History log of /external/iptables/iptables/iptables.c
Revision Date Author Comments
d7aeda5ed45ac7ca959f12180690caa371b5b14b 08-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:

iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.

Fix it by bypassing the locking in the ip{6}tables-restore path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 31-May-2013 Phil Oester <kernel@linuxace.com> ip[6]tables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
bf75fc041b35c75c2c592e01f1906771e00ce4eb 20-Mar-2013 Mart Frauenlob <mart.frauenlob@chello.at> ip[6]tables: show --protocol instead of --proto in usage

As the man page shows --protocol not --proto, also do so in the usage
text displayed by ip[6]tables -h.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
efcdba41ca6bde51c8753cb30c869c370f0a3b93 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce match/target aliases

The match/target alias allows us to support the syntax of matches/targets
merged into other matches/targets.
/external/iptables/iptables/iptables.c
2f655ede64e07a861e3ec50150f572ed98755013 29-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: add xtables_print_num

This function is used both by iptables and ip6tables, and is
refactored to avoid lines of code longer than 80 chars per column.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
d1e7922a587a239e16e0dbe654e63f76e1375e49 04-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> libxtables: add xtables_rule_matches_free

This function is shared by iptables and ip6tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
31da96d07b8abb35297201000f7f752019258cf6 29-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
dd43527cb6bdf3d469100850ca10dcd2fb761304 07-Oct-2012 Jan Engelhardt <jengelh@inai.de> iptables: restore NOTRACK functionality, target aliasing

Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.

# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.

To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.

[ I have mangled this patch to remove an unnecessarily large comment.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
2aaa7ec29059027756f076c4767b4fa034ebd166 08-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: fix standard target

This regression was added by:

commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue Sep 4 05:24:47 2012 +0200

iptables: support for target aliases

The result is that:

iptables -I INPUT -j ACCEPT

says:

iptables: No chain/target/match by that name.

This also breaks iptables-restore, of course. Jan, you'll have to explain to me
how you have tested this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
ec40b897289745da3d67de2cb14be30353003922 30-Sep-2012 Jan Engelhardt <jengelh@inai.de> Merge branch 'master' of git://git.inai.de/iptables
c436dad7cfdd80ca4a05ceed556c39babc266f55 27-Sep-2012 Jan Engelhardt <jengelh@inai.de> iptables: support for match aliases

This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
/external/iptables/iptables/iptables.c
cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf 04-Sep-2012 Jan Engelhardt <jengelh@inai.de> iptables: support for target aliases

This patch allows for target names listed on the command line to be
rewritten to new names and revisions.

As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
/external/iptables/iptables/iptables.c
067a9baf6dc82babe466078ab3c05354c7741271 07-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: fix wrong error messages

iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.

Note that it says -X when we have used -P.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables.c
14da56743c6cdf25da35b7b5ca7a5d201771990d 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: resolve old macro names that are indirections

Command used:

git grep -f <(pcregrep -hior
'(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
1639fe86579f86f5f6a954a9b0adde2e16ad1980 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: combine common types: _handle

No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
7e5e866a36a76c153e5903b8251f90cfe07a1d34 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: replace ipt_chainlabel by xt_chainlabel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
f56b8a8bf4b1041cb875fd8439778f35276bdb30 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> iptables: move kernel version find routing into libxtables

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> option: remove last traces of intrapositional negation

Intrapositional negation was deprecated in 1.4.3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
32cea83f26a2c342b9410e6dfb0530b33f8af928 05-Jul-2011 Jan Engelhardt <jengelh@medozas.de> iptables: restore negation for -f

This move was missed in commit v1.4.11~77^2~6.

References: http://bugs.debian.org/632695
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
14190986f87301b18bcc473c842bd82d778d87a2 18-Jun-2011 Jan Engelhardt <jengelh@medozas.de> iptables: consolidate target/match init call

This is useful for the upcoming patch about per-instance auxiliary
data.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
780607f8b040a47cd2d4775376e2d30f567dc049 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> option: fix ignored negation before implicit extension loading

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c
033e25a3ad215ee3f5a07f0a3315f74c4abfaced 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables.c