History log of /external/iptables/
Revision Date Author Comments
e3928b77f18db0fdc615693017c6c15eb71bf4e0 02-Apr-2014 JP Abgrall <jpa@google.com> Fixup build so that the update from netfilter.org to 1.4.20 works


* Keep the generated files needed for building.
Used
./configure --enable-static --disable-shared
make
* Update the various Android *.mk files.


Change-Id: If0e45cf6289f0e3dcf3adf73e6ccff86d640f1c0
Signed-off-by: JP Abgrall <jpa@google.com>
gitignore
onfig.h
xtensions/Android.mk
xtensions/libext.mk
nclude/iptables/internal.h
nclude/xtables-version.h
ptables/Android.mk
ibiptc/Android.mk
ibxtables/Android.mk
11ef84b856859e7d4a08625d09c8573e5f5eef63 02-Apr-2014 JP Abgrall <jpa@google.com> Merge remote-tracking branch 'upstream/stable-1.4.20' into update

Conflicts:
.gitignore
include/linux/types.h
libiptc/libiptc.c

Change-Id: I2c949ba9de090db9ae09d914f4ac5c13e5b7d4da
4c0b72f278ab643208d4a88c326acbe0292dfe50 08-Feb-2014 Elliott Hughes <enh@google.com> Merge "Post-uapi cleanup."
37aaf36719addeaaf717fb1183eb3336254fef99 08-Feb-2014 Elliott Hughes <enh@google.com> Post-uapi cleanup.

We can just use the uapi headers now.

(This is probably true for most of these header files, but I just want
to undo the changes we made during the uapi transition.)

Change-Id: I4ab0c6f782f73699595a2ce24809a2c0187c98f8
nclude/linux/types.h
16515c226654906be74093eaa0bb4af8a72ed3ef 28-Jan-2014 Colin Cross <ccross@android.com> Merge "external/iptables: use local-generated-sources-dir"
84d100d6119fd4df196c0e121d8f7ffe4c2076e1 28-Jan-2014 Colin Cross <ccross@android.com> external/iptables: use local-generated-sources-dir

local-intermediates-dir doesn't work for multiarch builds, because
each architecture needs a separate intermediates dir. Use
local-generated-sources-dir, which gives a directory under $OUT/gen
that can be shared by both architectures. Files installed into
$OUT/gen/*/*_intermediates and listed in LOCAL_GENERATED_SOURCES
will be copied into $OUT/obj*/*/*_intermediates automatically as
necessary.

(cherry picked from commit b4ad8a418b48b6a7df8f88a276c52f00c1bb43af)

Change-Id: I35ed4bc51e694ca4dc8343bc59977f1daeae3abc
xtensions/libext.mk
f58ab5b858e93512a9a8335920c63c6a2c834931 28-Jan-2014 Colin Cross <ccross@android.com> Merge "Revert "external/iptables: use local-generated-sources-dir""
cc1f024e0bd08588f0dae6ef83cb6af47dc155fc 28-Jan-2014 Colin Cross <ccross@android.com> Revert "external/iptables: use local-generated-sources-dir"

This reverts commit b4ad8a418b48b6a7df8f88a276c52f00c1bb43af.

Change-Id: I7870513ad908957a1370cd8e1f7c0a80d8fbb7bb
xtensions/libext.mk
9940b8808da32577032625d0ba6547a570590107 28-Jan-2014 Colin Cross <ccross@android.com> Merge changes I78e78981,Idcbe1da8

* changes:
external/iptables: use local-generated-sources-dir
iptables: rewrite extensions makefile to avoid duplication
b4ad8a418b48b6a7df8f88a276c52f00c1bb43af 28-Jan-2014 Colin Cross <ccross@android.com> external/iptables: use local-generated-sources-dir

local-intermediates-dir doesn't work for multiarch builds, because
each architecture needs a separate intermediates dir. Use
local-generated-sources-dir, which gives a directory under $OUT/gen
that can be shared by both architectures. Files installed into
$OUT/gen/*/*_intermediates and listed in LOCAL_GENERATED_SOURCES
will be copied into $OUT/obj*/*/*_intermediates automatically as
necessary.

Change-Id: I78e7898147a0e2303e814e8b93f7cd0edbd2914e
xtensions/libext.mk
22e7fb7a9e435e8a736ae2c596b57db904a9a1b2 23-Jan-2014 Colin Cross <ccross@android.com> iptables: rewrite extensions makefile to avoid duplication

Move the duplicated parts of the extensions makefile into a
separate libext.mk, and include it 3 times from the main makefile.

Change-Id: Idcbe1da8e024af895da33e396595e616f52e25ad
xtensions/Android.mk
xtensions/libext.mk
3eb211a1f4abee87ce09e0bf571357d0c93e4a55 24-Jan-2014 Colin Cross <ccross@android.com> Merge "iptables: remove $(KERNEL_HEADERS) from include path"
d4cea4666768eeadd0d1fde61e8231bba353d8ee 23-Jan-2014 Colin Cross <ccross@android.com> iptables: remove $(KERNEL_HEADERS) from include path

The kernel headers are already in the include path, and manually
adding them again will break on a multiarch build, where the
kernel headers may be different for each arch.

Change-Id: I20867af3061bbc86d2205f5479c40f6034a61b72
xtensions/Android.mk
ptables/Android.mk
ibiptc/Android.mk
a65313f57b59aec6e32949992cac700f86eefdd6 05-Dec-2013 Kristian Monsen <kristianm@google.com> Merge "Silence all warnings."
9b5ca5cf509bd1ed37ba692082ec6f3f180546c1 05-Dec-2013 Kristian Monsen <kristianm@google.com> Silence all warnings.

Change-Id: I9d180c2da268117a8774290ba49c8774fabd3272
xtensions/Android.mk
ptables/Android.mk
ibiptc/Android.mk
2a930a87f06bd4e13d2e0fef43d6dc5e2737e89a 12-Nov-2013 Elliott Hughes <enh@google.com> Merge "Fix iptables to build with old or uapi header files."
72000dcfdc0b0f26ccf52f7b877221bb008a7869 12-Nov-2013 Elliott Hughes <enh@google.com> Fix iptables to build with old or uapi header files.

Bug: 11559337
Change-Id: Iefb938b87e1f29cbf45d8833e9416c38004d9b5e
nclude/linux/types.h
ibiptc/libiptc.c
76e230e41947576efb96e86e605bb84015cdb287 13-Aug-2013 Jan Engelhardt <jengelh@inai.de> iptables: link against libnetfilter_conntrack

Linking currently fails in --enable-static case:

../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
[..]
It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.

If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
therefore producing no harm to include unconditionally.

Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/GNUmakefile.in
ibxtables/Makefile.am
5aff728ec4f9aae69ab248c3d1c4046a14be3ed6 12-Aug-2013 jp abgrall <jpa@google.com> Merge "Include strings.h for the definition of ffs()"
b28d4dcc9f5559e9c03f35458ac103cfb89d8f87 08-Aug-2013 Phil Oester <kernel@linuxace.com> iptables: state match incompatibility across versions

As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).

Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_conntrack.c
71a2b0c78a58387ec476673f1abc75e635ca62f6 07-Aug-2013 Lutz Jaenicke <ljaenicke@innominate.com> iptables: correctly reference generated file

Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)

Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/Makefile.am
8643adc8f0f0fe1e22ca0de0503eee0ee1e22bf5 06-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> iptables 1.4.20 release

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
20489ff351837a3209838fe5dd6cbbe1478e2bdc 26-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> iptables-xml: fix parameter parsing (similar to 2165f38)

Similar to (2165f38 iptables-restore: fix parameter parsing
(shows up with gcc-4.7)), make sure iptables-xml doesn't hit
the same problem.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/iptables-xml.c
68cecd598f55f58a1ae2132cdfb0b5e0a52cae1f 20-Jun-2013 Phil Oester <kernel@linuxace.com> iptables: iptables-xml: Fix various parsing bugs

There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:

1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account

This closes netfilter bugzilla #679.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/iptables-xml.c
c18f2ce7f61c7e7ae3bd207ef6337a1be0c7aff3 22-Jul-2013 Willem de Bruijn <willemb@google.com> build: fail in configure on missing dependency with --enable-bpf-compiler

The build of utils/nfbpf_compile depends on libpcap. If configure is
run with --enable-bpf-compiler, the script succeeds, but make fails.

This small patch adds a test for the dependency (libpcap) in configure
and fails hard if not found.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
59bbc59fd2fbbb7a51ed19945d82172890bc40f9 21-Jul-2013 Phil Oester <kernel@linuxace.com> build: additional include path required after UAPI changes

After kernel commit 607ca46e (UAPI: (Scripted) Disintegrate
include/linux), using the "--with-kernel" argument to build iptables
stopped working due to the missing #ifdefs in the original files.
We need to make sure the UAPI include dir is listed before the
original location. Leaving both allows support for old and new
kernels.

This fixes bug #833.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
7b26bafb9be05a23b47653640aadbb61d0032665 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> libxt_CT: Add the "NOTRACK" alias

Available since Linux kernel 3.8.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_CT.c
xtensions/libxt_NOTRACK.man
nclude/linux/netfilter/xt_CT.h
33b529a7208952c250f245557d248e50ce533c7d 06-Jul-2013 Phil Oester <kernel@linuxace.com> libip6t_LOG: target output is different to libipt_LOG

libipt_LOG is using the xtables_save_string func, which
escapes unsafe characters as needed. libip6t_LOG should
do the same.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_LOG.c
88b73a2bad9fc02355fad70698cc2c9469048abc 15-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxt_recent: restore minimum value for --seconds

This checking was accidentally removed in (74ded72 libxt_recent:
add --mask netmask).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_recent.c
51340f7b6a1103b12d86ef488f7140406d80401e 15-Jul-2013 Florian Westphal <fw@strlen.de> extensions: libxt_connlabel: use libnetfilter_conntrack

Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.

The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).

Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.

So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.

Signed-off-by: Florian Westphal <fw@strlen.de>
akefile.am
onfigure.ac
tc/xtables/connlabel.conf
xtensions/GNUmakefile.in
xtensions/libxt_connlabel.c
xtensions/libxt_connlabel.man
a963e217528d2849f32ec6516a1f82450c65f588 12-Jul-2013 Florian Westphal <fw@strlen.de> extensions: libipt_ULOG: man page should mention NFLOG as replacement

Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libipt_ULOG.man
8cf6fb833840d794289f2abf04b2c5cade5a37bf 13-Jul-2013 Russell Senior <russell@personaltelco.net> libxt_recent: restore reap functionality to recent module

The reap functionality appears to have been accidentally disabled
by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15
and later. This adds a patch to restore reap functionality for
recent_opts_v1.

Patch obtained via: http://patchwork.openwrt.org/patch/3812/

Signed-off-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_recent.c
d7aeda5ed45ac7ca959f12180690caa371b5b14b 08-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:

iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.

Fix it by bypassing the locking in the ip{6}tables-restore path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nclude/ip6tables.h
nclude/iptables.h
ptables/ip6tables-restore.c
ptables/ip6tables-standalone.c
ptables/ip6tables.c
ptables/iptables-restore.c
ptables/iptables-standalone.c
ptables/iptables.c
945353a25bbb2dbf88128c27a9169851da6ebf05 20-Jun-2013 Phil Oester <kernel@linuxace.com> ip6tables: don't print out /128

Similar to how iptables does not print /32 on IPv4 addresses, ip6tables
should not print out /128 on IPv6 addresses.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
ibxtables/xtables.c
7c7bf4c1f05d9dcb1e35fda7912bb15159d8db5b 04-Jul-2013 Alexey Perevalov <a.perevalov@samsung.com> doc: clarify DEBUG usage macro

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
NSTALL
f1e394be9d08a9e508ceeffca6866627d5ac40f9 12-Jun-2013 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'

Get c545933 iptables: Fix connlabel.conf install location
c5459339b0cae14b733fef0e52b3c9294deac65e 10-Jun-2013 Phil Oester <kernel@linuxace.com> iptables: Fix connlabel.conf install location

As reported by Danny Rawlins in bug #828, connlabel.conf is
unconditionally installed in /etc/xtables instead of using
prefix set at configure time. Fix to use sysconfdir variable.

This closes bugzilla #828.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
akefile.am
93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 31-May-2013 Phil Oester <kernel@linuxace.com> ip[6]tables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.8.in
ptables/ip6tables.c
ptables/iptables.8.in
ptables/iptables.c
ptables/xshared.c
ptables/xshared.h
34844da8f53ec80b34ad094f2fca2519a7079ec2 01-May-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce a new revision for the set match with the counters support

The revision adds the support of matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
xtensions/libxt_set.c
xtensions/libxt_set.man
nclude/linux/netfilter/ipset/ip_set.h
nclude/linux/netfilter/xt_set.h
f927d5fc3a6a0a8a8fb03e733a6572a934482723 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 support

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libip6t_LOG.man
xtensions/libipt_LOG.man
xtensions/libxt_LOG.man
48356408ccf03ec2fdba0ceae3d9b5eae5e5e959 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 support

also update list of protocols valid for port mapping.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libip6t_MASQUERADE.man
xtensions/libipt_MASQUERADE.man
xtensions/libxt_MASQUERADE.man
fe42fac939288cf72cc751dc6b517714e0720e62 05-Jun-2013 Eric Leblond <eric@regit.org> configure: display summary

This patch adds a message at the end of configure which displays
the different compilation options and system settings.

An example output is the following:

Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: no
Large file support: yes
BPF utils support: no

Build parameters:
Put plugins into executable (static): no
Support plugins via dlopen (shared): yes
Installation prefix (--prefix): /usr/local
Xtables extension directory: /usr/local/lib/xtables
Pkg-config directory: /usr/local/lib/pkgconfig
Kernel build directory: /lib/modules/custom
Host: x86_64-unknown-linux-gnu
GCC binary: gcc

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
5ff71e97448ebbeed8b2ad4654726361a0c84131 30-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'

Get fix for LED extension.
96c42d4c46df3edbd41fa47b860fba217f03cfeb 30-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> extensions: libxt_LED: fix parsing of delay

Closes bugzilla:
https://bugzilla.netfilter.org/show_bug.cgi?id=825

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_LED.c
17fd36631d3ca17b581be9acb8ab054931b5a917 27-May-2013 Phil Oester <kernel@linuxace.com> xtables: improve get_modprobe handling

In bug #455, Dmitry V. Levin proposed a more robust get_modprobe
implementation. The patch below is a version of his patch,
updated to apply to current git.

This closes bug #455.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
ibxtables/xtables.c
14bca55dde79adddd77999ae262b8132ae0396f9 19-May-2013 Andy Spencer <andy753421@gmail.com> iptables: use autoconf to process .in man pages

This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@
was not processed in the VERSION section. It also simplifies the
Makefile by avoiding some sed commands.

[ Mangled this patch to rename iptables-extensions.8.in to
iptables-extensions.8.tmpl.in to avoid having a file whose name
is terminated by .in.in --pablo ]

Signed-off-by: Andy Spencer <andy753421@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
ptables/.gitignore
ptables/Makefile.am
ptables/ip6tables.8.in
ptables/iptables-extensions.8.in
ptables/iptables-extensions.8.tmpl.in
ptables/iptables.8.in
8df3c38438bb75edb480845913af77692c8a5c99 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_SNAT.man to libxt_SNAT.man thus informing
about the IPv6 version.

Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_SNAT.man
xtensions/libxt_SNAT.man
b8646dc9623631db3b71a5c1846566cf54a66a3a 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_NETMAP.man to libxt_NETMAP.man thus informing
about the IPv6 version.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_NETMAP.man
xtensions/libxt_NETMAP.man
ebd4a00b74aa99ed25841a235fe79b1462baea7f 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_REDIRECT.man to libxt_REDIRECT.man thus
informing about the IPv6 version.

Also the list of valid protocols for port mapping is updated to:
tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_REDIRECT.man
xtensions/libxt_REDIRECT.man
11965180ba6f278fea81f55a3aa48c8f7c667142 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 support

This patch renames libipt_DNAT.man to libxt_DNAT.man thus informing
about the IPv6 version, as suggested by Patrick McHardy.

Also, the list of valid protocols for port mapping is
updated to: tcp, udp, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_DNAT.man
xtensions/libxt_DNAT.man
a17d7fdf4fd8da8b41e67f02c8b8b371c2daa619 10-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> libip6t_mh: Correct command to list named mh types in manpage

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libip6t_mh.man
0c3753b1d4226a6e7bea9619415cf40cadee1e58 06-Apr-2013 Patrick McHardy <kaber@trash.net> extensions: add copyright statements

Add copyright statements to all extensions authored by myself.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libip6t_DNPT.c
xtensions/libip6t_SNPT.c
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CT.c
xtensions/libxt_RATEEST.c
xtensions/libxt_addrtype.c
xtensions/libxt_policy.c
xtensions/libxt_rateest.c
xtensions/libxt_statistic.c
ce7d0619ce49587ca78456caf467cf25f7cbbc4e 02-Apr-2013 holger@eitzenberger.org <holger@eitzenberger.org> extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_NFQUEUE.c
xtensions/libxt_NFQUEUE.man
nclude/linux/netfilter/xt_NFQUEUE.h
aef9c366d1761fd2d2013250df699f3dd5a4b708 29-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> iptables 1.4.19.1 release

Unfortunately, the previous release did not include two patches
that were applied by Florian recently. This release fixes it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
da18dbcd084cc6f00c46f738e838e752f2d7ae3c 29-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> build: bump version to 1.4.19

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
472bc914415baf2cd9aeb44605867365723a2e3d 19-May-2013 Michael Roth <mroth@nessie.de> doc: mention SNAT in INPUT chain since kernel 2.6.36

SNAT in the INPUT chain was added Jun 2010 to the kernel
(commit c68cd6cc21eb329c47ff020ff7412bf58176984e).

Signed-off-by: Michael Roth <mail@mroth.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libipt_SNAT.man
0efff29d495f5bf234d06e4730f1abd78bdb8a1a 15-May-2013 Florian Westphal <fw@strlen.de> Revert "extensions: add connlabel match" duplicate

This reverts commit ca376fcbe51b9a102a490545957d5fee69e253e1
to get rid of the duplicated install-data-hook.

This should get the tree back into the right state.

Conflicts:
Makefile.am
akefile.am
33e262d4f80afcc464014f28012491bf0c5567ef 08-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: fix parsing of dotted network mask format

After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken:

-A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN

With iptables 1.4.18:
iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32)

This was probably broken by the augmented parser.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ibxtables/xtoptions.c
ccbf6b6448a4210432b76fd4660798705b05f8c4 06-May-2013 Florian Westphal <fw@strlen.de> extensions: add connlabel match

allows to "tag" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0

Labels can then be attached to flows, e.g.

-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
akefile.am
tc/xtables/connlabel.conf
xtensions/libxt_connlabel.c
xtensions/libxt_connlabel.man
nclude/linux/netfilter/xt_connlabel.h
ca376fcbe51b9a102a490545957d5fee69e253e1 06-May-2013 Florian Westphal <fw@strlen.de> extensions: add connlabel match

allows to "tag" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0

Labels can then be attached to flows, e.g.

-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
akefile.am
b5c12f4aa3ebfc4dac37799e41616c37c188ab4f 26-Apr-2013 Patrick McHardy <kaber@trash.net> libxt_conntrack: fix state match alias state parsing

The conntrack match uses a different value for the UNTRACKED state than
the state match. Translate states to conntrack states to make sure they
all match.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_conntrack.c
b46f3d833f926c40dd73d52d8cedb94206e6d83d 09-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> extensions: libxt_multiport: Update manpage to list valid protocols

This patch updates the list of valid protocols in the man page section
of the multiport match to: tcp, udp, udplite, dccp and sctp.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_multiport.man
1cb432c06637b5030b4a70ff33e306f2bb81d366 19-Apr-2013 Pablo Neira Ayuso <pablo@netfilter.org> extensions: libxt_bpf: clarify --bytecode argument

Mart Frauenlob suggested a change to explain the --bytecode
better. I have added some reference to the example bytecode
in the format that this argument accepts.

Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_bpf.man
461faea515c11e58e7cbe598ffe8d22eeb6edffd 19-Apr-2013 Pablo Neira Ayuso <pablo@netfilter.org> utils: updates .gitignore to include nfbpf_compile

Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tils/.gitignore
e816ac4fa83f65a5d7d40445c72aa1c3e811cb78 13-Apr-2013 Florian Westphal <fw@strlen.de> libxt_NFQUEUE: fix bypass option documentation

Steve Caligo points out that the documentation says
'packet will move on to the next rule'. This is incorrect;
packet moves to the next table.

nf bugzilla #778.

Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libxt_NFQUEUE.man
d09cc98b481efc6ea121ce7acd739a87a381c6ed 06-Apr-2013 Mart Frauenlob <mart.frauenlob@chello.at> libxt_recent: Fix missing space in manpage for --mask option

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_recent.man
c8cf36930144ea49d1f5cb29835547b1baededfd 05-Apr-2013 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'

Resolve conflict with Nicolas Dichtel's update on utils/Makefile.am
for nfnl_osf.
e82a71d7de5f6e364738dbb7154b88bfff8a5fcd 03-Apr-2013 Nicolas Dichtel <nicolas.dichtel@6wind.com> utils: nfnl_osf: use the right nfnetlink lib

If the user specifies libnfnetlink_LIBS during the configure, we must use it.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tils/Makefile.am
1ac30c97c339957b6e3c5cf571de7bc38c827730 12-Mar-2013 Willem de Bruijn <willemb@google.com> utils: nfbpf_compile

A BPF compiler to convert tcpdump expressions to the decimal format
accepted by the libxt_bpf.

Generate a file and pass that to iptables:

nfbpf_compile RAW 'udp dst port 9000' > test.bpf
iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG

Or pass the output directly to iptables using backticks:

iptables -A INPUT -m bpf --bytecode \
"`./nfbpf_compile RAW 'udp dst port 9000'`" -j LOG

This utility depends on libpcap. The library is only compiled if the option
--enable-bpf-compiler is explicitly passed to ./configure and libpcap is
found.

Pablo has mangled the original patch to rename the utility to
nfbpf_compile. Also modified the output to match exactly what
-m bpf --bytecode needs.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
akefile.am
onfigure.ac
tils/Makefile.am
tils/nfbpf_compile.c
e0a0dd703b3448f0f07fc59b7232bf1f1cce7b86 23-Jan-2013 Willem de Bruijn <willemb@google.com> extensions: add libxt_bpf extension

Add user-space code to support the new BPF iptables extension.

Pablo has mangled the original patch to:

* include a copy of include/linux/netfilter/xt_bpf.h in the tree.
* I have also removed the --bytecode-file option. The original
proposal was to accept BPF code in a file in human readable
format. Now, with the nfbpf_compile utility, it's very easy
to generate the filter using tcpdump-like syntax.
* I have removed the trailing comma in the backtick format, the
parser works just fine for me here.
* Fix error message if --bytecode is missing.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_bpf.c
xtensions/libxt_bpf.man
nclude/linux/netfilter/xt_bpf.h
71eddedcbf7aebe0cd05421d13b049dd710eaf7f 21-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> libip6t_DNPT: add manpage

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNPT.man
0a4c357cb91e16a001b1b06ff509d7fb75f5f2e0 21-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> libip6t_SNPT: add manpage

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_SNPT.man
5c522b4523f2edb8e581131ba4cb414a5ee7ece4 24-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxt_osf: fix bad location for location in --genre

closes http://bugzilla.netfilter.org/show_bug.cgi?id=805

Reported-by: Bourne Without <blackhole@airpost.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_osf.c
71e2bf5cf25a821d62f7d75eb8efa4c61a214c6b 24-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxt_osf: fix missing --ttl and --log in save output

closes http://bugzilla.netfilter.org/show_bug.cgi?id=805

Reported-by: Bourne Without <blackhole@airpost.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_osf.c
bf75fc041b35c75c2c592e01f1906771e00ce4eb 20-Mar-2013 Mart Frauenlob <mart.frauenlob@chello.at> ip[6]tables: show --protocol instead of --proto in usage

As the man page shows --protocol not --proto, also do so in the usage
text displayed by ip[6]tables -h.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.c
ptables/iptables.c
37b19d08f3cbc83a653386d76261490e173a874b 16-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> Revert "build: resolve link failure for ip6t_NETMAP"

This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.

The use of libtool was introduced to resolve linking problems
in NETMAP (IPv6 version), but that resulted in RPATH problems
reported from distributors and warnings spotted by libtool at
linking stage.

Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
get rid of libip6tc dependency) fixed the NETMAP issue, let's
roll back to our previous stage.

A small conflict in extensions/GNUmakefile.in has been resolved
in this revert.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
cccfff9309743f173c504dd265fae173caa5b47f 16-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency

This patch changes the NETMAP target extension (IPv6 side) to use
the xtables_ip6mask_to_cidr available in libxtables.

As a side effect, we get rid of the libip6tc dependency.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
xtensions/libip6t_NETMAP.c
nclude/libiptc/libip6tc.h
ptables/ip6tables.c
ibiptc/libip6tc.c
d797d0ff0338d2938d18b03038d6f4455b000579 03-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> build: bump version to 1.4.18

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
d4961b909a75ed0745abb43cdc940e8d947ccf4a 17-Feb-2013 Florian Westphal <fw@strlen.de> doc: rpfilter: invert option should have own paragraph

Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libxt_rpfilter.man
e422fd2773ff55a34f5109798fae44de78cd4608 17-Feb-2013 Pablo Neira Ayuso <pablo@netfilter.org> doc: iptables provides up to 5 independent tables

This closes bugzilla:

http://bugzilla.netfilter.org/show_bug.cgi?id=807

Reported-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.8.in
ptables/iptables.8.in
3e55c13513f90cabd525e3893602c0e7e126651e 05-Feb-2013 Jan Engelhardt <jengelh@inai.de> build: bump SONAME for libxtables

Commit v1.4.17-16-gefcdba4 updated structs in xtables.h, so age must
become 0 and vcurrent be increased. The latter has already happened in
v1.4.17-6-gd1e7922.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
817ac5a5e54d083983b7c834194b46c4366d71d2 31-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
e612a9d285477e9951349dd137305393a1255b19 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Add the "state" alias to the "conntrack" match
xtensions/libxt_conntrack.c
xtensions/libxt_state.man
nclude/linux/netfilter/xt_conntrack.h
efcdba41ca6bde51c8753cb30c869c370f0a3b93 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce match/target aliases

The match/target alias allows us to support the syntax of matches,
targets merged into other matches/targets.
nclude/xtables.h
ptables/ip6tables.c
ptables/iptables.c
166f20a3665a28e0f5fcedd0914c8e7d41521428 07-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> doc: document nat table for IPv6

Based on the IPv4 description.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.8.in
1c317dafa986699127d08951037869f9669e3b25 28-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable' into 'master'
2fda8fcef0f3c321fb03953b8ecc424a2bad4476 24-Jan-2013 Jan Engelhardt <jengelh@inai.de> extensions: S/DNPT: add missing save function

Jean-Michel DILLY reports that `ip6tables -S` exits with

Target `DNPT' is missing save function

when a DNPT rule is invoked. Fix this omission.

References: http://marc.info/?l=netfilter&m=135904831220440&w=2
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNPT.c
xtensions/libip6t_SNPT.c
983196ceb4d3bb7b6d3cf6da18bb6d5a5eafb347 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: document the -4 and -6 options

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.8.in
ptables/iptables.8.in
db1414ece88a798ac3f8878875ec3393a917871f 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: mention -m in the manpage

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.8.in
ptables/iptables.8.in
85346f6e406207f85550f1b7b4f61b22a8e38fbb 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: name the supported log levels for ipt_LOG

Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may
not exist on certain systems. Referencing that manpage is not a good
idea in any case, I believe, since the strings that are accepted are
defined by iptables and not a syslog implementation.

References: http://bugs.debian.org/567564
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_LOG.man
xtensions/libipt_LOG.man
9ae4dd4d017c85f28b524c3b5b3be4960b3ed245 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: document iptables-restore's -h option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
8c46901ff57856a215c426a50a2fcfe365a3af34 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: document iptables-restore's -M option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
2815a5d5a0e1bd6319bf09a9009f3722f9167b78 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: document iptables-restore's -v option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
3dc75984739fd080eb522b638c535164f401b181 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: document iptables-restore's -t option

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
0824e7d5e9d80988a49a1699adb0d3c17f792b4c 25-Dec-2012 Jan Engelhardt <jengelh@inai.de> doc: fixup omissions in ip6tables-restore.8

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
2f655ede64e07a861e3ec50150f572ed98755013 29-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: add xtables_print_num

This function is used both by iptables and ip6tables, and
refactorize to avoid longer than 80-chars per column lines
of code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nclude/xtables.h
ptables/ip6tables.c
ptables/iptables.c
ibxtables/xtables.c
d1e7922a587a239e16e0dbe654e63f76e1375e49 04-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: add xtables_rule_matches_free

This function is shared by iptables and ip6tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
nclude/xtables.h
ptables/ip6tables.c
ptables/iptables.c
ibxtables/xtables.c
31da96d07b8abb35297201000f7f752019258cf6 29-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/iptables.c
ff338552d318b49e07662fd7648fdb11e3c42bc9 03-Jan-2013 Ulrich Weber <ulrich.weber@sophos.com> extensions: libip6t_DNAT: set IPv6 DNAT --to-destination

as in IPv4 and fixes DNAT_save

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNAT.c
92f05a2f38e6c6bc6c69880358c41ac17bd31298 03-Jan-2013 Ulrich Weber <ulrich.weber@sophos.com> extension: libip6t_DNAT: allow port DNAT without address

correct parsing of IPv6 port NAT without address NAT,
assume one colon as port information.

Allows:
* address only:
-j DNAT --to affe::1
-j DNAT --to [affe::1]

* port only
-j DNAT --to :80
-j DNAT --to :80-110
-j DNAT --to []:80
-j DNAT --to []:80-110

* address and port
-j DNAT --to [affe::1]:80
-j DNAT --to [affe::1]:80-110

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNAT.c
xtensions/libip6t_SNAT.c
7b04e3ef3a6ffccb23de83ef3b2d8f5aeaaa09e5 02-Jan-2013 Ulrich Weber <ulrich.weber@sophos.com> extensions: libip6t_DNPT: fix wording in DNPT target

replaces SNPT by DNPT.

This fixes broken help message that points to SNPT.

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNPT.c
68e77a26111ee6b8f10c735a76891a7de6d57ee6 01-Jan-2013 Jan Engelhardt <jengelh@inai.de> build: resolve link failure for ip6t_NETMAP

Link stage of libip6t_NETMAP failed since recently.

CCLD libip6t_NETMAP.so
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
cannot find -lip6tc

libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
it is not specified.

Why does the link succeed for some people? Because
/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
especially those without iptables development files, have that file,
hence this link error can happen.

By suggestion of Mike Frysinger, this patch uses libtool to produce
and link the plugins.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
eec83c7ce4351359cae797840d63cf4ef2809c95 25-Dec-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump version to 1.4.17

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
e4415c6cdc9d298a43871b77e6bcda71a42cea2d 06-Dec-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Manpage update: matches are evaluated in the order they are specified.

Fixes bugzilla id 797.
ptables/iptables-extensions.8.in
8ecfc61e4e6cc3e1b55fe255d8b4f1fedc26e813 27-Nov-2012 JP Abgrall <jpa@google.com> am 42ea6673: ignore SIGPIPES

* commit '42ea6673b74e0ee9ad17f5462dc171fbe1491137':
ignore SIGPIPES
42ea6673b74e0ee9ad17f5462dc171fbe1491137 12-Nov-2012 JP Abgrall <jpa@google.com> ignore SIGPIPES

During bugreports mostly, when adb goes away it leads to apps crashing
because their output stream got closed.
Let's just ignore it.

Bug: 6447319
Change-Id: I1b293ebef737014162edebd5fd9bf254345b2ce8
ptables/iptables-standalone.c
3518a04cff1fb48ca0bf5d2d58b4cd6325f3917c 01-Aug-2012 Kevin Schoedel <kevin.p.schoedel@intel.com> Include strings.h for the definition of ffs()

ffs() is defined in strings.h. gcc had no problem with this as it
automatically used its own builtin for ffs().

Change-Id: I7062f6143d680b2ae73f69b6b4b1e0be94a3e28b
Author: Edwin Vane <edwin.vane@intel.com>
Reviewed-by: Kevin Schoedel <kevin.p.schoedel@intel.com>
xtensions/libipt_ULOG.c
a46a5698027aa48e27e3cc2d54bb8bbafb10e7da 19-Nov-2012 Tom Eastep <teastep@shorewall.net> extensions: libxt_statistic: Fix save output

Suppressing '--packet 0' in save output resulted in restore failure.

This patch includes '--packet 0' in save output while continuing to
suppress it in print output.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_statistic.c
93e814c9b08136846335ce463192d90ba59766bb 13-Nov-2012 JP Abgrall <jpa@google.com> Merge "ignore SIGPIPES"
e482ec0a8b1a3b88bbf13f518a5a7261966b1628 12-Nov-2012 JP Abgrall <jpa@google.com> ignore SIGPIPES

During bugreports mostly, when adb goes away it leads to apps crashing
because their output stream got closed.
Let's just ignore it.

Bug: 6447319
Change-Id: I1b293ebef737014162edebd5fd9bf254345b2ce8
ptables/iptables-standalone.c
9d284c1c67188dfa8a4c7a6e36eb9a10bd9c15e2 25-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'next' branch that contains new features scheduled for
Linux kernel 3.7
3e6fa55d5e28c93f417afeae7a7d4f349ddffcf4 18-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump iptables to 1.4.16.3

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
9921f2b9a241750e4730fc7d486687c6a32779f4 10-Oct-2012 Jan Engelhardt <jengelh@inai.de> build: resolve compile abort in libxt_limit on RHEL5

libxt_limit.c: In function 'print_rate':
libxt_limit.c:124: error: 'INFINITY' undeclared (first use in
this function)

The default mode of glibc-2.15's <features.h> sets
"-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However,
on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L".

Explicitly draw in the definition of INFINITY by always defining
_ISOC99_SOURCE. By doing this, we are moving off of the default set, so
_BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is
used in xt_hashlimit.h.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_hashlimit.c
xtensions/libxt_limit.c
269655d54e22f3a36250bb2c4639dddd102258c6 08-Oct-2012 Jan Engelhardt <jengelh@inai.de> build: remove symlink-only extensions from static object list

$ ./configure --enable-static --disable-shared --enable-ipv4
--enable-ipv6 && make
[...]
make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by
"libext.a". Stop.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
c1a150c98fc94858a440550f0cb347a6060ebb30 08-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump version to 1.4.16.2

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
dd43527cb6bdf3d469100850ca10dcd2fb761304 07-Oct-2012 Jan Engelhardt <jengelh@inai.de> iptables: restore NOTRACK functionality, target aliasing

Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.

# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.

To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.

[ I have mangled this patch to remove a comment unnecessarily large.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.c
ptables/iptables.c
ibxtables/xtables.c
4bdc1edf49dedd20519f2eaea95466400f627dd5 08-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump version to 1.4.16.1

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
2aaa7ec29059027756f076c4767b4fa034ebd166 08-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: fix standard target

This regression was added by:

commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue Sep 4 05:24:47 2012 +0200

iptables: support for target aliase

The result is that:

iptables -I INPUT -j ACCEPT

says:

iptables: No chain/target/match by that name.

This also breaks iptables-restore, of course. Jan, you'll have to explain to me
how you have tested this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.c
ptables/iptables.c
3fdf783ec78e7a7bffb2cd48d5bc6b3264b00dd2 07-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump version to 1.4.16

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
4c1a015e201c6e5192448cbcf1975dd7630cad82 30-Sep-2012 Jan Engelhardt <jengelh@inai.de> Merge branch 'master' of git://git.inai.de/iptables

Conflicts:
extensions/GNUmakefile.in

Resolution: trivial, since this was a fuzz 3.

Reason: Line added from v1.4.15-16-g33710a5 was in vicinity of changes
from v1.4.15-22-g4496801.
8d8896a3833292d091ee5a028f3461083bb956bd 17-Sep-2012 Florian Westphal <fw@strlen.de> libxt_time: add support to ignore day transition

Currently, if you want to do something like:
"match Monday, starting 23:00, for two hours"
You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
The rule
--weekdays Mo --timestart 23:00 --timestop 01:00
looks correct, but it will first match on Monday from midnight to 1 a.m.
and then again for another hour from 23:00 onwards.

This permits userspace to explicitly ignore the day transition and
match for a single, continuous time period instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_time.c
xtensions/libxt_time.man
nclude/linux/netfilter/xt_time.h
7b5ba43ae48c1310e5a615cf9485c1d42f486467 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> doc: mention iptables-apply in the SEE ALSO sections

References: http://bugs.debian.org/660748
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
ptables/ip6tables.8.in
ptables/iptables-apply.8
ptables/iptables.8.in
d97d546ba4540a28b14fcbf75176df345caee954 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> doc: have NOTRACK manpage point to CT instead

The module is obsolete, so point to CT --notrack instead.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_NOTRACK.man
xtensions/libxt_conntrack.man
faeaf11536f605ebb733d4d5f5ec2ca074d3f247 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> doc: trim "state" manpage and reference conntrack instead

The module is practically obsolete, so just pinpoint to the replacement
in short order.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_HMARK.man
xtensions/libxt_state.man
4496801821c01e3934996b40e0012ddcb969a8df 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> doc: deduplicate extension descriptions into a new manpage

iptables.8 and ip6tables.8 had pretty much the same content, with a few
protocol-specific deviations here and there. Not only did that bloat the
manpages, but it also made it harder to spot differences. Separate out
the extension descriptions into a new manpage, which conveniently
features differences next to one another (cf. REJECT).

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/.gitignore
xtensions/GNUmakefile.in
ptables/.gitignore
ptables/Makefile.am
ptables/ip6tables.8.in
ptables/iptables-extensions.8.in
ptables/iptables.8.in
9517bbf5b805df874dcc452dfeb2cc36a7bf1500 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> doc: clean up interpunction in state list for xt_conntrack

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_conntrack.man
ec40b897289745da3d67de2cb14be30353003922 30-Sep-2012 Jan Engelhardt <jengelh@inai.de> Merge branch 'master' of git://git.inai.de/iptables
0d701631625898ac33fb53c67ed2b529668fe0d7 28-Sep-2012 Jan Engelhardt <jengelh@inai.de> libxt_state: replace as an alias to xt_conntrack

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/GNUmakefile.in
xtensions/libxt_conntrack.c
xtensions/libxt_state.c
c436dad7cfdd80ca4a05ceed556c39babc266f55 27-Sep-2012 Jan Engelhardt <jengelh@inai.de> iptables: support for match aliases

This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
nclude/xtables.h
ptables/ip6tables.c
ptables/iptables.c
ibxtables/xtables.c
50f19190a60ff7d69e88406a71a2f27e09008566 04-Sep-2012 Jan Engelhardt <jengelh@inai.de> libxt_NOTRACK: replace as an alias to CT --notrack

Note that we do not need any print/save functions for the alias entries,
since the real CT entry will handle this.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/GNUmakefile.in
xtensions/libxt_CT.c
xtensions/libxt_NOTRACK.c
cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf 04-Sep-2012 Jan Engelhardt <jengelh@inai.de> iptables: support for target aliases

This patch allows for target names listed on the command line to be
rewritten to new names and revisions.

As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
onfigure.ac
nclude/xtables.h
ptables/ip6tables.c
ptables/iptables.c
ibxtables/xtables.c
954b76c317f641b7faf33cc26931d45585cc0dea 27-Sep-2012 Jan Engelhardt <jengelh@inai.de> libxtables: consolidate preference logic

Alias support will require testing for more conditions, so move the
revision comparison code into a separate function where it can be
shared between matches and targets.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
ibxtables/xtables.c
d637ead63658d741501974c381889b3857073308 21-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> New set match revision with --return-nomatch flag support
xtensions/libxt_set.c
xtensions/libxt_set.man
nclude/linux/netfilter/ipset/ip_set.h
33710a5773df0e9fabdec7a2ebdd3c4e206a6a09 10-Sep-2012 Jan Engelhardt <jengelh@inai.de> build: have `make clean` remove dep files too

While changing branches, one can hit errors like:

make[2]: *** CC libipt_CLUSTERIP.oo
No hay ninguna regla para construir el objetivo
`../include/net/netfilter/nf_nat.h', necesario para
`libipt_DNAT.oo'. Alto.

Pablo thinks dep files should be removed on `make clean`, and I
concur. (JFI, Note that native automake would not clear its ".deps"
directory.) Keep the "distclean: clean" line to keep invocations by
automake from the parent directory working.

Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
1871796877956ee68a39092c6fc3678e5a9d1d88 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add NPT extension

Add extensions for the SNPT and DNPT stateless IPv6-to-IPv6 Network Prefix
Translation targets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNPT.c
xtensions/libip6t_SNPT.c
nclude/linux/netfilter_ipv6/ip6t_NPT.h
5f896fd9432d2c16d17550b943f4b9a782bffe04 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 NETMAP extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/GNUmakefile.in
xtensions/libip6t_NETMAP.c
5eca41982d29bc25b241692d03b09b953e7a908a 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 REDIRECT extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_REDIRECT.c
9caf63581907860a1a0acee970b9f50d41b6a8ba 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 DNAT target

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_DNAT.c
3672111649732be657cb7566178b7d2618ba6ec5 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 SNAT extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_SNAT.c
0e37f00980eb6b4fc2c5f979cc5fa83c0fff9d30 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 MASQUERADE extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libip6t_MASQUERADE.c
xtensions/libip6t_MASQUERADE.man
nclude/linux/netfilter/nf_nat.h
e62f426c7ead7c0025d15860df97426db6509942 22-Aug-2012 Patrick McHardy <kaber@trash.net> Convert the NAT targets to use the kernel supplied nf_nat.h header

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_DNAT.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SNAT.c
nclude/linux/netfilter/nf_conntrack_tuple_common.h
nclude/linux/netfilter/nf_nat.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/net/netfilter/nf_conntrack_tuple.h
nclude/net/netfilter/nf_nat.h
807e1f0e6ede73792337b595a99af21b01f8826e 07-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> extensions: libxt_addrtype: fix type in help message

--limit-iface-out Match only on the packet's incoming device

Note that it says "incoming" when it should say "outcoming"

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_addrtype.c
067a9baf6dc82babe466078ab3c05354c7741271 07-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: fix wrong error messages

iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.

Note that it says -X when we have used -P.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables.c
ptables/iptables.c
df60a301bf24c3b3e37188d9da155b97fd6dc076 31-Aug-2012 Jan Engelhardt <jengelh@inai.de> build: separate AC variable replacements from xtables.h

It was/is a bit annoying that modifying xtables.h.in causes configure
to rerun. Split the @foo@ things into a separate file to bypass this.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
gitignore
akefile.am
onfigure.ac
nclude/Makefile.am
nclude/xtables-version.h.in
nclude/xtables.h
nclude/xtables.h.in
053a4fdf6536ca63ad640d0b75f54c3f4964ca2b 31-Aug-2012 Jan Engelhardt <jengelh@inai.de> build: support for automake-1.12

automake-1.12 wants that AM_PROG_AR be used when LT_INIT is.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
onfigure.ac
3abf5cc5ac0c32eba2436567d25e175d7e0f42bc 20-Aug-2012 Andreas Schwab <schwab@linux-m68k.org> libxt_tcp: print space before, not after "flags:"

tcp dpt:10flags: 0x17/0x02
^^

Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_tcp.c
8a988f6707719340114bfa3d85ea3e1c80fe6f5f 07-Aug-2012 Michal Kubeček <mkubecek@suse.cz> libip6t_frag: match any frag id by default

If no --fragid option is given, the frag extension only matches
fragments with a zero-valued "Identification" field. This behavior
deviates from what other extensions do (they match all values in this
case) and is unexpected, and therefore changed by this patch.

Additionally, --fragid 0:4294967295 leads to no output on `iptables
-S` because part of the code thinks that this would be the default,
when it is not.

So, default to match all frag values, such that iptables -S not
outputting anything also becomes correct.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libip6t_frag.c
8bbad67df4a7fb69ed73d4bf90dcb3cf77fd2a03 08-Aug-2012 Jan Engelhardt <jengelh@inai.de> Merge remote-tracking branch 'nf/stable'
a624e0a1b2d075253b599ababd4ea1351ef42b2a 03-Aug-2012 Pablo Neira Ayuso <pablo@netfilter.org> include: add missing linux/netfilter_ipv4/ip_queue.h

This patch fixes compilation of libipq with headers from Linux
kernel 3.5:

In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory

ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).

Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nclude/linux/netfilter_ipv4/ip_queue.h
23a98b56935c42ef460020e37a9ff8006eee58e2 03-Aug-2012 Pablo Neira Ayuso <pablo@netfilter.org> ip[6]tables-restore: cleanup to reduce one level of indentation

This patch moves the parameter parsing to one function to reduce
one level of indentation. Jan Engelhardt likes this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
ad8858c0d3ef875e2c118ebcc69487070fb87f72 03-Aug-2012 Pablo Neira Ayuso <pablo@netfilter.org> include: add missing linux/netfilter_ipv4/ip_queue.h

This patch fixes compilation of libipq with headers from Linux
kernel 3.5:

In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory

ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).

Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nclude/linux/netfilter_ipv4/ip_queue.h
9d69da4bdb1d546218d168b72f12ac8aa042e3d8 28-Jul-2012 Jan Engelhardt <jengelh@inai.de> libxt_*limit: avoid division by zero

It was possible to specify -A mychain -m hashlimit --hashlimit
600059/minute; this would convert to r->avg=0, which subsequently
causes a division by zero when printing with -S mychain.

1. Avoid division by zero in print_rate by printing infinity
instead.
2. Rewrite the test in parse_rate to properly reject too high rates.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_hashlimit.c
xtensions/libxt_limit.c
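The truncation described in the commit above, as an added example that is not code from iptables. It assumes the stored value is an interval of 10000 ticks per second divided by the rate; the function names and the accepted unit names are hypothetical.

```c
#include <errno.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RATE_SCALE 10000u   /* assumption: interval ticks per second */

/* Split "N/unit" into a packet count and the unit length in seconds. */
static int split_rate(const char *s, unsigned long *count, uint32_t *secs)
{
    char *end;

    if (*s < '0' || *s > '9')           /* no sign, no leading whitespace */
        return -1;
    errno = 0;
    *count = strtoul(s, &end, 10);
    if (errno != 0 || *count == 0 || *count > UINT32_MAX || *end != '/')
        return -1;
    end++;
    if (strcmp(end, "second") == 0)
        *secs = 1;
    else if (strcmp(end, "minute") == 0)
        *secs = 60;
    else if (strcmp(end, "hour") == 0)
        *secs = 60 * 60;
    else if (strcmp(end, "day") == 0)
        *secs = 24 * 60 * 60;
    else
        return -1;
    return 0;
}

/* Weak test: r / mult truncates, so 600059 / 60 == 10000 is not "too
 * fast", yet the interval 10000 * 60 / 600059 then truncates to 0. */
int parse_rate_weak(const char *s, uint32_t *avg)
{
    unsigned long r;
    uint32_t mult;

    if (split_rate(s, &r, &mult) != 0)
        return -1;
    if (r / mult > RATE_SCALE)
        return -1;
    *avg = (uint32_t)((uint64_t)RATE_SCALE * mult / r);
    return 0;
}

/* Strict test: compute the interval first and reject a zero result,
 * so no rule can ever be stored with avg == 0. */
int parse_rate_strict(const char *s, uint32_t *avg)
{
    unsigned long r;
    uint32_t mult;
    uint64_t ticks;

    if (split_rate(s, &r, &mult) != 0)
        return -1;
    ticks = (uint64_t)RATE_SCALE * mult / r;
    if (ticks == 0)
        return -1;
    *avg = (uint32_t)ticks;
    return 0;
}

/* Printing side: never divide by a zero interval, report infinity. */
double packets_per_second(uint32_t avg)
{
    if (avg == 0)
        return INFINITY;
    return (double)RATE_SCALE / avg;
}

int main(void)
{
    uint32_t avg = 0;
    int rc = parse_rate_weak("600059/minute", &avg);

    printf("weak:   rc=%d avg=%u -> %f pkt/s\n", rc, (unsigned)avg,
           packets_per_second(avg));
    rc = parse_rate_strict("600059/minute", &avg);
    printf("strict: rc=%d\n", rc);
    return 0;
}
```

Both halves matter: the strict parser stops new rules with a zero interval, and the guarded printer keeps listing safe for values that were already stored.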
a19988f2795770ce470562c1795e1cf53e3aa54b 15-Jul-2012 Jan Engelhardt <jengelh@inai.de> libxt_LED: guard against negative numbers

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_LED.c
d18b451ec82bbaeaf385241ebdf926912a075ade 14-Jul-2012 Jan Engelhardt <jengelh@inai.de> libxt_devgroup: guard against negative numbers

More corrections of the strtoul kind.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_devgroup.c
c0b7138f39882e2bf8f3d85d15e0ffbd868ed7ba 14-Jul-2012 Jan Engelhardt <jengelh@inai.de> libxt_devgroup: consolidate devgroup specification parsing

This is a small cleanup, reducing the two copies of X/Y parsing to
one.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_devgroup.c
dc23c2d7afd2103cbc589372769c2f6723ea5235 13-Jul-2012 Jan Engelhardt <jengelh@inai.de> libxt_u32: do bounds checking for @'s operands

Using only strtoul is prone to accept all values, including negative
ones which are not explicitly allowed. Therefore, use xtables_strtoui
with bounds checking.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_u32.c
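Why the libxt_LED, libxt_devgroup and libxt_u32 commits above stop relying on bare strtoul, as an added example that is not code from iptables. The function names and the 0..65535 bounds used in the demonstration are hypothetical; this is not the xtables_strtoui implementation.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* What a caller of bare strtoul() gets: leading whitespace and a sign
 * are accepted, and "-1" is negated in unsigned arithmetic, so it comes
 * back as ULONG_MAX with errno untouched. */
unsigned long parse_unchecked(const char *s)
{
    return strtoul(s, NULL, 0);
}

/* Strict variant: the whole string must be one unsigned number inside
 * [min, max]. Returns true and stores the value only on success. */
bool parse_uint_bounded(const char *s, unsigned int min, unsigned int max,
                        unsigned int *out)
{
    char *end;
    unsigned long v;

    /* Require a digit up front: this rejects "", " 7", "+7" and "-7",
     * all of which strtoul() itself would tolerate. */
    if (!isdigit((unsigned char)s[0]))
        return false;

    errno = 0;
    v = strtoul(s, &end, 0);
    if (end == s || *end != '\0')       /* nothing parsed, or trailing junk */
        return false;
    if (errno == ERANGE || v > UINT_MAX) /* does not fit the target type */
        return false;
    if (v < min || v > max)             /* caller-supplied bounds */
        return false;

    *out = (unsigned int)v;
    return true;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "7", "0x10", "-1", " 7", "12abc", "65536" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int v = 0;
        bool ok = parse_uint_bounded(samples[i], 0, 65535, &v);

        printf("%-8s unchecked=%lu strict=%s", samples[i],
               parse_unchecked(samples[i]), ok ? "ok" : "rejected");
        if (ok)
            printf(" value=%u", v);
        printf("\n");
    }
    return 0;
}
```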
a3c1c206a665d81afa2363507a5e162c20694311 13-Jul-2012 Jan Engelhardt <jengelh@inai.de> doc: grammatical updates to libxt_SET

Cherry-picked these from recent patches from Mr Dash Four.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
xtensions/libxt_SET.man
c5300d11308ccb429d551c32dffe752575c30b77 17-Jun-2012 Jan Engelhardt <jengelh@inai.de> iptables-restore: warn about -t in rule lines

save-restore syntax uses *table, not -t table.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
42ba40035e40b492e8667932f20922cee0682167 31-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> bump version to 1.4.15

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
74ded7257e5da5e309844d386290f24ae91950a6 17-May-2012 Denys Fedoryshchenko <denys@visp.net.lb> libxt_recent: add --mask netmask

This new option will be available in the Linux kernel 3.5

[ Pablo fixed coding-style issues and cleaned up this. Added
manpages as well ]

Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_recent.c
xtensions/libxt_recent.man
nclude/linux/netfilter/xt_recent.h
2165f38d2582e88e8a9dd9416f34eca7a7672e5a 30-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables-restore: fix parameter parsing (shows up with gcc-4.7)

This patch fixes parameter parsing in iptables-restore since time ago. The
problem has shown up with gcc-4.7. This version of gcc seems to perform more
aggressive memory management than previous.

Peter Lekensteyn provided the following sample code similar to the one
in iptables-restore:

    int i = 0;

    for (;;) {
        char x[5];

        x[i] = '0' + i;
        if (++i == 4) {
            x[i] = '\0'; /* terminate string with null byte */
            printf("%s\n", x);
            break;
        }
    }

Many may expect 0123 as output. But GCC 4.7 does not do that when compiling
with optimization enabled (-O1 and higher). It instead puts random data in the
first bytes of the character array, which becomes:

    |  0  |  1  |  2  |  3  |  4   |
    |      RANDOM     | '3' | '\0' |

Since the array is declared inside the scope of the loop's body, you can think
of it as a new array being allocated in the automatic storage area for each
loop iteration.

The correct code should be:

    char x[5];

    for (;;) {
        x[i] = '0' + i;
        if (++i == 4) {
            x[i] = '\0'; /* terminate string with null byte */
            printf("%s\n", x);
            break;
        }
    }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
f1c668268e9ddaedd8d78d7ae44cd26db1e8469f 30-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"

This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.

Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).
ptables/ip6tables-restore.c
ptables/iptables-restore.c
44191bdbd71e685fba9eab864b9df25e63905220 23-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)

This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.

But, in reality, it also fixes iptables when compiled with gcc-4.7.

Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.

@@ -380,9 +380,9 @@
quote_open = 0;
escaped = 0;
param_len = 0;
+ char param_buffer[1024];

for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];

if (quote_open) {
if (escaped) {
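Review bot: the moved `char param_buffer[1024];` now lands after the assignments ending in `param_len = 0;`, so it becomes a declaration after statements. Declare it with the other locals at the top of the enclosing block instead, and drop the empty line the removal leaves at the top of the `for` body. Since the buffer has to keep its contents across iterations of the `for (curchar = parsestart; ...)` loop, a one-line comment at the declaration saying so would stop a later cleanup from moving it back inside the loop.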

But I have a hard time applying this patch in such a way. Instead, I came
up with the idea of this cleanup, which does no harm after all (and fixes
the issue for us).

Someone in:

https://bugzilla.redhat.com/show_bug.cgi?id=82579

put some light on this:

"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes

param_buffer[param_len++] = *curchar;
continue;

At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.

Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
f4a6c20c39c97214e22625764bfa80ef8e1e3147 17-Jul-2012 Hans Schillstrom <hans@schillstrom.com> libxt_HMARK: correct a number of errors introduced by Pablo's rework

* Fix typo in --hmark-rnd description.
* Remove trailing -set from port and spi options.
* Take missing value for ports and spi from command line.
* Fix spi / port validation.
* Remove --hmark-offset as mandatory.

Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_HMARK.c
7fb49101acfbec265e96c1d5e475c7051beece19 16-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxt_HMARK: fix ct case example

... -j HMARK --hmark-tuple ct,src,dst --hmark-offset 10000 ...

Note `ct' requires also the tuples.

Reported-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_HMARK.man
3ee90dffea02c9be38dca6544ad5f22d4467e334 16-Jul-2012 Hans Schillstrom <hans@schillstrom.com> libxt_HMARK: fix output of iptables -L

Fix accidental swap of [s|d]port-mask and [s|d]port-port.

Use xtables_ipmask_to_cidr instead of xtables_ipmask_to_numeric.

Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_HMARK.c
abdef13f36b63758f8775eb86febd96bf062df6f 08-May-2012 Florian Westphal <fw@strlen.de> libxt_hashlimit: add support for byte-based operation

allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
to make hashlimit match when X bytes/second are exceeded;
optionally, Y bytes will not be matched (i.e. bursted).

[ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

libxt_hashlimit.c: In function ‘parse_bytes’:
libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_hashlimit.c
xtensions/libxt_hashlimit.man
nclude/linux/netfilter/xt_hashlimit.h
ests/options-most.rules
874d7ee3c36ba54220fd204e6aa7cbc731a66395 04-Jul-2012 Eldad Zack <eldad@fogrefinery.com> libxt_recent: remove unused variable

The info variable is assigned but never read in recent_check().

Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_recent.c
4df8cb6ab176f3c1f2bf9498d0abde8d9362087b 23-Apr-2012 Hans Schillstrom <hans.schillstrom@ericsson.com> extensions: add HMARK target

The target allows you to mark packets based on Jenkins' hash calculation:

h(t, rnd) = x

mark = (x % mod) + offset

where:

* t is a tuple that is used for the hashing:

t = [ src, dst, proto, sport, dport ]

Note that you can customize the tuple, thus, removing some component
that you don't want to use for the calculation. You can also use spi
instead of sport and dport, btw.

* rnd is the random seed that is explicitly passed via --hmark-rnd
* mod is the modulus, to determine the range of possible marks
* offset determines where the mark starts from

This target only works for the "raw" and "mangle" tables.

This can be used to distribute flows between a cluster of
systems and uplinks.

Initially based on work from Hans Schillingstrom. Pablo took it
over and introduced several improvements.

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_HMARK.c
xtensions/libxt_HMARK.man
nclude/linux/netfilter/xt_HMARK.h
a96166c24eaac1c91bed4815c09e91733409d888 14-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: add xtables_ip[6]mask_to_cidr

This patch adds generic functions to return the mask in CIDR
notation whenever possible.

This patch also simplifies xtables_ip[6]mask_to_numeric, that
now use these new two functions.

This patch also bumps libxtables_vcurrent and libxtables_vage
since we added a couple new interfaces (thanks to Jan Engelhardt
for his little reminder on this).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
nclude/xtables.h.in
ibxtables/xtables.c
7e2b63603fef2253b463ad33395520297cfe8378 02-Jul-2012 Florian Westphal <fw@strlen.de> libxt_devgroup: add man page snippet

Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libxt_devgroup.man
9eaa87401ce5ac64cc6baa55775f58f59ca26f34 26-May-2012 Pablo Neira Ayuso <pablo@netfilter.org> Bump version to 1.4.14

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
c022454ff5ad39c5e37fa6cd29b85159ad16ed0f 17-May-2012 Florian Westphal <fw@strlen.de> tests: add rateest match rules

also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ests/options-most.rules
a05910364fa0f2f919dbe0b01bcaba9c3cb127ca 17-May-2012 Florian Westphal <fw@strlen.de> extensions: libxt_rateest: output all options in save hook

ipt-restore fails to parse the ipt-save output:
zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
(should be "--rateest-pps 5 --rateest-lt"). Also, the "delta" option
was never shown in -save output, but twice in some cases when using
"iptables -L".

Also, the "b/pps1" option must be shown when "delta" option is used with
relative mode.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_rateest.c
cb999dfdaf25d5a774d2ee84cb99355438d57c93 10-May-2012 Florian Westphal <fw@strlen.de> ip(6)tables-restore: make sure argv is NULL terminated

Else, argv[argc] may point to free'd memory.

Some extensions, e.g. rateest, may fail to parse valid input
because argv[optind] (with optind == argc) is not NULL.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
6111382a6c27e73c1cef1777c1253be0453a9dbb 09-May-2012 Pablo Neira Ayuso <pablo@netfilter.org> libipt_ULOG: fix --ulog-cprange

In 1f2474a libipt_ULOG: use guided option parser.

A bug has been accidentally introduced in --ulog-cprange, limiting
possible values from 1 to 50. However, that limit should be applied
to --ulog-qthreshold.

Reported-by: Gaurav Sinha <vgsinha@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_ULOG.c
8db1044ba608a78035bbf89007aab6b6d8ff6f68 19-Apr-2012 Miguel GAIO <miguel.gaio@efixo.com> libiptc: fix retry path in TC_INIT

There is an issue on the TC_INIT retry path:
In the error case, TC_FREE is called and closes sockfd.
The retry does not reopen it and then always fails.

The proposed patch reopens sockfd in the retry path.

Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ibiptc/libiptc.c
e07e0d31f48d951e0f03ba254d4754810732c241 30-Mar-2012 Ashish Sharma <ashishsharma@google.com> Modify iptables to talk to xt_IDLETIMER version 1.

Change-Id: Ib144c5289681cdff21b21be74173164d097710e7
xtensions/libxt_IDLETIMER.c
xtensions/libxt_IDLETIMER.man
nclude/linux/netfilter/xt_IDLETIMER.h
371c311760bffad4570f4e194406f09ddc600b1c 03-Apr-2012 Mike Lockwood <lockwood@google.com> Merge remote-tracking branch 'goog/ics-aah'
e8f32983048d6aa4a908b6a92da55fa71c859623 29-Feb-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxt_CT: add --timeout option

This patch adds the --timeout option to allow to attach timeout
policy objects to flows, eg.

iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
-j CT --timeout custom-tcp-policy

You need the nfct(8) tool which is available at:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git
To define the cttimeout policies.

Example of usage:
nfct timeout add custom-tcp-policy inet tcp established 1000

The new nfct tool also requires libnetfilter_cttimeout:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_CT.c
xtensions/libxt_CT.man
nclude/linux/netfilter/xt_CT.h
c4a6b0d437b02458fb3cb827b694fd94b3fbe044 27-Mar-2012 Pablo Neira Ayuso <pablo@netfilter.org> Bump version to 1.4.13

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
f233df44196f568075a5d70fc29f31b72b512783 27-Mar-2012 Pablo Neira Ayuso <pablo@netfilter.org> extensions: add nfacct match

This patch provides the user-space iptables support for the nfacct match.
This can be used as follows:

nfacct add http-traffic
iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
nfacct get http-traffic

See also man nfacct(8) for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_nfacct.c
xtensions/libxt_nfacct.man
nclude/linux/netfilter/xt_nfacct.h
c0aa38e22e8a09fcb1898ad0e042eaf6314d2d42 21-Mar-2012 Maciej Żenczykowski <maze@google.com> src: mark newly opened fds as FD_CLOEXEC (close on exec)

By default, Unix-like systems leak file descriptors after a fork/exec
call. I think this seems to result in SELinux spotting strange AVC
log messages according to what I can find on the web.

Fedora 18 iptables source includes this change.

Maciej says:
"iptables does potentially fork/exec modprobe to load modules.
That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
You can do automated inspection of what gets carried across such
privilege changes and any unexpected open file descriptors flag
problems, patches like this cut down on the noise."

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_set.h
ibiptc/libiptc.c
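The FD_CLOEXEC commit above, as an added example (not code from the iptables tree): a descriptor opened without close-on-exec is inherited by whatever the process later executes, and the kind of automated inspection Maciej mentions can be approximated by scanning for such descriptors. The function names, the AF_UNIX socket standing in for iptables' own sockets, and the 4096 scan cap are assumptions of this example; SOCK_CLOEXEC is Linux-specific.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Plain socket(): the descriptor is inherited by any program we exec. */
static int open_sock_inheritable(void)
{
	return socket(AF_UNIX, SOCK_DGRAM, 0);
}

/* Two-step fix: set FD_CLOEXEC afterwards, preserving other fd flags. */
static int set_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags == -1)
		return -1;
	return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* One-step variant on Linux: no window between socket() and fcntl(). */
static int open_sock_cloexec(void)
{
	return socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
}

/* 1 if fd would stay open across exec(), 0 if not, -1 if fd is not open. */
static int survives_exec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags == -1)
		return -1;
	return (flags & FD_CLOEXEC) ? 0 : 1;
}

/*
 * Audit helper: count open descriptors above stdin/stdout/stderr that
 * lack FD_CLOEXEC, i.e. that a child such as modprobe would inherit.
 */
static int count_inheritable_fds(void)
{
	long max = sysconf(_SC_OPEN_MAX);
	int fd, n = 0;

	if (max < 0 || max > 4096)
		max = 4096;	/* scan cap chosen for this example */
	for (fd = 3; fd < max; fd++)
		if (survives_exec(fd) == 1)
			n++;
	return n;
}

int main(void)
{
	int before = count_inheritable_fds();
	int fd = open_sock_inheritable();

	if (fd < 0) {
		perror("socket");
		return 1;
	}
	printf("inheritable fds: %d before, %d after plain socket()\n",
	       before, count_inheritable_fds());
	if (set_cloexec(fd) != 0)
		perror("fcntl");
	printf("inheritable fds after FD_CLOEXEC: %d\n",
	       count_inheritable_fds());
	close(fd);
	return 0;
}
```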
61b8f7ecb64b3b6fe04d2a6ad9598f66e42ceea8 08-Mar-2012 Franz Flasch <franz.flasch@frequentis.com> iptables: missing free() in function delete_entry()

Fixed a memory leak in the dry run path of function delete_entry().

Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ibiptc/libiptc.c
1a7732f965c2b09e526eeca8a551538fbdc099ef 08-Mar-2012 Franz Flasch <franz.flasch@frequentis.com> iptables: missing free() in function cache_add_entry()

Fixed a memory leak in the error path of function cache_add_entry().

Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ibiptc/libiptc.c
7c1b69b97571ddeb8c624b0a1da366a456895a6d 01-Mar-2012 Pablo Neira Ayuso <pablo@netfilter.org> Revert "libiptc: Returns the position the entry was inserted"

This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c.

This is breaking my iptables scripts:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Incompatible with this kernel.
nclude/libiptc/libiptc.h
ibiptc/libiptc.c
d65702c5c5bbab0ef12298386fa4098c72584e6c 04-Jan-2012 Jonh Wendell <jonh.wendell@vexcorp.com> libiptc: Returns the position the entry was inserted

Jan Engelhardt showed no objections to this patch.
nclude/libiptc/libiptc.h
ibiptc/libiptc.c
98e1769b65b71989e3f16b25529b40f374aef323 28-Dec-2011 Patrick McHardy <kaber@trash.net> extensions: add IPv6 capable ECN match extension

Patrick submitted this patch by 9th Jun 2011, I'm recovering
and applying it to iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_ecn.c
xtensions/libipt_ecn.man
xtensions/libxt_ecn.c
xtensions/libxt_ecn.man
nclude/linux/netfilter/xt_ecn.h
nclude/linux/netfilter_ipv4/ipt_ecn.h
166b92d3fb2a7fc008df1b59332ef528a9a573ea 14-Jul-2011 Florian Westphal <fw@strlen.de> extensions: add rpfilter module

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_rpfilter.c
xtensions/libxt_rpfilter.man
nclude/linux/netfilter/xt_rpfilter.h
2117f2b4519a027c8e8ccdb2c99f2025c8af898b 02-Jan-2012 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'
3852ebcd25f65a42b552a0c705126c4b22da437e 02-Jan-2012 Pablo Neira Ayuso <pablo@netfilter.org> Bump version to 1.4.12.2

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
79cefabaac7a0ecf864db7da2a665845c0789f10 30-Dec-2011 Jan Engelhardt <jengelh@medozas.de> extensions: link on libxtables and check symbols

Have each extension link against libxtables.so; with this, all home
symbols are known at link time and we can use ld's --no-undefined to
run the check, dropping the homebrew solution.

By having libxtables.so required by extensions, package managers'
automatic dependency discovery will become effective so that manual
dependencies for distros with split extension packages (e.g. OpenWRT)
will not be necessary anymore.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
xtensions/GNUmakefile.in
32d8532a37004e11e5994d93df5e249c43197930 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> build: use delayed expansion on the user-settable variables

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
f63d056f0c1ac122973a0859445c9cb5747e7213 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> Update .gitignore

Split off extensions/.gitignore.
gitignore
xtensions/.gitignore
de26cd21f367d929a1aff41e268ce250ad49b04b 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> build: use AC_CONFIG_AUX_DIR and stash away tools
gitignore
onfigure.ac
9e1bb81c7e9d2c402ac62e3955af144e49f96ad8 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> Update .gitignore

Only ignore these paths if they are a directory.
gitignore
20a776cbd45368256601e4e38761ce5b44b35205 31-Dec-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'
1fda09431938321b1aed6b9cf0e4cbcefae39b11 30-Dec-2011 Jan Engelhardt <jengelh@medozas.de> nfnl_osf: add missing libnfnetlink_CFLAGS to compile process
tils/Makefile.am
4c15dcc6ec505d26649be8a8a9c8eb19134bfd5a 23-Dec-2011 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'
08628f20f492a1f9178f6df2a276f9a108ac0022 16-Dec-2011 Florian Westphal <fw@strlen.de> libxt_connbytes: fix handling of --connbytes FROM

quoting man page:

match packets from a connection whose packets/bytes/average
packet size is more than FROM and less than TO bytes/packets. if
TO is omitted only FROM check is done.

But, when TO was omitted, we did treat it like "x:x" which is not
the same at all.

Before commit 09631dc60ce41bc484a42fcf4d4ddf7036820bd1
(libxt_connbytes: use guided option parser), we failed to parse
"--connbytes x" ('Bad range "x"'), but treated "x:" like "x:0xffffffff".

Also, restore the "from must be smaller than to" check.

Signed-off-by: Florian Westphal <fw@strlen.de>
xtensions/libxt_connbytes.c
32a4b7dcaf252348732362cd6d853bf0005b2bdd 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'
b8c42eca0f224a00bf55b60ded81af14a1e07da1 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: provide separate pkgconfig files

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
ibiptc/.gitignore
ibiptc/Makefile.am
ibiptc/libip4tc.pc.in
ibiptc/libip6tc.pc.in
ibiptc/libiptc.pc.in
70af559db7732b6e06a57fca3611c86c6fa5dc00 18-Dec-2011 Jan Engelhardt <jengelh@medozas.de> doc: clarification on the meaning of -p 0

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.8.in
ptables/iptables.8.in
79ddbf202a06e6f018e087a328c2ca91e65a8463 30-Nov-2011 Tim Gardner <tim.gardner@canonical.com> libxt_recent: Add support for --reap option

Support for the reap option was merged in the kernel as of 2.6.35.

Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
xtensions/libxt_recent.c
xtensions/libxt_recent.man
3964023f8640b60456373825b326b91badd7a058 25-Nov-2011 Jan Engelhardt <jengelh@medozas.de> libipt_SAME: set PROTO_RANDOM on all ranges

Resolve the (justified) WTF remark to a clearer version of when/why
PROTO_RANDOM needs to be set.

Especially when --random is used before --to in SAME, it would have
not been applied.
xtensions/libipt_DNAT.c
xtensions/libipt_SAME.c
xtensions/libipt_SNAT.c
ba525eb3d3a77a5465e4e8a24970d8f15ba59ee3 01-Nov-2011 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'
3c461ceeed5f55599930051f6feaec014b08f730 31-Oct-2011 Florian Westphal <fw@strlen.de> libxt_NFQUEUE: fix --queue-bypass ipt-save output

else, this will print "--queue-num 0--queue-bypass ".

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_NFQUEUE.c
ests/options-most.rules
d0a6802613c84d626228e4514b1b6d7fbf59b34c 28-Oct-2011 Ed Heyl <ed@google.com> keep previous history after reset to mr1 plus aah changes (ics-aah-wip)
e28ccdb6a9e710091e9de88caa6d443f36a68930 26-Oct-2011 Ed Heyl <ed@google.com> undo reset to ics-mr1 until we have a better method
6e11195b803d89b705a368dcd9a365f7b53106af 26-Oct-2011 Ed Heyl <ed@google.com> reset to ics-mr1, but keep history
5cf4ec29ddaccb6a39a71f07b70188cf46b79ff9 28-Sep-2011 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'stable'
8fe22aa0a242314349f6cd7219b56a60a9d75276 05-Sep-2011 Thomas Jarosch <thomas.jarosch@intra2net.com> Improve readability of bitwise operation

CLUSTERIP: improve readability of bitwise operation

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libipt_CLUSTERIP.c
e5152bf4ebd4f573ae1d0770044e2bff7ab66d5e 28-Sep-2011 Thomas Jarosch <thomas.jarosch@intra2net.com> libxtables: Fix file descriptor leak in xtables_lmap_init on error

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ibxtables/xtoptions.c
134280881a3c99f313da669117de71bc236f1f77 19-Sep-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'
d2b0eaa297dfa87f54b3fbcaa292f14d793e3f3c 18-Sep-2011 Jan Engelhardt <jengelh@medozas.de> build: make check stage not fail when building statically

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
8816e91cddef785c78b3598c7c41a1f88be08f5a 18-Sep-2011 Jan Engelhardt <jengelh@medozas.de> build: restore build order of modules

iptables(exe) requires libext.a, but extensions/ require libxtables.la
(in iptables/). This circular dependency does not work out, so
separate libxtables into its own directory and put it in front.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/GNUmakefile.in
ptables/Makefile.am
ptables/xtables.c
ptables/xtoptions.c
ibxtables/Makefile.am
ibxtables/xtables.c
ibxtables/xtoptions.c
0ab10b11093ec250b404e3bead1d39177d1cbfa0 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> ip6tables-restore: make code look alike with iptables-restore

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
de4d2d3b716d83a6d3831aaf902c5adb5d1d14c9 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: use a family-invariant xtc_ops struct for code reduction

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libiptc/xtcshared.h
ibiptc/Makefile.am
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
14da56743c6cdf25da35b7b5ca7a5d201771990d 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: resolve old macro names that are indirections

Command used:

git grep -f <(pcregrep -hior
'(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_realm.c
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
ptables/ip6tables-restore.c
ptables/ip6tables-save.c
ptables/ip6tables.c
ptables/iptables-restore.c
ptables/iptables-save.c
ptables/iptables-xml.c
ptables/iptables.c
ptables/xshared.c
ibiptc/libip4tc.c
ibiptc/libip6tc.c
1639fe86579f86f5f6a954a9b0adde2e16ad1980 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: combine common types: _handle

No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/ip6tables.h
nclude/iptables.h
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libiptc/xtcshared.h
ptables/ip6tables-restore.c
ptables/ip6tables-save.c
ptables/ip6tables-standalone.c
ptables/ip6tables.c
ptables/iptables-restore.c
ptables/iptables-save.c
ptables/iptables-standalone.c
ptables/iptables.c
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
7e5e866a36a76c153e5903b8251f90cfe07a1d34 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: replace ipt_chainlabel by xt_chainlabel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/ip6tables.h
nclude/iptables.h
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
ptables/ip6tables.c
ptables/iptables.c
ibiptc/libip4tc.c
ibiptc/libip6tc.c
2325c0fedf7507f94aa3bb11cc65a70d33836f8f 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: combine common types

Make an xt_chainlabel type out of ipt_chainlabel and ip6t_chainlabel,
and add backward-API #defines. The ABI naturally does not change
either, so no soversion bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/Makefile.am
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libiptc/xtcshared.h
160f25b09fc5695a65a8aaf485ebece85e1f853c 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: remove unused HOOK_DROPPING thing

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libip4tc.c
ibiptc/libiptc.c
296dca39be1166c4b7c6367c1b97ee95aebddfc3 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> iptables-save: remove binary dumping dead code

Was never implemented, kill it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-save.c
ptables/iptables-save.c
9cf67deb62f127902e686c48b951861bf848d0ab 11-Sep-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: resolve compile failure

CC libip4tc.lo
In file included from libip4tc.c:118:0:
libiptc.c:70:8: error: redefinition of "struct xt_error_target"
../include/linux/netfilter/x_tables.h:69:8: note: originally defined here

Remove libiptc's duplicate definition and substitute names.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libiptc.c
34d23bd14002aeeae0374d2561ad329e5cdc96e2 11-Sep-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'
1e4965232d77ab752c9c781afcf854f4b173c7b1 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> doc: document iptables-restore's -T option

Commit v1.4.0-rc1-12-ge8665f8 completely forgot this.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-restore.8
ptables/iptables-restore.8
b171b546cb529e2996df05fe91cba058fae9fd99 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> ip6tables-restore: implement missing -T option

Commit v1.4.0-rc1-12-ge8665f8 forgot to port the change to the
ip6tables part.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-restore.c
5fa68e820a641039e48045a82560ed13471ecff4 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> doc: fix undesired newline in ip6tables-restore(8)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-restore.8
5e5ea1ccf61d96879531929874109c17c1894908 08-Sep-2011 Jan Engelhardt <jengelh@medozas.de> build: sort file list before build

Manpage subsections are already sorted for obvious reasons. Since
$(wildcard) can actually return results unordered (just what the OS
can do) do the sorting with the .o file list too, for developer
comfort.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
62fc25fd1625f0f65b9eed3e15fe929dd0aff2c5 08-Sep-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'master' of git://dev.medozas.de/iptables
891d5790b3f4caeed80f1449d280617c54df8837 08-Sep-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'
153c23d9b14285b24aae3e96da0b547dcc7ee051 03-Sep-2011 Tom Eastep <teastep@shorewall.net> libxt_CONNSECMARK: fix spacing in output

~# iptables -t mangle -A foo -j CONNSECMARK --save
~# iptables -t mangle -S
[...]
-A foo -j CONNSECMARK--save

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNSECMARK.c
bf42cf92ea0c53e5470a20d62d00e5e83379f4d5 05-Sep-2011 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable' of git://dev.medozas.de/iptables

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f56b8a8bf4b1041cb875fd8439778f35276bdb30 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> iptables: move kernel version find routing into libxtables

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
nclude/iptables.h
nclude/xtables.h.in
ptables/Makefile.am
ptables/iptables.c
ptables/xtables.c
751da923262746bf8fd3195e178504fb18c37dc5 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> build: scan for unreferenced symbols

To be notified of occurrences where we are missing any libraries, run
some ldd checks post building.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
9249ad37b2342eb48009e18f3982362e1018ea5a 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> libxt_RATEEST: link with -lm

$ ldd -r libxt_RATEEST.so
undefined symbol: log (./libxt_RATEEST.so)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
d4e72dc1c684c2f8361d87e6bde2902cd2ee8efb 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> libxt_statistic: link with -lm

$ ldd -r libxt_statistic.so
undefined symbol: lround (./libxt_statistic.so)

References: https://bugs.archlinux.org/task/25358
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
ptables/Makefile.am
5df067f91b8ffa7801d09e6dd13fe9bf4b7b490b 01-Sep-2011 Pablo Neira Ayuso <pablo@netfilter.org> Bump version to 1.4.12.1

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
dbe77cc974cee656eae37e75039dd1a410a4535b 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> include: refresh include files from kernel 3.1-rc3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/linux/kernel.h
nclude/linux/netfilter.h
nclude/linux/netfilter/ipset/ip_set.h
nclude/linux/netfilter/nf_conntrack_common.h
nclude/linux/netfilter/nf_conntrack_tuple_common.h
nclude/linux/netfilter/x_tables.h
nclude/linux/netfilter/xt_CT.h
nclude/linux/netfilter/xt_TCPOPTSTRIP.h
nclude/linux/netfilter/xt_TPROXY.h
nclude/linux/netfilter/xt_cluster.h
nclude/linux/netfilter/xt_connbytes.h
nclude/linux/netfilter/xt_connlimit.h
nclude/linux/netfilter/xt_physdev.h
nclude/linux/netfilter/xt_policy.h
nclude/linux/netfilter/xt_quota.h
nclude/linux/netfilter/xt_sctp.h
nclude/linux/netfilter/xt_set.h
nclude/linux/netfilter/xt_socket.h
nclude/linux/netfilter/xt_time.h
nclude/linux/netfilter/xt_u32.h
nclude/linux/netfilter_ipv4/ip_tables.h
nclude/linux/netfilter_ipv4/ipt_CLUSTERIP.h
nclude/linux/netfilter_ipv4/ipt_ECN.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/linux/netfilter_ipv4/ipt_TTL.h
nclude/linux/netfilter_ipv4/ipt_addrtype.h
nclude/linux/netfilter_ipv4/ipt_ah.h
nclude/linux/netfilter_ipv4/ipt_ecn.h
nclude/linux/netfilter_ipv4/ipt_ttl.h
nclude/linux/netfilter_ipv6/ip6_tables.h
nclude/linux/netfilter_ipv6/ip6t_HL.h
nclude/linux/netfilter_ipv6/ip6t_REJECT.h
nclude/linux/netfilter_ipv6/ip6t_ah.h
nclude/linux/netfilter_ipv6/ip6t_frag.h
nclude/linux/netfilter_ipv6/ip6t_hl.h
nclude/linux/netfilter_ipv6/ip6t_ipv6header.h
nclude/linux/netfilter_ipv6/ip6t_mh.h
nclude/linux/netfilter_ipv6/ip6t_opts.h
nclude/linux/netfilter_ipv6/ip6t_rt.h
nclude/linux/types.h
3775fb69f63b76191bc3571bfa8538c18173d90f 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_addrtype: add support for revision 1

Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
there was no corresponding iptables patch so far.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_addrtype.c
nclude/linux/netfilter/xt_addrtype.h
a49002efbdc5813ee193aa8fde3da3e35ff0d38f 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_addrtype: rename from libipt_addrtype

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_addrtype.c
xtensions/libipt_addrtype.man
xtensions/libxt_addrtype.c
xtensions/libxt_addrtype.man
2ca6273c73b42e8c74afd5f8b1fe10c5c93ce363 27-Aug-2011 Richard Weinberger <richard@nod.at> xtoptions: simplify xtables_parse_interface

mask is already filled with zeros, there is no need to zero it again.

References: http://marc.info/?l=netfilter-devel&m=131445196526269&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
3412bd0bfb8b8bac9834cbfd3392b3d5487133bf 19-Aug-2011 Tom Eastep <teastep@shorewall.net> libxt_conntrack: improve error message on parsing violation

Tom Eastep noted:

$ iptables -A foo -m conntrack --ctorigdstport 22
iptables v1.4.12: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.

Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
but let's include Tom's patch nevertheless for the better error
message in case one actually does specify a range with rev 2.

References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
fdb2a27825e558393fb715374c07873830d4d149 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> xtoptions: fill in fallback value for nvals

Parsing for libxt_conntrack rev 2 is done by using rev 2's option
structure, which specifies XTTYPE_PORT, and using rev 3's parser
skeleton, which uses cb->nvals. Reading cb->nvals when not using
XTTYPE_PORTRC (or any other multi-value type) is undefined behavior.

Make it defined. Since XTTYPE_NONE is the only type that can take
void, nvals logically ought to be 1.

References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtoptions.c
debcf48f6a72914a9c06e99b175ad64ef1f6f1cb 02-Aug-2011 Fernando Luis Vázquez Cao <fernando@oss.ntt.co.jp> libxt_TOS: update linux kernel version list for backported fix

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TOS.man
d51a97bc52ee81a962b761c7e58a5eb9f07a2c8a 26-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_string: escape the escaping char too

References: http://bugzilla.netfilter.org/show_bug.cgi?id=740
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
ests/options-most.rules
f643eb37e49a212d40eb060bcdfafbc366c0d616 26-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: remove unused IPTABLES_MULTI define

This dead code has been lingering around since commit v1.4.5~7.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/Makefile.am
ptables/ip6tables-restore.c
ptables/ip6tables-save.c
ptables/ip6tables-standalone.c
ptables/iptables-restore.c
ptables/iptables-save.c
ptables/iptables-standalone.c
ptables/iptables-xml.c
f4daf54e5c184680559de33eb08f2a0fb701dbe9 25-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_string: replace hex codes by char equivalents

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
131d4fb53b45be85b1315f72f958cadf7b24a63f 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_string: simplify hex output routine

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
4a56bcbd49ef20a0203017c15ab1cec9bb140d1a 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: observe new default gc-expire time when saving

Since a while, --htable-gc-expire defaults to the chosen time quantum
instead of 10 fixed seconds, which leads the expiry value to be always
printed, which is redundant.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
ests/options-most.rules
7e42bda9330afe717561c47a02a3f58c8ee1a246 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> tests: add negation tests for libxt_statistic

Note: it is valid to check cb->invert before calling
xtables_option_parse.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ests/options-most.rules
03deef5241330db418652c42af4d517527743f22 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_policy: remove superfluous inversion

--dir cannot be inverted.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_policy.c
c2a47ead16fc488fbf7fd8aa12d306cedf4da441 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_physdev: restore inversion support

Bug origin is in commit v1.4.11~26^2~4.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_physdev.c
ests/options-most.rules
c4e1c0992937bce3ac72987aa43f4f3c219cf3e3 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_owner: restore inversion support

Bug origin is in commit v1.4.11~16^2~7.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_owner.c
ests/options-most.rules
c96e524e98de81b333d772aa9a4f9b93275525dd 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libipt_ttl: document that negation is available

Glitch since commit v1.2.1~75.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_ttl.c
xtensions/libipt_ttl.man
0859fdf5d0ae24c88e64246164c4959ad3b0d098 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_dst: restore setting IP6T_OPTS_LEN flag

Bug origin is in commit v1.4.11~26^2~18.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_dst.c
ests/options-most.rules
975aeec7d34419fece8710997b6ec88cc0abb580 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_hbh: restore setting IP6T_OPTS_LEN flag

Bug origin is in commit v1.4.11~26^2~17.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_hbh.c
ests/options-most.rules
de1f06dca906bfcb82d7c7c2d555fbf3229d12b6 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: remove inversion from hashlimit rev 0

Revision 0 indeed did not have inversion support, nor presence of
--hashlimit-above. This glitch was added in v1.4.11~16^2~10.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
97dac48e7dfd3e2f35e33fdad72bda5b3dfc2241 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_frag: restore inversion support

--fraglen also was not printed since v1.4.11~26^2~22.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_frag.c
ests/options-most.rules
735f3d76ccd3a7deab13703d7c227c87c666a97b 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT

When XTOPT_POINTER is used (and yields a non-zero offsetof), we can
flag the absence of XTOPT_PUT.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtoptions.c
bca5b9afbe4b3823989f1e78f178203eb3bfa37d 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: fix --ctproto 0 output

First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.

Bug goes back to v1.4.12~1^2.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
c148c4ad2e28b94125c0c9954a887f0a473d598b 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: default htable-expire must be in milliseconds

Bug goes back to v1.4.12~3^2~11.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
83c342b36a7048ab86827e09a4916064837293d3 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dscp: restore inversion support

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dscp.c
ests/options-most.rules
f17fd48448aafdc762a3b439864bcb1127b0da6c 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: fix random output of ! on --dccp-option

dccp-option tests info->typemask, but it really should look at
info->invflags instead.

This bug goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
ca48066aaa8179025c0b4e17ed40a4bc12487190 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: provide man pages options in short help too

This omission goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
xtensions/libxt_dccp.man
f677e7b10c72bd3007c89d51eea13a0c2c3d262b 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: spell out option name on save

This glitch goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
7e66a657d0fbb8a3f27fd78c7bb27859d44002aa 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: fix deprecated intrapositional ordering of !

This bug goes back to v1.4.3~63.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
d152d6acd6751884621e0b760fecc0d652aea479 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: restore missing XTOPT_INVERT tags for options

This regression goes back to v1.4.11~19^2.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
ests/options-most.rules
107dca41800f7aeb6600438ea3aaf0fd66019417 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: remove one misleading comment

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
79e1f97a966e82155ebc00b30e3b60c48d060448 21-Aug-2011 Jan Engelhardt <jengelh@medozas.de> doc: clarify libxt_connlimit defaults

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.man
3716dfd7eac3afa7fb3098952550e510c8df0220 12-Aug-2011 Dwight Davis <sivad_thgiwd@yahoo.ca> libxt_string: fix space around arguments

Fix oversight from commit v1.4.11~80.

References: http://bugs.debian.org/637499
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
ests/options-most.rules
886a89bf378e079e807cda2eb43573ca6c886d0a 20-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_set: put differing variable names in directly

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_SET.c
xtensions/libxt_set.c
b6ad32fe050126e5557c19ab970547d1472e4728 10-Aug-2011 Bernard Massot <bernard@massot.ath.cx> doc: fix typo in libxt_TRACE

References: http://bugzilla.netfilter.org/show_bug.cgi?id=736
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TRACE.man
3dafef40228c372976eb714836ea097115d8fd03 20-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_tcp: always print the mask parts

0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tcp.c
085b233bd85173082cc872563505ad3755ac5455 20-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_set: update man page about kernel support on the feature

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_SET.man
xtensions/libxt_set.man
bc3aeaafcf33e3e6a51948568f4f7a16304f619b 15-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_u32: fix missing allowance for inversion

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_u32.c
ests/options-most.rules
91ca4603f649a9b9fed4f2e31a8c005cdbdacd1e 09-Aug-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
4982fe43cf247cda6ddb946a8f1fd58177124735 08-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libipq: add pkgconfig file

This is just to make sure that projects (still) using it do so with
the right cflags, e.g. for when the include file ends up in a
non-standard location due to ./configure having been called with
--include=/somewhere/else.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
ibipq/.gitignore
ibipq/Makefile.am
ibipq/libipq.pc.in
fa2ce1ca2a3448350dee30c153dafe65abe7135d 01-Aug-2011 Jan Engelhardt <jengelh@medozas.de> build: abort autogen on subcommand failure

Needed to stop an automated build process when automake requirements
are not fulfilled.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
utogen.sh
43896add0eb9c6bc94b7323e76f137d402e0f7fe 01-Aug-2011 Jan Engelhardt <jengelh@medozas.de> build: strengthen check for overlong lladdr components

ethermac[i] > UINT8_MAX is quite pointless, because ethermac[i] is
just uint8_t. To catch values that are not in the range "00"-"ff", use
a string length check (end-arg>2). I am willingly using 2 there,
because no one is going to specify an Ethernet LL address as
"0x00:0x24:0xbe:0xc2:0x7f:0x16" -- because it is always interpreted as
hexadecimal anyway even without the 0x prefix.

xtoptions.c: In function "xtopt_parse_ethermac":
xtoptions.c:760:3: warning: comparison is always false due to limited range of data type
xtoptions.c:766:2: warning: comparison is always false due to limited range of data type

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtoptions.c
41a9b481693b4c43c16d0588cc558dd455168af0 01-Aug-2011 Jan Engelhardt <jengelh@medozas.de> build: workaround broken linux-headers on RHEL-5

magic.h was not invented yet, but they do not
ship proc_fs.h either, duh.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
67156c0b9a3d35f5e7836e5683d8ca0b46ac36ca 01-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_string: define _GNU_SOURCE for strnlen

On RHEL-5.6 and clones with its gcc-4.1.2 and glibc-2.5:

libxt_string.c: In function "parse_string":
libxt_string.c:84: warning: implicit declaration of function "strnlen"

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
ec29faeb07c3c71b4c1eda24ab877cb5aff0abb8 30-Jul-2011 The Android Open Source Project <initial-contribution@android.com> am 3b2deb17: Reconcile with honeycomb-LTE-release

* commit '3b2deb17f065c5664bb25e1a28489e5792eb63ff':
Remove the debug tag.
3b2deb17f065c5664bb25e1a28489e5792eb63ff 30-Jul-2011 The Android Open Source Project <initial-contribution@android.com> Reconcile with honeycomb-LTE-release

Change-Id: I33af94011c738b572ffa3716c9346f078eea843f
6f66fe95d98e5c18823e78670a28eb25d04c70fd 29-Jul-2011 Ying Wang <wangying@google.com> Remove the debug tag.

iptables are now needed by all products.
It should be added to core.mk.

Change-Id: Ie1f3a83b0e0ba15482b7b76c81ada3bf8faf6096
ptables/Android.mk
af655b0b58cfbaedbaadb0a686ff6219d0b075e2 29-Jul-2011 Ying Wang <wangying@google.com> am bcc59b4a: am d184710e: Remove the debug tag.

* commit 'bcc59b4ad65f77df454534ff2aa5c0cee9a9a767':
Remove the debug tag.
bcc59b4ad65f77df454534ff2aa5c0cee9a9a767 29-Jul-2011 Ying Wang <wangying@google.com> am d184710e: Remove the debug tag.

* commit 'd184710e9483514e1cebdcc75576369fdd9440a6':
Remove the debug tag.
d184710e9483514e1cebdcc75576369fdd9440a6 29-Jul-2011 Ying Wang <wangying@google.com> Remove the debug tag.

iptables are now needed by all products.
It should be added to core.mk.

Change-Id: Ie1f3a83b0e0ba15482b7b76c81ada3bf8faf6096
ptables/Android.mk
5a7f0b6b944a8c98bf74bac757102296e3b4fd61 27-Jul-2011 JP Abgrall <jpa@google.com> am b7ef9951: (-s ours) am e37d45ce: (-s ours) DO NOT MERGE: updating iptables to v1.4.11++ from master

* commit 'b7ef9951133f7a4eb86cd2016ed150d2b3bda684':
DO NOT MERGE: updating iptables to v1.4.11++ from master
b7ef9951133f7a4eb86cd2016ed150d2b3bda684 27-Jul-2011 JP Abgrall <jpa@google.com> am e37d45ce: (-s ours) DO NOT MERGE: updating iptables to v1.4.11++ from master

* commit 'e37d45ce390c2f5a7f1e64742b9100ecef0def54':
DO NOT MERGE: updating iptables to v1.4.11++ from master
e37d45ce390c2f5a7f1e64742b9100ecef0def54 26-Jul-2011 JP Abgrall <jpa@google.com> DO NOT MERGE: updating iptables to v1.4.11++ from master

It is based on master's iptables at
commit 8e3c7cabff2fbb0e2b7bbf870928dc2c46ed2740

Change-Id: Ie749254e1197237b832ffb3dd376b25146e33081
gitignore
ndroid.mk
OMMIT_NOTES
OPYING
leanSpec.mk
NSTALL
ODULE_LICENSE_GPL
akefile.am
OTICE
ules.make
utogen.sh
onfigure.ac
xtensions/.CLUSTERIP-test
xtensions/.NFLOG-test
xtensions/.NFLOG-test6
xtensions/.REJECT-test6
xtensions/.ah-test6
xtensions/.condition-test
xtensions/.condition-test6
xtensions/.connbytes-test
xtensions/.dccp-test
xtensions/.esp-test6
xtensions/.frag-test6
xtensions/.hashlimit-test6
xtensions/.ipv6header-test6
xtensions/.opts-test6
xtensions/.quota-test
xtensions/.recent-test
xtensions/.rt-test6
xtensions/.sctp-test6
xtensions/.set-test
xtensions/.statistic-test
xtensions/.string-test
xtensions/Android.mk
xtensions/GNUmakefile.in
xtensions/create_initext
xtensions/dscp_helper.c
xtensions/filter_init
xtensions/initext.c
xtensions/libip6t_2connmark.c
xtensions/libip6t_2hl.c
xtensions/libip6t_2mark.c
xtensions/libip6t_CONNMARK.c
xtensions/libip6t_CONNSECMARK.c
xtensions/libip6t_CONNSECMARK.man
xtensions/libip6t_HL.c
xtensions/libip6t_HL.man
xtensions/libip6t_LOG.c
xtensions/libip6t_LOG.man
xtensions/libip6t_MARK.c
xtensions/libip6t_MARK.man
xtensions/libip6t_NFLOG.c
xtensions/libip6t_NFQUEUE.c
xtensions/libip6t_NFQUEUE.man
xtensions/libip6t_REJECT.c
xtensions/libip6t_REJECT.man
xtensions/libip6t_SECMARK.c
xtensions/libip6t_SECMARK.man
xtensions/libip6t_TCPMSS.c
xtensions/libip6t_TCPMSS.man
xtensions/libip6t_ah.c
xtensions/libip6t_ah.man
xtensions/libip6t_condition.c
xtensions/libip6t_condition.man
xtensions/libip6t_dst.c
xtensions/libip6t_dst.man
xtensions/libip6t_esp.c
xtensions/libip6t_esp.man
xtensions/libip6t_eui64.c
xtensions/libip6t_frag.c
xtensions/libip6t_frag.man
xtensions/libip6t_hashlimit.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hbh.man
xtensions/libip6t_hl.c
xtensions/libip6t_hl.man
xtensions/libip6t_icmp6.c
xtensions/libip6t_icmp6.man
xtensions/libip6t_ipv6header.c
xtensions/libip6t_ipv6header.man
xtensions/libip6t_length.c
xtensions/libip6t_length.man
xtensions/libip6t_limit.c
xtensions/libip6t_limit.man
xtensions/libip6t_mac.c
xtensions/libip6t_mac.man
xtensions/libip6t_mark.man
xtensions/libip6t_mh.c
xtensions/libip6t_mh.man
xtensions/libip6t_multiport.c
xtensions/libip6t_multiport.man
xtensions/libip6t_owner.c
xtensions/libip6t_owner.man
xtensions/libip6t_physdev.c
xtensions/libip6t_physdev.man
xtensions/libip6t_policy.c
xtensions/libip6t_policy.man
xtensions/libip6t_rt.c
xtensions/libip6t_rt.man
xtensions/libip6t_sctp.c
xtensions/libip6t_standard.c
xtensions/libip6t_state.c
xtensions/libip6t_tcp.c
xtensions/libip6t_tcp.man
xtensions/libip6t_udp.c
xtensions/libip6t_udp.man
xtensions/libipt_2connmark.c
xtensions/libipt_2dscp.c
xtensions/libipt_2ecn.c
xtensions/libipt_2mark.c
xtensions/libipt_2set.c
xtensions/libipt_2tcpmss.c
xtensions/libipt_2tos.c
xtensions/libipt_2ttl.c
xtensions/libipt_CLASSIFY.c
xtensions/libipt_CLASSIFY.man
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_CLUSTERIP.man
xtensions/libipt_CONNMARK.c
xtensions/libipt_CONNMARK.man
xtensions/libipt_CONNSECMARK.c
xtensions/libipt_CONNSECMARK.man
xtensions/libipt_DNAT.c
xtensions/libipt_DNAT.man
xtensions/libipt_DSCP.c
xtensions/libipt_DSCP.man
xtensions/libipt_ECN.c
xtensions/libipt_ECN.man
xtensions/libipt_LOG.c
xtensions/libipt_LOG.man
xtensions/libipt_MARK.c
xtensions/libipt_MARK.man
xtensions/libipt_MASQUERADE.c
xtensions/libipt_MASQUERADE.man
xtensions/libipt_MIRROR.c
xtensions/libipt_NETMAP.c
xtensions/libipt_NETMAP.man
xtensions/libipt_NFLOG.c
xtensions/libipt_NFQUEUE.c
xtensions/libipt_NFQUEUE.man
xtensions/libipt_NOTRACK.c
xtensions/libipt_NOTRACK.man
xtensions/libipt_REDIRECT.c
xtensions/libipt_REDIRECT.man
xtensions/libipt_REJECT.c
xtensions/libipt_REJECT.man
xtensions/libipt_SAME.c
xtensions/libipt_SAME.man
xtensions/libipt_SECMARK.c
xtensions/libipt_SECMARK.man
xtensions/libipt_SET.c
xtensions/libipt_SET.man
xtensions/libipt_SNAT.c
xtensions/libipt_SNAT.man
xtensions/libipt_TCPMSS.c
xtensions/libipt_TCPMSS.man
xtensions/libipt_TOS.c
xtensions/libipt_TOS.man
xtensions/libipt_TTL.c
xtensions/libipt_TTL.man
xtensions/libipt_ULOG.c
xtensions/libipt_ULOG.man
xtensions/libipt_addrtype.c
xtensions/libipt_addrtype.man
xtensions/libipt_ah.c
xtensions/libipt_ah.man
xtensions/libipt_comment.c
xtensions/libipt_comment.man
xtensions/libipt_condition.c
xtensions/libipt_condition.man
xtensions/libipt_connbytes.c
xtensions/libipt_connbytes.man
xtensions/libipt_connmark.man
xtensions/libipt_connrate.c
xtensions/libipt_connrate.man
xtensions/libipt_conntrack.c
xtensions/libipt_conntrack.man
xtensions/libipt_dccp.c
xtensions/libipt_dccp.man
xtensions/libipt_dscp.man
xtensions/libipt_dscp_helper.c
xtensions/libipt_ecn.c
xtensions/libipt_ecn.man
xtensions/libipt_esp.c
xtensions/libipt_esp.man
xtensions/libipt_hashlimit.c
xtensions/libipt_hashlimit.man
xtensions/libipt_helper.c
xtensions/libipt_helper.man
xtensions/libipt_icmp.c
xtensions/libipt_icmp.man
xtensions/libipt_iprange.c
xtensions/libipt_iprange.man
xtensions/libipt_length.c
xtensions/libipt_length.man
xtensions/libipt_limit.c
xtensions/libipt_limit.man
xtensions/libipt_mac.c
xtensions/libipt_mac.man
xtensions/libipt_mark.man
xtensions/libipt_multiport.c
xtensions/libipt_multiport.man
xtensions/libipt_owner.c
xtensions/libipt_owner.man
xtensions/libipt_physdev.c
xtensions/libipt_physdev.man
xtensions/libipt_pkttype.c
xtensions/libipt_pkttype.man
xtensions/libipt_policy.c
xtensions/libipt_policy.man
xtensions/libipt_quota.c
xtensions/libipt_quota.man
xtensions/libipt_realm.c
xtensions/libipt_realm.man
xtensions/libipt_recent.c
xtensions/libipt_recent.man
xtensions/libipt_sctp.c
xtensions/libipt_sctp.man
xtensions/libipt_set.h
xtensions/libipt_set.man
xtensions/libipt_standard.c
xtensions/libipt_state.c
xtensions/libipt_state.man
xtensions/libipt_statistic.c
xtensions/libipt_string.c
xtensions/libipt_string.man
xtensions/libipt_tcp.c
xtensions/libipt_tcp.man
xtensions/libipt_tcpmss.man
xtensions/libipt_tos.man
xtensions/libipt_ttl.c
xtensions/libipt_ttl.man
xtensions/libipt_udp.c
xtensions/libipt_udp.man
xtensions/libipt_unclean.c
xtensions/libxt_AUDIT.c
xtensions/libxt_AUDIT.man
xtensions/libxt_CHECKSUM.c
xtensions/libxt_CHECKSUM.man
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CLASSIFY.man
xtensions/libxt_CONNMARK.c
xtensions/libxt_CONNMARK.man
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_CONNSECMARK.man
xtensions/libxt_CT.c
xtensions/libxt_CT.man
xtensions/libxt_DSCP.c
xtensions/libxt_DSCP.man
xtensions/libxt_IDLETIMER.c
xtensions/libxt_IDLETIMER.man
xtensions/libxt_LED.c
xtensions/libxt_LED.man
xtensions/libxt_MARK.c
xtensions/libxt_MARK.man
xtensions/libxt_NFLOG.c
xtensions/libxt_NFLOG.man
xtensions/libxt_NFQUEUE.c
xtensions/libxt_NFQUEUE.man
xtensions/libxt_NOTRACK.c
xtensions/libxt_NOTRACK.man
xtensions/libxt_RATEEST.c
xtensions/libxt_RATEEST.man
xtensions/libxt_SECMARK.c
xtensions/libxt_SECMARK.man
xtensions/libxt_SET.c
xtensions/libxt_SET.man
xtensions/libxt_TCPMSS.c
xtensions/libxt_TCPMSS.man
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_TCPOPTSTRIP.man
xtensions/libxt_TEE.c
xtensions/libxt_TEE.man
xtensions/libxt_TOS.c
xtensions/libxt_TOS.man
xtensions/libxt_TPROXY.c
xtensions/libxt_TPROXY.man
xtensions/libxt_TRACE.c
xtensions/libxt_TRACE.man
xtensions/libxt_cluster.c
xtensions/libxt_cluster.man
xtensions/libxt_comment.c
xtensions/libxt_comment.man
xtensions/libxt_connbytes.c
xtensions/libxt_connbytes.man
xtensions/libxt_connlimit.c
xtensions/libxt_connlimit.man
xtensions/libxt_connmark.c
xtensions/libxt_connmark.man
xtensions/libxt_conntrack.c
xtensions/libxt_conntrack.man
xtensions/libxt_cpu.c
xtensions/libxt_cpu.man
xtensions/libxt_dccp.c
xtensions/libxt_dccp.man
xtensions/libxt_devgroup.c
xtensions/libxt_dscp.c
xtensions/libxt_dscp.man
xtensions/libxt_esp.c
xtensions/libxt_esp.man
xtensions/libxt_hashlimit.c
xtensions/libxt_hashlimit.man
xtensions/libxt_helper.c
xtensions/libxt_helper.man
xtensions/libxt_iprange.c
xtensions/libxt_iprange.man
xtensions/libxt_ipvs.c
xtensions/libxt_ipvs.man
xtensions/libxt_length.c
xtensions/libxt_length.man
xtensions/libxt_limit.c
xtensions/libxt_limit.man
xtensions/libxt_mac.c
xtensions/libxt_mac.man
xtensions/libxt_mark.c
xtensions/libxt_mark.man
xtensions/libxt_multiport.c
xtensions/libxt_multiport.man
xtensions/libxt_osf.c
xtensions/libxt_osf.man
xtensions/libxt_owner.c
xtensions/libxt_owner.man
xtensions/libxt_physdev.c
xtensions/libxt_physdev.man
xtensions/libxt_pkttype.c
xtensions/libxt_pkttype.man
xtensions/libxt_policy.c
xtensions/libxt_policy.man
xtensions/libxt_quota.c
xtensions/libxt_quota.man
xtensions/libxt_quota2.c
xtensions/libxt_quota2.man
xtensions/libxt_rateest.c
xtensions/libxt_rateest.man
xtensions/libxt_recent.c
xtensions/libxt_recent.man
xtensions/libxt_sctp.c
xtensions/libxt_sctp.man
xtensions/libxt_set.c
xtensions/libxt_set.h
xtensions/libxt_set.man
xtensions/libxt_socket.c
xtensions/libxt_socket.man
xtensions/libxt_standard.c
xtensions/libxt_state.c
xtensions/libxt_state.man
xtensions/libxt_statistic.c
xtensions/libxt_statistic.man
xtensions/libxt_string.c
xtensions/libxt_string.man
xtensions/libxt_tcp.c
xtensions/libxt_tcp.man
xtensions/libxt_tcpmss.c
xtensions/libxt_tcpmss.man
xtensions/libxt_time.c
xtensions/libxt_time.man
xtensions/libxt_tos.c
xtensions/libxt_tos.man
xtensions/libxt_u32.c
xtensions/libxt_u32.man
xtensions/libxt_udp.c
xtensions/libxt_udp.man
xtensions/rename-dups.sh
xtensions/tos_values.c
nclude/Makefile.am
nclude/ip6tables.h
nclude/iptables.h
nclude/iptables/internal.h
nclude/iptables/internal.h.in
nclude/iptables_common.h
nclude/libipq/ip_queue_64.h
nclude/libipq/libipq.h
nclude/libiptc/ipt_kernel_headers.h
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libiptc/libxtc.h
nclude/linux/kernel.h
nclude/linux/netfilter.h
nclude/linux/netfilter/nf_conntrack_common.h
nclude/linux/netfilter/nf_conntrack_tuple_common.h
nclude/linux/netfilter/x_tables.h
nclude/linux/netfilter/xt_AUDIT.h
nclude/linux/netfilter/xt_CHECKSUM.h
nclude/linux/netfilter/xt_CLASSIFY.h
nclude/linux/netfilter/xt_CONNMARK.h
nclude/linux/netfilter/xt_CONNSECMARK.h
nclude/linux/netfilter/xt_CT.h
nclude/linux/netfilter/xt_DSCP.h
nclude/linux/netfilter/xt_IDLETIMER.h
nclude/linux/netfilter/xt_LED.h
nclude/linux/netfilter/xt_MARK.h
nclude/linux/netfilter/xt_NFLOG.h
nclude/linux/netfilter/xt_NFQUEUE.h
nclude/linux/netfilter/xt_RATEEST.h
nclude/linux/netfilter/xt_SECMARK.h
nclude/linux/netfilter/xt_TCPMSS.h
nclude/linux/netfilter/xt_TCPOPTSTRIP.h
nclude/linux/netfilter/xt_TEE.h
nclude/linux/netfilter/xt_TPROXY.h
nclude/linux/netfilter/xt_cluster.h
nclude/linux/netfilter/xt_comment.h
nclude/linux/netfilter/xt_connbytes.h
nclude/linux/netfilter/xt_connlimit.h
nclude/linux/netfilter/xt_connmark.h
nclude/linux/netfilter/xt_conntrack.h
nclude/linux/netfilter/xt_cpu.h
nclude/linux/netfilter/xt_dccp.h
nclude/linux/netfilter/xt_devgroup.h
nclude/linux/netfilter/xt_dscp.h
nclude/linux/netfilter/xt_esp.h
nclude/linux/netfilter/xt_hashlimit.h
nclude/linux/netfilter/xt_helper.h
nclude/linux/netfilter/xt_iprange.h
nclude/linux/netfilter/xt_ipvs.h
nclude/linux/netfilter/xt_length.h
nclude/linux/netfilter/xt_limit.h
nclude/linux/netfilter/xt_mac.h
nclude/linux/netfilter/xt_mark.h
nclude/linux/netfilter/xt_multiport.h
nclude/linux/netfilter/xt_osf.h
nclude/linux/netfilter/xt_owner.h
nclude/linux/netfilter/xt_physdev.h
nclude/linux/netfilter/xt_pkttype.h
nclude/linux/netfilter/xt_policy.h
nclude/linux/netfilter/xt_quota.h
nclude/linux/netfilter/xt_quota2.h
nclude/linux/netfilter/xt_rateest.h
nclude/linux/netfilter/xt_realm.h
nclude/linux/netfilter/xt_recent.h
nclude/linux/netfilter/xt_sctp.h
nclude/linux/netfilter/xt_set.h
nclude/linux/netfilter/xt_socket.h
nclude/linux/netfilter/xt_state.h
nclude/linux/netfilter/xt_statistic.h
nclude/linux/netfilter/xt_string.h
nclude/linux/netfilter/xt_tcpmss.h
nclude/linux/netfilter/xt_tcpudp.h
nclude/linux/netfilter/xt_time.h
nclude/linux/netfilter/xt_u32.h
nclude/linux/netfilter_ipv4.h
nclude/linux/netfilter_ipv4/ip_tables.h
nclude/linux/netfilter_ipv4/ipt_2connmark.h
nclude/linux/netfilter_ipv4/ipt_2dscp.h
nclude/linux/netfilter_ipv4/ipt_2ecn.h
nclude/linux/netfilter_ipv4/ipt_2mark.h
nclude/linux/netfilter_ipv4/ipt_2tcpmss.h
nclude/linux/netfilter_ipv4/ipt_2ttl.h
nclude/linux/netfilter_ipv4/ipt_CLASSIFY.h
nclude/linux/netfilter_ipv4/ipt_CLUSTERIP.h
nclude/linux/netfilter_ipv4/ipt_CONNMARK.h
nclude/linux/netfilter_ipv4/ipt_DSCP.h
nclude/linux/netfilter_ipv4/ipt_ECN.h
nclude/linux/netfilter_ipv4/ipt_FTOS.h
nclude/linux/netfilter_ipv4/ipt_LOG.h
nclude/linux/netfilter_ipv4/ipt_MARK.h
nclude/linux/netfilter_ipv4/ipt_NFQUEUE.h
nclude/linux/netfilter_ipv4/ipt_REJECT.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/linux/netfilter_ipv4/ipt_TCPMSS.h
nclude/linux/netfilter_ipv4/ipt_TTL.h
nclude/linux/netfilter_ipv4/ipt_ULOG.h
nclude/linux/netfilter_ipv4/ipt_addrtype.h
nclude/linux/netfilter_ipv4/ipt_ah.h
nclude/linux/netfilter_ipv4/ipt_comment.h
nclude/linux/netfilter_ipv4/ipt_connlimit.h
nclude/linux/netfilter_ipv4/ipt_conntrack.h
nclude/linux/netfilter_ipv4/ipt_dstlimit.h
nclude/linux/netfilter_ipv4/ipt_ecn.h
nclude/linux/netfilter_ipv4/ipt_esp.h
nclude/linux/netfilter_ipv4/ipt_hashlimit.h
nclude/linux/netfilter_ipv4/ipt_helper.h
nclude/linux/netfilter_ipv4/ipt_iprange.h
nclude/linux/netfilter_ipv4/ipt_length.h
nclude/linux/netfilter_ipv4/ipt_limit.h
nclude/linux/netfilter_ipv4/ipt_multiport.h
nclude/linux/netfilter_ipv4/ipt_physdev.h
nclude/linux/netfilter_ipv4/ipt_pkttype.h
nclude/linux/netfilter_ipv4/ipt_policy.h
nclude/linux/netfilter_ipv4/ipt_realm.h
nclude/linux/netfilter_ipv4/ipt_rpc.h
nclude/linux/netfilter_ipv4/ipt_sctp.h
nclude/linux/netfilter_ipv4/ipt_ttl.h
nclude/linux/netfilter_ipv6.h
nclude/linux/netfilter_ipv6/ip6_tables.h
nclude/linux/netfilter_ipv6/ip6t_LOG.h
nclude/linux/netfilter_ipv6/ip6t_MARK.h
nclude/linux/netfilter_ipv6/ip6t_REJECT.h
nclude/linux/netfilter_ipv6/ip6t_TCPMSS.h
nclude/linux/netfilter_ipv6/ip6t_ah.h
nclude/linux/netfilter_ipv6/ip6t_esp.h
nclude/linux/netfilter_ipv6/ip6t_frag.h
nclude/linux/netfilter_ipv6/ip6t_hl.h
nclude/linux/netfilter_ipv6/ip6t_hl_.h
nclude/linux/netfilter_ipv6/ip6t_ipv6header.h
nclude/linux/netfilter_ipv6/ip6t_length.h
nclude/linux/netfilter_ipv6/ip6t_limit.h
nclude/linux/netfilter_ipv6/ip6t_mark_.h
nclude/linux/netfilter_ipv6/ip6t_mh.h
nclude/linux/netfilter_ipv6/ip6t_multiport.h
nclude/linux/netfilter_ipv6/ip6t_opts.h
nclude/linux/netfilter_ipv6/ip6t_owner.h
nclude/linux/netfilter_ipv6/ip6t_physdev.h
nclude/linux/netfilter_ipv6/ip6t_policy.h
nclude/linux/netfilter_ipv6/ip6t_rt.h
nclude/linux/types.h
nclude/net/netfilter/nf_conntrack_tuple.h
nclude/net/netfilter/nf_nat.h
nclude/xtables.h
nclude/xtables.h.in
p6tables-restore.8
p6tables-restore.c
p6tables-save.8
p6tables-save.c
p6tables-standalone.c
p6tables.8.in
p6tables.c
ptables-multi.c
ptables-restore.8
ptables-restore.c
ptables-save.8
ptables-save.c
ptables-standalone.c
ptables-xml.c
ptables.8.in
ptables.c
ptables.xslt
ptables/.gitignore
ptables/Android.mk
ptables/Makefile.am
ptables/ip6tables-multi.h
ptables/ip6tables-restore.8
ptables/ip6tables-restore.c
ptables/ip6tables-save.8
ptables/ip6tables-save.c
ptables/ip6tables-standalone.c
ptables/ip6tables.8.in
ptables/ip6tables.c
ptables/iptables-apply
ptables/iptables-apply.8
ptables/iptables-multi.h
ptables/iptables-restore.8
ptables/iptables-restore.c
ptables/iptables-save.8
ptables/iptables-save.c
ptables/iptables-standalone.c
ptables/iptables-xml.1
ptables/iptables-xml.c
ptables/iptables.8.in
ptables/iptables.c
ptables/iptables.xslt
ptables/xshared.c
ptables/xshared.h
ptables/xtables-multi.c
ptables/xtables-multi.h
ptables/xtables.c
ptables/xtables.pc.in
ptables/xtoptions.c
ibipq/Makefile.am
ibipq/ipq_create_handle.3
ibipq/ipq_errstr.3
ibipq/ipq_message_type.3
ibipq/ipq_read.3
ibipq/ipq_set_mode.3
ibipq/ipq_set_verdict.3
ibipq/libipq.3
ibipq/libipq.c
ibiptc/.gitignore
ibiptc/Android.mk
ibiptc/Makefile.am
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
ibiptc/libiptc.pc.in
4/.gitignore
4/ax_check_linker_flags.m4
elease.sh
ests/options-ipv4.rules
ests/options-most.rules
tils/.gitignore
tils/Makefile.am
tils/nfnl_osf.c
tils/pf.os
47b5855bc396876295c6432e553351123a62534b 22-Jul-2011 Patrick McHardy <kaber@trash.net> Bump version to 1.4.12

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
4d8656ad9d0afd04820f125a85a7b673c7e74fe6 22-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TCPMSS: restore build with IPv6-less libcs

Commit v1.4.10-149-gea2a02f added a netinet/ip6.h include, which is
not available on systems without IPv6 header files.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
xtensions/GNUmakefile.in
xtensions/libxt_TCPMSS.c
1757ec846419c76da4e104f9675b40e05ac3eee6 22-Jul-2011 Jan Engelhardt <jengelh@medozas.de> extensions: use multi-target registration

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.c
xtensions/libxt_TEE.c
8e3c7cabff2fbb0e2b7bbf870928dc2c46ed2740 12-Jul-2011 Jeff Brown <jeffbrown@google.com> Remove the simulator target from all makefiles.
Bug: 5010576

Change-Id: I7731e32d21a2bbb2710bdde1515abac9b8e58309
ndroid.mk
88e0a097c3f23dadf041b60445c6c9802c502f15 11-Jul-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
d22ceae71eaae9f641e002074fb49cd7925a7c2f 10-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: move more data into the xt_option_entry

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
34d9ce1b80618eebcf63e933cf4a15cc5482c0d2 10-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: restore network-byte order for v1,v2

References: http://bugs.debian.org/632804
References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
3eab786d6a687187556c92b3dc0f0664d8352471 10-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: set clone's initial data to NULL

Avoid a crash in xs_init_match when a clone's m->udata points at the
parent.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> option: remove last traces of intrapositional negation

Intrapositional negation was deprecated in 1.4.3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_SET.c
xtensions/libxt_rateest.c
xtensions/libxt_sctp.c
xtensions/libxt_set.c
xtensions/libxt_tcp.c
nclude/xtables.h.in
ptables/ip6tables.c
ptables/iptables.c
ptables/xtables.c
0c384449ae9511157cd9b34d73f8f4cb71123a45 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: ignore whitespace in the multiaddress argument parser

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
c0e69db337540b22a3b3f739b1143341e7b759b7 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: properly reject empty hostnames

An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
795ea2e8d4d9f01a606d0d7aac22572801e06989 05-Jul-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
32cea83f26a2c342b9410e6dfb0530b33f8af928 05-Jul-2011 Jan Engelhardt <jengelh@medozas.de> iptables: restore negation for -f

This move was missed in commit v1.4.11~77^2~6.

References: http://bugs.debian.org/632695
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/iptables.c
d532d7663fd82984023a871aa953419ad1e905cb 04-Jul-2011 Jan Engelhardt <jengelh@medozas.de> doc: the -m option cannot be inverted

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.8.in
ptables/iptables.8.in
9cf0c00c226db02f8f3d129225844920704b97c1 04-Jul-2011 Jan Engelhardt <jengelh@medozas.de> doc: fix version string in ip6tables.8

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.8.in
411a4e50ec1030f2dc51c5b0156e0c7255c81905 04-Jul-2011 Jan Engelhardt <jengelh@medozas.de> build: install modules in arch-dependent location

Make it possible to have multiple types of ELF classes for the
extension modules by putting them in an arch-dependent path.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
NSTALL
onfigure.ac
411b390f3ffcd4708a0dfc0f2824a637de511cea 30-Jun-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
1c9508e1f3f853f33683eb7118e19b193a6c80b7 30-Jun-2011 Jan Engelhardt <jengelh@medozas.de> doc: mention multiple verbosity flags

"-vv" can be used to further increase the verbosity level. Document
this.

References: http://bugs.debian.org/616037
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.8.in
ptables/iptables.8.in
358650c0e280dad8c1292efbf856ac310004a52b 22-Sep-2009 Martin F. Krafft <madduck@debian.org> iptables-apply: select default rule file depending on call name

ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.

References: http://bugs.debian.org/547734
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/iptables-apply
92556c7047257284cc8659c769b800219cff47a5 30-Jun-2011 JP Abgrall <jpa@google.com> quota2: fix inversion handling for --quota


Change-Id: I55f21aaab3c90955b4ce61687651ada60f400037
Signed-off-by: JP Abgrall <jpa@google.com>
xtensions/libxt_quota2.c
2c841b56d9041c621b85314ba4faa4e824ca81be 27-Jun-2011 JP Abgrall <jpa@google.com> Merge remote branch 'remotes/goog/v1_4' into merge_v1_4_quota2
3c871010888e1479ef8fca2048485b979ec2661a 24-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: attempt to fix building under Linux 2.4

iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.

xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)

References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
ptables/xtables.c
447ddfbfb3ed16ad0059f4559334670e9b9806ec 13-Jun-2011 Jakub Zawadzki <darkjames@darkjames.ath.cx> doc: fix group range in libxt_NFLOG's man

References: http://bugzilla.netfilter.org/show_bug.cgi?id=723
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_NFLOG.man
622abc73b097e7e778b432e422fd3c1f035bcfd3 15-Jun-2011 Massimo Maggi <massimo@mmmm.it> libxt_RATEEST: fix userspacesize field

I cannot delete a rule by matching it if the target of the rule is
RATEEST.

Copy-paste from terminal:

# iptables -t mangle -A PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
# iptables -t mangle -D PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
iptables: No chain/target/match by that name.

I saw in comments of the kernel code that the last part of the struct
xt_rateest_target_info is used only by kernel:

struct xt_rateest_target_info {
char name[IFNAMSIZ];
__s8 interval;
__u8 ewma_log;

/* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};

but in struct xtables_target, .size and .userspacesize are equal.
Simply correcting this solved the problem.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=724
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_RATEEST.c
36574090407b87fbb72c752698c805ef87046ae8 24-Jun-2011 JP Abgrall <jpa@google.com> xt_quota2: fixup so that it works with iptables

It was using xtables-addons conventions: mostly incorrect arg parsing.

Change-Id: I6d2ed5518d122616f252a9436b3b3dc1bd201133
Signed-off-by: JP Abgrall <jpa@google.com>
xtensions/libxt_quota2.c
5caed2aebebf7c72dfa982f247ac35ec67a1b852 21-Jun-2011 JP Abgrall <jpa@google.com> Adding the original quota2 from xtables-addons

The original xt_quota in the kernel is plain broken:
- counts quota at a per CPU level
(was written back when ubiquitous SMP was just a dream)
- provides no way to count across IPV4/IPV6.

This patch is the original unaltered code from:
http://sourceforge.net/projects/xtables-addons
at commit e84391ce665cef046967f796dd91026851d6bbf3

Change-Id: Ia8b21394ea79ef55514748e96f769e40355a6ccf
Signed-off-by: JP Abgrall <jpa@google.com>
xtensions/libxt_quota2.c
xtensions/libxt_quota2.man
nclude/linux/netfilter/xt_quota2.h
f53710b16c2bae1843c3f5fee390f496dfa82526 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: RESOURCE_LEAK

xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
d0101690d9ae347d8a8ee9e340c5db72480046a3 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: VARARGS

xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/xtables.c
ee80faf4438102395bc4034894b6468453181be9 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: REVERSE_INULL

ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
ip6tables-restore.c:463: check_after_deref: Dereferencing "in"
before a null check.
iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
iptables-restore.c:468: check_after_deref: Dereferencing "in" before a
null check.
iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
iptables-xml.c:873: check_after_deref: Dereferencing "in" before a
null check.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables-restore.c
ptables/iptables-restore.c
ptables/iptables-xml.c
474c18d7982407246dd724c6fa3939f78466620a 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: NEGATIVE_RETURNS

libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibipq/libipq.c
96d0d0130a9a08803406c5c18681903446088ebf 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: DEADCODE

libiptc.c:407: dead_error_condition: On this path, the condition
"res > 0" cannot be false.
libiptc.c:396: at_least: After this line, the value of "res" is at
least 1.
libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as
false.
libiptc.c:396: new_values: Noticing condition "res < 0".
libiptc.c:425: new_values: Noticing condition "res < 0".
libiptc.c:407: new_values: Noticing condition "res > 0".
libiptc.c:435: dead_error_line: Execution cannot reach this statement
"return list_pos;".

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libiptc.c
f6677b5bcae125af28d227b9073426bddbd9190e 22-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: bump soversion for recent data structure change

Cf. commit v1.4.11.1-5-g2dba676.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
68146dad91611bd8d6d12c8ba27219130d99607b 22-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: use a more obvious expiry value by default

Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
would allow matching up to 6/min if a properly timed. To do what the
user expects, the minimum expiry must equal the selected time quantum
however.

Cc: Jan Rovner <jan.rovner@diadema.cz>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
ests/options-most.rules
70cb0a6d3e09f64f9a05870d694ac0160319de9a 22-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libxt_state: fix regression about inversion of main option

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_state.c
ests/options-most.rules
017e7b7e1cf4fb63208e46592d06cc030f6d552d 22-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_HL: fix option names from ttl -> hl

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_HL.c
ests/options-most.rules
12bc22a9d3e4ae4a3276dbae1cf3bd50ef5dbe9d 21-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libxt_RATEEST: abolish global variables

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_RATEEST.c
4a96d2e2c9d8c43b58d9490cd1d2ae2d1b3e0bef 21-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libxt_rateest: abolish global variables

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_rateest.c
2dba676b68ef842025f3afecba26cb0b2ae4c09b 18-Jun-2011 Jan Engelhardt <jengelh@medozas.de> extensions: support for per-extension instance "global" variable space

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
ptables/xshared.c
ptables/xtoptions.c
14190986f87301b18bcc473c842bd82d778d87a2 18-Jun-2011 Jan Engelhardt <jengelh@medozas.de> iptables: consolidate target/match init call

This is useful for the upcoming patch about per-instance auxiliary
data.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.c
ptables/iptables.c
ptables/xshared.c
ptables/xshared.h
68818f746bf9c68de04a75fbe756bf2c73e0fb32 21-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libxt_RATEEST: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_RATEEST.c
4e98e81ecdcc321d232edc42fac168d257e712ff 21-Jun-2011 Jan Engelhardt <jengelh@medozas.de> libipt_LOG: fix ignoring all but last flags

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_LOG.c
xtensions/libipt_LOG.c
ests/options-most.rules
3b7a22b44d74b9b05d5e4b0529ebf72c49dcbff5 17-Jun-2011 Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp> doc: document IPv6 TOS mangling bug in old Linux kernels

In Linux kernels up to and including 2.6.38, with the exception of longterm
releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby
IPv6 TOS mangling does not behave as documented and differs from the IPv4
version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the
aforementioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.

(*) Fixed by upstream commit:
1ed2f73d90fb49bcf5704aee7e9084adb882bfc5 (netfilter: IPv6: fix DSCP mangle code)

Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_TOS.man
84e34cd5d7baf69dd378ca8025122e244e4029c1 14-Jun-2011 JP Abgrall <jpa@google.com> Merge remote branch 'goog/v1_4' into merge_v1.4.11_into_master
8b4807f0a1d98f1d980d3d616ad565c9b72d7c49 11-Jun-2011 JP Abgrall <jpa@google.com> Post-merge fixup. Add new Android.mk, re-checkin generated files

They have no more compilable files in the top dir.
Created extra Android.mk for each subdir.

Regenerated the
include/iptables/internal.h and
include/xtables.h
with
./autogen.sh
export ANDROID_ROOT=$(gettop)/prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/
./configure -host=arm-eabi CC=arm-linux-androideabi-gcc CPPFLAGS="$funky_includes" CFLAGS="-nostdlib" LDFLAGS="-Wl,-rpath-link=$ANDROID_ROOT/arm-linux-androideabi/lib -L$ANDROID_ROOT/arm-linux-androideabi/lib"

Change-Id: Ia57ed699edd32ffce16e94e2f13fb93d94924a04
ndroid.mk
xtensions/Android.mk
nclude/iptables/internal.h
nclude/xtables.h
ptables/Android.mk
ibiptc/Android.mk
ebf81627b1a2f50fd47add49f9976ed430a19673 11-Jun-2011 JP Abgrall <jpa@google.com> Merge git://git.netfilter.org/iptables into v1.4.11_upstream

Using theirs, as they have taken some of my prior changes\
with some improvements.


Conflicts:
include/xtables.h.in
iptables/xtables.c
iptables/xtoptions.c

Change-Id: I8e1e537fbb868eeebb448c8f1d9e33b283448aac
931d388ff33dee589bc00e4f9033be5ca7c43786 09-Jun-2011 Jan Engelhardt <jengelh@medozas.de> doc: include matches/targets in manpage again

Evil sed did not throw any warning whatsoever when it cannot find the
file.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/Makefile.am
c960bde4a82792c285110589cf8b2cf1438e1b8f 08-Jun-2011 Patrick McHardy <kaber@trash.net> Bump version to 1.4.11.1

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
0727c2cea3ccd2b5bad4d6467125132cc700ad39 08-Jun-2011 Vlad Dogaru <ddvlad@rosedu.org> doc: fix MASQUERADE section of man page

The section about MASQUERADE specifies that it takes a single option,
but in reality it takes two: --to-ports and --random.

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_MASQUERADE.man
38ffc9dc5bb9f2b1d01bf0b0e28b7323b135f1ea 08-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: re-add missing CPPFLAGS for libiptc

These got lost on commit v1.4.11-12-g5c8f5b6.

Note: When /usr/include/libiptc/libiptc.h exists, this error is
masked away :-/ (IMO, #include-with-quotes "foo.h" should not
search system dirs...)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/Makefile.am
780607f8b040a47cd2d4775376e2d30f567dc049 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> option: fix ignored negation before implicit extension loading

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables/ip6tables.c
ptables/iptables.c
ptables/xshared.c
ptables/xshared.h
ests/options-most.rules
6a74dc80fcdf48e2b149e92aee08f3445055ea3b 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> tests: add some sample rulesets to test save-restore cycle

These rulesets use practically all options (I may have missed some)
for verification that the new Guided Option Parser would take the same
input as the old open-coded ones did. They might come in handy at some
point.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ests/options-ipv4.rules
ests/options-most.rules
033e25a3ad215ee3f5a07f0a3315f74c4abfaced 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
gitignore
akefile.am
onfigure.ac
p6tables-multi.h
p6tables-restore.8
p6tables-restore.c
p6tables-save.8
p6tables-save.c
p6tables-standalone.c
p6tables.8.in
p6tables.c
ptables-apply
ptables-apply.8
ptables-multi.h
ptables-restore.8
ptables-restore.c
ptables-save.8
ptables-save.c
ptables-standalone.c
ptables-xml.1
ptables-xml.c
ptables.8.in
ptables.c
ptables.xslt
ptables/.gitignore
ptables/Makefile.am
ptables/ip6tables-multi.h
ptables/ip6tables-restore.8
ptables/ip6tables-restore.c
ptables/ip6tables-save.8
ptables/ip6tables-save.c
ptables/ip6tables-standalone.c
ptables/ip6tables.8.in
ptables/ip6tables.c
ptables/iptables-apply
ptables/iptables-apply.8
ptables/iptables-multi.h
ptables/iptables-restore.8
ptables/iptables-restore.c
ptables/iptables-save.8
ptables/iptables-save.c
ptables/iptables-standalone.c
ptables/iptables-xml.1
ptables/iptables-xml.c
ptables/iptables.8.in
ptables/iptables.c
ptables/iptables.xslt
ptables/xshared.c
ptables/xshared.h
ptables/xtables-multi.c
ptables/xtables-multi.h
ptables/xtables.c
ptables/xtables.pc.in
ptables/xtoptions.c
shared.c
shared.h
tables-multi.c
tables-multi.h
tables.c
tables.pc.in
toptions.c
5c8f5b60aa8e24da0bd25824f0f85bf7a4a39ea7 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all libiptc pieces into its directory

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
gitignore
akefile.am
onfigure.ac
ibiptc.pc.in
ibiptc/.gitignore
ibiptc/Makefile.am
ibiptc/libiptc.pc.in
4598ed7d3e22d74ffaad7948ddc3455ac9aa7576 07-Jun-2011 Maciej Żenczykowski <zenczykowski@gmail.com> xtables-multi: fix absence of xml translator in IPv6-only builds

Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code
into the xtables-multi binary.

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
ptables-multi.h
ptables-xml.c
tables-multi.c
tables-multi.h
7ba421f1d968e5aa819bc5b49bd40cd127daa5fa 03-Jun-2011 JP Abgrall <jpa@google.com> android build: support lack of __ANDROID__ in older toolchains

The external master repo uses
arm-eabi-4.4.3
which doesn't define
__ANDROID__
causing the newly added conditionals to fail, leading to
a redefinition of 'struct iphdr'.


Change-Id: If92e3e7c221f903c8f6f92d7dba91de59314769e
ndroid.mk
a1cd1f2a4a35427c68cd0d1bd2761d5be42b12b1 07-Mar-2011 Elie De Brauwer <eliedebrauwer@gmail.com> doc: fix trivial typo in libipt_SNAT

The word "occur" had unfortunately been removed in v1.3.8~23.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=707
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_SNAT.man
6918795519ddbf4d0efa9aa5b1b51cdafb99c55a 03-Apr-2011 Mike Frysinger <vapier@gentoo.org> build: move remaining preprocessor flags to CPPFLAGS

References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
xtensions/GNUmakefile.in
ibipq/Makefile.am
tils/Makefile.am
5085c3a037fa9327377dec7540d9c3ef2d53a58e 01-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: move kinclude's preprocessor flags to kinclude_CPPFLAGS

References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/GNUmakefile.in
8e336251e155888f0ac2c79259f8792fc31920a1 01-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: move basic preprocessor flags to regular_CPPFLAGS

This is where they belong, after all.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/GNUmakefile.in
ibipq/Makefile.am
tils/Makefile.am
f3e7d3f9f00a6daaf2fad79f391013fb3fcde81a 27-May-2011 Jean-Baptiste Queru <jbq@google.com> Merge iptables 1.4 onto master (do-over)

Change-Id: I934953eee1a457cd1c82e9e4a412f4725033ff3e
a6793dbb87751a6a201c76ad75efb5d6b7f1e484 30-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: iptables-xml should be in manpage section 1

References: http://bugs.debian.org/623112
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
ptables-xml.1
ptables-xml.8
0e6d4dcaccdc86079d7252f6569a9fc6656a63c4 30-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: update GPL license text

The Open Build Service/rpmlint flagged the outdated address in the
license text :-)

iptables.x86_64: W: incorrect-fsf-address
/usr/share/doc/packages/iptables/COPYING
The Free Software Foundation address in this file seems to be outdated
or misspelled. Ask upstream to update the address, or if this is a
license file, possibly the entire file with a new copy available from
the FSF.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
OPYING
de791ff2d7ac85fa0a707bbd6d98457bb18c5cbb 30-May-2011 Jan Engelhardt <jengelh@medozas.de> build: fix absence of xml translator in IPv6-only builds

Due to iptables-xml being listed under IPV4 only, its symlink was not
created on `./configure --disable-ipv4 && make install`.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
71e402bbb3db7b54571f0e44354fd37706ff90aa 30-May-2011 Jan Engelhardt <jengelh@medozas.de> build: fix installation of symlinks

Commit v1.4.11~20 forgot to change the symlink target names to the new
executable name.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
7d91a2accc92d13bb32bf881831e9c9a8b4d7734 30-May-2011 Jan Engelhardt <jengelh@medozas.de> build: remove dead code parts

gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags
no-op code.

CC libiptc/libip4tc.lo
In file included from libiptc/libip4tc.c:118:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:113:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC xtables_multi-iptables-xml.o
iptables-xml.c: In function "do_rule_part":
iptables-xml.c:376:8: warning: variable "thisChain" set but not used
CC xtables_multi-ip6tables.o
ip6tables.c: In function "print_firewall":
ip6tables.c:552:10: warning: variable "flags" set but not used

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables-xml.c
ibiptc/libiptc.c
874b76221f74a00520a712ef89b5254a1ed896f8 29-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_owner: restore inversion support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_owner.c
172e9b15271c276aa1485b4a2fb63928a65b13ae 26-May-2011 Patrick McHardy <kaber@trash.net> Bump version to 1.4.11

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
790845385fb84ce8e79a96e91fc6c4f7df60713d 25-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
db50b83bc3cd634beb71f38978ad7d035c88ff11 23-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_time: deprecate --localtz option, document kernel TZ caveats

Comparing against the kernel time zone has significant caveats. This
patch adds documentation about the issue, and makes --utc the default
setting for libxt_time.

Furthermore, throw a warning on using the "--localtz" option, to avoid
confusion with one's shell TZ environment variable, and rename it to
"--kerneltz" to be explicit about whose timezone will be used.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_time.c
xtensions/libxt_time.man
1201871343223d9781253283a64686be4e63ad52 23-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_time: --utc and --localtz are mutually exclusive

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_time.c
b1319cc083de658c0007da93f25d19874f75d55f 23-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_time: always ignore libc timezone

Since xt_time is meant to work across many months, libc doing
automatic conversion from local time to UTC (during parse) is
unwanted, especially when --utc is specified. The same goes for
dumping.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_time.c
d8784613a5be2821ff910cd4c2bfe889a9b306c5 25-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_NFQUEUE: add mutual exclusion between qnum and qbal

Only one is printed on save operation, which leads me to believe that
only one is meant to be used. The manpage seems to corroborate.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_NFQUEUE.c
089585f14fda80508e26ea019703add07cb72f64 25-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_NFQUEUE: avoid double attempt at parsing

Fixes this error:

NFQUEUE: option "--queue-num" can only be used once.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_NFQUEUE.c
6944f2c8190f1c4319aeac748470c71b0ba45025 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: have xtopt_parse_mint interpret partially-spec'd ranges

When ":n" or "n:" is specified, it will now be interpreted as "0:n"
and "n:<max>", respectively. nvals will always reflect the number of
(expanded) components. This restores the functionality of options that
take such partially-unspecified ranges.

This makes it possible to nuke the per-matchdata init functions of
some extensions and simplify the extensions postparsing to the point
where it only needs to check for nvals==1 or ==2.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ah.c
xtensions/libip6t_frag.c
xtensions/libip6t_rt.c
xtensions/libipt_ah.c
xtensions/libxt_conntrack.c
xtensions/libxt_esp.c
xtensions/libxt_length.c
toptions.c
1b6c7632e5e35ecce91f87a4ae36eca3103cfee2 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: unclutter xtopt_parse_mint

..by moving type-based actions into their own function.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
57e2e37ebe5319cf84381bdb319ea94143b1bf97 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: make multiint parser have greater range

Since parse_mint can handle XTTYPE_UINT64RC, it must allow numbers
larger than UINT32_MAX.

Cc: JP Abgrall <jpa@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
0b7a140944738d67b9c4e6f09992c8407eefb18a 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: use uintmax for xtables_strtoul

Addendum to 2305d5fb42fc059f38fc1bdf53411dbeecdb310b.

I noticed that unsigned long long is not consistently used, for
example, min/max are still just unsigned long, and strtoul is being
called.

Instead of changing it to unsigned long long, just use uintmax
functions right away so this does not need size-related changing in
the future.

Cc: JP Abgrall <jpa@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
tables.c
toptions.c
5e35b7d435c5bc1b3641f76a6601a55d32d63ac8 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: more detailed error message on multi-int parsing

Now shows where exactly the error is.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
319046c3f96f810f81a5a2e6189ba87527e882f1 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_rt: restore --rt-type storing

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_rt.c
5a66f40d2f64e8792e1360906d3d6a1c829ba2b7 24-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_u32: --u32 option is required

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_u32.c
c52f7aa866ee3cdc0e0dc67f3eae629055a126dc 23-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_ipvs: restore network-byte order

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_ipvs.c
9039600d2a50970274b5a13f6f616e38cc9c3e6d 23-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: remove redundant .IP calls in libxt_time

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_time.man
4f0d5a7fd4cb1452493921446603c837316e0179 23-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: use .IP list for TCPMSS

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.man
17f7937f79af4d260c60cb800e56fc0df0a48b37 23-May-2011 Lutz Jaenicke <ljaenicke@innominate.com> libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags

Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_devgroup.c
10345ca36786592aa176036f11dd186b24ba1c76 21-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: clarify that -p all is a special keyword only

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.8.in
ptables.8.in
25ea60de20fb5f7981a0170eb05c0c9a61525763 17-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: make usage of libxt_rateest more obvious

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_rateest.man
88cfbe258b0d30ef26fae8da5484b08e65292a09 21-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: add some coded option examples to libxt_hashlimit

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.man
60b9051f64869434c5bab6739556cb1975232267 20-May-2011 JP Abgrall <jpa@google.com> androidify build: Add Android.mk and support script

The Android.mk is based on what a generated makefile would look like.

The extra filter_init script is to work around the fact that we can't have
-D_INIT=lib$*_init
passed down as some compile flags due to $*.
This is used to rename all the modules' init() functions.

Some modules are excluded because they are not needed and would require
more changes in bionic to accommodate the needed types.

Change-Id: I9422a5d30ff22a56f28b2c80f6aba8d28b28a051
Signed-off-by: JP Abgrall <jpa@google.com>
ndroid.mk
xtensions/filter_init
463628b03eec6e7456ca5121f9b81af7f4690e08 12-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_rateest: streamline case display of units

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_rateest.c
d61b02fbbbe7f6e643aad8649c8559c175c68c52 20-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: check for negative numbers in xtables_strtou*

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
2305d5fb42fc059f38fc1bdf53411dbeecdb310b 19-May-2011 JP Abgrall <jpa@google.com> libxt_quota: make sure uint64 is not truncated

The xtables_strtoul() would cram a long long into a long.
The parse_int would try to cram a UINT64 into a long.
nclude/xtables.h.in
tables.c
toptions.c
67db7615580f5c3490a39310f5adcb4e767ea6a8 20-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_quota: readd missing XTOPT_PUT request

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_quota.c
16bd81be22ba2753e26f6a9ee6cb291e1e707d0d 19-May-2011 JP Abgrall <jpa@google.com> androidifying: fixup includes and extraneous typedefs for __ANDROID__

The current code would take steps to define missing types, and include
extra stuff based on GLIBC defines/versions.
Make those places be ANDROID aware.

Change-Id: I2d1f03e3c0f7f53250288a84db4c9ccf0431d482
Signed-off-by: JP Abgrall <jpa@google.com>
nclude/libiptc/ipt_kernel_headers.h
ibiptc/libip4tc.c
ibiptc/libip6tc.c
tables.c
b3d101788ebac83cdf7aa71f78069cf1af4a748d 19-May-2011 JP Abgrall <jpa@google.com> androidifying build: allow check-in of generated files.

internal.h and xtables.h are generated at ./configure time from their *.h.in and
are gitignored.

These were generated with:

./autogen.sh
export ANDROID_ROOT=$(gettop)/prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/
./configure -host=arm-eabi CC=arm-linux-androideabi-gcc CFLAGS="-nostdlib" LDFLAGS="-Wl,-rpath-link=$ANDROID_ROOT/arm-linux-androideabi/lib -L$ANDROID_ROOT/arm-linux-androideabi/lib"

Change-Id: Ic0178d74d846cc989d4fa29029bf5e04911c85bc
Signed-off-by: JP Abgrall <jpa@google.com>
gitignore
nclude/iptables/internal.h
nclude/xtables.h
b65b9fe5096bd49a9ec2f0f6c2f23d274cfc88ee 19-May-2011 JP Abgrall <jpa@google.com> xtoptions + quota: parse and store 64bit values

The xtables_strtoul() would cram a long long into a long.
The parse_int would try to cram a UINT64 into a long.
The quota_parse would just ignore whatever value was parsed.

Change-Id: Ie1f05e98e974a255d962dd757a5592458f942f8b
xtensions/libxt_quota.c
nclude/xtables.h.in
tables.c
toptions.c
ae06c6dc6d68d11ed15d4c6c47b7b7a709d3c9cb 18-May-2011 Lutz Jaenicke <ljaenicke@innominate.com> libipt_REDIRECT: "--to-ports" is not mandatory

The REDIRECT target can be called without the --to-ports option
being specified. From the manual page:
...without this, the destination port is never altered.

Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_REDIRECT.c
c02c92d1fcaa1223caf9a5eef32bedcb78f1e714 18-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: retract _NE types and use a flag instead

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TPROXY.c
nclude/xtables.h.in
toptions.c
65c0621d48e818d75f8c2810e93eb405a6d31406 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_rt: rt-0-not-strict should take no arg

This unfortunately got mixed up during the getopt -> guided parser
move.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_rt.c
9bfedca6347c2e079e569954197777813f4ef2fb 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: resolve erroneous rev-2 port range message

--ctorigdstport 13
ip6tables-restore v1.4.10: conntrack rev 2 does not support port ranges

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
fe9922cb4f1fb75072970dd09605fdc056b96195 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: fix assignment to wrong member

Of course the range end ought to be set, not doing the start value
twice.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
10dbcd0bfb5a62a71a706d11134f83b0539f4dd3 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: correct printed module name

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
f25b2355e889290879c8cecad3dd24ec0c384fb8 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_[SD]NAT: avoid false error about multiple destinations specified

iptables-restore v1.4.10: DNAT: Multiple --to-destination not supported

xtables_option_parse sets cb->xflags already, so that it cannot be
directly used to test whether an option is being used for the second
time. Thus use a private option/flag (X_TO_DEST/SRC) that is not under
the control of xtables_option_parse.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_DNAT.c
xtensions/libipt_SNAT.c
e82d031af24c8155357c6f2d2b2e236bd6cf67e4 13-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_[SD]NAT: flag up module name on error

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_DNAT.c
xtensions/libipt_SNAT.c
85f423addb46736e414f70b59c9f885e99aeb488 12-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: collapse double protocol parsing

Un-dent xtables_parse_protocol, and make xtopt_parse_protocol make use
of it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
toptions.c
cdc8e0b252c14a17b47e1c89a2fa4dbac2002473 12-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_policy: use XTTYPE_PROTOCOL type

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_policy.c
ab847dfe38529d2aa67cc8178a54d5b45af11cfa 12-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: avoid running into .also checks when option not used

If a particular option was not specified, it should not be subject to
.also checks in xtables_option_fcheck2 either.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
15392934cf81ef85e2a1c21380c61a7a42e260d5 12-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_policy: option table fixes, improved error tracking

Most of the flags are multi-use in this extension. Also transfer
--next => --strict requirement to option table.

Furthermore, augment the error messages emitted from fcheck to contain
the policy element number, and elaborate on what an "empty policy
element" is.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_policy.c
xtensions/libxt_policy.man
449cdd6bcc8d1867bbd26ecbcae9832ab01eb04a 12-May-2011 Jan Engelhardt <jengelh@medozas.de> src: combine default_command functions
p6tables.c
ptables.c
shared.c
shared.h
dcd1ad89105faf1f3a9a3febdb970b70c5466518 09-May-2011 Jan Engelhardt <jengelh@medozas.de> src: replace old IP*T_ALIGN macros

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
p6tables.c
ptables.c
ibiptc/libip4tc.c
ibiptc/libip6tc.c
59ce5bd1d05225911051a4c46ce5ccdd7c1ed078 12-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'floating/opts' of git://dev.medozas.de/iptables
8075493a00e06857147263574333df4073ea671b 11-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'opts' of git://dev.medozas.de/iptables
77b6230adfe51836ad5b31b41638b43e9b0062e2 11-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
c29f7ef7cb5a31620060ef721d3c65b343eb537a 09-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'opts' of git://dev.medozas.de/iptables
8d14aeb8c4c3dc8ce9264b04b97f2e8634c1f381 09-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_SAME: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_SAME.c
c0bba1a8033ce15d1eec80da94c8f249a967568e 09-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_REDIRECT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_REDIRECT.c
bf07750fd4fc5f5e603e59e72d62696d2389e9b3 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_MASQUERADE: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_MASQUERADE.c
9f4a637ee5856e8f260e3f3867782ed5584e00f9 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_SNAT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_SNAT.c
f875e84427de17b34ecb69a56d87161571ffab76 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_DNAT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_DNAT.c
ce4b79577fa9c1ed68c36797890d39ca5ba9a8bf 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_iprange: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_iprange.c
4eb3d6da8f677f978126bb00928f64da15c3d623 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_CLUSTERIP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_CLUSTERIP.c
7e79d139c1ea6e1b72bbedc53c0426c9d5ffa0e0 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_mac: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_mac.c
cb225e26856accf5661dcbc3cf34d7f77b2f0c36 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_ETHERMAC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
1f8e52ed2ac513476dc93fedde915079c4387728 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_rt: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_rt.c
7752e649cec9d23b867d166ace38d213f0584077 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_mh: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_mh.c
73425492d4c57d34a616d948666ac75ecc612eed 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
58e9118dc61c9ff656c0140c429f0fa892c36ac5 09-May-2011 Jan Engelhardt <jengelh@medozas.de> doc: S/DNAT allows to omit IP addresses

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_DNAT.c
xtensions/libipt_DNAT.man
xtensions/libipt_SNAT.c
xtensions/libipt_SNAT.man
7c816547270050ccc29fb07c9e62c230e015c8e3 14-Mar-2011 Changli Gao <xiaosuo@gmail.com> iptables: fix the dead loop when meeting unknown options

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
shared.c
edc2b1adf32d2b11e126174f525293b3bca6e7bc 09-May-2011 Patrick McHardy <kaber@trash.net> Merge branch 'opts' of git://dev.medozas.de/iptables
372203af4c70fb20bc7ff3a49788b9bbf57d2eb1 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_ipvs: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_ipvs.c
170cf49a630fd0d237818b537c01794dde00b07a 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_PROTOCOL support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
0f77e2e40a498688f3d8f8a65bf74ce13db893b2 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_limit: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_limit.c
ef7d2e845f72fd3a01c9d89e73c90de5dcca73a7 08-May-2011 Jan Engelhardt <jengelh@medozas.de> libipt_NETMAP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_NETMAP.c
87a34d7aef2cba833f4f36536575dee304bbece5 07-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_multiport: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_multiport.c
nclude/xtables.h.in
toptions.c
94cd683a969e024ec870df258fafd790b8a1abf1 06-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_osf: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_osf.c
21d243c3152f0798683aacbf95acfc8c1378924e 06-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_owner: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_owner.c
d441ad6a68c5d65344449962f4648d297d453b6c 06-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_policy: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_policy.c
66266abd17adc9631f3769ef0b82968c0bac6f38 05-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_HOSTMASK support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
fe02f76e013941a7f65f57f297d3177bcfeb0623 04-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
fa9b759bacc0ad6a093892ef508811e7feb981b0 04-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_PLEN support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
269cbfd30aac18c1fd251be83430dabc60abee0c 05-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: flag invalid uses of XTOPT_PUT

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
d7282413763b0ba85d512c1cd49174b762ff449c 04-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: do not overlay addr and mask parts, and cleanup

XTTYPE_HOSTMASK will require that what has now become haddr,
hmask/hlen are not overlays of another. Thus relax the structure and
always set all members of the {haddr, hmask, hlen} triplet now for all
types that touch any of the members.

Add some more comments and clean out ONEHOST.
xtensions/libxt_TEE.c
xtensions/libxt_TPROXY.c
nclude/xtables.h.in
toptions.c
51a746e6b1d66ca546fd2f8a1f7809868174e637 04-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_recent: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_recent.c
27adf1ec123b949f1c7b48fbdef67d1d4ed18901 01-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.c
e8b42fee7eaa1ba6df203fe0bc4496cae226cbd2 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: support for XTTYPE_PLENMASK

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
6cfb28bb9032dcf2749ff80f88ad37b9fe5e7c2a 01-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_NFLOG: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_NFLOG.c
a0b2facfa1fe70d9a9e628b09bc4895de0bfd672 01-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_IDLETIMER: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_IDLETIMER.c
3c7f501545828965908cc28fc40f7da2be747561 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_statistic: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_statistic.c
f012b3c9190cd95ac170072f759a97575613ea07 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_DOUBLE support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
39d3aa36ea38668a2c343b5af42b2d8d3616a9de 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_statistic: increase precision on create and dump

Currently, libxt_statistic only dumps the probability with a
granularity of 1/1000000. Assuming only stuffed packets with 1440
bytes payload, this would match approximately every 1.341 GB, which is
pretty low for a high-volume router. Trying to match any larger
interval than that (e.g. 2 GB) will cause libxt_statistic to output
"--probability 0.000000", and when restored, will cause it to never
match again.

Bump the dump precision to what xt_statistic can really do, and adjust
the manpage to include a word about it.

Furthermore, employ explicit rounding when reading the argument from
the command line, because the previous implicit conversion would use
truncation, which is not very exact.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_statistic.c
xtensions/libxt_statistic.man
d118d21ea3108f94ca1f84f11dd39f3f12e9ee2b 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_statistic: streamline and document possible placement of negation

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_statistic.c
xtensions/libxt_statistic.man
dd6e4b90b5b2dbc2bbaac5008e26949a18478197 07-May-2011 Jan Engelhardt <jengelh@medozas.de> extensions: const annotations

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ipv6header.c
xtensions/libip6t_rt.c
xtensions/libxt_dccp.c
xtensions/libxt_multiport.c
xtensions/libxt_policy.c
xtensions/libxt_sctp.c
xtensions/libxt_tcp.c
xtensions/libxt_udp.c
e1639b0bc28420ca01d733749c8db16d5a3fbd0c 05-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: output name of extension on rev detect failure

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
752a30dfe4429ec2623a3c1181e1499b87158c5c 06-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_owner: remove ifdef IPT_COMM_OWNER

Ever since we keep a copy of the header files anyway, IPT_COMM_OWNER
is always available.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_owner.c
104fb318d22231c9edf9d61ef84cc84386e52d6b 07-May-2011 Jan Engelhardt <jengelh@medozas.de> extensions: remove bogus use of XT_GETOPT_TABLEEND

Commit v1.4.8-36-g32b8e61 added this end marker in a little too many
places: at non-getopt places. Fix that.

Also change the definition of XT_GETOPT_TABLEEND to reference a struct
getopt member by name so that this cannot happen again.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_rateest.c
nclude/xtables.h.in
373e8513c4b9b0491e46ae89397ead03d093ee76 06-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_u32: add missing call to xtables_option_parse

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_u32.c
0787a82873fe9db5dea478942b183e6ff2a8500d 02-May-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
06312dab6c530a214a4e7bad1b2329381430bddc 01-May-2011 Jan Engelhardt <jengelh@medozas.de> libxt_tos: add inversion support back again

It was unfortunately removed during the option parser switch.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tos.c
753bbed383cde1c18e05b5b726b6c28afbde3a3c 20-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxt_dccp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_dccp.c
2e73af96178f0ed7ebbd99478f1bc05ec5c86dc7 19-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxt_udp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_udp.c
f30231a02e145020fb47524f9a0daeb498a4f7d0 17-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_PORTRC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
ee1fbbe536c6dd3a252886815314cf910d672ca6 29-Apr-2011 Jan Engelhardt <jengelh@medozas.de> extensions: remove unused TOS code

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/tos_values.c
d8f591993eb610b41f3170a94a879edd24ad348a 29-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxt_tos: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tos.c
61cc52b6f9edfa3efb1d0c9ea9531abb42828ec2 29-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TOS: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TOS.c
nclude/xtables.h.in
toptions.c
26ed9ea93564bb5ffdb5238eaa202cd9bcf6d6d1 05-Apr-2011 Maciej Żenczykowski <maze@google.com> combine ip6?tables-multi into xtables-multi

Signed-off-by: Maciej Zenczykowski <maze@google.com>
gitignore
akefile.am
p6tables-multi.c
ptables-multi.c
tables-multi.c
9a9694fbf1796a6a5011b60b2a15c01fa3c61368 06-Apr-2011 Maciej Żenczykowski <maze@google.com> Move common parts of libext{4,6}.a into libext.a

Signed-off-by: Maciej Zenczykowski <maze@google.com>
gitignore
akefile.am
xtensions/GNUmakefile.in
nclude/xtables.h.in
p6tables-restore.c
p6tables-save.c
p6tables-standalone.c
ptables-restore.c
ptables-save.c
ptables-standalone.c
57664121bce6d3ae05a186c7627c919fb0799649 14-Apr-2011 Maciej Żenczykowski <maze@google.com> Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.

This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.

Example:
iptables-restore config
ip6tables-restore config

Where the file 'config' contains:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh - [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -6 -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
-A ssh -j ACCEPT

COMMIT

Signed-off-by: Maciej Zenczykowski <maze@google.com>
p6tables.c
ptables.c
b32b361a725c8fe3a3aa494e6cdec09a80785aac 19-Apr-2011 Maciej Zenczykowski <maze@google.com> Don't load ip6?_tables module when already loaded

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
shared.h
tables.c
57a92c7b7ed01ad8f49c680af63341409c3afb1a 18-Apr-2011 Patrick McHardy <kaber@trash.net> Merge branch 'floating/opts' of git://dev.medozas.de/iptables
e39f367d905670e39e6f08d2b73c715a6d0b4bfb 17-Apr-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> SET target revision 2 added

The new revision of the SET target supports the following new operations:

- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already
  exists then reset the timeout value to the specified one (or
  to the default from the set definition)
xtensions/libxt_SET.c
xtensions/libxt_SET.man
xtensions/libxt_set.c
nclude/linux/netfilter/xt_set.h
44517bda3d8130638882f69478a8091316f30cbb 14-Apr-2011 Jan Engelhardt <jengelh@medozas.de> xtoptions: respect return value in xtables_getportbyname

If ret was negative, ntohs may make it positive, which is undesired.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
toptions.c
d44c31ac8e52f34e058f44aba14f679abcc7edf9 14-Apr-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TEE: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TEE.c
3a32dcbb5512bfc1fd385c26fb906ce8562200da 14-Apr-2011 Jan Engelhardt <jengelh@medozas.de> build: bump libxtables ABI version

Adding the x6_* members to struct xtables_{match,target} caused a
change requiring a bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
1f2474ae5276e49005c8e234dec091b007e3fce2 08-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libipt_ULOG: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_ULOG.c
64cb56e3e894f6b8b523ecb45f91abe43b07cf0c 09-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TPROXY: use guided option parser

I am starting with a simple module here that does not require a
final_check function.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TPROXY.c
b8592fa3352018646b0befaa48f930f75c5b7d92 14-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_PORT support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
2b01f706e7ba48d72e57f8e47457a86d9ed44992 14-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_ONEHOST support

The bonus of the POSIX socket API is that it is almost protocol-agnostic
and that there are ready-made functions to take over the gist of address
parsing and packing.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
0dd344a9bedc24feb6ad99d4620bdc7da171c72d 15-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_LOG: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_LOG.c
xtensions/libipt_LOG.c
41a4cea0f4109fb76762dca073c3c1217658ee06 15-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_SYSLOGLEVEL support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
c618a0b1d3696c30f7791a427da9ba60186dfe05 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_string: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.c
33d180871bea281a448efd0c1a49517318162382 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: pass struct xt_entry_{match,target} to x6 parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
ea2a02f7e961011b2e226c25a5e8ff49e1f84278 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TCPMSS: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.c
478be25c3b64e0f2ddbd2aa97ebe78df7ca00c0a 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_NFQUEUE: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_NFQUEUE.c
a05562e1e2fb2e18f34d29ec57c4217a3014d1f2 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_CT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CT.c
0eff54bd407aae6b99c3b189d356929e399b5a38 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT16 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
09631dc60ce41bc484a42fcf4d4ddf7036820bd1 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connbytes: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connbytes.c
bc438c4cbdab09fafbbceecddd54e44e4234a4a1 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT64RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
8bf513ada0aae0e4b1ac5160113fc532c2f525d0 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT8RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
ba77b9b142b55c856b0a2950eddece7ad7e6bfbc 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_tcpmss: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tcpmss.c
c15f9e3f6d8552cddfc858b115d996c7cf5b47e9 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_length: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_length.c
564eaf48e14411803a353206eefbb89d525c63ff 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT16RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
f04d48879fea70451148d7867d5a388efe63b48f 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libipt_realm: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_realm.c
5d8e61ef4636383ca47cd748cd7457a238de37a6 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_devgroup: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_devgroup.c
2e0ec4fa0fb5162c441cd666f55fe76777e40d5e 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: linked-list name<->id map

This consolidates the maps from libxt_devgroup and libxt_realm.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
1e6c1ee1bf2822d5fdf61725148700a410fb8b86 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_quota: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_quota.c
8b5bdea659f1fb86b3288a2568ab104a90b914e5 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT64 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
7299fa4b615d7f7ee12cde444266f6b31f667f9f 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_CONNMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNMARK.c
xtensions/libxt_connmark.c
60756e7f8be9242b606f1b5fbcb38f45e4de29c5 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_MARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_MARK.c
xtensions/libxt_mark.c
d25e217578492d17f7752bf77cfab5f2c2509795 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_MARKMASK32 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
316ae9d2f1996caea4cf221201accb8c2087a154 13-Apr-2011 Patrick McHardy <kaber@trash.net> Merge branch 'opts' of git://dev.medozas.de/iptables
cd50f26ad6016ae57af1f822f8aa3ceb2ef9727a 12-Apr-2011 Patrick McHardy <kaber@trash.net> Merge branch 'opts' of git://dev.medozas.de/iptables
884d2675f1a880ffcc072da69ab8c9aaea2a3bce 12-Apr-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
aeb8af909befedbfc85e9f184471b219e4ea191a 09-Apr-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Fix set match/target direction parser

The direction parser did not catch when more src/dst direction
parameters were supplied than allowed.
xtensions/libxt_set.h
c0431520a5f91e754cec8d827d8f978da4241717 06-Apr-2011 Jan Engelhardt <jengelh@medozas.de> doc: avoid duplicate entries in manpage

Commit v1.4.9-35-gd4105ad changed from [A-Z] and [a-z] to use
[[:alnum:]], which unfortunately drew matches into the target section,
and targets into the match section. [[:upper:]] and [[:lower:]] should
have been used instead, of course.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
4f7f187ffe1773487071b413491f062d141309dd 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_u32: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_u32.c
d64d54777b4a9405a8229a533e44a2e80f000a9f 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_time: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_time.c
72ef3d3063ce7a12ee199f9539e958b4f4ca561d 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_state: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_state.c
de31da35a8042db0ea1b106b77d03a5920e7198b 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_pkttype: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_pkttype.c
2291d887cea2412af380f1ae995ddfee0362386b 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_physdev: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_physdev.c
76e18aeaa67940544a3d5b740a37dce4f169a108 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_helper: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_helper.c
cc2511ee64df98e45d0b42a93a9b789b9726d4b9 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_comment: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_comment.c
693420f27bea05ef22a218cd599e42af5b014453 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_TCPOPTSTRIP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPOPTSTRIP.c
03fe3d289ded9b1b8640e4be1398b0cf1f7e4fa0 02-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_SECMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_SECMARK.c
942f140a57745f5e12d6a8cd2a4ca3f51ef4403a 06-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_LED: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_LED.c
72c359784a03b1ea46a9964e5c1f8636a52507dd 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_DSCP: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_DSCP.c
xtensions/libxt_dscp.c
35459f05f5addd1b92c32a241863995aa619495b 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_CLASSIFY: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CLASSIFY.c
ba3b73f0d3aae8188ff0b75d0839c841352f7760 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libxt_AUDIT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_AUDIT.c
94c5d622b2c88d78a153b9e2986467c84417020d 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libipt_addrtype: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_addrtype.c
e36463232e2f1fe9363700b2740c2a82dbf1821d 03-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libipt_ECN: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_ECN.c
xtensions/libipt_ecn.c
b26d08b56eb81779589eb43fb0f636ac9eb51cb2 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_ipv6header: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ipv6header.c
1b8db4f4ca250f13a0e7edddb31cfc1f82d42806 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_icmp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_icmp6.c
xtensions/libipt_icmp.c
7a969bb06cef93b6b0dadbb784c30d33856445d1 03-Mar-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_hbh: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_hbh.c
082e9e11ed345572e2bf4790a5f8ba5245164fc6 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_dst: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_dst.c
b313d8f3f78c62cce930728bc9163ecf942c22e8 16-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_REJECT: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_REJECT.c
xtensions/libipt_REJECT.c
4a0a17620017c1f45946b2cde7139ef18ea3d93c 15-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_STRING support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
a3876fa13ffe792e209cc1a8ac1214946c898eea 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_esp: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_esp.c
7c51e38d7586e2f6207c78743cc955e8778a925d 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_frag: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_frag.c
4d6ede0b324e5e9dcbb1d7cc2a7aebed9e56821a 16-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_ah: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ah.c
xtensions/libipt_ah.c
04bb988275ac76815a15788a7fc75ac78f3bb833 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT32RC support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
dba0839a103fe0384b41a8f08a3b3a5f9eba732b 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_hl: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_hl.c
xtensions/libipt_ttl.c
fa728c88fd0bfdc3f2bdb79beed91cd9e1fca5e5 13-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip[6]t_HL: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_HL.c
xtensions/libipt_TTL.c
dfe99f1bf291b4b954d3608dbe95a43e16a8bb49 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT8 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
b18ffe3636b07cd817628de81643136e4755a944 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_cluster: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_cluster.c
d78254d7f9d18ef76377a3013302430cce8ea702 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: min-max option support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
93112921153c43dc0521be499f6a792d2aaae5e9 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_cpu: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_cpu.c
a93142d5f55db74ebd7d49be9bd88f7a499ded40 16-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: XTTYPE_UINT32 support

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
toptions.c
97265fb806dffc6fd87ee5e0f0963dfbe7a094f6 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_CONNSECMARK: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNSECMARK.c
3af739b0e7c3b6dcc986645c57c982d0add5006b 10-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: provide better final_check

This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
p6tables.c
ptables.c
toptions.c
9c5c10554c61f0b22cbc65b27b765fa8172040f7 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_socket: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_socket.c
f92bca9da4ee68f05dbb827a8444804a8edb1b87 27-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_CHECKSUM: use guided option parser

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CHECKSUM.c
aa37acc1423126f555135935c687eb91995b9440 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: guided option parser

This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.

As a secondary goal, this reduces the number of static storage duration
variables in flight.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
nclude/xtables.h.in
p6tables.c
ptables.c
shared.h
tables.c
toptions.c
458d84de2412b43604a8efe2b82a2084a2859a46 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> extensions: add missing checks for specific flags (2)

Addendum to v1.4.10-75-g4e5d4bf. It does not make sense to use
ipv6header's --soft without specifying any options.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ipv6header.c
6a86854bf91227a70392fc2665ed4f99af0229e3 05-Apr-2011 Maciej Zenczykowski <maze@google.com> convert ip6?tables-multi to actually use their own header files

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
p6tables-multi.c
ptables-multi.c
37911de507d0597980ad218a044a482501a21b01 05-Apr-2011 Maciej Zenczykowski <maze@google.com> move 'int line' definition from ip6?tables.c into xtables.c

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
p6tables.c
ptables.c
tables.c
742e9a43c314b45a76acdac8f53d36f1337154bf 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename do_command() to do_command6()

(actually only applies to two comments, since the
function has long been called do_command6)

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
p6tables.c
c1e04bd1b057151afaf7e6138089f2fe2c1b7d1c 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename do_command() to do_command4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/iptables.h
ptables-restore.c
ptables-standalone.c
ptables-xml.c
ptables.c
9680f2ecbdb7e5c61ab60e7399e9ca9f1013fd8d 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename print_rule() to print_rule6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/ip6tables.h
p6tables-save.c
p6tables.c
bb9fe8059f40f0dde9c780498f5af42f5aa6a179 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename print_rule() to print_rule4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/iptables.h
ptables-save.c
ptables.c
85aae15567b8ae1eaedf9f011ba7aef80dfca208 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename delete_chain() to delete_chain6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/ip6tables.h
p6tables-restore.c
p6tables.c
e5c061afabf018634a507f00df5b1d0c4bd53a37 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename delete_chain() to delete_chain4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/iptables.h
ptables-restore.c
ptables.c
74ace0a46048d01611a44c24f6fe5f59d936231b 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename flush_entries() to flush_entries6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/ip6tables.h
p6tables-restore.c
p6tables.c
cc38d058d14e84d3008a0c0035348e0ad5f0d5d2 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename flush_entries() to flush_entries4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/iptables.h
ptables-restore.c
ptables.c
241e73594f6d75e32a7e89ebdb6b7f7917a48df0 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename for_each_chain() to for_each_chain6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/ip6tables.h
p6tables-restore.c
p6tables.c
e70844a98d125679cfe0c62e48d0f19bf175280d 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename for_each_chain() to for_each_chain4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/iptables.h
ptables-restore.c
ptables.c
a85112dc330188035a8d7a58cab499d7672e4d87 04-Apr-2011 Maciej Zenczykowski <maze@google.com> xtables.h: init_extensions() no longer exists

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/xtables.h.in
49d8c5d564cad70c5c1bef2d5571e8e494454210 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v6: rename init_extensions() to init_extensions6()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/GNUmakefile.in
nclude/xtables.h.in
p6tables-restore.c
p6tables-save.c
p6tables-standalone.c
5e8f947becc00a79e78b2a6cf0e25fd674c57ec4 04-Apr-2011 Maciej Zenczykowski <maze@google.com> v4: rename init_extensions() to init_extensions4()

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/GNUmakefile.in
nclude/xtables.h.in
ptables-restore.c
ptables-save.c
ptables-standalone.c
2c6ac071a9c660b61a76565d1024d372deac8a98 04-Apr-2011 Maciej Zenczykowski <maze@google.com> xtables: delay (statically built) match/target initialization

Matches and targets built into the iptables static binary will always
be registered as the binary starts up; this may potentially (as a result
of kernel version support checking) result in modules being autoloaded.

This is undesirable (for example it may cause CONNMARK target to load
and thus cause the kernel to load the conntrack module, which isn't a
no-op).

Transition to a system where matches and targets are registered into
a pending list, from whence they get fully registered only when
required.

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
tables.c
cf3e52d00b7d3fedf98ef7710c337c441270d936 04-Apr-2011 Maciej Zenczykowski <maze@google.com> xtables_ip6addr_to_numeric: fix typo in comment

An IPv6 address consists of eight hexadecimal 16-bit values separated
by colons, or alternatively, six (not five) of these followed by a colon
and an IPv4 address in standard dotted decimal quad notation
(for IPv4 mapped addresses and the like).

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
tables.c
a239728ec064666025de2723997d87b176d57fd6 04-Apr-2011 Maciej Zenczykowski <maze@google.com> mark newly opened fds as FD_CLOEXEC (close on exec)

(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_realm.c
p6tables-restore.c
p6tables-save.c
ptables-restore.c
ptables-save.c
ptables-xml.c
tables.c
8d6492d582c7284217c042d5638cf50174e5fbfd 04-Apr-2011 Maciej Zenczykowski <maze@google.com> man pages: allow underscores in match and target names

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/GNUmakefile.in
df37d99b0cba63443d4224187f2d5a0c299ad7ad 04-Apr-2011 Mark Montague <mark@catseye.org> iptables: documentation for iptables and ip6tables "security" tables

Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.

Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_CONNSECMARK.man
xtensions/libxt_SECMARK.man
p6tables.8.in
ptables.8.in
c7948744bf591e0c46b6d19ccfa408cc59e11ef1 16-Mar-2011 Thomas Graf <tgraf@redhat.com> iptables: add manual page section for AUDIT target

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_AUDIT.man
d59b9db031abee37a9aa9776662dd15370faabf4 08-Mar-2011 Stefan Tomanek <stefan.tomanek@wertarbyte.de> iptables: add -C to check for existing rules

It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.

Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.

This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
p6tables.8.in
p6tables.c
ptables.8.in
ptables.c
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
9cc4f24e72f87ca191c2e723e7cd293f6477481c 07-Mar-2011 Stefan Tomanek <stefan.tomanek@wertarbyte.de> ip(6)tables-multi: unify subcommand handling

I found the subcommand handling and naming done by iptables-multi and
ip6tables-multi very confusing and complicated; this patch
reorganizes the subcommands in a single table, allowing both variants
of them to be used (iptables/main) and also prints a list of the
allowed commands if an unknown command is entered by the user.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-multi.c
ptables-multi.c
shared.c
shared.h
f96cb8094ceffb9ffe8e94b4ee6800aa581dd021 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> doc: add VERSION section to manpages

This shall make it easier to identify outdated HTML renditions on the
interwebs, since many of them do not display the .TH header like man(1)
does.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.8.in
ptables.8.in
ee52e00adfb10250e1828b94e43d9482bb201827 01-Mar-2011 Jan Engelhardt <jengelh@medozas.de> iptables: fix an inversion

Revisiting the original condition (viewable in git log -1 -p
v1.4.10-57-gacef604), one can notice an unfortunate inversion. This
commit corrects this.

Testcase: -A INPUT -p tcp --dport 1

Reported-by: Florian Westphal
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
shared.c
2ad8dc895ec28a173c629c695c2e11c41b625b6e 22-Feb-2011 Wes Campaigne <westacular@gmail.com> xtables: use all IPv6 addresses resolved from a hostname

Fixes a long-standing issue where host_to_ip6addr would only ever
examine/return the first item of the address chain returned by
getaddrinfo, instead of traversing the chain and copying each of them.

This has always been how host_to_ip6addr behaves, and all of the other
related IPv6 code is already written to handle multiple possible
addresses.

[Style fixups. Removal of redundant i<*naddrs check. -j.eng]

Signed-off-by: Wes Campaigne <westacular@gmail.com>
tables.c
adcb28101d53c2a7f372de256b1af50804fee899 22-Feb-2011 Wes Campaigne <westacular@gmail.com> xtables: fix the broken detection/removal of redundant addresses

[To observe this issue, populate a hostname (DNS or local db)
with multiple addresses across multiple subnets (cf. prefixlen
below)

# e.g. /etc/hosts
127.0.0.2 lo-x
127.0.0.3 lo-x
127.0.1.4 lo-x
127.0.1.5 lo-x
127.0.2.6 lo-x

Then invoke xtables_ipparse_any by e.g. `-m conntrack
--ctorigsrc lo-x/24`. -j.eng]

This same block of code, apparently to detect if addresses are
identical after applying the mask, and to skip the duplicates and the
ones made redundant by the mask, has been present and unchanged from
as far back as I could find (circa iptables 1.2).

By inspection, it was wrong, and always has been: once the code finds
a duplicate, it will drop the rest of the array one by one as it
re-detects the same duplicate over and over. When the addresses came
from a single hostname lookup, and their order was random, then this
created unpredictable behaviour by iptables, which seems to ignore some
of those addresses at random times.

I suspect the original idea also involved a swap between the duplicate
and the address from the (current) end of the array, but a line of
code to do that seems to have never existed. I have finally added it.
(Well, as much as is needed: there does not need to be a full swap,
because we are just going to ignore the duplicate, pretend the array
is one shorter, and never look at the contents of the end again. So,
we can get away with just copying from the end.)

[Reword comment about shuffle: replace by mentioning tail copy to
replace dup. -j.eng]

Signed-off-by: Wes Campaigne <westacular@gmail.com>
tables.c
11e250ba02349cb1e34058673db3d0b54eb56c44 22-Feb-2011 Wes Campaigne <westacular@gmail.com> xtables: fix excessive memory allocation in host_to_ipaddr

host_to_ipaddr was unnecessarily asking for an array of length n^2 to
store just n addresses.

Signed-off-by: Wes Campaigne <westacular@gmail.com>
tables.c
64230aa45c5ad8505d81812d19bd2ee9a37e3467 22-Feb-2011 Wes Campaigne <westacular@gmail.com> libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6

[Split hunk from Wes's submission. Added commit message. -j.eng]

ai_protocol normally specifies the L4 protocol one wants to
specifically inquire about when a service (2nd parameter to
getaddrinfo) is specified. Such a service lookup would potentially
yield nothing, because there just is not any "mytunnel 2222/ipv6" in
/etc/services, since IPPROTO_IPV6 itself is not a protocol with a
concept of (port-based) services to begin with.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
4b110b426df7bf486a3e7884c56ebb3487023601 21-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: fix memory scribble beyond end of array

When using -s "", the "n" variable in the code remains uninitialized
and usually scribbles beyond the end of the array.

Furthermore, "n" is just as big as entries in the last host lookup.
When specifying more than one item to -s, e.g. "-s host,host", "n" is
less than "count", and we are not masking the addresses at all
(leaving them at addr/32 resp. addr/128).

The issue goes back to the initial code from v1.4.5~21.

References: http://bugs.debian.org/611990
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
2d039bcf8421c992fb74849facc2d7205960f68e 21-Feb-2011 Jan Engelhardt <jengelh@medozas.de> doc: rateest options can be optional

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_rateest.man
8a5270b14908b3173de080a958e50e21e2f046de 20-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_quota: require --quota to be specified

It is pretty pointless to use -m quota without specifying --quota.
There would be nothing left to count down on.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_quota.c
37f6d57c4e030a459ccafafd8a574e327315e148 20-Feb-2011 Jan Engelhardt <jengelh@medozas.de> doc: fix odd partial sentence in libipt_TTL

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_TTL.man
887f58666af9ccde7051169aa9d6160d7e09ec46 20-Feb-2011 Jan Engelhardt <jengelh@medozas.de> doc: mention other possible nf_loggers for TRACE

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TRACE.man
094f104af71ca859c7c44406baed401659ad9421 19-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libipt_ECN: set proper option flags

When specifying --ecn-tcp-remove, *flags will be wrongly set to denote
that --ecn-ip-ect had been specified.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_ECN.c
4e5d4bff933d77158d9d32b4f87c5842decf670e 19-Feb-2011 Jan Engelhardt <jengelh@medozas.de> extensions: add missing checks for specific flags

With "!flags", any option will be accepted. The extensions however
want one very specific option to be used (or wrong help text).

Commits: DNAT: v1.3.8~23, osf: v1.4.6~3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_DNAT.c
xtensions/libipt_ECN.c
xtensions/libxt_osf.c
b9210cfd9da3d57610be4e86ef45c48dd1b65edf 19-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_hbh: remove unimplemented --hbh-not-strict

Same as with ip6t_dst.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_hbh.c
7a1043bcb6ac6315c991cf02c9a12568398fc837 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libip6t_dst: remove unimplemented --dst-not-strict

This was never ever implemented in the kernel, so just remove it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_dst.c
86786bf3a5e875232ae63d9f9b3dbb542ac2e392 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> Remove unused CVS expanded keywords

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_ECN.c
xtensions/libipt_TTL.c
xtensions/libipt_ttl.c
p6tables-restore.c
ptables-restore.c
ptables-xml.c
ibipq/ipq_create_handle.3
ibipq/ipq_errstr.3
ibipq/ipq_message_type.3
ibipq/ipq_read.3
ibipq/ipq_set_mode.3
ibipq/ipq_set_verdict.3
ibipq/libipq.3
e88a7c2c7175742b58b6aa03f2b5aba2d80330a1 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> extensions: remove redundant init functions

The main program already zeroes the per-extension data block.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_rt.c
xtensions/libipt_SAME.c
xtensions/libxt_NFLOG.c
xtensions/libxt_RATEEST.c
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_dccp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_sctp.c
xtensions/libxt_string.c
12a18d6043092bd2574b2bced635259b16317e57 18-Feb-2011 Jan Engelhardt <jengelh@medozas.de> doc: fix misspelling of "field"

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ah.c
xtensions/libip6t_frag.c
xtensions/libip6t_rt.c
c2efcd321271e6658d9cad87eff0a09d16f2766e 17-Feb-2011 Jan Engelhardt <jengelh@medozas.de> doc: fix wrong sentence about negation in xt_limit

This is an update to commit v1.4.7~6.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_limit.man
87dc7c4c842deb1e2e3d38089ffcad9f238d98de 17-Feb-2011 Max Kellerman <max@duempel.org> xtables: use strspn() to check if string needs to be quoted

Problem: the call xtables_save_string("'") prints just a single quote,
not enclosed in double quoted and not escaped.

Steps to reproduce:

$ iptables -A foo -m comment --comment "'" -j ACCEPT
$ iptables-multi save|grep foo
-A foo -m comment --comment ' -j ACCEPT

The cause was the use of strcspn() to locate the first character which
justified quoting the string in double quotes. That however was
wrong, because the way strcspn() was called, it returned a pointer to
the first character that was not to be escaped, which did the right
thing most of the time, but not for strings consisting only of quote
characters. This patch changes strcspn() to strspn().

Signed-off-by: Patrick McHardy <kaber@trash.net>
tables.c
e1df221d7a1b3df0224d94865ec05ba336995608 15-Feb-2011 Jan Engelhardt <jengelh@medozas.de> extensions: fix indent of vtable

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_LOG.c
xtensions/libipt_LOG.c
xtensions/libipt_ecn.c
xtensions/libxt_recent.c
c0f6d17764e9bc1724cedd78b880a80446363146 16-Feb-2011 Jan Engelhardt <jengelh@medozas.de> libxt_devgroup: option whitespace update following v1.4.10-49-g7386635

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_devgroup.c
aa66aeda34bea5a8d05717899a229e57aa3237d5 16-Feb-2011 Jan Engelhardt <jengelh@medozas.de> ip6tables: spacing fixes for -o argument

For aesthetic consistency, put a space after -o.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
af3d73ec867debb5e38c6c6fde66f05093714fec 11-Feb-2011 Jan Engelhardt <jengelh@medozas.de> iptables: fix segfault target option parsing

With v1.4.10-58-g94e247b, target option parsing started to happen in the
wrong case.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
7ada0bb7aafd94ef7c9c076e8be50c80bc549a4f 09-Feb-2011 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
58b491f8cb5b4a0315037d0e1f61f8162a556e8a 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> iptables: fix error message for unknown options

-From: iptables v1.4.10: option "-q" requires an argument
+To: iptables v1.4.10: unknown option "-q"

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
17e310b2610448605567644f667c79f41d76f51e 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: move match option handling from do_command6 into its own functions

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
9bb76094b26d22c7a85d98a075640f054b7910f4 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: move jump option handling from do_command6 into its own function

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.h
94e247b80a0c28140056ee07ea24e54ca5dbebaf 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: unclutter command_default function

(Essentially, 5 levels of indentation have been stripped compared to the
original layout, and this is surely a result that looks a lot better
than it did before.)

Things to note:

1. If the m->parse call succeeded, we can return from the function and
do not need to go through the other code. As such, "m" is guaranteed to
be useless at the end of the match loop, and so, conditions can be
removed.

2. Since the per-extension parse functions only ever get their own option
codes (since v1.4.10-26-gd09b6d5), their return value no longer has a
meaning and can be ignored.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
acef6043f647806096c41294b00472f6ce7462d7 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: deduplicate and simplify implicit protocol extension loading

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.c
shared.h
f4b6e5290e869fccb87c03da5603a38b7e55abc5 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: put shared option flags into xshared

This will be needed for the find_proto function.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.h
f1e71016dddb65709afe0746a96a3fefbec3ba27 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: move OPT_FRAGMENT to the end so the list can be shared
ptables.c
f6992cbb211a42f776333fe65dfad49f17455a3f 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: deduplicate find_proto function

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.c
shared.h
7a548b32d9ad8d6e4a8398573d4fa8c4e4a1f9e0 07-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: share iptables_command_state across the two programs

struct iptables_command_state and quite a bit of the code looks worthy
of deduplication.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.h
f935ae05040d2d790433abee49ef79f4a8ed393c 06-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: move large default: block from do_command6 into its own function

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
3a9d8b0bcaeeb7f260c881fbaaea62f705d0d47e 06-Feb-2011 Jan Engelhardt <jengelh@medozas.de> src: collect do_command variables in a struct

This will make it easier to put the code for the cases into separate
functions.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
e76ec99b48745b0e3c8aecbc91ed5bba186cf25f 06-Feb-2011 Pablo Neira Ayuso <pablo@netfilter.org> libxt_cluster: fix inversion in the cluster match

In libxt_cluster.c, we use:

info->flags |= (1 << XT_CLUSTER_F_INV);

but we should use instead:

info->flags |= XT_CLUSTER_F_INV;

since the definition of XT_CLUSTER_F_INV is:

enum xt_cluster_flags {
	XT_CLUSTER_F_INV = (1 << 0)
};

This fixes the inversion in the cluster match.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_cluster.c
9ee2a9fe2f74b616da34878104bd1ff406534ad1 03-Feb-2011 Patrick McHardy <kaber@trash.net> extensions: add extension for devgroup match

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_devgroup.c
nclude/linux/netfilter/xt_devgroup.h
73866357e4a7a0fdc1b293bf8863fee2bd56da9e 18-Dec-2010 Jan Engelhardt <jengelh@medozas.de> iptables: do not print trailing whitespaces

Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.

It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)

Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_HL.c
xtensions/libip6t_LOG.c
xtensions/libip6t_REJECT.c
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_DNAT.c
xtensions/libipt_ECN.c
xtensions/libipt_LOG.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_REJECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SNAT.c
xtensions/libipt_TTL.c
xtensions/libipt_ULOG.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_ecn.c
xtensions/libipt_icmp.c
xtensions/libipt_realm.c
xtensions/libipt_ttl.c
xtensions/libxt_AUDIT.c
xtensions/libxt_CHECKSUM.c
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CONNMARK.c
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_CT.c
xtensions/libxt_DSCP.c
xtensions/libxt_IDLETIMER.c
xtensions/libxt_LED.c
xtensions/libxt_MARK.c
xtensions/libxt_NFLOG.c
xtensions/libxt_NFQUEUE.c
xtensions/libxt_RATEEST.c
xtensions/libxt_SECMARK.c
xtensions/libxt_SET.c
xtensions/libxt_TCPMSS.c
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_TEE.c
xtensions/libxt_TOS.c
xtensions/libxt_TPROXY.c
xtensions/libxt_cluster.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_cpu.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_iprange.c
xtensions/libxt_ipvs.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mac.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_osf.c
xtensions/libxt_owner.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_policy.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_recent.c
xtensions/libxt_sctp.c
xtensions/libxt_set.c
xtensions/libxt_socket.c
xtensions/libxt_state.c
xtensions/libxt_statistic.c
xtensions/libxt_string.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_time.c
xtensions/libxt_tos.c
xtensions/libxt_u32.c
xtensions/libxt_udp.c
xtensions/tos_values.c
p6tables.c
ptables.c
tables.c
bb8be30857edd501e701c2f22db6c59bd6839c87 31-Jan-2011 Jan Engelhardt <jengelh@medozas.de> iptables: remove more redundant casts

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
ptables-restore.c
00696591b1f2582cb0c5a8c1887c2f24b6aafedd 31-Jan-2011 Jan Engelhardt <jengelh@medozas.de> iptables: remove bogus address-of

Casts are bad. &curtable is actually of type char (*)[], which is
quite different from what add_argv expects.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
ptables-restore.c
6a0448eecdee4c6a19303b75c1707915a80cbfbb 31-Jan-2011 Jan Engelhardt <jengelh@medozas.de> iptables: warn when parameter limit is exceeded

While testing many match extensions in a single rule, I ran into this
error not warned about. Arguments were just ignored, causing
surprising "Need to specify an argument to --whatever" when the
argument was in fact given on the command line.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
ptables-restore.c
df288236cd254798be3759fef4cbc3e535f5a1c3 31-Jan-2011 Jan Engelhardt <jengelh@medozas.de> xtables: set custom opts to NULL on free

When inside ip6tables-restore, xtables_free_opts can be called
multiple times, especially when trying to exit with an error message
from outside do_command. So set it to NULL so that we do not attempt
to free a dangling pointer.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
298d70e8564f03c844435123bf36e84419c2f65a 31-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_u32: enclose argument in quotes

Otherwise ip6tables-save piped to ip6tables-restore can cause a parse
error when the expression list is empty.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_u32.c
927385017047dce3f01c0aee73ab2989b108bbf0 30-Jan-2011 Jan Engelhardt <jengelh@medozas.de> iptables: improve error reporting with extension loading troubles

ip6tables v1.4.8: Could not load match "osf":
/usr/lib/xtables/libip6t_osf.so: cannot open shared object file: No
such file or directory

Given that libxt_osf.so exists, a better error is now emitted.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=637
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
fbd47262d2417c17f1c57896dea8a0c55fb6c770 25-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_quota: clarifications on matching

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_quota.man
6f03bf79952753fbc0dc8611aa4d6e70a108dbc7 21-Jan-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Fix listing/saving the new revision of the SET target

Instead of the dimension of the set, the max dimension was used at
listing/saving the src,dst parameters, which produced broken output.
xtensions/libxt_SET.c
f46f8c1c5b6d9f5685b9d945e95647eaf6c2d35b 20-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: remove duplicate member that caused size change

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/linux/netfilter/xt_connlimit.h
c8f28cc8b84133f20421470e9a61a5a0c78b9c4a 20-Jan-2011 Patrick McHardy <kaber@trash.net> extensions: libxt_conntrack: add support for specifying port ranges

Add support for revision 3 of the conntrack match, which allows to
specify port ranges for origsrc/origdst/replsrc/repldst.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_conntrack.c
xtensions/libxt_conntrack.man
nclude/linux/netfilter/xt_conntrack.h
6924b4987d88fbe383bec4da4cf331cc466c245e 20-Jan-2011 Florian Westphal <fw@strlen.de> extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option

--queue-bypass: if no userspace program is listening on the queue, then
allow packets to continue through the ruleset instead of dropping them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_NFQUEUE.c
xtensions/libxt_NFQUEUE.man
nclude/linux/netfilter/xt_NFQUEUE.h
773438bd93851dc1a9129a638925c04868820297 20-Jan-2011 Thomas Graf <tgraf@redhat.com> libxt_AUDIT: add AUDIT target

libxt module for the AUDIT target.

-j AUDIT --type (accept|reject|drop)

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_AUDIT.c
nclude/linux/netfilter/xt_AUDIT.h
5da9e63f66ca190cb90193ebb9eebf5aa523b4d1 19-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: support for dstaddr-supporting revision 1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.c
xtensions/libxt_connlimit.man
nclude/linux/netfilter/xt_connlimit.h
2cae5334de3a817947742e0b466355e5f5566474 18-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: add a --connlimit-upto option

Direct specifications like "upto" are easier to grasp than "not
above". This patch adds such an upto variant similar to what
libxt_hashlimit already has.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.c
xtensions/libxt_connlimit.man
8d5e773508b154dcfa8d866f68f64ef1ad773957 18-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: reword help text to say prefix length

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.c
xtensions/libxt_connlimit.man
9c60365e043a430f74115bbfaf58ce0df7585f49 18-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_quota: print negation when it has been selected

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_quota.c
281439ba6b96b729ef1400a49ec53eda298bb9f8 09-Jan-2011 Li Yewang <lyw@cn.fujitsu.com> xtables: fix typo in error message of xtables_register_match()

Signed-off-by: Li Yewang <lyw@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tables.c
8ad33a34a34ba2bcd360352ad3b7772916832702 09-Jan-2011 Florian Westphal <fwestphal@astaro.com> libxt_time: fix random --datestart skips

Frank Lichtenheld points out that -m time --datestart ...
sometimes messes up --datestart:

$ iptables -A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT
$ iptables-save | grep 11
-A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT
$ iptables-save | iptables-restore
$ iptables-save | grep 11
-A INPUT -m time --datestart 2010-11-24T15:50:00 -j ACCEPT

--datestart moved by one hour.

As the --timestart option does not care about DST, always set
dst=0 when parsing --starttime input.

Reported-by: Frank Lichtenheld <flichtenheld@astaro.com>
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_time.c
63ef52ac6bf8d555779456166009bd2f6b0a1081 09-Dec-2010 Stephen Beahm <stephenbeahm@comcast.net> libipt_REDIRECT: avoid dereference of uninitialized pointer

When using --to-ports with a port name instead of a numerical
specification, a segfault occurs.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=691
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_REDIRECT.c
dfbedfedf610210c4ee3f00e9c4f9ea24c4ffe23 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: do some option structure checking

libxt_recent's use of numeric values >200 always looked worrisome. Now
here is a validation routine for such.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
e814c8b894e5b8d1570c18aec2c67dfb0c0a59c0 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libipt_CLUSTERIP: const annotations

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_CLUSTERIP.c
da580fe55ebf234febf4a8880f53a80870e9088f 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_sctp: fix a typo

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_sctp.c
d09b6d591ca7d7d7575cb6aa20384c9830f777ab 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> extensions: remove no longer necessary default: cases

Match and target parse functions now only get option characters they
have defined themselves.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_HL.c
xtensions/libip6t_LOG.c
xtensions/libip6t_REJECT.c
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_DNAT.c
xtensions/libipt_ECN.c
xtensions/libipt_LOG.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_REJECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SNAT.c
xtensions/libipt_TTL.c
xtensions/libipt_ULOG.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_ecn.c
xtensions/libipt_icmp.c
xtensions/libipt_realm.c
xtensions/libipt_ttl.c
xtensions/libxt_CHECKSUM.c
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CONNMARK.c
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_CT.c
xtensions/libxt_DSCP.c
xtensions/libxt_IDLETIMER.c
xtensions/libxt_MARK.c
xtensions/libxt_NFLOG.c
xtensions/libxt_NFQUEUE.c
xtensions/libxt_RATEEST.c
xtensions/libxt_SECMARK.c
xtensions/libxt_SET.c
xtensions/libxt_TCPMSS.c
xtensions/libxt_TOS.c
xtensions/libxt_cluster.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_cpu.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_iprange.c
xtensions/libxt_ipvs.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mac.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_osf.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_policy.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_recent.c
xtensions/libxt_sctp.c
xtensions/libxt_set.c
xtensions/libxt_state.c
xtensions/libxt_statistic.c
xtensions/libxt_string.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_udp.c
fa503ad59f73d20d85f4cdf53324a01d2ad8591e 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> ip[6]tables: only call target's parse function when option char is in range

Same as previous commit. Doing this actually allows to remove code
that is no longer needed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
1e128bd804b676ee91beca48312de9b251845d09 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> ip[6]tables: only call match's parse function when option char is in range

Normally, extensions use a "default:" case in switch(c) to just return
if they do not handle c. Apparently, libip6t_hl does that too late and
checks for hl-specific parsing state before it has established that c
refers to one of its own options.

Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.

One way to fix this is to move the flags checks into case '2', '3',
'4'. Doing this replication feels bad, so as an alternative, let's
just free extensions from having to deal with other extension's
options passing thru.

References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
shared.h
tables.c
1dc27393b7ba401e6228a5ee2472a6eb72836c43 08-Jan-2011 Jan Engelhardt <jengelh@medozas.de> xtables: reorder num_old subtraction for clarity

When going over this again, I noticed we happen to malloc too much.
That is no problem, but I felt moving the num_old adjustment upwards
makes things more clear, and also addresses the allocation.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
5b1fecc7d017df093db7c667bcd1718e45b1df67 07-Jan-2011 Jan Engelhardt <jengelh@medozas.de> iptables: abort on empty interface specification

Fiedler Roman brings to attention that if, in a faulty script,
"$some_variable" expands to an empty string, iptables should probably
catch this most likely undesired invocation. If no/all interfaces were
really desired, one can either omit -i completely, or use -i +.

References: http://marc.info/?l=netfilter&m=129439862903487&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
7ac405297ec38449b30e3b05fd6bf2082fd3d803 07-Jan-2011 Jan Engelhardt <jengelh@medozas.de> src: use C99/POSIX types

"u_int" was a non-standardized extension predating C99 on some platforms.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_LOG.c
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_LOG.c
xtensions/libipt_NETMAP.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_icmp.c
xtensions/libxt_CONNMARK.c
xtensions/libxt_DSCP.c
xtensions/libxt_MARK.c
xtensions/libxt_TOS.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_dccp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_iprange.c
xtensions/libxt_ipvs.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_owner.c
xtensions/libxt_policy.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_sctp.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_tos.c
xtensions/libxt_u32.c
xtensions/libxt_udp.c
xtensions/tos_values.c
p6tables.c
ptables.c
ibipq/libipq.c
ibiptc/libip4tc.c
tables.c
4a1d810bb52aa5d5c450f7adcde5145d40261b54 26-Dec-2010 Jan Engelhardt <jengelh@medozas.de> xt_comment: remove redundant cast
xtensions/libxt_comment.c
nclude/linux/netfilter/xt_comment.h
d1435e0772e40c310dff35abe7bf1e7de5b18ee4 18-Dec-2010 Jan Engelhardt <jengelh@medozas.de> src: const annotations

Also one int -> uint here on the way through.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
f6d6449c88812634e663cef4e09db7b691af3eb5 28-Sep-2010 Rob Leslie <rob@mars.org> iptables-restore: resolve confusing policy error message

When iptables-restore (and ip6tables-restore) is unable to set a
chain's policy, it responds with a confusing message, e.g.:

iptables-restore v1.4.9: Can't set policy "PREROUTING" on "ACCEPT"
line 16: Bad built-in chain name

This is due to the chain and policy arguments being used in the wrong
order. The attached patch corrects this problem.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
ptables-restore.c
3a84b3d5de492e40aff7bae5038b06dd6b6041c4 15-Dec-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
a3f101331deb9314caa0cfa1061c925865e79380 11-Dec-2010 Jan Engelhardt <jengelh@medozas.de> build: stop on error in subcommand

make only evaluates $? of an entire shell invocation. As such, if any
command in the chain can fail, $? needs to be thrown, and early so.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
da41ea1688f03f8869b9c50e878ae505988ead9a 06-Dec-2010 Jan Engelhardt <jengelh@medozas.de> Merge commit 'v1.4.10'
f3578faae096f191a44742777275a23b566d7566 06-Dec-2010 Jan Engelhardt <jengelh@medozas.de> libxt_owner: output numeric IDs when save is requested

References: http://bugzilla.netfilter.org/show_bug.cgi?id=683
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_owner.c
d4105ad56335058af4b0b1be1278e01f5c0bd4ac 04-Dec-2010 Jan Engelhardt <jengelh@medozas.de> build: fix globbing of extensions in other locales

In the fi_FI locale, [a-z] would not include 'w', for example. Rectify
this by using [[:alnum:]] (to counter against different ordering) and
forcing the POSIX locale (so that the alphabet has at least the 26
base characters).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
4d2a77ff8cb4115925477cd5ce0ea972494107ab 03-Dec-2010 Jan Engelhardt <jengelh@medozas.de> socket: add support for revision 1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_socket.c
xtensions/libxt_socket.man
9e152fa9f1283ce4f4274cf251b2b2e69bbdfee6 03-Dec-2010 Jan Engelhardt <jengelh@medozas.de> TPROXY: add support for revision 1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TPROXY.c
b4af04be14560b3fcc6cf23200148d408014a2f5 03-Dec-2010 Jan Engelhardt <jengelh@medozas.de> include: update files with headers from Linux 2.6.37-rc1

Also includes the type change to __u{8,16,32} kernel types already.
xtensions/libxt_SECMARK.c
xtensions/libxt_time.c
nclude/linux/netfilter/xt_CHECKSUM.h
nclude/linux/netfilter/xt_CT.h
nclude/linux/netfilter/xt_IDLETIMER.h
nclude/linux/netfilter/xt_SECMARK.h
nclude/linux/netfilter/xt_TCPOPTSTRIP.h
nclude/linux/netfilter/xt_TPROXY.h
nclude/linux/netfilter/xt_cluster.h
nclude/linux/netfilter/xt_connlimit.h
nclude/linux/netfilter/xt_ipvs.h
nclude/linux/netfilter/xt_physdev.h
nclude/linux/netfilter/xt_policy.h
nclude/linux/netfilter/xt_quota.h
nclude/linux/netfilter/xt_sctp.h
nclude/linux/netfilter/xt_socket.h
nclude/linux/netfilter/xt_time.h
nclude/linux/netfilter/xt_u32.h
2d68ae7ce6e40e3977ee11a57296cf76801ae320 28-Nov-2010 Jan Engelhardt <jengelh@medozas.de> iptables: do not emit orig_opts twice

This just happened to cross my eye; there was no error, but fixing
this up saves a pitfall, and some memory.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
d3b2e391e3b944581e20e216af76339cc87d0590 28-Nov-2010 Jan Engelhardt <jengelh@medozas.de> iptables: reset options at the start of each command

For each new command, iptables is supposed to start afresh with a
blank option set (opts) that only contains the program-specific
options (orig_opts), without any extension options. We failed to
restore this pointer (in function do_command) after the previous free
call in xtables_free_opts.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
2f09f1b39ced2ae7109382dcf066785bab4a966a 17-Nov-2010 Florian Westphal <fwestphal@astaro.com> libxt_conntrack: fix --ctdir save/dump output format

$ iptables-save | iptables-restore
iptables-restore v1.4.6: conntrack: Bad value for "--ctdir" option: "ORIGINAL-j"

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_conntrack.c
a905ea5c97149da9d76cd278b0447e3316087a45 15-Nov-2010 Jan Engelhardt <jengelh@medozas.de> Merge branch 'master' of git://dev.medozas.de/iptables into m2
710a132ce9fbecedbf9447f2b2a134f2359a583c 15-Nov-2010 Jan Engelhardt <jengelh@medozas.de> Revert "Revert "libxtables: change option precedence order to be intuitive""

This reverts commit e84f131b5f992577119bd3679241f69ec394e0a7.
Solution follows.
nclude/xtables.h.in
p6tables.c
ptables.c
tables.c
59e8114c6792242e80785f4461d5e663fb9a3d64 15-Nov-2010 Jan Engelhardt <jengelh@medozas.de> iptables: fix longopt recognition and workaround getopt(3) behavior

* On the first call to getopt, opts was NULL, so long options would
not be recognized until a match/target was loaded.

Whacky getopt behavior:

* If the longopts parameter is NULL, getopt fails to recognize unknown
options, such that `iptables-multi main --append` will print a garbage
help message ("main needs an argument").

* If the longopts parameter is NULL on the first call, but not on
subsequent calls, it completely screws up option parsing, taking
the --dport in `iptables-multi main -A INPUT -p tcp --dport 1000`
as --destination instead, but not accepting "--destination 1.2.3.4"
either.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
tables.c
e84f131b5f992577119bd3679241f69ec394e0a7 15-Nov-2010 Patrick McHardy <kaber@trash.net> Revert "libxtables: change option precedence order to be intuitive"

This reverts commit 600f38db82548a683775fd89b6e136673e924097.

The commit breaks option parsing:

iptables v1.4.9: host/network `port' not found
Try `iptables -h' or 'iptables --help' for more information.

Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/xtables.h.in
p6tables.c
ptables.c
tables.c
648fd1ad68ae2ec675ac07efee80783912535404 02-Nov-2010 Jan Engelhardt <jengelh@medozas.de> libxt_TOS: avoid an undesired overflowing computation

The @bits parameter was wrongly labeled and should have been @max
already. This makes the - overflowing - 1<<bits redundant of course.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/tos_values.c
600f38db82548a683775fd89b6e136673e924097 29-Oct-2010 Jan Engelhardt <jengelh@medozas.de> libxtables: change option precedence order to be intuitive

When using `-m mark --mark 2 -m connmark --mark 2`, the user currently
gets an error about the (libxt_mark) --mark option being used twice.
This is because libxt_connmark's option table does not override any
previous options. This patch changes this behavior, since the current
behavior does not allow connmark's option to be used at all, which is
illogical.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/xtables.h.in
p6tables.c
ptables.c
tables.c
8d89535b38e719f644d858e83f73bee9adf5b1a0 29-Oct-2010 Patrick McHardy <kaber@trash.net> Bump version to 1.4.10

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
81defdb2c3ad0e461f6487dc75abb8d4fc77519b 13-Sep-2010 Jan Engelhardt <jengelh@medozas.de> libiptc: add Libs.private to pkgconfig files

This is needed when doing static linking.
(pkg-config --static --libs libiptc)

References: http://bugzilla.netfilter.org/show_bug.cgi?id=675
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc.pc.in
tables.pc.in
655ae6b096b7ba3854159dc1eefadce91ec65550 13-Sep-2010 Jan Engelhardt <jengelh@medozas.de> libiptc: build with -Wl,--no-as-needed

Since libiptc does not reference any symbols in libip(4|6)tc, the linker
may ignore the dependencies. Use --no-as-needed to explicitly force a
DT_NEEDED entry.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=674
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
4/ax_check_linker_flags.m4
5429b41c2bb4ac8fe672a1513a041c0ed0c241f6 13-Sep-2010 Jan Engelhardt <jengelh@medozas.de> iptables: limit chain name length to be consistent with targets

Creation of chain names longer than the ones being able to jump to
should be inhibited for consistency.

References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2
Cc: Stig Thormodsrud <stig@vyatta.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
0195836374cd195b13e0653ec9355a8ecd174313 13-Sep-2010 Jan Engelhardt <jengelh@medozas.de> iptables-xml: resolve compiler warnings

iptables-xml.c: In function "parse_counters":
iptables-xml.c:70:8: warning: assignment from incompatible pointer type
iptables-xml.c:71:8: warning: assignment from incompatible pointer type

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables-xml.c
0428e5a6541c3f5eaaf683d8da9ea60c44eac4c7 03-Aug-2010 Jan Engelhardt <jengelh@medozas.de> build: fix static linking

Gabor Z. Papp noted this link-time error when configuring with
--enable-static:

extensions/libext4.a(initext4.o): In function "init_extensions":
extensions/initext4.c:144: undefined reference to "libxt_IDLETIMER_init"
extensions/initext4.c:145: undefined reference to "libxt_TEE_init"

Indeed, since the two modules did not use our special macro "_init"
(which expands to libxt_foo_init), initext4.c could not find them by
that name. Correct this.

References: http://marc.info/?l=netfilter&m=128085480927924&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_IDLETIMER.c
xtensions/libxt_TEE.c
371cea299f0b2eb100b9fc9fb99089640d2d606f 25-Jul-2010 Jan Engelhardt <jengelh@medozas.de> xtables: remove unnecessary cast

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
a653f2936c56bfc541f13a7888484d5ae21c057a 03-Aug-2010 Patrick McHardy <kaber@trash.net> Merge branch 'iptables-next'
d8b511ed36f00280dd141e59c08874c7fb116504 03-Aug-2010 Patrick McHardy <kaber@trash.net> Bump version to 1.4.9

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
422342e47c18e70757231f2210b13df8e1f5931c 02-Aug-2010 Changli Gao <xiaosuo@gmail.com> libxt_quota: don't ignore the quota value on deletion

Don't ignore the quota value on deletion, then we can remove a special
rule every time.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_quota.c
nclude/linux/netfilter/xt_quota.h
c6775d6c192f7e337360f238cc3ab224a406d5b8 23-Jul-2010 Jan Engelhardt <jengelh@medozas.de> doc: consistent use of markup

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNMARK.man
xtensions/libxt_MARK.man
xtensions/libxt_TOS.man
xtensions/libxt_TPROXY.man
xtensions/libxt_connlimit.man
xtensions/libxt_connmark.man
xtensions/libxt_conntrack.man
xtensions/libxt_hashlimit.man
xtensions/libxt_iprange.man
xtensions/libxt_ipvs.man
xtensions/libxt_recent.man
xtensions/libxt_set.man
xtensions/libxt_time.man
xtensions/libxt_u32.man
32b8e61e4e5bd405d9ad07bf9468498dfbb19f9e 23-Jul-2010 Jan Engelhardt <jengelh@medozas.de> all: consistent syntax use in struct option

Try to inhibit copypasting old stuff.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_HL.c
xtensions/libip6t_LOG.c
xtensions/libip6t_REJECT.c
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_DNAT.c
xtensions/libipt_ECN.c
xtensions/libipt_LOG.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_REJECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SNAT.c
xtensions/libipt_TTL.c
xtensions/libipt_ULOG.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_ecn.c
xtensions/libipt_icmp.c
xtensions/libipt_realm.c
xtensions/libipt_ttl.c
xtensions/libxt_CHECKSUM.c
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CONNMARK.c
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_CT.c
xtensions/libxt_DSCP.c
xtensions/libxt_IDLETIMER.c
xtensions/libxt_LED.c
xtensions/libxt_MARK.c
xtensions/libxt_NFLOG.c
xtensions/libxt_NFQUEUE.c
xtensions/libxt_RATEEST.c
xtensions/libxt_SECMARK.c
xtensions/libxt_SET.c
xtensions/libxt_TCPMSS.c
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_TOS.c
xtensions/libxt_TPROXY.c
xtensions/libxt_cluster.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_cpu.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_iprange.c
xtensions/libxt_ipvs.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mac.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_osf.c
xtensions/libxt_owner.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_policy.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_recent.c
xtensions/libxt_sctp.c
xtensions/libxt_set.c
xtensions/libxt_state.c
xtensions/libxt_statistic.c
xtensions/libxt_string.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_time.c
xtensions/libxt_tos.c
xtensions/libxt_u32.c
xtensions/libxt_udp.c
xtensions/tos_values.c
nclude/xtables.h.in
854fe779211ffa051009b68b3f07673938b714c5 23-Jul-2010 Jan Engelhardt <jengelh@medozas.de> doc: minimal spelling updates to xt_cpu

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_cpu.man
7071387eaa708a82fd572e1a27443c1765c297f9 23-Jul-2010 Jan Engelhardt <jengelh@medozas.de> doc: remove extra empty line from xt_cpu

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_cpu.man
10ec8150ad83bddc66431810026daf97c60077d3 23-Jul-2010 Jan Engelhardt <jengelh@medozas.de> doc: let man(1) autoalign the text in xt_cpu

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_cpu.man
5031b4199192c6643b5c550523fc5c09578264e1 23-Jul-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' into iptables-next
2d59208943a3a2a6e0e30b6c84bb8ae80d444cd3 23-Jul-2010 Eric Dumazet <eric.dumazet@gmail.com> extension: add xt_cpu match

Kernel 2.6.36 supports xt_cpu match

In some situations a CPU match permits a better spreading of
connections, or select targets only for a given cpu.

With Remote Packet Steering or multiqueue NIC and appropriate IRQ
affinities, we can distribute traffic on available cpus, per session.
(all RX packets for a given flow are handled by a given cpu)

Some legacy applications being not SMP friendly, one way to scale a
server is to run multiple copies of them.

Instead of randomly choosing an instance, we can use the cpu number as a
key so that softirq handler for a whole instance is running on a single
cpu, maximizing cache effects in TCP/UDP stacks.

Using NAT for example, a four ways machine might run four copies of
server application, using a separate listening port for each instance,
but still presenting a unique external port:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
    -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
    -j REDIRECT --to-port 8081

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
    -j REDIRECT --to-port 8082

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
    -j REDIRECT --to-port 8083

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_cpu.c
xtensions/libxt_cpu.man
nclude/linux/netfilter/xt_cpu.h
8f5c1721c8b91f054719b488bc6833264bb876ed 23-Jul-2010 Eric Dumazet <eric.dumazet@gmail.com> extensions: REDIRECT: add random help

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_REDIRECT.c
59ccf53b9414d998afd6169cb2d6ba0f3c249081 23-Jul-2010 Eric Dumazet <eric.dumazet@gmail.com> extensions: REDIRECT: add random help

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_REDIRECT.c
c36d05e42406966440e3644110d3d2504c4b165c 23-Jul-2010 Hannes Eder <heder@google.com> libxt_ipvs: user-space lib for netfilter matcher xt_ipvs

The user-space library for the netfilter matcher xt_ipvs.

[ trivial up-port by Simon Horman <horms@verge.net.au> ]
Signed-off-by: Hannes Eder <heder@google.com>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
xtensions/libxt_ipvs.c
xtensions/libxt_ipvs.man
nclude/linux/netfilter/xt_ipvs.h
b14f160c11196aeb99000611207bd353c7ae2cb9 15-Jul-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' into iptables-next
0bcda81f5f6d121084131fb944e2940f614cc98c 15-Jul-2010 Patrick McHardy <kaber@trash.net> extensions: fix compilation of the new CHECKSUM target

Add missing header file.

Signed-off-by: Patrick McHardy <kaber@trash.net>
nclude/linux/netfilter/xt_CHECKSUM.h
b4fa7222923bc10476b8753f358e871f461eb2db 15-Jul-2010 Luciano Coelho <luciano.coelho@nokia.com> extensions: libxt_rateest: fix bps options for iptables-save

The output generated by the libxt_rateest extension for bps matches
was wrong and could not be restored properly. This patch fixes this
problem by using the correct options in the right order when saving
the table.

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_rateest.c
9d1b11102b53103c00b7fddf4658a4d2bdee1338 15-Jul-2010 Michael S. Tsirkin <mst@redhat.com> extensions: libxt_CHECKSUM extension

This adds a `CHECKSUM' target, which can be used in the iptables mangle
table.

You can use this target to compute and fill in the checksum in
a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp clients,
that do not work well with checksum offloads, but don't want to disable
checksum offload in your device.

The problem happens in the field with virtualized applications.
For reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html

Typical expected use (helps old dhclient binary running in a VM):
iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
-j CHECKSUM --checksum-fill

Includes fixes by Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_CHECKSUM.c
xtensions/libxt_CHECKSUM.man
67195a8c8a03d12994e91315e49e3d78c51a385a 15-Jul-2010 Luciano Coelho <luciano.coelho@nokia.com> extensions: libxt_IDLETIMER: use xtables_param_act when checking options

This patch changes custom error messages for illegal options into the
default iptables messages, by using xtables_param_act().

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_IDLETIMER.c
xtensions/libxt_IDLETIMER.man
ce06c99ee107102a7168493b55970b53380ebbb6 02-Jul-2010 Jan Engelhardt <jengelh@medozas.de> xt_quota: also document negation

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_quota.c
xtensions/libxt_quota.man
e4540fcb86c2d7f4cdf51c49872847a03a11b433 02-Jul-2010 Samuel Ortiz <sameo@linux.intel.com> extensions: libxt_quota.c: Support option negation

The xt_quota_info flags should be set properly for the --quota option negation
support.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_quota.c
b1c768168ef1f79c4bdd02f6e681e6e1fbb8d533 02-Jul-2010 Luciano Coelho <luciano.coelho@nokia.com> extensions: libxt_rateest: fix typo in the man page

There were a few typos in some options in the rateest match section of the
man page: --rateest1-bps should be --rateest-bps1 and so on.

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_rateest.man
127647892c7cac85baf8da62ed21232baa60f1c9 28-Jun-2010 Patrick McHardy <kaber@trash.net> extensions: libipt_LOG/libip6t_LOG: support macdecode option

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libip6t_LOG.c
xtensions/libipt_LOG.c
nclude/linux/netfilter_ipv4/ipt_LOG.h
nclude/linux/netfilter_ipv6/ip6t_LOG.h
78514bc3a9b1b724c9fc904941c5854644865673 25-Jun-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
e6d0d94139e826f7b5d8446ce174155c04963b07 25-Jun-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
76f7a230e4182ab2b64a68c9d84437035d925f3b 24-Jun-2010 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: do print netmask

References: http://bugzilla.netfilter.org/show_bug.cgi?id=659
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
dd2bbe0b614ad60fb2e267863471836aae424425 24-Jun-2010 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: always print burst value

iptables -L lists the burst value, and so should iptables -S. I was
certainly surprised to see it gone even when explicitly specifying
--hashlimit-burst 5 on the command line.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
6a7696b5eeba301b76da12c77e9b0b5ce448bc6b 24-Jun-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
d40f1628c3717daebc437a398a285e371b5b6f7f 16-Jun-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> libxt_set: new revision added

libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):

ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
xtensions/libipt_SET.c
xtensions/libipt_SET.man
xtensions/libipt_set.c
xtensions/libipt_set.h
xtensions/libipt_set.man
xtensions/libxt_SET.c
xtensions/libxt_SET.man
xtensions/libxt_set.c
xtensions/libxt_set.h
xtensions/libxt_set.man
nclude/linux/netfilter/xt_set.h
nclude/linux/netfilter_ipv4/ip_set.h
nclude/linux/netfilter_ipv4/ipt_set.h
d96993e50b44b358ea5bd15f3944674eafd62542 15-Jun-2010 Luciano Coelho <luciano.coelho@nokia.com> extensions: add idletimer xt target extension

Add the extension plugin for the IDLETIMER x_tables target.

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_IDLETIMER.c
xtensions/libxt_IDLETIMER.man
nclude/linux/netfilter/xt_IDLETIMER.h
4a498502c10e690798aa78eb92e3aed7ce79f4e0 08-Jun-2010 Shan Wei <shanwei@cn.fujitsu.com> xt_sctp: support FORWARD_TSN chunk type

The latest kernel has implemented Partial Reliability Extension
that is defined in RFC3758.

This patch adds FORWARD_TSN chunk for tracing.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_sctp.c
xtensions/libxt_sctp.man
b9f458f87453a62cea7aeb0441e7a2ac05689f91 08-Jun-2010 Shan Wei <shanwei@cn.fujitsu.com> xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension

SACK-IMMEDIATELY extension is defined in:
http://tools.ietf.org/html/draft-tuexen-tsvwg-sctp-sack-immediately-03.

And the latest kernel has added an I flag in DATA chunk to support this extension.
So let iptables/netfilter trace it.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_sctp.c
xtensions/libxt_sctp.man
11c2dd54b69e06ae3f35dea130ecba3df3859243 07-Jun-2010 Jan Engelhardt <jengelh@medozas.de> xtables: remove xtables_set_revision function

Since iptables uses its own copies of the header files anyway where the
revision field is exposed, there is no reach to access name[] beyond its
size.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
nclude/xtables.h.in
p6tables.c
ptables.c
tables.c
0cb675b8f18c4b074d4c69461638820708e98100 07-Jun-2010 Jan Engelhardt <jengelh@medozas.de> xtables: another try at chain name length checking

Since XT_EXTENSION_MAXNAMELEN is now available, make use of it
and clear the confusion.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
p6tables.c
ptables-restore.c
ptables.c
tables.c
491c1660fced08e2d1a08c101c63af04250275d0 07-Jun-2010 Jan Engelhardt <jengelh@medozas.de> includes: sync header files from Linux 2.6.35-rc1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/linux/kernel.h
nclude/linux/netfilter/x_tables.h
nclude/linux/netfilter/xt_CONNMARK.h
nclude/linux/netfilter/xt_MARK.h
nclude/linux/netfilter/xt_TEE.h
nclude/linux/netfilter/xt_connmark.h
nclude/linux/netfilter/xt_mark.h
nclude/linux/netfilter/xt_recent.h
nclude/linux/netfilter_ipv6.h
fdc19bea817086425c1ad2ad6a2b732eb610fb76 04-Jun-2010 Jan Engelhardt <jengelh@medozas.de> doc: xt_LED: nroff formatting requirements

Verbatim dashes need to be backslash-prefixed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_LED.man
7cd3c2edb1dba13867b80dd29b02d6c945fcd03f 04-Apr-2010 Adam Nielsen <a.nielsen@shikadi.net> extensions: add the LED target

For the xt_LED target introduced in Linux 2.6.31.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_LED.c
xtensions/libxt_LED.man
c5424b94a548cd549b2be1396ce35f82f2df18bf 04-Jun-2010 Jan Engelhardt <jengelh@medozas.de> doc: xt_hashlimit: fix a typo

References: http://bugzilla.netfilter.org/show_bug.cgi?id=646
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.man
2b253f4b2c321066b4301a5a8d47b37fc69e6f80 04-Jun-2010 Jan Engelhardt <jengelh@medozas.de> doc: xt_string: correct copy-and-pasting in manpage

References: http://bugzilla.netfilter.org/show_bug.cgi?id=653
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_string.man
132538f5c9f697702e6e08a11b796bdcaaba5fea 24-May-2010 Jan Engelhardt <jengelh@medozas.de> utils: add missing include flags to Makefile

Fixes this compile error:

CC nfnl_osf.o
nfnl_osf.c:48:36: fatal error: linux/netfilter/xt_osf.h: No such file or directory
compilation terminated.

References: http://marc.info/?l=netfilter&m=127449929621579&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tils/Makefile.am
8532c70fd182057b440b41f013d8021a95bd72b2 21-May-2010 Patrick McHardy <kaber@trash.net> Revert "Revert "Merge branch 'iptables-next'""

This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.

Revert the revert to restore the TEE target.
xtensions/libxt_TEE.c
xtensions/libxt_TEE.man
nclude/linux/netfilter/xt_TEE.h
63fc6258badea3f33cc0fc6b9ded6c94eaf53c4f 21-May-2010 Patrick McHardy <kaber@trash.net> Bump version to 1.4.8

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
110c1e4502e21ea38e0980e6f8af857d24330099 21-May-2010 Patrick McHardy <kaber@trash.net> Revert "Merge branch 'iptables-next'"

This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.

Forgot to commit the version increase.
xtensions/libxt_TEE.c
xtensions/libxt_TEE.man
nclude/linux/netfilter/xt_TEE.h
65414babaebcd403e9bf2c27d9d74adb369bf3aa 20-May-2010 Patrick McHardy <kaber@trash.net> Merge branch 'iptables-next'
7278461dfad72e2008585dd0bac0e889e5bba99e 20-May-2010 Dmitry V. Levin <ldv@altlinux.org> extensions: MASQUERADE: fix --to-ports parser

Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
such port range errors as "1a-2" and "1-2a".
Also, original parser erroneously denied using port 0,
which is now allowed.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_MASQUERADE.c
30290aea009cf3fd76f27336fb4370be3467c4da 20-May-2010 Patrick McHardy <kaber@trash.net> xtables: fix compilation when debugging is enabled

Reported by yang.xuhui@jfsys.com.

Signed-off-by: Patrick McHardy <kaber@trash.net>
tables.c
4a820b4c41de49482adce1a4e7424ca124b6b233 14-May-2010 Nick Kralevich <nnk@google.com> Get rid of warnings when compiled with -Wformat-security

Change-Id: I25730fd5beb8bc8674f73ebcdfccb129ffde3590
xtensions/libipt_owner.c
24bb07802df1608319f40f77c606d45c14d59231 14-May-2010 Dmitry V. Levin <ldv@altlinux.org> iptables: add noreturn attribute to exit_tryhelp()

Found by gcc -Wmissing-noreturn.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
p6tables.c
ptables.c
84d758b3bc3121a5603261699c474f64672ef9f6 14-May-2010 Dmitry V. Levin <ldv@altlinux.org> extensions: REDIRECT: fix --to-ports parser

Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
several types of port range errors, including:
"-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
Also, original parser erroneously denied using port 0,
which is now allowed.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_REDIRECT.c
d990c6d9a0bcb5e5469db35d392d587bf5753a51 13-May-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next
967cb7106f0f61cd7b8fbb10bc2451a3f7372a43 10-May-2010 Karl Hiramoto <karl@hiramoto.org> iptables: optionally disable largefile support

Many toolchains for embedded systems don't have largefile support:

usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
/build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token

Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
afbac0d462328d798f8612d3e793506c0a135a17 10-May-2010 Simon Lodal <simonl@parknet.dk> libxt_conntrack: document --ctstate UNTRACKED

Signed-off-by: Simon Lodal <simonl@parknet.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_conntrack.man
xtensions/libxt_state.man
bed2ba957d545b50c3eae6fb28fc0decadbc0dcb 09-May-2010 Pablo Neira Ayuso <pablo@netfilter.org> CT: fix --ctevents parsing

This patch fixes the following problem:

# iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
iptables v1.4.7: Unknown event type "assured"
Try `iptables -h' or 'iptables --help' for more information.

However, `assured' is one of the supported arguments for --ctevents.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_CT.c
ada4ff6155a02b0aed8400e46f34e72c91e36277 21-Apr-2010 Vincent Bernat <bernat@luffy.cx> iprange: fix xt_iprange v0 parsing

iprange_parse() was incomplete and did not include parsed ranges into
ipt_iprange_info structure resulting in always adding range
0.0.0.0-0.0.0.0 in the kernel.

Moreover, when using --dst-range, error messages may display
--src-range instead. Fix this too.

Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_iprange.c
9f27e6b6f8638bde93e9901e999287ad5118f17c 20-Apr-2010 Patrick McHardy <kaber@trash.net> libxt_CT: print conntrack zone in ->print/->save

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_CT.c
c303bb0594fae1c4fd1097b2ce0814c5ffd0edc7 19-Apr-2010 Jan Engelhardt <jengelh@medozas.de> extensions: add support for xt_TEE

xt_TEE is first included in Linux 2.6.35.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TEE.c
xtensions/libxt_TEE.man
nclude/linux/netfilter/xt_TEE.h
db6d027bb9626129617ea3a3f2fe4b87ab307bf6 27-Mar-2010 Jan Engelhardt <jengelh@medozas.de> libxt_osf: import nfnl_osf program

xt_osf is pretty useless without the actual fingerprint loader. Import
nfnl_osf-2009-06-07 and make it a part of the iptables distribution.

Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/libxt_osf.man
tils/.gitignore
tils/Makefile.am
tils/nfnl_osf.c
tils/pf.os
23e718b525f96b95510f50d20161c2bd92824ff1 27-Mar-2010 Jan Engelhardt <jengelh@medozas.de> doc: add manpage for libxt_osf

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_osf.c
xtensions/libxt_osf.man
204a253e63f8e0d270d51796a7db057135c3c609 17-Mar-2010 Jan Engelhardt <jengelh@medozas.de> libxt_recent: add a missing space in output

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_recent.c
937998088f9cf8518f8af57ff2d0b5500e247eb3 17-Mar-2010 Jan Engelhardt <jengelh@medozas.de> doc: remove claim that TCPMSS is limited to mangle

There was no real restriction, and in fact, the kernel module never
had such a limitation in the last years.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.man
c9be7f153f7bf112640057a0cb6108b686041029 16-Mar-2010 Jan Engelhardt <jengelh@medozas.de> doc: libxt_MARK: no longer restricted to mangle table

MARK used to be limited to the mangle table, but there was no real
restriction.

References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_MARK.man
21d1283750d9c4df7ca80165d2b9dc0b9bd214eb 16-Mar-2010 Jan Engelhardt <jengelh@medozas.de> iptables: correctly check for too-long chain/target/match names

* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
p6tables.c
ptables-restore.c
ptables.c
tables.c
89b6c32f88be47e83c3f6e7f8fee812088cb8c22 11-Mar-2010 Jan Engelhardt <jengelh@medozas.de> libxt_CT: add a manpage

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CT.c
xtensions/libxt_CT.man
3324ac52c80a6213b4bafa007f7b566a2f7ba071 11-Mar-2010 Jan Engelhardt <jengelh@medozas.de> libxt_comment: avoid use of IPv4-specific examples

Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.

References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_comment.man
278d26e1424418cff04742f4c5a841da05a0ab08 09-Mar-2010 Jean-Baptiste Queru <jbq@google.com> Add an empty CleanSpec.mk

Change-Id: I7c914a64eeae528cb5756c3372ac05cbf2ec3641
leanSpec.mk
9fdbaa71452edaac9d5906716c15937f670341fa 08-Mar-2010 Patrick McHardy <kaber@trash.net> extensions: add CT extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_CT.c
nclude/linux/netfilter/nf_conntrack_common.h
nclude/linux/netfilter/xt_CT.h
cf7e42ffbb624c27591f6d55606bdccd358c7785 01-Mar-2010 Patrick McHardy <kaber@trash.net> iptables 1.4.7

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
elease.sh
390755ded5e4e8b0dcfa97443a95268bfa03e952 18-Feb-2010 Dmitry V. Levin <ldv@altlinux.org> libip4tc: Add static qualifier to dump_entry()

Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ibiptc/libip4tc.c
fcf5723f415c81fcb2c93094cdcc39b35a316ff2 09-Feb-2010 Jan Engelhardt <jengelh@medozas.de> Lift restrictions on interface names

The kernel has few restrictions.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
tables.c
e89311d47d672b0372b5a96b1d67c334d27df783 05-Feb-2010 The Android Open Source Project <initial-contribution@android.com> am 013e402b: am 9bcf5f60: reconcile main tree with open-source eclair

Merge commit '013e402b01c84c2b75502c3e182205d1d687bcd0'

* commit '013e402b01c84c2b75502c3e182205d1d687bcd0':
android-2.1_r1 snapshot
013e402b01c84c2b75502c3e182205d1d687bcd0 05-Feb-2010 The Android Open Source Project <initial-contribution@android.com> am 9bcf5f60: reconcile main tree with open-source eclair

Merge commit '9bcf5f608f9c84fd747988ac19c4299c58d72b30' into eclair-plus-aosp

* commit '9bcf5f608f9c84fd747988ac19c4299c58d72b30':
android-2.1_r1 snapshot
9bcf5f608f9c84fd747988ac19c4299c58d72b30 05-Feb-2010 The Android Open Source Project <initial-contribution@android.com> reconcile main tree with open-source eclair
350661a6eb089f3e54e67e022db9e16ea280499f 31-Jan-2010 Jan Engelhardt <jengelh@medozas.de> includes: header updates

Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.

Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNMARK.c
xtensions/libxt_MARK.c
xtensions/libxt_TOS.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_iprange.c
xtensions/libxt_mark.c
xtensions/libxt_owner.c
xtensions/libxt_tos.c
xtensions/tos_values.c
nclude/linux/netfilter.h
nclude/linux/netfilter/nf_conntrack_common.h
nclude/linux/netfilter/x_tables.h
nclude/linux/netfilter/xt_CLASSIFY.h
nclude/linux/netfilter/xt_CONNMARK.h
nclude/linux/netfilter/xt_CONNSECMARK.h
nclude/linux/netfilter/xt_DSCP.h
nclude/linux/netfilter/xt_LED.h
nclude/linux/netfilter/xt_MARK.h
nclude/linux/netfilter/xt_NFLOG.h
nclude/linux/netfilter/xt_NFQUEUE.h
nclude/linux/netfilter/xt_RATEEST.h
nclude/linux/netfilter/xt_SECMARK.h
nclude/linux/netfilter/xt_TCPMSS.h
nclude/linux/netfilter/xt_connbytes.h
nclude/linux/netfilter/xt_connmark.h
nclude/linux/netfilter/xt_conntrack.h
nclude/linux/netfilter/xt_dccp.h
nclude/linux/netfilter/xt_dscp.h
nclude/linux/netfilter/xt_esp.h
nclude/linux/netfilter/xt_hashlimit.h
nclude/linux/netfilter/xt_iprange.h
nclude/linux/netfilter/xt_length.h
nclude/linux/netfilter/xt_limit.h
nclude/linux/netfilter/xt_mark.h
nclude/linux/netfilter/xt_multiport.h
nclude/linux/netfilter/xt_owner.h
nclude/linux/netfilter/xt_physdev.h
nclude/linux/netfilter/xt_policy.h
nclude/linux/netfilter/xt_quota.h
nclude/linux/netfilter/xt_rateest.h
nclude/linux/netfilter/xt_realm.h
nclude/linux/netfilter/xt_recent.h
nclude/linux/netfilter/xt_sctp.h
nclude/linux/netfilter/xt_state.h
nclude/linux/netfilter/xt_statistic.h
nclude/linux/netfilter/xt_string.h
nclude/linux/netfilter/xt_tcpmss.h
nclude/linux/netfilter/xt_tcpudp.h
nclude/linux/netfilter_ipv4.h
nclude/linux/netfilter_ipv4/ip_tables.h
nclude/linux/netfilter_ipv4/ipt_ECN.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/linux/netfilter_ipv4/ipt_TOS.h
nclude/linux/netfilter_ipv4/ipt_ah.h
nclude/linux/netfilter_ipv4/ipt_ecn.h
nclude/linux/netfilter_ipv4/ipt_iprange.h
nclude/linux/netfilter_ipv4/ipt_owner.h
nclude/linux/netfilter_ipv4/ipt_policy.h
nclude/linux/netfilter_ipv4/ipt_tos.h
nclude/linux/netfilter_ipv6.h
nclude/linux/netfilter_ipv6/ip6_tables.h
nclude/linux/netfilter_ipv6/ip6t_ah.h
nclude/linux/netfilter_ipv6/ip6t_frag.h
nclude/linux/netfilter_ipv6/ip6t_ipv6header.h
nclude/linux/netfilter_ipv6/ip6t_mh.h
nclude/linux/netfilter_ipv6/ip6t_opts.h
nclude/linux/netfilter_ipv6/ip6t_owner.h
nclude/linux/netfilter_ipv6/ip6t_policy.h
nclude/linux/netfilter_ipv6/ip6t_rt.h
nclude/linux/types.h
028ad9ec6d5c27c107c9a7a316617cbe366abb0f 31-Jan-2010 Jan Engelhardt <jengelh@medozas.de> policy: fix error message showing wrong option
xtensions/libxt_policy.c
15005ab74d61402bfe87d607efe25f592a6c1809 29-Jan-2010 The Android Open Source Project <initial-contribution@android.com> reconcile android-2.1_r1 snapshot
44dff302a0f9a1d9c437e5322b80cf334194c120 20-Jan-2010 San Mehat <san@google.com> iptables: Remove debug module tag

Signed-off-by: San Mehat <san@google.com>
ndroid.mk
cd46b143c32f2cf76ada7a9503243ba9e45bb163 19-Jan-2010 Jan Engelhardt <jengelh@medozas.de> doc: mention requirement of additional packages for ipset

References: https://bugzilla.novell.com/561177
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_SET.man
xtensions/libipt_set.man
2d8f775cc03638d53053b3a448ca505646441542 19-Jan-2010 Jan Engelhardt <jengelh@medozas.de> doc: fix limit manpage to reflect actual supported syntax

References: https://bugzilla.novell.com/561179
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_limit.man
27c8d2a55a40c4a6232a76924f524ca7368e4b36 19-Jan-2010 Jan Engelhardt <jengelh@medozas.de> doc: fix recent manpage to reflect actual supported syntax

References: https://bugzilla.novell.com/561180
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_recent.man
6ce22ff936611347f1154c8546c93f4781be199d 19-Jan-2010 Jan Engelhardt <jengelh@medozas.de> recent: reorder cases in code (cosmetic cleanup)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_recent.c
bcade483c8bd69b396ed20e98ccf33b1a30fe9b2 13-Jan-2010 The Android Open Source Project <initial-contribution@android.com> android-2.1_r1 snapshot
00294095405560855d0815a5c39e948d67bf798d 28-Dec-2009 Jan Engelhardt <jengelh@medozas.de> libipq: build as shared library

Antique software (see link) built as shared library requires objects
compiled with -fPIC, so the standard archive won't do.

References: http://bugs.debian.org/527733
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibipq/Makefile.am
88bdf3cd2fbfad5ef24736ff7b14bea01a39c3ff 09-Dec-2009 Patrick McHardy <kaber@trash.net> Bump version to v1.4.6

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
b1f40e1d31b900f90fd5641a483788ed9cb91c64 24-Nov-2009 Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://dev.medozas.de/iptables
f294f843473718f8d32745600b9a97c0b799e7c5 20-Nov-2009 Patrick McHardy <kaber@trash.net> conntrack: fix --expires parsing

Using ranges in --ctexpire results in a parsing error:

conntrack: Bad value for "--expires" option: "1:1000"

The first value is parsed twice, after which the end pointer doesn't
point to the expected '\0' but to the colon.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_conntrack.c
1bd2f0a20596e47c082c2415369a209ed1b329f6 18-Nov-2009 Jan Engelhardt <jengelh@medozas.de> doc: name resolution clarification

Sometimes there are users who wonder about when name resolutions/DNS
queries are done, so let's add that for completeness.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.8.in
ptables.8.in
7573631fa9f6f15b28a13cc5d22f2a446f69fd64 17-Nov-2009 Jan Engelhardt <jengelh@medozas.de> doc: explain experienced --hitcount limit

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_recent.man
9bbd6a1466e38dc6d72eed74166562e3ed88f449 15-Nov-2009 Jean-Baptiste Queru <jbq@google.com> merge from open-source master
949f4b9272b82e164dbee928c26927f66d6c0dc2 15-Nov-2009 Jean-Baptiste Queru <jbq@google.com> merge from open-source master

Merge commit 'goog/stage-korg-master' into HEAD
3d0891a9e0276cef5d70e391fb86a7ec5fe48ecf 15-Nov-2009 Jean-Baptiste Queru <jbq@google.com> merge from eclair
75cb763b54a89bf9b9c61740c760abce89df06f3 15-Nov-2009 Jan Engelhardt <jengelh@medozas.de> iptables: take masks into consideration for replace command

The two commands:

-A OUTPUT -d 10.11.12.13/32 -j LOG
-R OUTPUT 1 -j LOG -d 10.11.12.13

will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
(No regression, this problem was there forever.)

Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
94684f5b6b11ee4dcfa3ac71f263a4aa94cb66dd 13-Nov-2009 Jean-Baptiste Queru <jbq@google.com> eclair snapshot
xtensions/create_initext
588b615bc78ddef3752f356d1e243129c4dbba96 12-Nov-2009 Patrick McHardy <kaber@trash.net> extensions: add osf extension

From Evgeniy Polyakov <zbr@ioremap.net>

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_osf.c
nclude/linux/netfilter/xt_osf.h
596c69007acb569843391e4c98dc21d6f2336e7b 06-Nov-2009 Patrick McHardy <kaber@trash.net> DNAT: fix incorrect check during parsing

Specifying --random before --to-dest results in:

Multiple --to-destination not supported

Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_DNAT.c
5fdf032a02b671bc1a18cec0e803c17c64175ab1 04-Nov-2009 Jan Engelhardt <jengelh@medozas.de> CONNMARK: print mark rules with mask 0xffffffff as set instead of xset

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNMARK.c
3d915e1ac610bce44250b4aea556f4726387388d 04-Nov-2009 Patrick McHardy <kaber@trash.net> MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_MARK.c
bbe83862a5e1baf15f7c923352d4afdf59bc70e2 24-Oct-2009 Jan Engelhardt <jengelh@medozas.de> iptables/extensions: make bundled options work again

When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which is properly offset to "tcp".

Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_SET.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_icmp.c
xtensions/libipt_realm.c
xtensions/libipt_set.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connlimit.c
xtensions/libxt_conntrack.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mac.c
xtensions/libxt_multiport.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_rateest.c
xtensions/libxt_sctp.c
xtensions/libxt_state.c
xtensions/libxt_string.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_u32.c
xtensions/libxt_udp.c
p6tables.c
ptables.c
bf97128c7262f17a02fec41cdae75b472ba77f88 03-Nov-2009 Jan Engelhardt <jengelh@medozas.de> libxtables: hand argv to xtables_check_inverse

In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
xtensions/libip6t_HL.c
xtensions/libip6t_LOG.c
xtensions/libip6t_REJECT.c
xtensions/libip6t_ah.c
xtensions/libip6t_dst.c
xtensions/libip6t_frag.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hl.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libip6t_rt.c
xtensions/libipt_DNAT.c
xtensions/libipt_LOG.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_REJECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SET.c
xtensions/libipt_SNAT.c
xtensions/libipt_TTL.c
xtensions/libipt_ULOG.c
xtensions/libipt_addrtype.c
xtensions/libipt_ah.c
xtensions/libipt_ecn.c
xtensions/libipt_icmp.c
xtensions/libipt_realm.c
xtensions/libipt_set.c
xtensions/libipt_ttl.c
xtensions/libxt_NFLOG.c
xtensions/libxt_cluster.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_iprange.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mac.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_policy.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_recent.c
xtensions/libxt_sctp.c
xtensions/libxt_state.c
xtensions/libxt_string.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_udp.c
nclude/xtables.h.in
p6tables.c
ptables.c
tables.c
2be22fb36dd1268baecb42ddf35b7a40a6de21d7 24-Oct-2009 Jan Engelhardt <jengelh@medozas.de> style: reduce indent in xtables_check_inverse

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
4f0d7b660e0ae8f678142fd2a1722b27ad472169 27-Oct-2009 Jan Engelhardt <jengelh@medozas.de> iptables: fix undersized deletion mask creation

The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.

This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)

*nat
-F
-X
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
-A POSTROUTING -p udp -j CONNMARK --set-mark 0
-D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
COMMIT

References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4 26-Oct-2009 Jan Engelhardt <jengelh@medozas.de> libiptc: fix wrong maptype of base chain counters on restore

When a ruleset that does not reset any chain policies/counters, such as

*filter
COMMIT

is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling every time iptables-restore is called.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libiptc.c
58df90174164fd673e8c4103f7ce0c4e55ef1aec 20-Sep-2009 Olaf Rempel <razzor@kopf-tisch.de> build: restore --disable-ipv6 functionality on system w/o v6 headers

Commit 332e4acc (iptables: accept multiple IP address specifications
for -s, d) broke the --disable-ipv6 configure option.

> ./.libs/libxtables.so: undefined reference to `in6addr_any'

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
467060c1543d25638186c085fc60e492182ca028 29-Oct-2009 Jan Engelhardt <jengelh@medozas.de> iprange: warn on reverse range (log)

Reverse ranges like B-A cause packets to be generally never matched,
as an address S does not match >=B && <=A (except for the border case
where S=A=B).

The kernel module itself does not check for reverse ranges, and it
seems nicer to check that in userspace anyway.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f8ff2d12707a5d4215731a1ed90780e62ad8263e 25-Oct-2009 Jan Engelhardt <jengelh@medozas.de> iprange: do accept non-ranges for xt_iprange v1 (log)

Details for commit v1.4.5-11-ga10a12a:

"When upgraded to new lenny kernel from 2.6.24 from etch'n'half
iprange now does not allow to use single ip-address as its argument:

# iptables -A FORWARD -m iprange --src-range 192.168.0.0"

References: http://bugs.debian.org/547139

What we have here is that the user is now using iprange v1 from
previously v0.
Add recognition for single addresses to v1.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
7fa7329fc972513021131416dbd9d535141bd2ea 18-Sep-2009 Jan Engelhardt <jengelh@medozas.de> iprange: roll address parsing into a loop
xtensions/libxt_iprange.c
648a7bafa7acc33d986f113275a20199a6ad2aaa 18-Sep-2009 Jan Engelhardt <jengelh@medozas.de> iprange: warn on reverse range
xtensions/libxt_iprange.c
a10a12afee2083d240a304ceac7f3d9902a6f60a 18-Sep-2009 Jan Engelhardt <jengelh@medozas.de> iprange: do accept non-ranges for xt_iprange v1

[fill in details]
xtensions/libxt_iprange.c
51651b64fffc58d4f58d005fa7dc0d9669147c57 23-Oct-2009 Jan Engelhardt <jengelh@medozas.de> libiptc: avoid strict-aliasing warnings

In file included from libiptc/libip4tc.c:117:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘iptc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip4tc.c: In function ‘dump_entry’:
libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:112:0:
libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libiptc.c: In function ‘ip6tc_get_target’:
libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break
strict-aliasing rules
libiptc/libip6tc.c: In function ‘dump_entry’:
libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break
strict-aliasing rules

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
a9c79c7ba494b39bad959a0c833e58a343686272 23-Oct-2009 Jan Engelhardt <jengelh@medozas.de> libiptc: remove unused functions

Fix the two warnings in libiptc.c:

CC libiptc/libip4tc.lo
libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
CC libiptc/libip6tc.lo
libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ibiptc/libiptc.c
4a0fbe37a9879ade6a6bf99ab105316284eb4102 24-Oct-2009 Jan Engelhardt <jengelh@medozas.de> realm: remove static initializations

Save a little disk space, they are initialized to zero anyway.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_realm.c
22bdd6966f2c3ccded984a37ba0b97470bcf9323 16-Oct-2009 Tim Small <tim@buttersideup.com> doc: update TCPMSS manpage with Linux 2.6.25 changes

References: http://bugs.debian.org/551272

[j.eng: modified --set-mss option description to be understandable]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.man
94aa2ea67d7b8a669e8541f094661a1dc89722a3 11-Oct-2009 Jan Engelhardt <vapier@gentoo.org> Support for nommu arches

Linux systems that lack a MMU cannot call fork(). Fortunately, the
only place in iptables that uses fork() follows it by an exec(), so
we can easily convert the code to vfork().

References: http://bugzilla.netfilter.org/show_bug.cgi?id=614

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
7b041d47428cdbc3da522d8194c2568ef5db0e5d 21-Oct-2009 sobtwmxt <sobtwmxt@sdf.lonestar.org> doc: fix typo in length manpage

References: http://bugs.debian.org/551867
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_length.man
bc57906530df924324efef494a4fcff65d25e4ce 05-Oct-2009 Jan Engelhardt <jengelh@medozas.de> doc: mention maximum mark size in manpages
xtensions/libxt_CONNMARK.man
xtensions/libxt_MARK.man
xtensions/libxt_SECMARK.man
2463f7dcee97efe7dfc4b2e1f6a3c552f23a8d8c 14-Sep-2009 Patrick McHardy <kaber@trash.net> Merge branch 'zero' of git://dev.medozas.de/iptables
f93a0cea9ddb988f28c4996c7b96ef65f05f1d30 14-Sep-2009 Patrick McHardy <kaber@trash.net> Bump version number to 1.4.5

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
elease.sh
cdff3088dbab62bba0ab1d4311263a032e4bde14 24-Aug-2009 Patrick McHardy <kaber@trash.net> man: fix incorrect plural in libipt_set.man

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_set.man
fe086ba83d17dfe5dec57da413fac4bc8110f0bb 19-Aug-2009 Jan Engelhardt <jengelh@medozas.de> iptables: manpage updates for augmented -Z syntax

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.8.in
ptables.8.in
b34199ee303d98ba00ed5ee19d4d5b19dd4cf563 19-Aug-2009 Mohit Mehta <mohit.mehta@vyatta.com> iptables: expose option to zero packet/byte counters for a specific rule

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
352ccfb847dfd290a7b761cd87445a48e551acb5 20-Aug-2009 Jan Engelhardt <jengelh@medozas.de> manpages: more fixes to minuses, hyphens, dashes

Debian still carries patches to the iptables nroff code touching
ASCII minuses, so I thought, what's it this time.

Eventually, this patch tries to straighten things once more, per
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .

Titles will get the em dash; all typed commands or parameters with a
hyphen get a minus (so that man(1) hyperlinking and copy-pasting does
work), but other mentions get the hyphen.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_NFLOG.man
xtensions/libxt_connbytes.man
p6tables-restore.8
p6tables-save.8
p6tables.8.in
ptables-restore.8
ptables-save.8
ptables-xml.8
ptables.8.in
ibipq/ipq_create_handle.3
ibipq/ipq_errstr.3
ibipq/ipq_message_type.3
ibipq/ipq_read.3
ibipq/ipq_set_mode.3
ibipq/ipq_set_verdict.3
ibipq/libipq.3
cfb048f5b5778a57144b00866cd0734e9617a4ea 20-Aug-2009 Laurence J. Lane <ljlane@debian.org> manpage: fix lintian warnings

Description: extraneous slash caused this lintian warning:
W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz
220: cannot use newline as a starting delimiter
W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz
1823: warning: `precedence'' not defined

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_TOS.man
ptables.8.in
4a682aa233ea02b342a9cc827d25e4c6c11dd349 20-Aug-2009 Trent W. Buck <trentbuck@gmail.com> ipt_set: fix a typo in the manpage

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_set.man
4282d89a798adcf50973a22c5a17563b5e9421cb 20-Aug-2009 Florian Westphal <fwestphal@astaro.com> libxt_NFQUEUE: add new v1 version with queue-balance option

New version that adds support for specifying a queue range instead
of a single queue id.
The kernel will distribute flows across the given queue range.

This is useful for multicore systems, simply start multiple instances
of the userspace program on queues x, x+1, .. x+n and use
"--queue-balance x:x+n".
Packets belonging to the same connection are put into the same queue.

With fixes from Jan Engelhardt.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libxt_NFQUEUE.c
xtensions/libxt_NFQUEUE.man
nclude/linux/netfilter/xt_NFQUEUE.h
8e4dacaed17701cb1891b962bb856e0e8cfbb5c8 05-Aug-2009 Jan Engelhardt <jengelh@medozas.de> Merge branch 'stable'

Conflicts:
extensions/libxt_conntrack.c

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
4de57f410efa6af852aa2b493b586de65529399f 26-Jul-2009 Jean-Baptiste Queru <jbq@google.com> reconcile korg/master into goog/master
ad71ae7b56c78b9ee4fa41cbb5196e250c27d53c 26-Jul-2009 Jean-Baptiste Queru <jbq@google.com> Merge korg/donut into korg/master
80fcb7b40823fed288e253c4a798eb4ee405102c 25-Jul-2009 Jan Engelhardt <jengelh@medozas.de> build: build only iptables-multi

I see no pressing reason to install all single programs when the
multi binary can do the job. Within the build directory, developers
can run the components by means of, for example,

./ip6tables-multi {main|restore|save} ...

And when make install-ed, symlinks are available.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
b79ec69027fd8b65e7eccd78a445b6665e8ad53b 23-Jul-2009 Jan Engelhardt <jengelh@medozas.de> build: combine iptables-multi and iptables-static

Changed the Makefile so that:

1. --enable-shared / --disable-shared control the linkage against
libdl (and thus the potential to use 3rd party extensions)

2. --enable-static / --disable-static controls whether shipped
extensions are built-in or provided as modules

iptables-static becomes redundant by this action; iptables-multi now
has the feature.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
NSTALL
akefile.am
xtensions/GNUmakefile.in
nclude/xtables.h.in
p6tables-restore.c
p6tables-save.c
p6tables-standalone.c
ptables-restore.c
ptables-save.c
ptables-standalone.c
4186f8aa0b113ea1a52aa90292ff89b96bed9c39 23-Jul-2009 Jan Engelhardt <jengelh@medozas.de> build: fix struct size mismatch

Mixing code compiled with and without -DNO_SHARED_LIBS is fine as
long as the structs have the same layout. This patch prevents a
potential (currently non-triggerable) "ip6tables: target (null)<123>
is missing a version" error.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
de054f7709b20c97d3e1f16465d5617d9e7683d5 25-Jul-2009 Jan Engelhardt <jengelh@medozas.de> multi binary: allow subcommand via argv[1]

libtool does not play well with symlinks when trying to run commands
in the build directory. So provide an alternate way to call
iptables-multi: when argv[0] is not a recognized name, inspect [1]
for an alternate identifier.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-multi.c
ptables-multi.c
bb5c136dd49e04ce28b2479200f32ea8f92c1b70 23-Jul-2009 Jan Engelhardt <jengelh@medozas.de> build: order of dependent libs is sensitive

libiptc.la must come after its components or `make install` won't get
things right.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
add2457a23b9894905b498b13c8328f9cffcaada 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> COMMIT_NOTES: notice to check for soversion bumps

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
OMMIT_NOTES
c284de545d03aad9a04a4e17cfb55d911a96810c 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> xtables: warn of missing version identifier in extensions

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
f2a77520693f0a6dd1df1f87be4b81913961c1f5 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> extensions: collapse data variables to use multi-reg calls

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_addrtype.c
xtensions/libxt_CONNMARK.c
xtensions/libxt_MARK.c
xtensions/libxt_TOS.c
xtensions/libxt_connlimit.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_hashlimit.c
xtensions/libxt_iprange.c
xtensions/libxt_mark.c
xtensions/libxt_multiport.c
xtensions/libxt_owner.c
xtensions/libxt_policy.c
xtensions/libxt_string.c
xtensions/libxt_tos.c
9a8fc4f89ef120d7beda3724994a1544346b947d 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> xtables: add multi-registration functions

Similar to the ones that are present in the kernel.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
tables.c
7d68df47fad305673958351a4e2a5c6e75927caa 12-Jun-2009 Jan Engelhardt <jengelh@medozas.de> extensions: remove empty help and parse functions

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_eui64.c
xtensions/libipt_MIRROR.c
xtensions/libipt_unclean.c
xtensions/libxt_NOTRACK.c
xtensions/libxt_TRACE.c
xtensions/libxt_socket.c
xtensions/libxt_standard.c
f89c1716a7743ca6e2e6164d3b64c15b2e285e1e 12-Jun-2009 Jan Engelhardt <jengelh@medozas.de> iptables: allow for help-less extensions

This is for extensions that do not take any options, and which
subsequently do not offer any help text either.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
p6tables.c
ptables.c
shared.c
shared.h
92edcb0cf517ddb7976e396eabc7a79f8a1016ba 12-Jun-2009 Jan Engelhardt <jengelh@medozas.de> iptables: allow for parse-less extensions

This means we can do some code removal in extensions.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
c5e85736c207f211d82d2878a5781f512327dfce 12-Jun-2009 Jan Engelhardt <jengelh@medozas.de> extensions: collapse registration structures

There are no different code paths between IPV4 and IPV6, so
data can be consolidated here.

text data bss dec hex filename
243757 12212 2576 258545 3f1f1 ip6tables-static[before.i586]
243613 9428 2576 255617 3e681 ip6tables-static[after.i586]
-144 -2784

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CONNMARK.c
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_DSCP.c
xtensions/libxt_MARK.c
xtensions/libxt_NFLOG.c
xtensions/libxt_NFQUEUE.c
xtensions/libxt_NOTRACK.c
xtensions/libxt_TCPOPTSTRIP.c
xtensions/libxt_TOS.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connmark.c
xtensions/libxt_dccp.c
xtensions/libxt_dscp.c
xtensions/libxt_esp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_mac.c
xtensions/libxt_owner.c
xtensions/libxt_physdev.c
xtensions/libxt_recent.c
xtensions/libxt_sctp.c
xtensions/libxt_state.c
xtensions/libxt_tcp.c
xtensions/libxt_tcpmss.c
xtensions/libxt_tos.c
xtensions/libxt_udp.c
cc4344042e8c0bb6eef877975588321aa152660d 01-Jun-2009 Jan Engelhardt <jengelh@medozas.de> libiptc: split v4 and v6

The split can save some diskspace for constrained systems
which are only running one protocol.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
332e4acc574e3a348fe611d55bf642de0d50fbda 09-Apr-2009 Michael Granzow <mgranzow@zeus.com> iptables: accept multiple IP address specifications for -s, -d

libiptc already supports adding and deleting multiple rules with
different addresses, so it only needs to be wired up to the options.

# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP

References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

Adjustments made: syntax, removal of unneeded variables, manpage
adjustment, soversion bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
nclude/xtables.h.in
p6tables.8.in
p6tables.c
ptables.8.in
ptables.c
tables.c
efebafa0021f36f4547b7fcc47620274f333e001 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> libxt_helper: fix invalid passed option to check_inverse

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_helper.c
b97b42147ea65d7d24d70a2ffe925dbf091f26bc 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> xt_conntrack: revision 2 for enlarged state_mask member

This complements the xt_conntrack revision 2 code added to the kernel.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
nclude/linux/netfilter/xt_conntrack.h
f9bf812aed50949db584cdf93752193c802fefcb 16-Jun-2009 Patrick McHardy <kaber@trash.net> Bump version

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
4ada8440f43e8335c96706b749f606b527c8a038 11-Jun-2009 Patrick McHardy <kaber@trash.net> Merge branch 'stable' of git://dev.medozas.de/iptables
2d280014e281b520280b1a11662aea0da2ffc59c 11-Jun-2009 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Updated set/SET match and target to support multiple ipset protocols.

By checking the protocol version of the kernel part, the sockopt type
of ipset protocols are all supported. Forward compatibility with the
netlink based protocol is missing.

The --set option of the set match is replaced by --match-set to avoid
clashing with the recent match, but the old option is also kept.

Manpages are updated, references to bindings removed.
xtensions/libipt_SET.c
xtensions/libipt_SET.man
xtensions/libipt_set.c
xtensions/libipt_set.h
xtensions/libipt_set.man
18c475d7040abc6d3094ee0348904deafe997508 10-Jun-2009 Jan Engelhardt <jengelh@medozas.de> manpages: markup corrections

The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are a
freeform, automatically-wrapped text.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_TCPMSS.man
xtensions/libxt_TPROXY.man
xtensions/libxt_cluster.man
xtensions/libxt_connlimit.man
xtensions/libxt_recent.man
f1afcc896e7f8be3a6419681fd8cdee1d600a3aa 10-Jun-2009 Jan Engelhardt <jengelh@medozas.de> iptables: close open file descriptors

Just for correctness, close some file descriptors that were opened.
(E.g. ip6tables-save reading from procfs files.)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-restore.c
p6tables-save.c
ptables-restore.c
ptables-save.c
ptables-xml.c
a3726818e07d47136010f09762637a3e597329e3 07-Jun-2009 kd6lvw <kd6lvw@yahoo.com> libxt_connlimit: initialize v6_mask

When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connlimit.c
ae737f0070c9aaccb722ba342b12043fb124d9e2 06-Jun-2009 Ian Bruce <ian_bruce@fastmail.net> libxt_tcp: manpage corrections and suggestions

From: Ian Bruce <ian_bruce@fastmail.net>

The commit corrects some minor errors in the iptables(8) man page,
related to port ranges in the "tcp" module.

Reference: http://bugs.debian.org/531677
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tcp.man
156f58692bbe9e509b32670f93582bead785c926 21-May-2009 Frank Tobin <ftobin+netfilter@neverending.org> libxt_tcp: fix a manpage syntax typo

Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tcp.man
ecd48dd6ba534deea7fd4d0ce20c7b5c00f4128f 08-Jun-2009 Jan Engelhardt <jengelh@medozas.de> extensions: remove redundant casts

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_realm.c
xtensions/libxt_multiport.c
6d7d91e86729e3b2bcca6821409e8d78e83430e7 08-Jun-2009 Jan Engelhardt <jengelh@medozas.de> DNAT/SNAT: add manpage documentation for --persistent flag

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_DNAT.man
xtensions/libipt_SAME.man
xtensions/libipt_SNAT.man
42979363f3958b4436c6d2503753c182c58e55ea 01-Jun-2009 Jan Engelhardt <jengelh@medozas.de> extensions: use NFPROTO_UNSPEC for .family field

This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CLASSIFY.c
xtensions/libxt_MARK.c
xtensions/libxt_RATEEST.c
xtensions/libxt_SECMARK.c
xtensions/libxt_TRACE.c
xtensions/libxt_cluster.c
xtensions/libxt_length.c
xtensions/libxt_limit.c
xtensions/libxt_mark.c
xtensions/libxt_pkttype.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_standard.c
xtensions/libxt_statistic.c
xtensions/libxt_string.c
xtensions/libxt_time.c
xtensions/libxt_u32.c
cdcfd887b0dcb3c5cff3c2ae49fc34d0cbac5c44 01-Jun-2009 Jan Engelhardt <jengelh@medozas.de> build: fix manpage collection

Florian Westphal points out that v1.4.3.2-9-gc304d77 greps for the
keyword in the wrong file, and that files with NFPROTO_UNSPEC are
skipped.

This patch corrects that part, and makes `make` now output the
manpages it collected.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
67cf1a928952f1d1ca32f529d78036cebc1b8800 01-Jun-2009 Jan Engelhardt <jengelh@medozas.de> policy: merge ipv6 and ipv4 variant

The files duplicate most of their code, and struct ipt_policy_info
being defined to xt_policy_info makes them actually have even more in
common.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_policy.c
xtensions/libipt_policy.c
xtensions/libxt_policy.c
cd30054544021bad206efb6b98df640528e1cba1 31-May-2009 Jan Engelhardt <jengelh@medozas.de> policy: use direct xt_policy_info instead of ipt/ip6t

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_policy.c
xtensions/libipt_policy.c
9d08310f7611b044ad40f4b1c240d9012fbe050f 31-May-2009 Jan Engelhardt <jengelh@medozas.de> libip6t_policy: remove redundant functions

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_policy.c
537ac62eb7dadbcad1c8d8671b1d8dc55b85d49f 27-May-2009 Iliyan Malchev <malchev@google.com> am fb7e6872: remove *.orig files left over from a merge

Merge commit 'fb7e687240030cec7de1060ea9fe14b2d07e84f8'

* commit 'fb7e687240030cec7de1060ea9fe14b2d07e84f8':
remove *.orig files left over from a merge
c304d776e9bf546829c90d0cbaeae6a3a79ef9db 26-May-2009 Jan Engelhardt <jengelh@medozas.de> manpages: do not include v4-only modules in ip6tables manpage

References: http://bugs.debian.org/529954
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/GNUmakefile.in
74670b185f8f92c499e1a67139405524da32fc66 13-May-2009 Jan Engelhardt <jengelh@medozas.de> addrtype: fix one manpage type

References: http://bugs.debian.org/528457
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libipt_addrtype.man
2c69b55e55f2efc5a334b87ccdceaa9de0ecb658 30-Apr-2009 Jan Engelhardt <jengelh@medozas.de> iptables: replace open-coded sizeof by ARRAY_SIZE

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/dscp_helper.c
xtensions/libip6t_LOG.c
xtensions/libip6t_REJECT.c
xtensions/libip6t_icmp6.c
xtensions/libip6t_ipv6header.c
xtensions/libip6t_mh.c
xtensions/libipt_LOG.c
xtensions/libipt_REJECT.c
xtensions/libipt_icmp.c
xtensions/libxt_dccp.c
xtensions/libxt_hashlimit.c
xtensions/libxt_limit.c
xtensions/libxt_pkttype.c
xtensions/libxt_sctp.c
xtensions/libxt_tcp.c
p6tables-restore.c
ptables-restore.c
ptables-xml.c
69f564e3890976461de0016cd81171ff8bfa8353 26-May-2009 Jan Engelhardt <jengelh@medozas.de> extensions: add const qualifiers in print/save functions

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libip6t_hl.c
xtensions/libipt_DNAT.c
xtensions/libipt_MASQUERADE.c
xtensions/libipt_NETMAP.c
xtensions/libipt_REDIRECT.c
xtensions/libipt_SAME.c
xtensions/libipt_SET.c
xtensions/libipt_SNAT.c
xtensions/libipt_realm.c
xtensions/libipt_set.c
xtensions/libxt_CONNSECMARK.c
xtensions/libxt_RATEEST.c
xtensions/libxt_SECMARK.c
xtensions/libxt_comment.c
xtensions/libxt_connbytes.c
xtensions/libxt_connmark.c
xtensions/libxt_conntrack.c
xtensions/libxt_hashlimit.c
xtensions/libxt_helper.c
xtensions/libxt_limit.c
xtensions/libxt_mark.c
xtensions/libxt_physdev.c
xtensions/libxt_pkttype.c
xtensions/libxt_quota.c
xtensions/libxt_rateest.c
xtensions/libxt_state.c
xtensions/libxt_statistic.c
xtensions/libxt_time.c
771871e1d9c39310cb6e2c595270d2e651309e6d 22-May-2009 Jan Engelhardt <jengelh@medozas.de> xtables: use extern "C"

This fixes linking errors for 3rd-party C++ code.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
nclude/xtables.h.in
c65b5f2c7dcbd7ca5bd7759ab5180bd4e898e90a 25-May-2009 Jan Engelhardt <jengelh@medozas.de> Add new COMMIT_NOTES document

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
OMMIT_NOTES
e55cc4aaa6e35448c14370e5261c3387d26b257d 12-May-2009 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix segfault if incorrect protocol name is used

This patch fixes a segfault that can be triggered if you use an
incorrect protocol, e.g.

# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
Segmentation fault

With this patch:

# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
iptables v1.4.3.2: unknown protocol `lala' specified
Try `iptables -h' or 'iptables --help' for more information

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tables.c
cd958a6c92c84095a439780b53832bb3aae2d512 06-May-2009 Pablo Neira Ayuso <pablo@netfilter.org> extensions: add `cluster' match support

This patch adds support for the cluster match to iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtensions/libxt_cluster.c
xtensions/libxt_cluster.man
nclude/linux/netfilter/xt_cluster.h
fb7e687240030cec7de1060ea9fe14b2d07e84f8 28-Apr-2009 Iliyan Malchev <malchev@google.com> remove *.orig files left over from a merge

Signed-off-by: Iliyan Malchev <malchev@google.com>
akefile.orig
xtensions/Makefile.orig
ibipq/Makefile.orig
ibiptc/Makefile.orig
50dba603bf4602267fce81feb3d91f513a4d03b0 23-Apr-2009 Jean-Baptiste Queru <jbq@google.com> Merge donut into master
467fa9fe70f08342a50b859ddd431c848a956679 17-Apr-2009 Patrick McHardy <kaber@trash.net> SNAT/DNAT: add support for persistent multi-range NAT mappings

Add support for persistent mappings (2.6.29-rc2+) as replacement for the
removed SAME target.

Signed-off-by: Patrick McHardy <kaber@trash.net>
xtensions/libipt_DNAT.c
xtensions/libipt_SNAT.c
nclude/net/netfilter/nf_nat.h
b5508d20e6d1bea01d398b74103ee85630b05f58 06-Apr-2009 Pablo Neira Ayuso <pablo@netfilter.org> build: bump version to 1.4.3.2

This patch bumps iptables version to 1.4.3.2

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
093d5fc9d1826b8f0ccfbb3160c98a3c844d0273 05-Apr-2009 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack: properly output negation symbol

Because the wrong flag was checked, the "!" was either wrongly
printed, or not printed at all.
This was broken since v1.4.0-29-ga8ad34c.

Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_conntrack.c
c9ccba543b52cb443f110670420967ac6a41c302 04-Apr-2009 Jan Engelhardt <jengelh@medozas.de> CLASSIFY: document non-standard interpretation behavior

Most other extensions use strtoul (by means of xtables_strtoui)
and would abide by the standard convention of hex/octal prefixes
0x/0, and decimal otherwise, but CLASSIFY is an exception.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_CLASSIFY.c
xtensions/libxt_CLASSIFY.man
ea6f406fa77aa7b4fc52ccc9b572ae96196e570d 04-Apr-2009 Jan Engelhardt <jengelh@medozas.de> Merge branch 'plus'
517de3d32e3eb261cfa7fce33751f9e37bae7112 04-Apr-2009 Jan Engelhardt <jengelh@medozas.de> Merge commit 'v1.4.3'

Connect history to the tag.
b1d968c30dde563c2738fdacb723c18232fb5ccb 04-Apr-2009 Jan Engelhardt <jengelh@medozas.de> iptables: print negation extrapositioned

This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.

Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables.c
ptables.c
9c0fa7d8c84dc2478bd36d31b328b697fbe4d0af 03-Apr-2009 Jan Engelhardt <jengelh@medozas.de> libxtables: provide IPv6 zero address variable

µClibc may not provide the in6addr_any variable when IPv6 is
disabled. So just provide it ourselves.

Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
a094eb0f2a57592b6f3cf42fdbb9d49fead2d57c 03-Apr-2009 Jan Engelhardt <jengelh@medozas.de> build: add configure option to disable ipv4 iptables

This patch complements the previous one.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/GNUmakefile.in
8e58613df53f5f83e8ab92dec61d8065c68d967d 03-Apr-2009 Jan Engelhardt <jengelh@medozas.de> build: add configure option to disable ip6tables

This also skips building the IPv6 extensions. It does not #ifdef out
all code however, I think that would make it too ugly.

Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
onfigure.ac
xtensions/GNUmakefile.in
c7f70f1b16ac9395bb13d1832b5c83b09594224f 30-Mar-2009 Jan Engelhardt <jengelh@medozas.de> build: do not run ldconfig for DESTDIR installations

Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
c4edfa63eda06f02cc5bc1a65d366c55bd2eda30 30-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxtables: reorder .version member

When the structure's layout changes, as it did between v1.4.1 and
v1.4.2, trying to compare the version string makes iptables segfault
while it tries to determine whether the module is compatible in the
first place.

By moving the member to a known offset in the struct and keeping it
there, objects (both iptables and 3rd party) compiled from this
commit onwards will avoid the segfault.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
onfigure.ac
nclude/xtables.h.in
fb4bb1bb0f8b76e0259184c6bc2c81ceb79268b3 09-Nov-2008 Alexey Tarasov <tarasov@dodologics.com> Changed /bin/bash to /bin/sh, cause extended features of bash are not used
This allows script to be executed on FreeBSD correctly from makefiles during building
process.
xtensions/create_initext
ad69a7d6b553e42efcf3dce315910a1fbbcc9b41 29-Mar-2009 The Android Open Source Project <initial-contribution@android.com> Merge branch 'open_source_contributions_cherry_picked' into google_internal
cdf51d0183213c4bcac9ef4818155c1d3fbb897e 24-Mar-2009 Jan Engelhardt <jengelh@medozas.de> iptables-multi: support "iptables-static" as a callable name

iptables multi-purpose version: unknown applet name iptables-static

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-multi.c
ptables-multi.c
ed7925b77010dd17531ea0424b49d2b72af4add9 24-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxt_tcpmss: fix an inversion while parsing --mss

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_tcpmss.c
6e70f46f2a146bb7c657f71724c999147a5925dc 24-Mar-2009 Pablo Neira Ayuso <pablo@netfilter.org> iptables: refer to dmesg if we hit EINVAL

With this patch, iptables refers to dmesg for further
troubleshooting if we hit EINVAL.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
p6tables-standalone.c
ptables-standalone.c
ca6ccdb172b1846152dea421c215122759b84d29 24-Mar-2009 Pablo Neira Ayuso <pablo@netfilter.org> build: bump version to 1.4.3.1

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
onfigure.ac
1288bf7e5c39af3ca690a12f419dde507c5a556d 24-Mar-2009 Peter Volkov <pva@gentoo.org> build: fix linker issue when LDFLAGS contains --as-needed

The link of iptables-save fails on:

$ make LDFLAGS="-Wl,--as-needed"
[...]
extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
extensions/libxt_RATEEST.c:164: undefined reference to `log'

Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
akefile.am
bf02bd290c03fd47b256258e06157f4d9d76e46d 24-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxt_hashlimit: add missing space for iptables-save output

Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_hashlimit.c
854d2d9bd7556cfd8a676b0bc18dc059a9a2dd25 24-Mar-2009 Peter Volkov <pva@gentoo.org> libxtables: fix compile error due to incomplete change

Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update
the constant in one place, and the compile error triggered only
when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.c
ccf3fba1f2a7547d73135bc5499f9e4b1826f758 19-Mar-2009 Jan Engelhardt <jengelh@medozas.de> iptables-save: minor corrections to the manpage markup

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-save.8
ptables-save.8
3fb2e4a1607cbe186d20d35b45dd92b031c0be02 23-Mar-2009 Patrick McHardy <kaber@trash.net> Bump version to 1.4.3

Signed-off-by: Patrick McHardy <kaber@trash.net>
onfigure.ac
elease.sh
c9477d0dcd01af5d1ee6c95c757a8c814fb3be63 23-Mar-2009 Jesper Dangaard Brouer <hawk@comx.dk> libiptc: give credits to my self

Add notes about my scalability work on the library libiptc.
This should make it more obvious who to complain to.

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ibiptc/libiptc.c
a9fe5b3d62e4e974e9517b23d0bf7f0f146ed11e 23-Mar-2009 Jesper Dangaard Brouer <hawk@comx.dk> libiptc: fix whitespaces and typos

Cleanup whitespaces while going through the code.

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ibiptc/libiptc.c
64ff47cde38e48b621883947fd61b9b1357f9451 23-Mar-2009 Jesper Dangaard Brouer <hawk@comx.dk> libiptc: fix chain rename bug in libiptc

Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ibiptc/libiptc.c
7cd15e367cc81c839ef2ca061d201c46ca1deb7c 23-Mar-2009 Christoph Paasch <christoph.paasch@gmail.com> libiptc: avoid compile warnings for iptc_insert_chain

iptc_insert_chain is too big to get inlined and so it generates
a warning while compiling.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ibiptc/libiptc.c
fbb5639c02218acfd84c4f25f134efecb564fee1 19-Mar-2009 Jan Engelhardt <jengelh@medozas.de> iptables-save: module loading corrections

1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no table modules, loaded. As such, success should
be returned.

2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.

*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.

Based upon a patch by Soren Hansen.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p6tables-save.8
p6tables-save.c
ptables-save.8
ptables-save.c
421157976351606bee0d2a33acee89178521f78a 19-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxt_comment: output quotes must be escaped in

Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_comment.c
467e72c34e3285ba42c839f48b7580e7ab11f51a 19-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxtables: add -I/-L flags to pkgconfig files

These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
tables.pc.in
11285f59574f52dfc507507433f7d93e925e32c2 19-Mar-2009 Jean-Baptiste Queru <jbq@google.com> Merge commit 'remotes/korg/cupcake' into cupcake_to_master
71bc61f926ca2d8ec57d9fbd698c2af32c9a9f64 17-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxt_connbytes: document nf_ct_acct behavior

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connbytes.man
a73a34ad9c9bb30dafbd7b5ca15b902e83c50ee2 17-Mar-2009 Jan Engelhardt <jengelh@medozas.de> libxt_connbytes: minor manpage adjustments

Use explicit paragraph separator and conntrack(8).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
xtensions/libxt_connbytes.man
38725a4411b0e0f34a3077e37b0be860352085a8 15-Mar-2009 Jan Engelhardt <jengelh@medozas.de> Merge commit 'nf/master'
e0390bee2aa51dd76725c1a9e0d2cb53379767b8 15-Mar-2009 Jan Engelhardt <jengelh@medozas.de> iptables: turn deprecation warning into enforcing mode

The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72
with a warning "next release". Next release is coming up, so enforce it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
ptables.c
4008138e2b5248940265b160fae001d8954fae21 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
ndroid.mk
OMMIT_NOTES
OPYING
NCOMPATIBILITIES
NSTALL
ODULE_LICENSE_GPL
akefile.orig
OTICE
ules.make
xtensions/.CLUSTERIP-test
xtensions/.NFLOG-test
xtensions/.NFLOG-test6
xtensions/.REJECT-test6
xtensions/.ah-test6
xtensions/.condition-test
xtensions/.condition-test6
xtensions/.connbytes-test
xtensions/.dccp-test
xtensions/.esp-test6
xtensions/.frag-test6
xtensions/.hashlimit-test6
xtensions/.ipv6header-test6
xtensions/.opts-test6
xtensions/.quota-test
xtensions/.recent-test
xtensions/.rt-test6
xtensions/.sctp-test6
xtensions/.set-test
xtensions/.statistic-test
xtensions/.string-test
xtensions/Makefile.orig
xtensions/create_initext
xtensions/initext.c
xtensions/libip6t_2connmark.c
xtensions/libip6t_2hl.c
xtensions/libip6t_2mark.c
xtensions/libip6t_CONNMARK.c
xtensions/libip6t_CONNSECMARK.c
xtensions/libip6t_CONNSECMARK.man
xtensions/libip6t_HL.c
xtensions/libip6t_HL.man
xtensions/libip6t_LOG.c
xtensions/libip6t_LOG.man
xtensions/libip6t_MARK.c
xtensions/libip6t_MARK.man
xtensions/libip6t_NFLOG.c
xtensions/libip6t_NFQUEUE.c
xtensions/libip6t_NFQUEUE.man
xtensions/libip6t_REJECT.c
xtensions/libip6t_REJECT.man
xtensions/libip6t_SECMARK.c
xtensions/libip6t_SECMARK.man
xtensions/libip6t_TCPMSS.c
xtensions/libip6t_TCPMSS.man
xtensions/libip6t_ah.c
xtensions/libip6t_ah.man
xtensions/libip6t_condition.c
xtensions/libip6t_condition.man
xtensions/libip6t_dst.c
xtensions/libip6t_dst.man
xtensions/libip6t_esp.c
xtensions/libip6t_esp.man
xtensions/libip6t_eui64.c
xtensions/libip6t_eui64.man
xtensions/libip6t_frag.c
xtensions/libip6t_frag.man
xtensions/libip6t_hashlimit.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hbh.man
xtensions/libip6t_hl.man
xtensions/libip6t_icmp6.c
xtensions/libip6t_icmp6.man
xtensions/libip6t_ipv6header.c
xtensions/libip6t_ipv6header.man
xtensions/libip6t_length.c
xtensions/libip6t_length.man
xtensions/libip6t_limit.c
xtensions/libip6t_limit.man
xtensions/libip6t_mac.c
xtensions/libip6t_mac.man
xtensions/libip6t_mark.man
xtensions/libip6t_multiport.c
xtensions/libip6t_multiport.man
xtensions/libip6t_owner.c
xtensions/libip6t_owner.man
xtensions/libip6t_physdev.c
xtensions/libip6t_physdev.man
xtensions/libip6t_policy.c
xtensions/libip6t_policy.man
xtensions/libip6t_rt.c
xtensions/libip6t_rt.man
xtensions/libip6t_sctp.c
xtensions/libip6t_standard.c
xtensions/libip6t_state.c
xtensions/libip6t_tcp.c
xtensions/libip6t_tcp.man
xtensions/libip6t_udp.c
xtensions/libip6t_udp.man
xtensions/libipt_2connmark.c
xtensions/libipt_2dscp.c
xtensions/libipt_2ecn.c
xtensions/libipt_2mark.c
xtensions/libipt_2set.c
xtensions/libipt_2tcpmss.c
xtensions/libipt_2tos.c
xtensions/libipt_2ttl.c
xtensions/libipt_CLASSIFY.c
xtensions/libipt_CLASSIFY.man
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_CLUSTERIP.man
xtensions/libipt_CONNMARK.c
xtensions/libipt_CONNMARK.man
xtensions/libipt_CONNSECMARK.c
xtensions/libipt_CONNSECMARK.man
xtensions/libipt_DNAT.c
xtensions/libipt_DNAT.man
xtensions/libipt_DSCP.c
xtensions/libipt_DSCP.man
xtensions/libipt_ECN.c
xtensions/libipt_ECN.man
xtensions/libipt_LOG.c
xtensions/libipt_LOG.man
xtensions/libipt_MARK.c
xtensions/libipt_MARK.man
xtensions/libipt_MASQUERADE.c
xtensions/libipt_MASQUERADE.man
xtensions/libipt_MIRROR.c
xtensions/libipt_MIRROR.man
xtensions/libipt_NETMAP.c
xtensions/libipt_NETMAP.man
xtensions/libipt_NFLOG.c
xtensions/libipt_NFQUEUE.c
xtensions/libipt_NFQUEUE.man
xtensions/libipt_NOTRACK.c
xtensions/libipt_NOTRACK.man
xtensions/libipt_REDIRECT.c
xtensions/libipt_REDIRECT.man
xtensions/libipt_REJECT.c
xtensions/libipt_REJECT.man
xtensions/libipt_SAME.c
xtensions/libipt_SAME.man
xtensions/libipt_SECMARK.c
xtensions/libipt_SECMARK.man
xtensions/libipt_SET.c
xtensions/libipt_SET.man
xtensions/libipt_SNAT.c
xtensions/libipt_SNAT.man
xtensions/libipt_TCPMSS.c
xtensions/libipt_TCPMSS.man
xtensions/libipt_TOS.c
xtensions/libipt_TOS.man
xtensions/libipt_TTL.c
xtensions/libipt_TTL.man
xtensions/libipt_ULOG.c
xtensions/libipt_ULOG.man
xtensions/libipt_addrtype.c
xtensions/libipt_addrtype.man
xtensions/libipt_ah.c
xtensions/libipt_ah.man
xtensions/libipt_comment.c
xtensions/libipt_comment.man
xtensions/libipt_condition.c
xtensions/libipt_condition.man
xtensions/libipt_connbytes.c
xtensions/libipt_connbytes.man
xtensions/libipt_connmark.man
xtensions/libipt_connrate.c
xtensions/libipt_connrate.man
xtensions/libipt_conntrack.c
xtensions/libipt_conntrack.man
xtensions/libipt_dccp.c
xtensions/libipt_dccp.man
xtensions/libipt_dscp.man
xtensions/libipt_dscp_helper.c
xtensions/libipt_ecn.man
xtensions/libipt_esp.c
xtensions/libipt_esp.man
xtensions/libipt_hashlimit.c
xtensions/libipt_hashlimit.man
xtensions/libipt_helper.c
xtensions/libipt_helper.man
xtensions/libipt_icmp.c
xtensions/libipt_icmp.man
xtensions/libipt_iprange.c
xtensions/libipt_iprange.man
xtensions/libipt_length.c
xtensions/libipt_length.man
xtensions/libipt_limit.c
xtensions/libipt_limit.man
xtensions/libipt_mac.c
xtensions/libipt_mac.man
xtensions/libipt_mark.man
xtensions/libipt_multiport.c
xtensions/libipt_multiport.man
xtensions/libipt_owner.c
xtensions/libipt_owner.man
xtensions/libipt_physdev.c
xtensions/libipt_physdev.man
xtensions/libipt_pkttype.c
xtensions/libipt_pkttype.man
xtensions/libipt_policy.c
xtensions/libipt_policy.man
xtensions/libipt_quota.c
xtensions/libipt_quota.man
xtensions/libipt_realm.c
xtensions/libipt_realm.man
xtensions/libipt_recent.c
xtensions/libipt_recent.man
xtensions/libipt_sctp.c
xtensions/libipt_sctp.man
xtensions/libipt_set.h
xtensions/libipt_set.man
xtensions/libipt_standard.c
xtensions/libipt_state.c
xtensions/libipt_state.man
xtensions/libipt_statistic.c
xtensions/libipt_string.c
xtensions/libipt_string.man
xtensions/libipt_tcp.c
xtensions/libipt_tcp.man
xtensions/libipt_tcpmss.man
xtensions/libipt_tos.man
xtensions/libipt_ttl.man
xtensions/libipt_udp.c
xtensions/libipt_udp.man
xtensions/libipt_unclean.c
xtensions/libipt_unclean.man
xtensions/rename-dups.sh
nclude/ip6tables.h
nclude/iptables.h
nclude/iptables_common.h
nclude/libipq/ip_queue_64.h
nclude/libipq/libipq.h
nclude/libiptc/ipt_kernel_headers.h
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libipulog/libipulog.h
nclude/linux/netfilter_ipv4/ipt_2connmark.h
nclude/linux/netfilter_ipv4/ipt_2dscp.h
nclude/linux/netfilter_ipv4/ipt_2ecn.h
nclude/linux/netfilter_ipv4/ipt_2mark.h
nclude/linux/netfilter_ipv4/ipt_2tcpmss.h
nclude/linux/netfilter_ipv4/ipt_2ttl.h
nclude/linux/netfilter_ipv4/ipt_CLASSIFY.h
nclude/linux/netfilter_ipv4/ipt_CLUSTERIP.h
nclude/linux/netfilter_ipv4/ipt_CONNMARK.h
nclude/linux/netfilter_ipv4/ipt_DSCP.h
nclude/linux/netfilter_ipv4/ipt_ECN.h
nclude/linux/netfilter_ipv4/ipt_FTOS.h
nclude/linux/netfilter_ipv4/ipt_MARK.h
nclude/linux/netfilter_ipv4/ipt_NFQUEUE.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/linux/netfilter_ipv4/ipt_TCPMSS.h
nclude/linux/netfilter_ipv4/ipt_TTL.h
nclude/linux/netfilter_ipv4/ipt_ULOG.h
nclude/linux/netfilter_ipv4/ipt_addrtype.h
nclude/linux/netfilter_ipv4/ipt_ah.h
nclude/linux/netfilter_ipv4/ipt_comment.h
nclude/linux/netfilter_ipv4/ipt_connlimit.h
nclude/linux/netfilter_ipv4/ipt_conntrack.h
nclude/linux/netfilter_ipv4/ipt_dstlimit.h
nclude/linux/netfilter_ipv4/ipt_esp.h
nclude/linux/netfilter_ipv4/ipt_hashlimit.h
nclude/linux/netfilter_ipv4/ipt_helper.h
nclude/linux/netfilter_ipv4/ipt_iprange.h
nclude/linux/netfilter_ipv4/ipt_length.h
nclude/linux/netfilter_ipv4/ipt_limit.h
nclude/linux/netfilter_ipv4/ipt_multiport.h
nclude/linux/netfilter_ipv4/ipt_physdev.h
nclude/linux/netfilter_ipv4/ipt_pkttype.h
nclude/linux/netfilter_ipv4/ipt_policy.h
nclude/linux/netfilter_ipv4/ipt_realm.h
nclude/linux/netfilter_ipv4/ipt_rpc.h
nclude/linux/netfilter_ipv4/ipt_sctp.h
nclude/linux/netfilter_ipv6/ip6t_HL.h
nclude/linux/netfilter_ipv6/ip6t_MARK.h
nclude/linux/netfilter_ipv6/ip6t_REJECT.h
nclude/linux/netfilter_ipv6/ip6t_TCPMSS.h
nclude/linux/netfilter_ipv6/ip6t_ah.h
nclude/linux/netfilter_ipv6/ip6t_esp.h
nclude/linux/netfilter_ipv6/ip6t_frag.h
nclude/linux/netfilter_ipv6/ip6t_hl_.h
nclude/linux/netfilter_ipv6/ip6t_length.h
nclude/linux/netfilter_ipv6/ip6t_limit.h
nclude/linux/netfilter_ipv6/ip6t_mark_.h
nclude/linux/netfilter_ipv6/ip6t_multiport.h
nclude/linux/netfilter_ipv6/ip6t_owner.h
nclude/linux/netfilter_ipv6/ip6t_physdev.h
nclude/linux/netfilter_ipv6/ip6t_policy.h
p6tables-restore.8
p6tables-restore.c
p6tables-save.8
p6tables-save.c
p6tables-standalone.c
p6tables.8.in
p6tables.c
ptables-multi.c
ptables-restore.8
ptables-restore.c
ptables-save.8
ptables-save.c
ptables-standalone.c
ptables-xml.c
ptables.8.in
ptables.c
ptables.xslt
ibipq/Makefile.orig
ibipq/ipq_create_handle.3
ibipq/ipq_destroy_handle.3
ibipq/ipq_errstr.3
ibipq/ipq_get_msgerr.3
ibipq/ipq_get_packet.3
ibipq/ipq_message_type.3
ibipq/ipq_perror.3
ibipq/ipq_read.3
ibipq/ipq_set_mode.3
ibipq/ipq_set_verdict.3
ibipq/libipq.3
ibipq/libipq.c
ibiptc/Makefile.orig
ibiptc/libip4tc.c
ibiptc/libip6tc.c
ibiptc/libiptc.c
ibiptc/linux_list.h
ibiptc/linux_stddef.h
11c93ca183254ad93f561b6b32419f7ee46266fd 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
ndroid.mk
OMMIT_NOTES
OPYING
NCOMPATIBILITIES
NSTALL
ODULE_LICENSE_GPL
akefile.orig
OTICE
ules.make
xtensions/.CLUSTERIP-test
xtensions/.NFLOG-test
xtensions/.NFLOG-test6
xtensions/.REJECT-test6
xtensions/.ah-test6
xtensions/.condition-test
xtensions/.condition-test6
xtensions/.connbytes-test
xtensions/.dccp-test
xtensions/.esp-test6
xtensions/.frag-test6
xtensions/.hashlimit-test6
xtensions/.ipv6header-test6
xtensions/.opts-test6
xtensions/.quota-test
xtensions/.recent-test
xtensions/.rt-test6
xtensions/.sctp-test6
xtensions/.set-test
xtensions/.statistic-test
xtensions/.string-test
xtensions/Makefile.orig
xtensions/create_initext
xtensions/initext.c
xtensions/libip6t_2connmark.c
xtensions/libip6t_2hl.c
xtensions/libip6t_2mark.c
xtensions/libip6t_CONNMARK.c
xtensions/libip6t_CONNSECMARK.c
xtensions/libip6t_CONNSECMARK.man
xtensions/libip6t_HL.c
xtensions/libip6t_HL.man
xtensions/libip6t_LOG.c
xtensions/libip6t_LOG.man
xtensions/libip6t_MARK.c
xtensions/libip6t_MARK.man
xtensions/libip6t_NFLOG.c
xtensions/libip6t_NFQUEUE.c
xtensions/libip6t_NFQUEUE.man
xtensions/libip6t_REJECT.c
xtensions/libip6t_REJECT.man
xtensions/libip6t_SECMARK.c
xtensions/libip6t_SECMARK.man
xtensions/libip6t_TCPMSS.c
xtensions/libip6t_TCPMSS.man
xtensions/libip6t_ah.c
xtensions/libip6t_ah.man
xtensions/libip6t_condition.c
xtensions/libip6t_condition.man
xtensions/libip6t_dst.c
xtensions/libip6t_dst.man
xtensions/libip6t_esp.c
xtensions/libip6t_esp.man
xtensions/libip6t_eui64.c
xtensions/libip6t_eui64.man
xtensions/libip6t_frag.c
xtensions/libip6t_frag.man
xtensions/libip6t_hashlimit.c
xtensions/libip6t_hbh.c
xtensions/libip6t_hbh.man
xtensions/libip6t_hl.man
xtensions/libip6t_icmp6.c
xtensions/libip6t_icmp6.man
xtensions/libip6t_ipv6header.c
xtensions/libip6t_ipv6header.man
xtensions/libip6t_length.c
xtensions/libip6t_length.man
xtensions/libip6t_limit.c
xtensions/libip6t_limit.man
xtensions/libip6t_mac.c
xtensions/libip6t_mac.man
xtensions/libip6t_mark.man
xtensions/libip6t_multiport.c
xtensions/libip6t_multiport.man
xtensions/libip6t_owner.c
xtensions/libip6t_owner.man
xtensions/libip6t_physdev.c
xtensions/libip6t_physdev.man
xtensions/libip6t_policy.c
xtensions/libip6t_policy.man
xtensions/libip6t_rt.c
xtensions/libip6t_rt.man
xtensions/libip6t_sctp.c
xtensions/libip6t_standard.c
xtensions/libip6t_state.c
xtensions/libip6t_tcp.c
xtensions/libip6t_tcp.man
xtensions/libip6t_udp.c
xtensions/libip6t_udp.man
xtensions/libipt_2connmark.c
xtensions/libipt_2dscp.c
xtensions/libipt_2ecn.c
xtensions/libipt_2mark.c
xtensions/libipt_2set.c
xtensions/libipt_2tcpmss.c
xtensions/libipt_2tos.c
xtensions/libipt_2ttl.c
xtensions/libipt_CLASSIFY.c
xtensions/libipt_CLASSIFY.man
xtensions/libipt_CLUSTERIP.c
xtensions/libipt_CLUSTERIP.man
xtensions/libipt_CONNMARK.c
xtensions/libipt_CONNMARK.man
xtensions/libipt_CONNSECMARK.c
xtensions/libipt_CONNSECMARK.man
xtensions/libipt_DNAT.c
xtensions/libipt_DNAT.man
xtensions/libipt_DSCP.c
xtensions/libipt_DSCP.man
xtensions/libipt_ECN.c
xtensions/libipt_ECN.man
xtensions/libipt_LOG.c
xtensions/libipt_LOG.man
xtensions/libipt_MARK.c
xtensions/libipt_MARK.man
xtensions/libipt_MASQUERADE.c
xtensions/libipt_MASQUERADE.man
xtensions/libipt_MIRROR.c
xtensions/libipt_MIRROR.man
xtensions/libipt_NETMAP.c
xtensions/libipt_NETMAP.man
xtensions/libipt_NFLOG.c
xtensions/libipt_NFQUEUE.c
xtensions/libipt_NFQUEUE.man
xtensions/libipt_NOTRACK.c
xtensions/libipt_NOTRACK.man
xtensions/libipt_REDIRECT.c
xtensions/libipt_REDIRECT.man
xtensions/libipt_REJECT.c
xtensions/libipt_REJECT.man
xtensions/libipt_SAME.c
xtensions/libipt_SAME.man
xtensions/libipt_SECMARK.c
xtensions/libipt_SECMARK.man
xtensions/libipt_SET.c
xtensions/libipt_SET.man
xtensions/libipt_SNAT.c
xtensions/libipt_SNAT.man
xtensions/libipt_TCPMSS.c
xtensions/libipt_TCPMSS.man
xtensions/libipt_TOS.c
xtensions/libipt_TOS.man
xtensions/libipt_TTL.c
xtensions/libipt_TTL.man
xtensions/libipt_ULOG.c
xtensions/libipt_ULOG.man
xtensions/libipt_addrtype.c
xtensions/libipt_addrtype.man
xtensions/libipt_ah.c
xtensions/libipt_ah.man
xtensions/libipt_comment.c
xtensions/libipt_comment.man
xtensions/libipt_condition.c
xtensions/libipt_condition.man
xtensions/libipt_connbytes.c
xtensions/libipt_connbytes.man
xtensions/libipt_connmark.man
xtensions/libipt_connrate.c
xtensions/libipt_connrate.man
xtensions/libipt_conntrack.c
xtensions/libipt_conntrack.man
xtensions/libipt_dccp.c
xtensions/libipt_dccp.man
xtensions/libipt_dscp.man
xtensions/libipt_dscp_helper.c
xtensions/libipt_ecn.man
xtensions/libipt_esp.c
xtensions/libipt_esp.man
xtensions/libipt_hashlimit.c
xtensions/libipt_hashlimit.man
xtensions/libipt_helper.c
xtensions/libipt_helper.man
xtensions/libipt_icmp.c
xtensions/libipt_icmp.man
xtensions/libipt_iprange.c
xtensions/libipt_iprange.man
xtensions/libipt_length.c
xtensions/libipt_length.man
xtensions/libipt_limit.c
xtensions/libipt_limit.man
xtensions/libipt_mac.c
xtensions/libipt_mac.man
xtensions/libipt_mark.man
xtensions/libipt_multiport.c
xtensions/libipt_multiport.man
xtensions/libipt_owner.c
xtensions/libipt_owner.man
xtensions/libipt_physdev.c
xtensions/libipt_physdev.man
xtensions/libipt_pkttype.c
xtensions/libipt_pkttype.man
xtensions/libipt_policy.c
xtensions/libipt_policy.man
xtensions/libipt_quota.c
xtensions/libipt_quota.man
xtensions/libipt_realm.c
xtensions/libipt_realm.man
xtensions/libipt_recent.c
xtensions/libipt_recent.man
xtensions/libipt_sctp.c
xtensions/libipt_sctp.man
xtensions/libipt_set.h
xtensions/libipt_set.man
xtensions/libipt_standard.c
xtensions/libipt_state.c
xtensions/libipt_state.man
xtensions/libipt_statistic.c
xtensions/libipt_string.c
xtensions/libipt_string.man
xtensions/libipt_tcp.c
xtensions/libipt_tcp.man
xtensions/libipt_tcpmss.man
xtensions/libipt_tos.man
xtensions/libipt_ttl.man
xtensions/libipt_udp.c
xtensions/libipt_udp.man
xtensions/libipt_unclean.c
xtensions/libipt_unclean.man
xtensions/rename-dups.sh
nclude/ip6tables.h
nclude/iptables.h
nclude/iptables_common.h
nclude/libipq/ip_queue_64.h
nclude/libipq/libipq.h
nclude/libiptc/ipt_kernel_headers.h
nclude/libiptc/libip6tc.h
nclude/libiptc/libiptc.h
nclude/libipulog/libipulog.h
nclude/linux/netfilter_ipv4/ipt_2connmark.h
nclude/linux/netfilter_ipv4/ipt_2dscp.h
nclude/linux/netfilter_ipv4/ipt_2ecn.h
nclude/linux/netfilter_ipv4/ipt_2mark.h
nclude/linux/netfilter_ipv4/ipt_2tcpmss.h
nclude/linux/netfilter_ipv4/ipt_2ttl.h
nclude/linux/netfilter_ipv4/ipt_CLASSIFY.h
nclude/linux/netfilter_ipv4/ipt_CLUSTERIP.h
nclude/linux/netfilter_ipv4/ipt_CONNMARK.h
nclude/linux/netfilter_ipv4/ipt_DSCP.h
nclude/linux/netfilter_ipv4/ipt_ECN.h
nclude/linux/netfilter_ipv4/ipt_FTOS.h
nclude/linux/netfilter_ipv4/ipt_MARK.h
nclude/linux/netfilter_ipv4/ipt_NFQUEUE.h
nclude/linux/netfilter_ipv4/ipt_SAME.h
nclude/linux/netfilter_ipv4/ipt_TCPMSS.h
nclude/linux/netfilter_ipv4/ipt_TTL.h
nclude/linux/netfilter_ipv4/ipt_ULOG.h
nclude/linux/netfilter_ipv4/ipt_addrtype.h
nclude/linux/netfilter_ipv4/ipt_ah.h
nclude/linux/netfilter_ipv4/ipt_comment.h
nclude/linux/netfilter_ipv4/ipt_connlimit.h
nclude/linux/netfilter_ipv4/ipt_conntrack.h
nclude/linux/netfilter_ipv4/ipt_dstlimit.h
nclude/linux/netfilter_ipv4/ipt_esp.h
nclude/linux/netfilter_ipv4/ipt_hashlimit.h
nclude/linux/netfilter_ipv4/ipt_helper.h
nclude/linux/netfilter_ipv4/ipt_iprange.h
nclude/linux/netfilter_ipv4/ipt_length.h
nclude/linux/netfilter_ipv4/ipt_limit.h
nclude/linux/netfilter_ipv4/ipt_multiport.h
nclude/linux/netfilter_ipv4/ipt_physdev.h
nclude/linux/netfilter_ipv4/ipt_pkttype.h
nclude/linux/netfilter_ipv4/ipt_policy.h
nclude/linux/netfilter_ipv4/ipt_realm.h
nclude/linux/netfilter_ipv4/ipt_rpc.h
nclude/linux/netfilter_ipv4/ipt_sctp.h
nclude/linux/netfilter_ipv6/ip6t_HL.h
nclude/linux/netfilter_ipv6/ip6t_MARK.h
nclude/linux/netfilter_ipv6/ip6t_REJECT.h
nclude/linux/netfilter_ipv6/ip6t_TCPMSS.h
nclude/linux/netfilter_ipv6/ip6t_ah.h
nclude/linux/netfilter_ipv6/ip6t_esp.h
nclude/linux/netfilter_ipv6/ip6t_frag.h
nclude/linux/netfilter_ipv6/ip6t_hl_.h
nclude/linux/netfilter_ipv6/ip6t_length.h
nclude/linux/netfilter_ipv6/ip6t_limit.h
nclude/linux/netfilter_ipv6/ip6t_mark_.h
nclude/linux/netfilter_ipv6/ip6t_multiport.h
nclude/linux/netfilter_ipv6/ip6t_owner.h
nclude/linux/netfilter_ipv6/ip6t_physdev.h
nclude/linux/netfilter_ipv6/ip6t_policy.h
p6tables-restore.8