d7aeda5ed45ac7ca959f12180690caa371b5b14b
08-Jul-2013
Pablo Neira Ayuso <pablo@netfilter.org>

ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:

  iptables-restore < x
  Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error after
the second command.

Fix it by bypassing the locking in the ip{6}tables-restore path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
31-May-2013
Phil Oester <kernel@linuxace.com>

ip[6]tables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when
admins attempt to run more than one instance of iptables simultaneously.
Currently open bug reports which are related:

  325: Parallel execution of the iptables is impossible
  758: Retry iptables command on transient failure
  764: Doing -Z twice in parallel breaks counters
  822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325: "Since this has been a problem people keep
running into, I'd suggest to simply add some locking to iptables to catch
the most common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX
domain socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in
ip[6]tables.

As an added bonus, since each network namespace has its own socket pool,
an ip[6]tables instance running in one namespace will not lock out an
ip[6]tables instance running in another namespace. A filesystem approach
would have to recognize and handle multiple network namespaces.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

bf75fc041b35c75c2c592e01f1906771e00ce4eb
20-Mar-2013
Mart Frauenlob <mart.frauenlob@chello.at>

ip[6]tables: show --protocol instead of --proto in usage

As the man page shows --protocol not --proto, also do so in the usage
text displayed by ip[6]tables -h.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

efcdba41ca6bde51c8753cb30c869c370f0a3b93
28-Jan-2013
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Introduce match/target aliases

The match/target alias allows us to support the syntax of matches,
targets merged into other matches/targets.

/external/iptables/iptables/iptables.c

2f655ede64e07a861e3ec50150f572ed98755013
29-Oct-2012
Pablo Neira Ayuso <pablo@netfilter.org>

libxtables: add xtables_print_num

This function is used both by iptables and ip6tables, and refactorize
to avoid longer than 80-chars per column lines of code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

d1e7922a587a239e16e0dbe654e63f76e1375e49
04-Jan-2013
Pablo Neira Ayuso <pablo@netfilter.org>

libxtables: add xtables_rule_matches_free

This function is shared by iptables and ip6tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

31da96d07b8abb35297201000f7f752019258cf6
29-Oct-2012
Pablo Neira Ayuso <pablo@netfilter.org>

iptables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

dd43527cb6bdf3d469100850ca10dcd2fb761304
07-Oct-2012
Jan Engelhardt <jengelh@inai.de>

iptables: restore NOTRACK functionality, target aliasing

Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.

  # ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
  dbg: Using NOTRACK.1
  WARNING: The NOTRACK target is obsolete. Use CT instead.
  iptables: Protocol wrong type for socket.

To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which needs
to be followed) or not.

[ I have mangled this patch to remove a comment unnecessarily large.
  BTW, this patch gets this very close to the initial target aliasing
  proposal --pablo ]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

2aaa7ec29059027756f076c4767b4fa034ebd166
08-Oct-2012
Pablo Neira Ayuso <pablo@netfilter.org>

iptables: fix standard target

This regression was added by:

  commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
  Author: Jan Engelhardt <jengelh@inai.de>
  Date:   Tue Sep 4 05:24:47 2012 +0200

      iptables: support for target aliase

The result is that:

  iptables -I INPUT -j ACCEPT

says:

  iptables: No chain/target/match by that name.

This also breaks iptables-restore, of course.

Jan, you'll have to explain to me how you have tested this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

ec40b897289745da3d67de2cb14be30353003922
30-Sep-2012
Jan Engelhardt <jengelh@inai.de>

Merge branch 'master' of git://git.inai.de/iptables

c436dad7cfdd80ca4a05ceed556c39babc266f55
27-Sep-2012
Jan Engelhardt <jengelh@inai.de>

iptables: support for match aliases

This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>

/external/iptables/iptables/iptables.c

cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
04-Sep-2012
Jan Engelhardt <jengelh@inai.de>

iptables: support for target aliases

This patch allows for target names listed on the command line to be
rewritten to new names and revisions. As before, we will pick a revision
that is supported by the kernel - now including real_name in the search.
This gives us the possibility to test for many action names.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>

/external/iptables/iptables/iptables.c

067a9baf6dc82babe466078ab3c05354c7741271
07-Sep-2012
Pablo Neira Ayuso <pablo@netfilter.org>

iptables: fix wrong error messages

  iptables -P INPUT
  iptables v1.4.15: -X requires a chain and a policy
  Try `iptables -h' or 'iptables --help' for more information.

Note that it says -X when we have used -P.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

/external/iptables/iptables/iptables.c

14da56743c6cdf25da35b7b5ca7a5d201771990d
27-Aug-2011
Jan Engelhardt <jengelh@medozas.de>

src: resolve old macro names that are indirections

Command used:

  git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

1639fe86579f86f5f6a954a9b0adde2e16ad1980
27-Aug-2011
Jan Engelhardt <jengelh@medozas.de>

libiptc: combine common types: _handle

No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

7e5e866a36a76c153e5903b8251f90cfe07a1d34
27-Aug-2011
Jan Engelhardt <jengelh@medozas.de>

libiptc: replace ipt_chainlabel by xt_chainlabel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

f56b8a8bf4b1041cb875fd8439778f35276bdb30
03-Sep-2011
Jan Engelhardt <jengelh@medozas.de>

iptables: move kernel version find routine into libxtables

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f
09-Jul-2011
Jan Engelhardt <jengelh@medozas.de>

option: remove last traces of intrapositional negation

Intrapositional negation was deprecated in 1.4.3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

32cea83f26a2c342b9410e6dfb0530b33f8af928
05-Jul-2011
Jan Engelhardt <jengelh@medozas.de>

iptables: restore negation for -f

This move was missed in commit v1.4.11~77^2~6.

References: http://bugs.debian.org/632695
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

14190986f87301b18bcc473c842bd82d778d87a2
18-Jun-2011
Jan Engelhardt <jengelh@medozas.de>

iptables: consolidate target/match init call

This is useful for the upcoming patch about per-instance auxiliary data.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

780607f8b040a47cd2d4775376e2d30f567dc049
07-Jun-2011
Jan Engelhardt <jengelh@medozas.de>

option: fix ignored negation before implicit extension loading

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not
present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c

033e25a3ad215ee3f5a07f0a3315f74c4abfaced
07-Jun-2011
Jan Engelhardt <jengelh@medozas.de>

src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

/external/iptables/iptables/iptables.c