <ljlane@debian.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Henrik Nordstrom [Tue, 13 May 2008 11:08:26 +0000 (13:08 +0200)]
iptables --list-rules command
Adds iptables --list-rules (-S) command, acting as a combination of
iptables --list and iptables-save.
The primary motivation behind this patch is to get iptables-save like
output capabilities in iptables-restore, allowing "iptables-restore -n"
to be used as a consistent API to iptables for all kind of operations,
not only blind updates..
As a bonus iptables also gets the capability of printing the rules
as-is.
This completely replaces the earlier patch which added the --rules
option.
Henrik Nordstrom [Mon, 12 May 2008 18:51:45 +0000 (20:51 +0200)]
Make iptables-restore usable over a pipe
The attached patch flushes stdout between commands to make output
operations (-L etc) in iptables-restore usable over a pipe. stdio by
defaut buffers output if not connected to a terminal.
projects / thirdparty / iptables.git / log
