8a3f924e490f4a746baf713342bfd4db201106f1 |
22-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Update to iptables 1.6.1.

This merges upstream b013e3e80e96 ("iptables 1.6.1 release").

Conflicts:
    include/libiptc/ipt_kernel_headers.h

Bug: 30950746
Bug: 36108349
Test: see top of change stack.
Change-Id: Ib2b5ae0e0c330798aa375b153e3e2cba2348bb1c
|
f17f9ace8a84f6986235fc2d0fedc1fd5148a3bd |
08-Dec-2016 |
Willem de Bruijn <willemb@google.com> |
extensions: libxt_bpf: support ebpf pinned objects

Exercise the new kernel feature introduced in commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs. The new interface allows instantiating a bpf match using

    -m bpf --object-pinned ${PATH}

where ${PATH} points to a node in a bpf virtual filesystem. See also the revised man page.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_bpf.h
|
85b794373f9f914a8fc2f015dd9013d91fe7404e |
26-Sep-2016 |
Vishwanath Pai <vpai@akamai.com> |
extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates

Create a new revision for the hashlimit iptables extension module. Rev 2 will support higher pps of up to 1 million; version 1 supports only 10k. To support this we have to increase the size of the variables avg and burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2 and xt_hashlimit_mtinfo2 and also create newer versions of all the functions for match, checkentry and destroy.

Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_hashlimit.h
|
7070b1f3c88a0c3d4e315c00cca61f05b0fbc882 |
24-Jun-2016 |
Vishwanath Pai <vpai@akamai.com> |
extensions: libxt_NFLOG: nflog-range does not truncate packets

The option --nflog-range has never worked, but we cannot just fix this because users might be using this feature option and their behavior would change. Instead add a new option --nflog-size. This option works the same way nflog-range should have, and both of them are mutually exclusive. When someone uses --nflog-range we print a warning message informing them that this feature has no effect.

To indicate to the kernel that the user has set --nflog-size we have to pass a new flag XT_NFLOG_F_COPY_LEN.

Also updated the man page to reflect the new option and added tests to extensions/libxt_NFLOG.t

Reported-by: Joe Dollard <jdollard@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_NFLOG.h
|
5d359b97a59f27d4bace5a43695c1fed37e61bd9 |
22-Dec-2015 |
Tejun Heo <tj@kernel.org> |
libxt_cgroup2: add support for cgroup2 path matching

This patch updates xt_cgroup so that it supports revision 1 interface which includes cgroup2 path based matching.

v3: Folded into xt_cgroup as a new revision interface as suggested by Pablo.
v2: cgroup2_match->userspacesize and ->save and man page updated as per Jan.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
|
13ad9f2f6b02cf836c826bba0e7a845d3a90949f |
22-Dec-2015 |
Tejun Heo <tj@kernel.org> |
libxt_cgroup: prepare for multi revisions libxt_cgroup will grow cgroup2 path based match. Postfix existing symbols with _v0 and prepare for multi revision registration. While at it, rename O_CGROUP to O_CLASSID and fwid to classid. Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Daniel Borkmann <dborkman@redhat.com> Cc: Jan Engelhardt <jengelh@inai.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
|
c1b62f09259cdfa618cf63032de67689c991bd3e |
24-Aug-2015 |
Daniel Borkmann <daniel@iogearbox.net> |
libxt_CT: add support for recently introduced zone options This adds the user space front-end and man-page bits for the additional zone features (direction, mark) of the CT target. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
|
de2fa7133374831bcb5080a43e567e2e41f84ee7 |
16-Jun-2015 |
Harout Hedeshian <harouth@codeaurora.org> |
extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied. Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK.

    iptables -t mangle -I PREROUTING -m socket --transparent \
        --restore-skmark -j action
    iptables -t mangle -A action -m mark --mark 10 -j action2
    iptables -t mangle -A action -m mark --mark 11 -j action3

Bug: 20663075
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3b20fc71c99acd604d635deacef99769e36191b5)
Change-Id: If746841dea9db9f1c7ad1d74ed37fa13109e37ff
t_socket.h
|
586aef2c0dd9b6d534930994cc73b6d5a734854c |
20-Jun-2013 |
Eric Dumazet <edumazet@google.com> |
xt_socket: add --nowildcard flag

xt_socket module can be a nice replacement to conntrack module in some cases (SYN filtering for example). But it lacks the ability to match the 3rd packet of TCP handshake (ACK coming from the client).

Add an XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism. The wildcard is the legacy socket match behavior, that ignores LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent).

    iptables -I INPUT -p tcp --syn -j SYN_CHAIN
    iptables -I INPUT -m socket -j ACCEPT

Bug: 20663075
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
|
16964a99a61ff1d7cb0c260ed50b9f91f7b7a783 |
16-Jun-2015 |
Harout Hedeshian <harouth@codeaurora.org> |
extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied. Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK.

    iptables -t mangle -I PREROUTING -m socket --transparent \
        --restore-skmark -j action
    iptables -t mangle -A action -m mark --mark 10 -j action2
    iptables -t mangle -A action -m mark --mark 11 -j action3

Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
|
a40cd9b784590ee09f1be4897f28bb0b2ce1096d |
06-Nov-2014 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
Alignment problem between 64bit kernel 32bit userspace

Sven-Haegar Koch reported the issue:

    sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
    iptables: Invalid argument. Run `dmesg' for more information.

In syslog:

    x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
|
da6c162ce5fb42fa5439ae0b95c321fb476b9cb7 |
05-Nov-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
Merge branch 'ipset' This provides the ipset skbinfo extension. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
a491c610a1994e7a51c04035314dbc8cef250808 |
01-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
refresh nf_tables.h cached copy Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 |
02-Sep-2014 |
Anton Danilov <littlesmilingcloud@gmail.com> |
xtables: SET target: Add mapping of meta information (skbinfo ipset extension)

This feature adds support for mapping meta-information to packets, like nftables maps or ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue. Usage of this functionality is allowed only from the mangle table. We can map tc priority only in OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the route decision. If the entry doesn't exist in the set, none of the fields are changed.

Example of classifying by destination address:

    iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
|
01dcfdab11a6583d899bfc34758e8f9996774d21 |
16-May-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
Merge branch 'next-3.14'
|
11ef84b856859e7d4a08625d09c8573e5f5eef63 |
02-Apr-2014 |
JP Abgrall <jpa@google.com> |
Merge remote-tracking branch 'upstream/stable-1.4.20' into update Conflicts: .gitignore include/linux/types.h libiptc/libiptc.c Change-Id: I2c949ba9de090db9ae09d914f4ac5c13e5b7d4da
|
d6217f93926b174bb2e894c8a8fc3d73b01942e9 |
13-Mar-2014 |
Jiri Popelka <jpopelka@redhat.com> |
update FSF address in license text http://www.gnu.org/licenses/gpl-2.0.html http://www.fsf.org/about/contact/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_osf.h
|
6465867eb48506687872b838b1ddfee61d1a0aeb |
23-Dec-2013 |
Daniel Borkmann <dborkman@redhat.com> |
iptables: add libxt_cgroup frontend This patch adds the user space extension/frontend for process matching based on cgroups from the kernel patch entitled "netfilter: xtables: lightweight process control group matching". Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
|
3cefc136d13f426fd68808ddfd39ada0c90f23db |
22-Dec-2013 |
Daniel Borkmann <dborkman@redhat.com> |
iptables: snat: add randomize-full support

This patch provides the userspace part for snat in order to make randomize-full support available in {ip,nf}tables. It allows for enabling full port randomization that was motivated in [1] and introduced to the kernel in [2].

Joint work between Hannes Frederic Sowa and Daniel Borkmann.

[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://patchwork.ozlabs.org/patch/304306/

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_nat.h
|
d34f0611975b1da6320112df00513ba42310f356 |
13-Dec-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
include: Update nftables API header in sync with kernel's one Many changes were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
d6a127cd5710f8c60e95bfd0378ca352c07140a9 |
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: batch rule-set updates into one single netlink message With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
fnetlink.h
|
2a87a024e1f77407e332086a4fa664e048280195 |
25-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: nft: add protocol and flags for xtables over nf_tables Add protocol and flags for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
9e62dc8637f210cdeaed784396fecab9b6e5f043 |
20-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: support atomic commit Use new services in nf_tables to support atomic commit. Commit per table, although we support global commit at once, call commit for each table to emulate iptables-restore behaviour by now. Keep table dormant/wake up code in iptables/nft.c as it can be used in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
9c541721d318598db45986ee2fd61491fadb53d0 |
29-Dec-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: adapt chain rename to recent Patrick's updates This patch gets existing code in sync with Patrick's chain renaming new approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
5705ea1f4e3c9cd3d5d9cbcf84b9733ce1f07e57 |
19-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: add support for dormant tables This patch adds support for dormant tables for xtables-restore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
42239cb39ecf7650fefb5cc301ab943be11de6fb |
03-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
headers: remove unused compatibility definitions They belong to nf_tables_compat.h Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
|
4493582ccb60a443fc7efeca78edafbefc689aa3 |
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Add support for chain rename options (-E) Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
f_tables.h
|
1373cbb1068a1dc57540faebcf2f5f0fcbe83b53 |
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
headers: Make nf_tables.h up to date Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
f_tables.h
|
384958620abab397062b67fb2763e813b63f74f0 |
27-Sep-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility layer.

xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
f_tables_compat.h
fnetlink.h
|
0bb8765cc28cf1ddde70f3f5bfed96a067b1ead3 |
18-Dec-2013 |
fan.du <fan.du@windriver.com> |
iptables: Add IPv4/6 IPcomp match support

This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value. For example:

    iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
    ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP

IPcomp packet with spi as 0x12 will be dropped.

Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_ipcomp.h
|
cf1f03f8f3cf2db577a9ddee254cc7f886129d18 |
04-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
extensions: libxt_set, libxt_SET: check the set family too Do not accept silently sets with wrong protocol family but reject them with an error message. It makes straightforward to catch user errors. [ Use afinfo instead to avoid a binary interface update --pablo ] Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
pset/ip_set.h
|
ab566725f515bd8ea47a069c3289a80c60e6aa70 |
28-Aug-2013 |
Patrick McHardy <kaber@trash.net> |
extensions: add SYNPROXY extension Signed-off-by: Patrick McHardy <kaber@trash.net>
t_SYNPROXY.h
|
64d45792fe8f50294034bb699ff74ecae178e975 |
20-Jun-2013 |
Eric Dumazet <edumazet@google.com> |
xt_socket: add --nowildcard flag

xt_socket module can be a nice replacement to conntrack module in some cases (SYN filtering for example). But it lacks the ability to match the 3rd packet of TCP handshake (ACK coming from the client).

Add an XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism. The wildcard is the legacy socket match behavior, that ignores LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent).

    iptables -I INPUT -p tcp --syn -j SYN_CHAIN
    iptables -I INPUT -m socket -j ACCEPT

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
|
7b26bafb9be05a23b47653640aadbb61d0032665 |
28-Jan-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
libxt_CT: Add the "NOTRACK" alias Available since Linux kernel 3.8. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
|
34844da8f53ec80b34ad094f2fca2519a7079ec2 |
01-May-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
Introduce a new revision for the set match with the counters support The revision add the support of matching the packet/byte counters if the set was defined with the extension. Also, a new flag is introduced to suppress updating the packet/byte counters if required. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
|
ce7d0619ce49587ca78456caf467cf25f7cbbc4e |
02-Apr-2013 |
holger@eitzenberger.org <holger@eitzenberger.org> |
extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_NFQUEUE.h
|
ccbf6b6448a4210432b76fd4660798705b05f8c4 |
06-May-2013 |
Florian Westphal <fw@strlen.de> |
extensions: add connlabel match

allows to "tag" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:

    0 from eth0
    1 via eth0

Labels can then be attached to flows, e.g.

    -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
t_connlabel.h
|
e0a0dd703b3448f0f07fc59b7232bf1f1cce7b86 |
23-Jan-2013 |
Willem de Bruijn <willemb@google.com> |
extensions: add libxt_bpf extension

Add user-space code to support the new BPF iptables extension.

Pablo has mangled the original patch to:

* include a copy of include/linux/netfilter/xt_bpf.h in the tree.
* I have also removed the --bytecode-file option. The original proposal was to accept BPF code in a file in human readable format. Now, with the nfbpf_compile utility, it's very easy to generate the filter using tcpdump-like syntax.
* I have removed the trailing comma in the backtick format, the parser works just fine for me here.
* Fix error message if --bytecode is missing.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_bpf.h
|
e612a9d285477e9951349dd137305393a1255b19 |
28-Jan-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
Add the "state" alias to the "conntrack" match
t_conntrack.h
|
9d284c1c67188dfa8a4c7a6e36eb9a10bd9c15e2 |
25-Oct-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
Merge branch 'next' branch that contains new features scheduled for Linux kernel 3.7
|
8d8896a3833292d091ee5a028f3461083bb956bd |
17-Sep-2012 |
Florian Westphal <fw@strlen.de> |
libxt_time: add support to ignore day transition

Currently, if you want to do something like: "match Monday, starting 23:00, for two hours" you need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.

The rule

    --weekdays Mo --timestart 23:00 --timestop 01:00

looks correct, but it will first match on Monday from midnight to 1 a.m. and then again for another hour from 23:00 onwards.

This permits userspace to explicitly ignore the day transition and match for a single, continuous time period instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_time.h
|
d637ead63658d741501974c381889b3857073308 |
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
New set match revision with --return-nomatch flag support
pset/ip_set.h
|
0e37f00980eb6b4fc2c5f979cc5fa83c0fff9d30 |
22-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
extensions: add IPv6 MASQUERADE extension Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_nat.h
|
e62f426c7ead7c0025d15860df97426db6509942 |
22-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
Convert the NAT targets to use the kernel supplied nf_nat.h header Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_conntrack_tuple_common.h
f_nat.h
|
74ded7257e5da5e309844d386290f24ae91950a6 |
17-May-2012 |
Denys Fedoryshchenko <denys@visp.net.lb> |
libxt_recent: add --mask netmask This new option will be available in the Linux kernel 3.5 [ Pablo fixed coding-style issues and cleaned up this. Added manpages as well ] Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_recent.h
|
abdef13f36b63758f8775eb86febd96bf062df6f |
08-May-2012 |
Florian Westphal <fw@strlen.de> |
libxt_hashlimit: add support for byte-based operation

allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ] to make hashlimit match when X bytes/second are exceeded; optionally, Y bytes will not be matched (i.e. bursted).

[ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

    libxt_hashlimit.c: In function 'parse_bytes':
    libxt_hashlimit.c:216:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 3 has type 'uint64_t' [-Wformat]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_hashlimit.h
|
4df8cb6ab176f3c1f2bf9498d0abde8d9362087b |
23-Apr-2012 |
Hans Schillstrom <hans.schillstrom@ericsson.com> |
extensions: add HMARK target

The target allows you to set the mark of packets based on Jenkins' hash calculation:

    h(t, rnd) = x
    mark = (x % mod) + offset

where:

* t is a tuple that is used for the hashing: t = [ src, dst, proto, sport, dport ]. Note that you can customize the tuple, thus, removing some component that you don't want to use for the calculation. You can also use spi instead of sport and dport, btw.
* rnd is the random seed that is explicitly passed via --hmark-rnd
* mod is the modulus, to determine the range of possible marks
* offset determines where the mark starts from

This target only works for the "raw" and "mangle" tables.

This can be used to distribute flows between a cluster of systems and uplinks.

Initially based on work from Hans Schillstrom. Pablo took it over and introduced several improvements.

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_HMARK.h
|
e07e0d31f48d951e0f03ba254d4754810732c241 |
30-Mar-2012 |
Ashish Sharma <ashishsharma@google.com> |
Modify iptables to talk to xt_IDLETIMER version 1. Change-Id: Ib144c5289681cdff21b21be74173164d097710e7
t_IDLETIMER.h
|
e8f32983048d6aa4a908b6a92da55fa71c859623 |
29-Feb-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
libxt_CT: add --timeout option

This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg.

    iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
        -j CT --timeout custom-tcp-policy

You need the nfct(8) tool which is available at:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

To define the cttimeout policies. Example of usage:

    nfct timeout add custom-tcp-policy inet tcp established 1000

The new nfct tool also requires libnetfilter_cttimeout:

    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
|
f233df44196f568075a5d70fc29f31b72b512783 |
27-Mar-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
extensions: add nfacct match

This patch provides the user-space iptables support for the nfacct match. This can be used as it follows:

    nfacct add http-traffic
    iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
    nfacct get http-traffic

See also man nfacct(8) for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_nfacct.h
|
98e1769b65b71989e3f16b25529b40f374aef323 |
28-Dec-2011 |
Patrick McHardy <kaber@trash.net> |
extensions: add IPv6 capable ECN match extension Patrick submitted this patch by 9th Jun 2011, I'm recovering and applying it to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_ecn.h
|
166b92d3fb2a7fc008df1b59332ef528a9a573ea |
14-Jul-2011 |
Florian Westphal <fw@strlen.de> |
extensions: add rpfilter module Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_rpfilter.h
|
dbe77cc974cee656eae37e75039dd1a410a4535b |
28-Aug-2011 |
Jan Engelhardt <jengelh@medozas.de> |
include: refresh include files from kernel 3.1-rc3 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
pset/ip_set.h
f_conntrack_common.h
f_conntrack_tuple_common.h
_tables.h
t_CT.h
t_TCPOPTSTRIP.h
t_TPROXY.h
t_cluster.h
t_connbytes.h
t_connlimit.h
t_physdev.h
t_policy.h
t_quota.h
t_sctp.h
t_set.h
t_socket.h
t_time.h
t_u32.h
|
3775fb69f63b76191bc3571bfa8538c18173d90f |
28-Aug-2011 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_addrtype: add support for revision 1 Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but there was no corresponding iptables patch so far. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_addrtype.h
|
5caed2aebebf7c72dfa982f247ac35ec67a1b852 |
21-Jun-2011 |
JP Abgrall <jpa@google.com> |
Adding the original quota2 from xtables-addons

The original xt_quota in the kernel is plain broken:
- counts quota at a per CPU level (was written back when ubiquitous SMP was just a dream)
- provides no way to count across IPV4/IPV6.

This patch is the original unaltered code from:
    http://sourceforge.net/projects/xtables-addons
at commit e84391ce665cef046967f796dd91026851d6bbf3

Change-Id: Ia8b21394ea79ef55514748e96f769e40355a6ccf
Signed-off-by: JP Abgrall <jpa@google.com>
t_quota2.h
|
e39f367d905670e39e6f08d2b73c715a6d0b4bfb |
17-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
SET target revision 2 added

The new revision of the SET target supports the following new operations
- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already exists then reset the timeout value to the specified one (or to the default from the set definition)
t_set.h
|
9ee2a9fe2f74b616da34878104bd1ff406534ad1 |
03-Feb-2011 |
Patrick McHardy <kaber@trash.net> |
extensions: add extension for devgroup match Signed-off-by: Patrick McHardy <kaber@trash.net>
t_devgroup.h
|
f46f8c1c5b6d9f5685b9d945e95647eaf6c2d35b |
20-Jan-2011 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_connlimit: remove duplicate member that caused size change Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_connlimit.h
|
c8f28cc8b84133f20421470e9a61a5a0c78b9c4a |
20-Jan-2011 |
Patrick McHardy <kaber@trash.net> |
extensions: libxt_conntrack: add support for specifying port ranges Add support for revision 3 of the conntrack match, which allows to specify port ranges for origsrc/origdst/replsrc/repldst. Signed-off-by: Patrick McHardy <kaber@trash.net>
t_conntrack.h
|
6924b4987d88fbe383bec4da4cf331cc466c245e |
20-Jan-2011 |
Florian Westphal <fw@strlen.de> |
extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option

--queue-bypass: if no userspace program is listening on the queue, then allow packets to continue through the ruleset instead of dropping them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFQUEUE.h
|
773438bd93851dc1a9129a638925c04868820297 |
20-Jan-2011 |
Thomas Graf <tgraf@redhat.com> |
libxt_AUDIT: add AUDIT target libxt module for the AUDIT target. -j AUDIT --type (accept|reject|drop) Signed-off-by: Thomas Graf <tgraf@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_AUDIT.h
|
5da9e63f66ca190cb90193ebb9eebf5aa523b4d1 |
19-Jan-2011 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_connlimit: support for dstaddr-supporting revision 1 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_connlimit.h
|
4a1d810bb52aa5d5c450f7adcde5145d40261b54 |
26-Dec-2010 |
Jan Engelhardt <jengelh@medozas.de> |
xt_comment: remove redundant cast
t_comment.h
|
b4af04be14560b3fcc6cf23200148d408014a2f5 |
03-Dec-2010 |
Jan Engelhardt <jengelh@medozas.de> |
include: update files with headers from Linux 2.6.37-rc1 Also includes the type change to __u{8,16,32} kernel types already.
t_CHECKSUM.h
t_CT.h
t_IDLETIMER.h
t_SECMARK.h
t_TCPOPTSTRIP.h
t_TPROXY.h
t_cluster.h
t_connlimit.h
t_ipvs.h
t_physdev.h
t_policy.h
t_quota.h
t_sctp.h
t_socket.h
t_time.h
t_u32.h
|
422342e47c18e70757231f2210b13df8e1f5931c |
02-Aug-2010 |
Changli Gao <xiaosuo@gmail.com> |
libxt_quota: don't ignore the quota value on deletion

Don't ignore the quota value on deletion, then we can remove a special rule every time.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_quota.h
|
2d59208943a3a2a6e0e30b6c84bb8ae80d444cd3 |
23-Jul-2010 |
Eric Dumazet <eric.dumazet@gmail.com> |
extension: add xt_cpu match

Kernel 2.6.36 supports xt_cpu match

In some situations a CPU match permits a better spreading of connections, or select targets only for a given cpu.

With Remote Packet Steering or multiqueue NIC and appropriate IRQ affinities, we can distribute traffic on available cpus, per session. (all RX packets for a given flow are handled by a given cpu)

Some legacy applications being not SMP friendly, one way to scale a server is to run multiple copies of them.

Instead of randomly choosing an instance, we can use the cpu number as a key so that softirq handler for a whole instance is running on a single cpu, maximizing cache effects in TCP/UDP stacks.

Using NAT for example, a four-way machine might run four copies of server application, using a separate listening port for each instance, but still presenting a unique external port :

    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
        -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
        -j REDIRECT --to-port 8081
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
        -j REDIRECT --to-port 8082
    iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
        -j REDIRECT --to-port 8083

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_cpu.h
|
c36d05e42406966440e3644110d3d2504c4b165c |
23-Jul-2010 |
Hannes Eder <heder@google.com> |
libxt_ipvs: user-space lib for netfilter matcher xt_ipvs The user-space library for the netfilter matcher xt_ipvs. [ trivial up-port by Simon Horman <horms@verge.net.au> ] Signed-off-by: Hannes Eder <heder@google.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_ipvs.h
|
b14f160c11196aeb99000611207bd353c7ae2cb9 |
15-Jul-2010 |
Patrick McHardy <kaber@trash.net> |
Merge branch 'master' into iptables-next
|
0bcda81f5f6d121084131fb944e2940f614cc98c |
15-Jul-2010 |
Patrick McHardy <kaber@trash.net> |
extensions: fix compilation of the new CHECKSUM target Add missing header file. Signed-off-by: Patrick McHardy <kaber@trash.net>
t_CHECKSUM.h
|
78514bc3a9b1b724c9fc904941c5854644865673 |
25-Jun-2010 |
Patrick McHardy <kaber@trash.net> |
Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
|
d40f1628c3717daebc437a398a285e371b5b6f7f |
16-Jun-2010 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
libxt_set: new revision added
libipt_set renamed to libxt_set and the support for the forthcoming ipset release added. I have tested backward (IPv4) and forward compatibility (IPv4/IPv6):
ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
t_set.h
|
d96993e50b44b358ea5bd15f3944674eafd62542 |
15-Jun-2010 |
Luciano Coelho <luciano.coelho@nokia.com> |
extensions: add idletimer xt target extension Add the extension plugin for the IDLETIMER x_tables target. Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_IDLETIMER.h
|
491c1660fced08e2d1a08c101c63af04250275d0 |
07-Jun-2010 |
Jan Engelhardt <jengelh@medozas.de> |
includes: sync header files from Linux 2.6.35-rc1 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
_tables.h
t_CONNMARK.h
t_MARK.h
t_TEE.h
t_connmark.h
t_mark.h
t_recent.h
|
8532c70fd182057b440b41f013d8021a95bd72b2 |
21-May-2010 |
Patrick McHardy <kaber@trash.net> |
Revert "Revert "Merge branch 'iptables-next'"" This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099. Revert the revert to restore the TEE target.
t_TEE.h
|
110c1e4502e21ea38e0980e6f8af857d24330099 |
21-May-2010 |
Patrick McHardy <kaber@trash.net> |
Revert "Merge branch 'iptables-next'" This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e. Forgot to commit the version increase.
t_TEE.h
|
c303bb0594fae1c4fd1097b2ce0814c5ffd0edc7 |
19-Apr-2010 |
Jan Engelhardt <jengelh@medozas.de> |
extensions: add support for xt_TEE xt_TEE is firstly included in Linux 2.6.35. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_TEE.h
|
9fdbaa71452edaac9d5906716c15937f670341fa |
08-Mar-2010 |
Patrick McHardy <kaber@trash.net> |
extensions: add CT extension Signed-off-by: Patrick McHardy <kaber@trash.net>
f_conntrack_common.h
t_CT.h
|
350661a6eb089f3e54e67e022db9e16ea280499f |
31-Jan-2010 |
Jan Engelhardt <jengelh@medozas.de> |
includes: header updates Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's ipt_ECN.h for example references ipt_DSCP.h, which no longer exists. Since a number of old code pieces have been removed in the kernel in that fashion, the structs for older versions are moved into the .c file, to keep header updating simple. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f_conntrack_common.h
_tables.h
t_CLASSIFY.h
t_CONNMARK.h
t_CONNSECMARK.h
t_DSCP.h
t_LED.h
t_MARK.h
t_NFLOG.h
t_NFQUEUE.h
t_RATEEST.h
t_SECMARK.h
t_TCPMSS.h
t_connbytes.h
t_connmark.h
t_conntrack.h
t_dccp.h
t_dscp.h
t_esp.h
t_hashlimit.h
t_iprange.h
t_length.h
t_limit.h
t_mark.h
t_multiport.h
t_owner.h
t_physdev.h
t_policy.h
t_quota.h
t_rateest.h
t_realm.h
t_recent.h
t_sctp.h
t_state.h
t_statistic.h
t_string.h
t_tcpmss.h
t_tcpudp.h
|
588b615bc78ddef3752f356d1e243129c4dbba96 |
12-Nov-2009 |
Patrick McHardy <kaber@trash.net> |
extensions: add osf extension From Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_osf.h
|
4282d89a798adcf50973a22c5a17563b5e9421cb |
20-Aug-2009 |
Florian Westphal <fwestphal@astaro.com> |
libxt_NFQUEUE: add new v1 version with queue-balance option New version that adds support for specifying a queue range instead of a single queue id. The kernel will distribute flows across the given queue range. This is useful for multicore systems, simply start multiple instances of the userspace program on queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets belonging to the same connection are put into the same queue. With fixes from Jan Engelhardt. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFQUEUE.h
|
b97b42147ea65d7d24d70a2ffe925dbf091f26bc |
25-Jun-2009 |
Jan Engelhardt <jengelh@medozas.de> |
xt_conntrack: revision 2 for enlarged state_mask member This complements the xt_conntrack revision 2 code added to the kernel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_conntrack.h
|
cd958a6c92c84095a439780b53832bb3aae2d512 |
06-May-2009 |
Pablo Neira Ayuso <pablo@netfilter.org> |
extensions: add `cluster' match support This patch adds support for the cluster match to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cluster.h
|
978e27e8f8c2e49d0528c6c4ae3a56627fbe8492 |
21-Feb-2009 |
Jan Engelhardt <jengelh@medozas.de> |
include: resynchronize headers with 2.6.29-rc5 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f_conntrack_common.h
f_conntrack_tuple.h
f_nat.h
t_NFLOG.h
t_connlimit.h
t_conntrack.h
t_quota.h
t_sctp.h
t_string.h
|
9cfc59f71f83ee97c4513fd340acf1e45073562b |
09-Feb-2009 |
Eric Leblond <eric@inl.fr> |
xt_NFLOG: Set default NFLOG qthreshold to 0 By setting default NFLOG qthreshold to 0, userspace does not overwrite the per-instance value. Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFLOG.h
|
af1660fe0e88cd9f1c770864e1c643718cb2cc62 |
22-Oct-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Move libipt_recent to libxt_recent Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_recent.h
|
92b54aa2b436387f85783d3f420ccaa12fdaf891 |
15-Oct-2008 |
KOVACS Krisztian <hidden@sch.bme.hu> |
Add iptables support for the TPROXY target Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_TPROXY.h
|
78d2d14211466f1986882ba6bdf82e6429ce78dc |
07-Jul-2008 |
Joonwoo Park <joonwpark81@gmail.com> |
xt_string: string extension case insensitive matching The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag. Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
t_string.h
|
e0bba47e550420e371c97425cc6d39909a6e059b |
05-Jun-2008 |
Patrick McHardy <kaber@trash.net> |
Resync header files with kernel Resync headers and add types.h file for endian annotated types, which are not available with old headers.
f_conntrack_common.h
t_RATEEST.h
t_conntrack.h
t_limit.h
t_physdev.h
t_policy.h
t_rateest.h
t_realm.h
t_statistic.h
t_string.h
|
ca7cd666949b68bf41a32de38ee38e332e89863b |
11-Feb-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Add all necessary header files - compilation fix for various cases Allow iptables to compile without a kernel source tree. This implies fixing build for older kernels, such as 2.6.17 which lack xt_SECMARK.h.
_tables.h
t_SECMARK.h
|
9a8c77fc8df3155747c34dcea79b7834a2a9a40a |
11-Feb-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Add support for xt_hashlimit match revision 1
t_hashlimit.h
|
dbb77543ad6afe29e9a1881b2d4fc212de621a55 |
11-Feb-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Fix -Wshadow warnings and clean up xt_sctp.h Note: xt_sctp.h is still not merged upstream in the kernel as of this commit. But a refactoring was really needed.
t_sctp.h
|
ca1da708b6d41dbc5df99335b4370bd1592b4de3 |
29-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
[IPTABLES]: libxt_owner: UID/GID range support UID/GID range support for libxt_owner Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_owner.h
|
ff068719055ae2327d94c79048381c09d3b744c4 |
29-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_CONNMARK revision 1 Add support for xt_CONNMARK target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_CONNMARK.h
|
aef4c1e7275633e4650d16440faaf4cb7163ac0e |
20-Jan-2008 |
Sven Schnelle <svens@bitebene.org> |
libxt_TCPOPTSTRIP Import libxt_TCPOPTSTRIP into iptables. Signed-off-by: Sven Schnelle <svens@bitebene.org> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_TCPOPTSTRIP.h
|
41daaa0cfbb1cb6b80a2ce2571f9f92f164f0228 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_iprange r0 Move libipt_iprange to libxt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_iprange.h
|
d95d92f0a480008a89f4ffa69f0c67f55dbbe05f |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_mark r1 Introduce libxt_mark match revision 1 support. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_mark.h
|
a80b6046fa216c26dbc18d587f6255afa8444885 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_conntrack r0 Move libipt_conntrack to libxt_conntrack. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_conntrack.h
|
a7b0707bd83bac30a92871872dab79ec8cebebbb |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_connmark r1 Add support for xt_connmark match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_connmark.h
|
f4b737fb0c52a95a48f2e313ed4cff43db720ad6 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_MARK r2 Add support for xt_MARK target revision 2. Also consolidate libip6t_MARK.man and libipt_MARK.man. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_MARK.h
|
36f2eadca556da9bb4979b3f67f38020e80ef7d2 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_TOS Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support for xt_TOS target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_DSCP.h
|
0720c1226381f5c71748673c43c12499f1f254c7 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_tos Move libipt_tos revision 0 to libxt_tos revision 0 and add support for xt_tos match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_dscp.h
|
5c5cd885daf43256f7bd24a3a698306764438145 |
20-Jan-2008 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_owner libxt_owner merges libipt_owner and libip6t_owner, and adds support for the xt_owner match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_owner.h
|
6afc5b720ed78173e4e21b759df16577fbce13d6 |
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
Add rateest match extension Signed-off-by: Patrick McHardy <kaber@trash.net>
t_rateest.h
|
2528258ddf066a5147394dc65cae3bde8e80e3c0 |
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
Add RATEEST target extension Signed-off-by: Patrick McHardy <kaber@trash.net>
t_RATEEST.h
|
2cfa903a2882a5d7819c697870af9ae3ab106386 |
25-Nov-2007 |
Jesper Brouer <jdb@comx.dk> |
Fix make/compile error for iptables-1.4.0rc1 Fixing a make/compile issue with iptables, release candidate 1.4.0rc1, which has existed since SVN changeset 6920. This patch adds ip_tables.h and ip6_tables.h, and updates x_tables.h, taken from Linus's git tree. Changeset 6920 added the include file x_tables.h from kernel source, but didn't add ip_tables.h and ip6_tables.h. At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these kernel headers were changed, which actually removes certain dependencies from ip_tables.h and ip6_tables.h to x_tables.h. Compiling will fail with old kernel headers (ip_tables.h and ip6_tables.h) available in the system's include path, because they depend on certain defines in x_tables.h which are missing in the version in SVN. Jesper Brouer <jdb@comx.dk>
_tables.h
|
ad326ef9f734ac30548de292c59fc0e2fd81ac2a |
23-Sep-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Add the libxt_time iptables match This is libipt_time from POM-ng enhanced by the following: * day-of-month support (for example "match on the 15th of each month") * inversion support for --weekdays and --monthdays * match against UTC or local timezone * a manpage Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_time.h
|
9640e529bd08c4c0458246fae0fd6b473c94ab46 |
10-Sep-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Adds u32 to iptables. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
t_u32.h
|
9e9022562d76644a2c9d1024b597729af68c81e5 |
05-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Build dccp match unconditionally
t_dccp.h
|
b8a0a100a68098c0329735b5724d9c0b425e72eb |
05-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Build string match unconditionally
t_string.h
|
800b7e54e81f86d290a66330cecb1fe5a3a9a31a |
05-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Build statistic match unconditionally
t_statistic.h
|
cddfd941e7a24dbc01a7dc79e4ce51f60f7128fc |
05-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Build quota match unconditionally
t_quota.h
|
002d129b694633d47c76913b360329baa0d8e923 |
05-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Build NFLOG target unconditionally
t_NFLOG.h
|
f8137b1b4cc18d4ff528ac40b83345260bb644ae |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to helper match
t_helper.h
|
6aac50010e50aa42b42089110c8cf4d80b224f14 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to connbytes match
t_connbytes.h
|
a7bf6d0decd93ade089a98a8de76a529cd96427e |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to DSCP target
t_DSCP.h
|
e4cc20b2367362c2f9c84c0daaccd985e3236118 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to CLASSIFY target
t_CLASSIFY.h
|
1ff0b8d6a6669e6bbbacbfd719bd7e016a4c0406 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_state into libxt_state
t_state.h
|
c57c155312a544482a6b8a3c0f7224b00cfaae20 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_connmark into libxt_connmark
t_connmark.h
|
d62a9db1295608ef98394b830703389973346716 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_hashlimit into libxt_hashlimit
t_hashlimit.h
|
6e22228b00cc485282db16b9637315a60b6dbd10 |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_MARK into libxt_MARK
t_MARK.h
|
5679958c748087a3e21fbfa26d2ea08a6572ee4f |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_CONNSECMARK into libxt_CONNSECMARK
t_CONNSECMARK.h
|
f36f4a8844132cbaacf3bbd5ec0254c17fcc97ae |
04-Aug-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to CONNMARK match
t_CONNMARK.h
|
a2e89ccf65e8c881e77674cd2b15b9704b0c6822 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_NFQUEUE.c into libxt_NFQUEUE.c
t_NFQUEUE.h
|
45e4c6946426785d30733701d1ee8112e58538a4 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_TCPMSS.c into libxt_TCPMSS.c
t_TCPMSS.h
|
9ea637d5a7ebfb04e97db4cb114117474bbda9cf |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to comment match
t_comment.h
|
18e060822be3ad17368dbe3d7289dd21efd341a5 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to dscp match.
t_dscp.h
|
0a04e8d695549788213f842cc99c724a564a88df |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_esp.c into libxt_esp.c
t_esp.h
|
36087d952be182a6163fc508c2168b9c3b9209c2 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_length.c into libxt_length.c
t_length.h
|
4489c0d66d9a0e6033c9472fd54df155788010b7 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_limit.c into libxt_limit.c.
t_limit.h
|
ba2d891523121b651be54a4ce915bcee33d2ed38 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_mac.c into libxt_mac.c
t_mac.h
|
fec77fed67feb55aba4c33ae2367178c57ce83de |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_physdev.c into libxt_physdev.c
t_physdev.h
|
5fd6ec87600ac3bd96c2500f6f4a1a9010d8d31e |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to pkttype match
t_pkttype.h
|
19f29509c8a97219c578aeaf8be15cf005d46eb3 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_sctp.c into libxt_sctp.c
t_sctp.h
|
7999bd3ad9815f49c31d4ef9798adbbd87ba0094 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Add IPv6 support to tcpmss match
t_tcpmss.h
|
17908e4bd0bc8ddb7a85bda316864ad8e1e56a29 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_udp.c into libxt_udp.c
t_tcpudp.h
|
0af771d5c84ea9143cf947fb944a0e18189f0e63 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Use unified API in libipt_mark.c
t_mark.h
|
eb6e65e1ccfb52457d461b72cf5abe4e9f7187c6 |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Use unified API in multiport match
t_multiport.h
|
0d502bcdbc97ed359e84f6a21dfa0049b3b60a6c |
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Introduces xtables match/target registration
- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol family dependent information.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them
- unifies the following functions and moves them to xtables.c
  - find_{match,find_target}
  - compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and makes register_{match,target}[6] call them. xtables_register_* registers ONLY matches/targets matching the protocol family
Some concepts:
- source compatibility for libip[6]t_xxx.c with warning on compilation, not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of course.
- xtables is enough to support only one address family at runtime. Then xtables keeps information of only the focused address family in struct afinfo.
_tables.h
|
21df4af43dcc9f635baa2aff3ace53768d9704bc |
09-Jul-2007 |
Jan Engelhardt <jengelh@medozas.de> |
PATCH: Add connlimit to iptables. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
t_connlimit.h
|
40d54756cd8a2705e22b36f7aef03bb2c472a10b |
18-Apr-2007 |
Patrick McHardy <kaber@trash.net> |
Use nf_conntrack headers instead of ip_conntrack ones and add sanitized versions.
f_conntrack_common.h
f_conntrack_tuple.h
f_conntrack_tuple_common.h
f_nat.h
|