History log of /external/iptables/include/linux/netfilter/
Revision Date Author Comments
8a3f924e490f4a746baf713342bfd4db201106f1 22-Mar-2017 Lorenzo Colitti <lorenzo@google.com> Update to iptables 1.6.1.

This merges upstream b013e3e80e96 ("iptables 1.6.1 release")

Conflicts:
include/libiptc/ipt_kernel_headers.h

Bug: 30950746
Bug: 36108349
Test: see top of change stack.
Change-Id: Ib2b5ae0e0c330798aa375b153e3e2cba2348bb1c
f17f9ace8a84f6986235fc2d0fedc1fd5148a3bd 08-Dec-2016 Willem de Bruijn <willemb@google.com> extensions: libxt_bpf: support ebpf pinned objects

Exercise the new kernel feature introduced in commit 2c16d6033264
("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs.

The new interface allows instantiating a bpf match using

-m bpf --object-pinned ${PATH}

where ${PATH} points to a node in a bpf virtual filesystem. See
also the revised man page.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_bpf.h
85b794373f9f914a8fc2f015dd9013d91fe7404e 26-Sep-2016 Vishwanath Pai <vpai@akamai.com> extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates

Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million; version 1 supports only 10k.

To support this we have to increase the size of the variables avg and
burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
and xt_hashlimit_mtinfo2 and also create newer versions of all the
functions for match, checkentry and destroy.

Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_hashlimit.h
7070b1f3c88a0c3d4e315c00cca61f05b0fbc882 24-Jun-2016 Vishwanath Pai <vpai@akamai.com> extensions: libxt_NFLOG: nflog-range does not truncate packets

The option --nflog-range has never worked, but we cannot just fix this
because users might be using this feature option and their behavior would
change. Instead add a new option --nflog-size. This option works the same
way nflog-range should have, and both of them are mutually exclusive. When
someone uses --nflog-range we print a warning message informing them that
this feature has no effect.

To indicate to the kernel that the user has set --nflog-size we have to pass a
new flag XT_NFLOG_F_COPY_LEN.

Also updated the man page to reflect the new option and added tests to
extensions/libxt_NFLOG.t

Reported-by: Joe Dollard <jdollard@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_NFLOG.h
5d359b97a59f27d4bace5a43695c1fed37e61bd9 22-Dec-2015 Tejun Heo <tj@kernel.org> libxt_cgroup2: add support for cgroup2 path matching

This patch updates xt_cgroup so that it supports revision 1 interface
which includes cgroup2 path based matching.

v3: Folded into xt_cgroup as a new revision interface as suggested by
Pablo.

v2: cgroup2_match->userspacesize and ->save and man page updated as
per Jan.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
13ad9f2f6b02cf836c826bba0e7a845d3a90949f 22-Dec-2015 Tejun Heo <tj@kernel.org> libxt_cgroup: prepare for multi revisions

libxt_cgroup will grow cgroup2 path based match. Postfix existing
symbols with _v0 and prepare for multi revision registration. While
at it, rename O_CGROUP to O_CLASSID and fwid to classid.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
c1b62f09259cdfa618cf63032de67689c991bd3e 24-Aug-2015 Daniel Borkmann <daniel@iogearbox.net> libxt_CT: add support for recently introduced zone options

This adds the user space front-end and man-page bits for the additional
zone features (direction, mark) of the CT target.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
de2fa7133374831bcb5080a43e567e2e41f84ee7 16-Jun-2015 Harout Hedeshian <harouth@codeaurora.org> extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.

Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.

iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3

Bug: 20663075
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

(cherry picked from commit 3b20fc71c99acd604d635deacef99769e36191b5)

Change-Id: If746841dea9db9f1c7ad1d74ed37fa13109e37ff
t_socket.h
586aef2c0dd9b6d534930994cc73b6d5a734854c 20-Jun-2013 Eric Dumazet <edumazet@google.com> xt_socket: add --nowildcard flag

xt_socket module can be a nice replacement to conntrack module
in some cases (SYN filtering for example)

But it lacks the ability to match the 3rd packet of TCP
handshake (ACK coming from the client).

Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism

The wildcard is the legacy socket match behavior, that ignores
LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)

iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT

Bug: 20663075
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
16964a99a61ff1d7cb0c260ed50b9f91f7b7a783 16-Jun-2015 Harout Hedeshian <harouth@codeaurora.org> extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.

Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.

iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3

Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
a40cd9b784590ee09f1be4897f28bb0b2ce1096d 06-Nov-2014 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Alignment problem between 64bit kernel 32bit userspace

Sven-Haegar Koch reported the issue:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue with introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
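The size mismatch reported above is a struct layout problem at the kernel/user ABI boundary: on i386 a plain __u64 is only 4-byte aligned, so the same header produces a smaller struct for 32-bit userspace than for a 64-bit kernel, and x_tables refuses the rule rather than read past the user buffer. The following is an added example, not code from iptables, ipset or the kernel: a small layout calculator that reproduces both ABIs' sizeof() for a struct of the same general shape (a 32-bit field followed by 64-bit counters) and shows why forcing 8-byte alignment on the 64-bit members (the __aligned_u64 idiom used in netfilter uapi headers) makes the two sides agree. The member lists, sizes and names are constructed for illustration and do not claim to be the real ip_set_counter_match layout.

```c
#include <stdbool.h>
#include <stddef.h>

/* One struct member: its size and natural alignment. `forced` marks a
 * member declared with an explicit alignment (e.g. __aligned_u64), which
 * the ABI cap below must not shrink. */
struct member {
    size_t size;
    size_t align;
    bool forced;
};

static size_t round_up(size_t v, size_t a)
{
    return (v + a - 1) / a * a;
}

/* sizeof() for a struct with the given members under an ABI whose largest
 * natural alignment is `abi_max_align`: 8 on x86_64, 4 on i386 (where a
 * plain __u64 is only 4-byte aligned). Usual C layout rules: each member
 * starts at the next multiple of its alignment, and the total is padded
 * to a multiple of the largest member alignment. */
size_t struct_size(const struct member *m, size_t n, size_t abi_max_align)
{
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n; i++) {
        size_t a = m[i].align;
        if (!m[i].forced && a > abi_max_align)
            a = abi_max_align;
        off = round_up(off, a);
        off += m[i].size;
        if (a > max_align)
            max_align = a;
    }
    return round_up(off, max_align);
}

/* The check behind "invalid size 48 (kernel) != (user) 32": the kernel
 * compares its own sizeof() with what userspace passed and rejects the
 * rule on mismatch instead of trusting the smaller buffer. */
bool xt_size_ok(size_t kernel_size, size_t user_size)
{
    return kernel_size == user_size;
}

/* Constructed shape, similar in spirit to a match with counters:
 * `plain` uses __u64, `fixed` uses __aligned_u64 (8-byte alignment forced). */
static const struct member plain[] = {
    { 4, 4, false },   /* __u32 flags          */
    { 8, 8, false },   /* __u64 packets        */
    { 8, 8, false },   /* __u64 bytes          */
};
static const struct member fixed[] = {
    { 4, 4, false },   /* __u32 flags          */
    { 8, 8, true },    /* __aligned_u64 packets */
    { 8, 8, true },    /* __aligned_u64 bytes   */
};

size_t plain_size(size_t abi_max_align)
{
    return struct_size(plain, 3, abi_max_align);
}

size_t fixed_size(size_t abi_max_align)
{
    return struct_size(fixed, 3, abi_max_align);
}
```

With the plain layout the 64-bit kernel computes 24 bytes while 32-bit userspace sends 20, and xt_size_ok() fails exactly as in the syslog line above; with forced alignment both sides compute 24. The practical check when adding a field to a uapi match/target struct is to build the header for both ABIs and compare sizeof(), or simply never use a bare __u64 in such structs.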
da6c162ce5fb42fa5439ae0b95c321fb476b9cb7 05-Nov-2014 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'ipset'

This provides the ipset skbinfo extension.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
a491c610a1994e7a51c04035314dbc8cef250808 01-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> refresh nf_tables.h cached copy

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 02-Sep-2014 Anton Danilov <littlesmilingcloud@gmail.com> xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

This feature adds support for mapping meta information to packets, like nftables maps or
ipfw tables. Currently we can map the firewall mark, tc priority and hardware NIC queue.
Use of this functionality is allowed only from the mangle table. We can map tc priority
only in the OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the routing decision.
If the entry doesn't exist in the set, none of the fields are changed.

Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
01dcfdab11a6583d899bfc34758e8f9996774d21 16-May-2014 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'next-3.14'
11ef84b856859e7d4a08625d09c8573e5f5eef63 02-Apr-2014 JP Abgrall <jpa@google.com> Merge remote-tracking branch 'upstream/stable-1.4.20' into update

Conflicts:
.gitignore
include/linux/types.h
libiptc/libiptc.c

Change-Id: I2c949ba9de090db9ae09d914f4ac5c13e5b7d4da
d6217f93926b174bb2e894c8a8fc3d73b01942e9 13-Mar-2014 Jiri Popelka <jpopelka@redhat.com> update FSF address in license text

http://www.gnu.org/licenses/gpl-2.0.html
http://www.fsf.org/about/contact/

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_osf.h
6465867eb48506687872b838b1ddfee61d1a0aeb 23-Dec-2013 Daniel Borkmann <dborkman@redhat.com> iptables: add libxt_cgroup frontend

This patch adds the user space extension/frontend for process matching
based on cgroups from the kernel patch entitled "netfilter: xtables:
lightweight process control group matching".

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cgroup.h
3cefc136d13f426fd68808ddfd39ada0c90f23db 22-Dec-2013 Daniel Borkmann <dborkman@redhat.com> iptables: snat: add randomize-full support

This patch provides the userspace part for snat in order to make
randomize-full support available in {ip,nf}tables. It allows for
enabling full port randomization that was motivated in [1] and
introduced to the kernel in [2].

Joint work between Hannes Frederic Sowa and Daniel Borkmann.

[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://patchwork.ozlabs.org/patch/304306/

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_nat.h
d34f0611975b1da6320112df00513ba42310f356 13-Dec-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> include: Update nftables API header in sync with kernel's one

Many changes were missing.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
d6a127cd5710f8c60e95bfd0378ca352c07140a9 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: batch rule-set updates into one single netlink message

With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
fnetlink.h
2a87a024e1f77407e332086a4fa664e048280195 25-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: nft: add protocol and flags for xtables over nf_tables

Add protocol and flags for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
9e62dc8637f210cdeaed784396fecab9b6e5f043 20-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables-restore: support atomic commit

Use new services in nf_tables to support atomic commit.

Commit per table, although we support global commit at once,
call commit for each table to emulate iptables-restore
behaviour by now.

Keep table dormant/wake up code in iptables/nft.c as it can
be used in the future.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
9c541721d318598db45986ee2fd61491fadb53d0 29-Dec-2012 Pablo Neira Ayuso <pablo@netfilter.org> nft: adapt chain rename to recent Patrick's updates

This patch gets existing code in sync with Patrick's chain
renaming new approach.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
5705ea1f4e3c9cd3d5d9cbcf84b9733ce1f07e57 19-Nov-2012 Pablo Neira Ayuso <pablo@netfilter.org> xtables-restore: add support for dormant tables

This patch adds support for dormant tables for xtables-restore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
42239cb39ecf7650fefb5cc301ab943be11de6fb 03-Nov-2012 Pablo Neira Ayuso <pablo@netfilter.org> headers: remove unused compatibility definitions

They belong to nf_tables_compat.h

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
4493582ccb60a443fc7efeca78edafbefc689aa3 31-Oct-2012 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Add support for chain rename options (-E)

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
f_tables.h
1373cbb1068a1dc57540faebcf2f5f0fcbe83b53 31-Oct-2012 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> headers: Make nf_tables.h up to date

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
f_tables.h
384958620abab397062b67fb2763e813b63f74f0 27-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aim to be similar; still, the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
locking the entire table.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get operation similar
to that of iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_tables.h
f_tables_compat.h
fnetlink.h
0bb8765cc28cf1ddde70f3f5bfed96a067b1ead3 18-Dec-2013 fan.du <fan.du@windriver.com> iptables: Add IPv4/6 IPcomp match support

This patch enables user to set iptables ACTIONs for IPcomp
flow specified by its SPI value.

For example:
iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP

IPcomp packet with spi as 0x12 will be dropped.

Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_ipcomp.h
cf1f03f8f3cf2db577a9ddee254cc7f886129d18 04-Sep-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> extensions: libxt_set, libxt_SET: check the set family too

Do not accept silently sets with wrong protocol family but reject
them with an error message. It makes straightforward to catch user
errors.

[ Use afinfo instead to avoid a binary interface update --pablo ]

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
pset/ip_set.h
ab566725f515bd8ea47a069c3289a80c60e6aa70 28-Aug-2013 Patrick McHardy <kaber@trash.net> extensions: add SYNPROXY extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_SYNPROXY.h
64d45792fe8f50294034bb699ff74ecae178e975 20-Jun-2013 Eric Dumazet <edumazet@google.com> xt_socket: add --nowildcard flag

xt_socket module can be a nice replacement to conntrack module
in some cases (SYN filtering for example)

But it lacks the ability to match the 3rd packet of TCP
handshake (ACK coming from the client).

Add a XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism

The wildcard is the legacy socket match behavior, that ignores
LISTEN sockets bound to INADDR_ANY (or ipv6 equivalent)

iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_socket.h
7b26bafb9be05a23b47653640aadbb61d0032665 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> libxt_CT: Add the "NOTRACK" alias

Available since Linux kernel 3.8.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
34844da8f53ec80b34ad094f2fca2519a7079ec2 01-May-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce a new revision for the set match with the counters support

The revision add the support of matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
pset/ip_set.h
t_set.h
ce7d0619ce49587ca78456caf467cf25f7cbbc4e 02-Apr-2013 holger@eitzenberger.org <holger@eitzenberger.org> extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_NFQUEUE.h
ccbf6b6448a4210432b76fd4660798705b05f8c4 06-May-2013 Florian Westphal <fw@strlen.de> extensions: add connlabel match

allows "tagging" connections with up to 128 label names.

Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0

Labels can then be attached to flows, e.g.

-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

Signed-off-by: Florian Westphal <fw@strlen.de>
t_connlabel.h
e0a0dd703b3448f0f07fc59b7232bf1f1cce7b86 23-Jan-2013 Willem de Bruijn <willemb@google.com> extensions: add libxt_bpf extension

Add user-space code to support the new BPF iptables extension.

Pablo has mangled the original patch to:

* include a copy of include/linux/netfilter/xt_bpf.h in the tree.
* I have also removed the --bytecode-file option. The original
proposal was to accept BPF code in a file in human readable
format. Now, with the nfbpf_compile utility, it's very easy
to generate the filter using tcpdump-like syntax.
* I have removed the trailing comma in the backtick format, the
parser works just fine for me here.
* Fix error message if --bytecode is missing.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_bpf.h
e612a9d285477e9951349dd137305393a1255b19 28-Jan-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Add the "state" alias to the "conntrack" match
t_conntrack.h
9d284c1c67188dfa8a4c7a6e36eb9a10bd9c15e2 25-Oct-2012 Pablo Neira Ayuso <pablo@netfilter.org> Merge branch 'next' branch that contains new features scheduled for
Linux kernel 3.7
8d8896a3833292d091ee5a028f3461083bb956bd 17-Sep-2012 Florian Westphal <fw@strlen.de> libxt_time: add support to ignore day transition

Currently, if you want to do something like:
"match Monday, starting 23:00, for two hours"
You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
The rule
--weekdays Mo --timestart 23:00 --timestop 01:00
looks correct, but it will first match on monday from midnight to 1 a.m.
and then again for another hour from 23:00 onwards.

This permits userspace to explicitly ignore the day transition and
match for a single, continuous time period instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_time.h
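The two behaviours described in the commit message are easy to get wrong when reviewing a time-based rule, so here is an added example (not code from iptables or the kernel's xt_time; the struct and names are this example's own) that evaluates a --weekdays/--timestart/--timestop rule against a packet's weekday and minute of day, once with the legacy wrap-around semantics and once with the new contiguous semantics. The weekday numbering (Monday = 1 ... Sunday = 7) and the inclusive --timestop are assumptions made for the example.

```c
#include <stdbool.h>

/* Weekday numbering used by this example (assumption, not the kernel's
 * xt_time layout): Monday = 1 ... Sunday = 7, selected via a bitmask. */
enum weekday { MON = 1, TUE, WED, THU, FRI, SAT, SUN };
#define WD(d) (1u << (d))

/* Hypothetical stand-in for the rule fields set by --weekdays,
 * --timestart, --timestop and --contiguous. */
struct time_rule {
    unsigned int weekdays;  /* OR of WD(...) values */
    unsigned int start;     /* --timestart, minutes since midnight */
    unsigned int stop;      /* --timestop, minutes since midnight, inclusive */
    bool contiguous;        /* --contiguous: treat a wrapped window as one period */
};

static unsigned int hhmm(unsigned int h, unsigned int m)
{
    return h * 60 + m;
}

/* Does a packet seen on weekday `day` at `minute` (local time) match?
 * Implements the semantics described in the commit message above. */
bool time_rule_match(const struct time_rule *r, enum weekday day,
                     unsigned int minute)
{
    if (r->start <= r->stop) {
        /* Plain window inside one day. */
        if (minute < r->start || minute > r->stop)
            return false;
    } else {
        /* Window wraps past midnight: [start, 24:00) or [00:00, stop]. */
        if (minute < r->start && minute > r->stop)
            return false;
        /* Legacy behaviour: both halves are checked against the same
         * weekday, so "Mo 23:00-01:00" also matches Monday 00:00-01:00.
         * With --contiguous the after-midnight half belongs to the period
         * that began the previous day, so shift the weekday back by one. */
        if (r->contiguous && minute < r->start)
            day = (day == MON) ? SUN : (enum weekday)(day - 1);
    }
    return (r->weekdays & WD(day)) != 0;
}

/* The rule from the commit message:
 *   --weekdays Mo --timestart 23:00 --timestop 01:00 [--contiguous] */
bool monday_rule_match(bool contiguous, enum weekday day, unsigned int minute)
{
    struct time_rule r = {
        .weekdays = WD(MON),
        .start = hhmm(23, 0),
        .stop = hhmm(1, 0),
        .contiguous = contiguous,
    };
    return time_rule_match(&r, day, minute);
}
```

Without --contiguous the rule matches Monday 00:30 and Monday 23:30 but not Tuesday 00:30; with it, Monday 00:30 no longer matches and Tuesday 00:30 does, which is the single two-hour window the rule author meant. When auditing a ruleset, any --timestop earlier than its --timestart deserves a look at whether --contiguous is present.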
d637ead63658d741501974c381889b3857073308 21-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> New set match revision with --return-nomatch flag support
pset/ip_set.h
0e37f00980eb6b4fc2c5f979cc5fa83c0fff9d30 22-Aug-2012 Patrick McHardy <kaber@trash.net> extensions: add IPv6 MASQUERADE extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_nat.h
e62f426c7ead7c0025d15860df97426db6509942 22-Aug-2012 Patrick McHardy <kaber@trash.net> Convert the NAT targets to use the kernel supplied nf_nat.h header

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f_conntrack_tuple_common.h
f_nat.h
74ded7257e5da5e309844d386290f24ae91950a6 17-May-2012 Denys Fedoryshchenko <denys@visp.net.lb> libxt_recent: add --mask netmask

This new option will be available in the Linux kernel 3.5

[ Pablo fixed coding-style issues and cleaned up this. Added
manpages as well ]

Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_recent.h
abdef13f36b63758f8775eb86febd96bf062df6f 08-May-2012 Florian Westphal <fw@strlen.de> libxt_hashlimit: add support for byte-based operation

allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
to make hashlimit match when X bytes/second are exceeded;
optionally, Y bytes will not be matched (i.e. bursted).

[ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]

libxt_hashlimit.c: In function ‘parse_bytes’:
libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_hashlimit.h
4df8cb6ab176f3c1f2bf9498d0abde8d9362087b 23-Apr-2012 Hans Schillstrom <hans.schillstrom@ericsson.com> extensions: add HMARK target

The target allows you to mark packets based on Jenkins' hash calculation:

h(t, rnd) = x

mark = (x % mod) + offset

where:

* t is a tuple that is used for the hashing:

t = [ src, dst, proto, sport, dport ]

Note that you can customize the tuple, thus, removing some component
that you don't want to use for the calculation. You can also use spi
instead of sport and dport, btw.

* rnd is the random seed that is explicitly passed via --hmark-rnd
* mod is the modulus, to determine the range of possible marks
* offset determines where the mark starts from

This target only works for the "raw" and "mangle" tables.

This can be used to distribute flows between a cluster of
systems and uplinks.

Initially based on work from Hans Schillstrom. Pablo took it
over and introduced several improvements.

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_HMARK.h
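To make the mark = (h(t, rnd) % mod) + offset formula concrete, here is an added example that is not code from iptables or the kernel's xt_HMARK: it hashes the [src, dst, proto, sport, dport] tuple with a stand-alone transcription of the kernel's jhash_3words (check it against include/linux/jhash.h before relying on bit-exact values), orders the address and port pairs so that both directions of a flow land on the same mark, and reduces the hash with the modulus and offset from the commit message. The struct names, the host-order IPv4 addresses and the sample flows are constructed for the example; the kernel target's exact field handling (for example its proto mask and its use of reciprocal_scale instead of %) is not reproduced.

```c
#include <stdint.h>
#include <stdbool.h>

/* Jenkins hash as used by the kernel (jhash_3words), transcribed for a
 * stand-alone build. Verify against include/linux/jhash.h if you need
 * values identical to the kernel's. */
#define JHASH_INITVAL 0xdeadbeefU

static uint32_t rol32(uint32_t w, unsigned int s)
{
    return (w << s) | (w >> (32 - s));
}

static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
    uint32_t iv = initval + JHASH_INITVAL + (3 << 2);
    a += iv; b += iv; c += iv;
    c ^= b; c -= rol32(b, 14);
    a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);
    c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);
    b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c;
}

/* The tuple t = [src, dst, proto, sport, dport] from the commit message.
 * Addresses are host-order IPv4 for simplicity (example assumption). */
struct flow_tuple {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t proto;
};

/* Hypothetical stand-in for the --hmark-rnd/--hmark-mod/--hmark-offset values. */
struct hmark_params {
    uint32_t rnd;     /* seed; keep it secret so peers cannot pick their mark */
    uint32_t mod;     /* number of distinct marks, must be > 0 */
    uint32_t offset;  /* first mark value */
};

/* mark = (h(t, rnd) % mod) + offset. Src/dst and sport/dport are sorted
 * before hashing so a flow and its reply hash identically. */
uint32_t hmark_mark(const struct flow_tuple *t, const struct hmark_params *p)
{
    uint32_t lo_addr = t->src, hi_addr = t->dst;
    uint16_t lo_port = t->sport, hi_port = t->dport;
    if (hi_addr < lo_addr) { uint32_t x = lo_addr; lo_addr = hi_addr; hi_addr = x; }
    if (hi_port < lo_port) { uint16_t x = lo_port; lo_port = hi_port; hi_port = x; }

    uint32_t ports = ((uint32_t)lo_port << 16) | hi_port;
    uint32_t h = jhash_3words(lo_addr, hi_addr, ports, p->rnd) ^ t->proto;
    return (h % p->mod) + p->offset;
}

/* The reply direction of the same flow. */
struct flow_tuple flow_reverse(const struct flow_tuple *t)
{
    struct flow_tuple r = { t->dst, t->src, t->dport, t->sport, t->proto };
    return r;
}

/* Constructed sample: 1000 client flows from 10.0.0.x to 192.168.0.1:443.
 * Returns true if every mark is inside [offset, offset + mod) and equals
 * the mark of its reverse direction. */
bool hmark_selftest(void)
{
    const struct hmark_params p = { .rnd = 0x1234abcd, .mod = 4, .offset = 100 };
    for (uint32_t i = 0; i < 1000; i++) {
        struct flow_tuple t = { 0x0a000001 + i, 0xc0a80001,
                                (uint16_t)(40000 + i), 443, 6 };
        struct flow_tuple r = flow_reverse(&t);
        uint32_t m = hmark_mark(&t, &p);
        if (m < p.offset || m >= p.offset + p.mod)
            return false;
        if (hmark_mark(&r, &p) != m)
            return false;
    }
    return true;
}

/* Returns true if a different --hmark-rnd moves at least one of the sample
 * flows to another mark: without knowing rnd, a remote peer cannot steer
 * its traffic to a chosen uplink or cluster node. */
bool hmark_seed_changes_mapping(void)
{
    const struct hmark_params a = { 0x1234abcd, 4, 100 };
    const struct hmark_params b = { 0x5eed5eed, 4, 100 };
    for (uint32_t i = 0; i < 1000; i++) {
        struct flow_tuple t = { 0x0a000001 + i, 0xc0a80001,
                                (uint16_t)(40000 + i), 443, 6 };
        if (hmark_mark(&t, &a) != hmark_mark(&t, &b))
            return true;
    }
    return false;
}
```

The two properties worth checking in any such scheme are the ones the self-tests cover: the mark always stays inside the configured range (so a downstream -m mark rule set cannot be bypassed by an unexpected value) and a flow and its reply get the same mark, which is why the tuple components are canonicalised before hashing rather than hashed in packet order.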
e07e0d31f48d951e0f03ba254d4754810732c241 30-Mar-2012 Ashish Sharma <ashishsharma@google.com> Modify iptables to talk to xt_IDLETIMER version 1.

Change-Id: Ib144c5289681cdff21b21be74173164d097710e7
t_IDLETIMER.h
e8f32983048d6aa4a908b6a92da55fa71c859623 29-Feb-2012 Pablo Neira Ayuso <pablo@netfilter.org> libxt_CT: add --timeout option

This patch adds the --timeout option to allow to attach timeout
policy objects to flows, eg.

iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
-j CT --timeout custom-tcp-policy

To define the cttimeout policies, you need the nfct(8) tool, which is available at:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

Example of usage:
nfct timeout add custom-tcp-policy inet tcp established 1000

The new nfct tool also requires libnetfilter_cttimeout:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_CT.h
f233df44196f568075a5d70fc29f31b72b512783 27-Mar-2012 Pablo Neira Ayuso <pablo@netfilter.org> extensions: add nfacct match

This patch provides the user-space iptables support for the nfacct match.
This can be used as follows:

nfacct add http-traffic
iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
nfacct get http-traffic

See also man nfacct(8) for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_nfacct.h
98e1769b65b71989e3f16b25529b40f374aef323 28-Dec-2011 Patrick McHardy <kaber@trash.net> extensions: add IPv6 capable ECN match extension

Patrick submitted this patch on 9 Jun 2011; I'm recovering
and applying it to iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_ecn.h
166b92d3fb2a7fc008df1b59332ef528a9a573ea 14-Jul-2011 Florian Westphal <fw@strlen.de> extensions: add rpfilter module

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_rpfilter.h
dbe77cc974cee656eae37e75039dd1a410a4535b 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> include: refresh include files from kernel 3.1-rc3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
pset/ip_set.h
f_conntrack_common.h
f_conntrack_tuple_common.h
_tables.h
t_CT.h
t_TCPOPTSTRIP.h
t_TPROXY.h
t_cluster.h
t_connbytes.h
t_connlimit.h
t_physdev.h
t_policy.h
t_quota.h
t_sctp.h
t_set.h
t_socket.h
t_time.h
t_u32.h
3775fb69f63b76191bc3571bfa8538c18173d90f 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libxt_addrtype: add support for revision 1

Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but
there was no corresponding iptables patch so far.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_addrtype.h
5caed2aebebf7c72dfa982f247ac35ec67a1b852 21-Jun-2011 JP Abgrall <jpa@google.com> Adding the original quota2 from xtables-addons

The original xt_quota in the kernel is plain broken:
- counts quota at a per CPU level
(was written back when ubiquitous SMP was just a dream)
- provides no way to count across IPV4/IPV6.

This patch is the original unaltered code from:
http://sourceforge.net/projects/xtables-addons
at commit e84391ce665cef046967f796dd91026851d6bbf3

Change-Id: Ia8b21394ea79ef55514748e96f769e40355a6ccf
Signed-off-by: JP Abgrall <jpa@google.com>
t_quota2.h
e39f367d905670e39e6f08d2b73c715a6d0b4bfb 17-Apr-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> SET target revision 2 added

The new revision of the SET target supports the following new operations

- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already
exists then reset the timeout value to the specified one (or
to the default from the set definition)
t_set.h
9ee2a9fe2f74b616da34878104bd1ff406534ad1 03-Feb-2011 Patrick McHardy <kaber@trash.net> extensions: add extension for devgroup match

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_devgroup.h
f46f8c1c5b6d9f5685b9d945e95647eaf6c2d35b 20-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: remove duplicate member that caused size change

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_connlimit.h
c8f28cc8b84133f20421470e9a61a5a0c78b9c4a 20-Jan-2011 Patrick McHardy <kaber@trash.net> extensions: libxt_conntrack: add support for specifying port ranges

Add support for revision 3 of the conntrack match, which allows to
specify port ranges for origsrc/origdst/replsrc/repldst.

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_conntrack.h
6924b4987d88fbe383bec4da4cf331cc466c245e 20-Jan-2011 Florian Westphal <fw@strlen.de> extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option

--queue-bypass: if no userspace program is listening on the queue, then
allow packets to continue through the ruleset instead of dropping them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFQUEUE.h
773438bd93851dc1a9129a638925c04868820297 20-Jan-2011 Thomas Graf <tgraf@redhat.com> libxt_AUDIT: add AUDIT target

libxt module for the AUDIT target.

-j AUDIT --type (accept|reject|drop)

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_AUDIT.h
5da9e63f66ca190cb90193ebb9eebf5aa523b4d1 19-Jan-2011 Jan Engelhardt <jengelh@medozas.de> libxt_connlimit: support for dstaddr-supporting revision 1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_connlimit.h
4a1d810bb52aa5d5c450f7adcde5145d40261b54 26-Dec-2010 Jan Engelhardt <jengelh@medozas.de> xt_comment: remove redundant cast
t_comment.h
b4af04be14560b3fcc6cf23200148d408014a2f5 03-Dec-2010 Jan Engelhardt <jengelh@medozas.de> include: update files with headers from Linux 2.6.37-rc1

Also includes the type change to __u{8,16,32} kernel types already.
t_CHECKSUM.h
t_CT.h
t_IDLETIMER.h
t_SECMARK.h
t_TCPOPTSTRIP.h
t_TPROXY.h
t_cluster.h
t_connlimit.h
t_ipvs.h
t_physdev.h
t_policy.h
t_quota.h
t_sctp.h
t_socket.h
t_time.h
t_u32.h
422342e47c18e70757231f2210b13df8e1f5931c 02-Aug-2010 Changli Gao <xiaosuo@gmail.com> libxt_quota: don't ignore the quota value on deletion

Don't ignore the quota value on deletion, then we can remove a special
rule every time.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_quota.h
2d59208943a3a2a6e0e30b6c84bb8ae80d444cd3 23-Jul-2010 Eric Dumazet <eric.dumazet@gmail.com> extension: add xt_cpu match

Kernel 2.6.36 supports xt_cpu match

In some situations a CPU match permits a better spreading of
connections, or select targets only for a given cpu.

With Remote Packet Steering or multiqueue NIC and appropriate IRQ
affinities, we can distribute traffic on available cpus, per session.
(all RX packets for a given flow are handled by a given cpu)

Some legacy applications being not SMP friendly, one way to scale a
server is to run multiple copies of them.

Instead of randomly choosing an instance, we can use the cpu number as a
key so that softirq handler for a whole instance is running on a single
cpu, maximizing cache effects in TCP/UDP stacks.

Using NAT, for example, a four-way machine might run four copies of the
server application, using a separate listening port for each instance,
but still presenting a unique external port:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
-j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
-j REDIRECT --to-port 8081

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
-j REDIRECT --to-port 8082

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
-j REDIRECT --to-port 8083

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_cpu.h
c36d05e42406966440e3644110d3d2504c4b165c 23-Jul-2010 Hannes Eder <heder@google.com> libxt_ipvs: user-space lib for netfilter matcher xt_ipvs

The user-space library for the netfilter matcher xt_ipvs.

[ trivial up-port by Simon Horman <horms@verge.net.au> ]
Signed-off-by: Hannes Eder <heder@google.com>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_ipvs.h
b14f160c11196aeb99000611207bd353c7ae2cb9 15-Jul-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' into iptables-next
0bcda81f5f6d121084131fb944e2940f614cc98c 15-Jul-2010 Patrick McHardy <kaber@trash.net> extensions: fix compilation of the new CHECKSUM target

Add missing header file.

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_CHECKSUM.h
78514bc3a9b1b724c9fc904941c5854644865673 25-Jun-2010 Patrick McHardy <kaber@trash.net> Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
d40f1628c3717daebc437a398a285e371b5b6f7f 16-Jun-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> libxt_set: new revision added

libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):

ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
t_set.h
d96993e50b44b358ea5bd15f3944674eafd62542 15-Jun-2010 Luciano Coelho <luciano.coelho@nokia.com> extensions: add idletimer xt target extension

Add the extension plugin for the IDLETIMER x_tables target.

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_IDLETIMER.h
491c1660fced08e2d1a08c101c63af04250275d0 07-Jun-2010 Jan Engelhardt <jengelh@medozas.de> includes: sync header files from Linux 2.6.35-rc1

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
_tables.h
t_CONNMARK.h
t_MARK.h
t_TEE.h
t_connmark.h
t_mark.h
t_recent.h
8532c70fd182057b440b41f013d8021a95bd72b2 21-May-2010 Patrick McHardy <kaber@trash.net> Revert "Revert "Merge branch 'iptables-next'""

This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.

Revert the revert to restore the TEE target.
t_TEE.h
110c1e4502e21ea38e0980e6f8af857d24330099 21-May-2010 Patrick McHardy <kaber@trash.net> Revert "Merge branch 'iptables-next'"

This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.

Forgot to commit the version increase.
t_TEE.h
c303bb0594fae1c4fd1097b2ce0814c5ffd0edc7 19-Apr-2010 Jan Engelhardt <jengelh@medozas.de> extensions: add support for xt_TEE

xt_TEE is firstly included in Linux 2.6.35.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_TEE.h
9fdbaa71452edaac9d5906716c15937f670341fa 08-Mar-2010 Patrick McHardy <kaber@trash.net> extensions: add CT extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
f_conntrack_common.h
t_CT.h
350661a6eb089f3e54e67e022db9e16ea280499f 31-Jan-2010 Jan Engelhardt <jengelh@medozas.de> includes: header updates

Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.

Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f_conntrack_common.h
_tables.h
t_CLASSIFY.h
t_CONNMARK.h
t_CONNSECMARK.h
t_DSCP.h
t_LED.h
t_MARK.h
t_NFLOG.h
t_NFQUEUE.h
t_RATEEST.h
t_SECMARK.h
t_TCPMSS.h
t_connbytes.h
t_connmark.h
t_conntrack.h
t_dccp.h
t_dscp.h
t_esp.h
t_hashlimit.h
t_iprange.h
t_length.h
t_limit.h
t_mark.h
t_multiport.h
t_owner.h
t_physdev.h
t_policy.h
t_quota.h
t_rateest.h
t_realm.h
t_recent.h
t_sctp.h
t_state.h
t_statistic.h
t_string.h
t_tcpmss.h
t_tcpudp.h
588b615bc78ddef3752f356d1e243129c4dbba96 12-Nov-2009 Patrick McHardy <kaber@trash.net> extensions: add osf extension

From Evgeniy Polyakov <zbr@ioremap.net>

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_osf.h
4282d89a798adcf50973a22c5a17563b5e9421cb 20-Aug-2009 Florian Westphal <fwestphal@astaro.com> libxt_NFQUEUE: add new v1 version with queue-balance option

New version that adds support for specifying a queue range instead
of a single queue id.
The kernel will distribute flows across the given queue range.

This is useful for multicore systems, simply start multiple instances
of the userspace program on queues x, x+1, .. x+n and use
"--queue-balance x:x+n".
Packets belonging to the same connection are put into the same queue.

With fixes from Jan Engelhardt.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFQUEUE.h
b97b42147ea65d7d24d70a2ffe925dbf091f26bc 25-Jun-2009 Jan Engelhardt <jengelh@medozas.de> xt_conntrack: revision 2 for enlarged state_mask member

This complements the xt_conntrack revision 2 code added to the kernel.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
t_conntrack.h
cd958a6c92c84095a439780b53832bb3aae2d512 06-May-2009 Pablo Neira Ayuso <pablo@netfilter.org> extensions: add `cluster' match support

This patch adds support for the cluster match to iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
t_cluster.h
978e27e8f8c2e49d0528c6c4ae3a56627fbe8492 21-Feb-2009 Jan Engelhardt <jengelh@medozas.de> include: resynchronize headers with 2.6.29-rc5

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
f_conntrack_common.h
f_conntrack_tuple.h
f_nat.h
t_NFLOG.h
t_connlimit.h
t_conntrack.h
t_quota.h
t_sctp.h
t_string.h
9cfc59f71f83ee97c4513fd340acf1e45073562b 09-Feb-2009 Eric Leblond <eric@inl.fr> xt_NFLOG: Set default NFLOG qthreshold to 0

By setting default NFLOG qthreshold to 0, userspace does not overwrite
the per-instance value.

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_NFLOG.h
af1660fe0e88cd9f1c770864e1c643718cb2cc62 22-Oct-2008 Jan Engelhardt <jengelh@medozas.de> Move libipt_recent to libxt_recent

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_recent.h
92b54aa2b436387f85783d3f420ccaa12fdaf891 15-Oct-2008 KOVACS Krisztian <hidden@sch.bme.hu> Add iptables support for the TPROXY target

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_TPROXY.h
78d2d14211466f1986882ba6bdf82e6429ce78dc 07-Jul-2008 Joonwoo Park <joonwpark81@gmail.com> xt_string: string extension case insensitive matching

The string extension can search patterns case insensitively with the
--icase option. A new revision 1 was added; in the meantime, the invert
field of xt_string_info was moved into flags as a flag.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
t_string.h
e0bba47e550420e371c97425cc6d39909a6e059b 05-Jun-2008 Patrick McHardy <kaber@trash.net> Resync header files with kernel

Resync headers and add types.h file for endian annotated types, which
are not available with old headers.
f_conntrack_common.h
t_RATEEST.h
t_conntrack.h
t_limit.h
t_physdev.h
t_policy.h
t_rateest.h
t_realm.h
t_statistic.h
t_string.h
ca7cd666949b68bf41a32de38ee38e332e89863b 11-Feb-2008 Jan Engelhardt <jengelh@medozas.de> Add all necessary header files - compilation fix for various cases

Allow iptables to compile without a kernel source tree. This
implies fixing build for older kernels, such as 2.6.17 which
lack xt_SECMARK.h.
_tables.h
t_SECMARK.h
9a8c77fc8df3155747c34dcea79b7834a2a9a40a 11-Feb-2008 Jan Engelhardt <jengelh@medozas.de> Add support for xt_hashlimit match revision 1
t_hashlimit.h
dbb77543ad6afe29e9a1881b2d4fc212de621a55 11-Feb-2008 Jan Engelhardt <jengelh@medozas.de> Fix -Wshadow warnings and clean up xt_sctp.h

Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.
t_sctp.h
ca1da708b6d41dbc5df99335b4370bd1592b4de3 29-Jan-2008 Jan Engelhardt <jengelh@medozas.de> [IPTABLES]: libxt_owner: UID/GID range support

UID/GID range support for libxt_owner

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_owner.h
ff068719055ae2327d94c79048381c09d3b744c4 29-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_CONNMARK revision 1

Add support for xt_CONNMARK target revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_CONNMARK.h
aef4c1e7275633e4650d16440faaf4cb7163ac0e 20-Jan-2008 Sven Schnelle <svens@bitebene.org> libxt_TCPOPTSTRIP

Import libxt_TCPOPTSTRIP into iptables.

Signed-off-by: Sven Schnelle <svens@bitebene.org>
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_TCPOPTSTRIP.h
41daaa0cfbb1cb6b80a2ce2571f9f92f164f0228 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_iprange r0

Move libipt_iprange to libxt_iprange.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_iprange.h
d95d92f0a480008a89f4ffa69f0c67f55dbbe05f 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_mark r1

Introduce libxt_mark match revision 1 support.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_mark.h
a80b6046fa216c26dbc18d587f6255afa8444885 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_conntrack r0

Move libipt_conntrack to libxt_conntrack.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_conntrack.h
a7b0707bd83bac30a92871872dab79ec8cebebbb 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_connmark r1

Add support for xt_connmark match revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_connmark.h
f4b737fb0c52a95a48f2e313ed4cff43db720ad6 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_MARK r2

Add support for xt_MARK target revision 2.
Also consolidate libip6t_MARK.man and libipt_MARK.man.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_MARK.h
36f2eadca556da9bb4979b3f67f38020e80ef7d2 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_TOS

Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support
for xt_TOS target revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_DSCP.h
0720c1226381f5c71748673c43c12499f1f254c7 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_tos

Move libipt_tos revision 0 to libxt_tos revision 0 and add support
for xt_tos match revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_dscp.h
5c5cd885daf43256f7bd24a3a698306764438145 20-Jan-2008 Jan Engelhardt <jengelh@medozas.de> libxt_owner

libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the xt_owner match revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_owner.h
6afc5b720ed78173e4e21b759df16577fbce13d6 15-Jan-2008 Patrick McHardy <kaber@trash.net> Add rateest match extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_rateest.h
2528258ddf066a5147394dc65cae3bde8e80e3c0 15-Jan-2008 Patrick McHardy <kaber@trash.net> Add RATEEST target extension

Signed-off-by: Patrick McHardy <kaber@trash.net>
t_RATEEST.h
2cfa903a2882a5d7819c697870af9ae3ab106386 25-Nov-2007 Jesper Brouer <jdb@comx.dk> Fix make/compile error for iptables-1.4.0rc1

Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
which has existed since SVN changeset 6920. This patch adds ip_tables.h
and ip6_tables.h, and updates x_tables.h, taken from Linus'es git tree.

Changeset 6920 added the include file x_tables.h from kernel source, but
didn't add ip_tables.h and ip6_tables.h.

At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
kernel headers were changed, which actually removes certain
dependencies from ip_tables.h and ip6_tables.h on x_tables.h.

Compiling will fail with old kernel headers (ip_tables.h and
ip6_tables.h) available in the system's include path, because they depend
on certain defines in x_tables.h which are missing in the version in SVN.

Jesper Brouer <jdb@comx.dk>
_tables.h
ad326ef9f734ac30548de292c59fc0e2fd81ac2a 23-Sep-2007 Jan Engelhardt <jengelh@medozas.de> Add the libxt_time iptables match

This is libipt_time from POM-ng enhanced by the following:

* day-of-month support (for example "match on the 15th of each month")
* inversion support for --weekdays and --monthdays
* match against UTC or local timezone
* a manpage

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
t_time.h
9640e529bd08c4c0458246fae0fd6b473c94ab46 10-Sep-2007 Jan Engelhardt <jengelh@medozas.de> Adds u32 to iptables.

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
t_u32.h
9e9022562d76644a2c9d1024b597729af68c81e5 05-Sep-2007 Patrick McHardy <kaber@trash.net> Build dccp match unconditionally
t_dccp.h
b8a0a100a68098c0329735b5724d9c0b425e72eb 05-Sep-2007 Patrick McHardy <kaber@trash.net> Build string match unconditionally
t_string.h
800b7e54e81f86d290a66330cecb1fe5a3a9a31a 05-Sep-2007 Patrick McHardy <kaber@trash.net> Build statistic match unconditionally
t_statistic.h
cddfd941e7a24dbc01a7dc79e4ce51f60f7128fc 05-Sep-2007 Patrick McHardy <kaber@trash.net> Build quota match unconditionally
t_quota.h
002d129b694633d47c76913b360329baa0d8e923 05-Sep-2007 Patrick McHardy <kaber@trash.net> Build NFLOG target unconditionally
t_NFLOG.h
f8137b1b4cc18d4ff528ac40b83345260bb644ae 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to helper match
t_helper.h
6aac50010e50aa42b42089110c8cf4d80b224f14 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to connbytes match
t_connbytes.h
a7bf6d0decd93ade089a98a8de76a529cd96427e 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to DSCP target
t_DSCP.h
e4cc20b2367362c2f9c84c0daaccd985e3236118 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to CLASSIFY target
t_CLASSIFY.h
1ff0b8d6a6669e6bbbacbfd719bd7e016a4c0406 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_state into libxt_state
t_state.h
c57c155312a544482a6b8a3c0f7224b00cfaae20 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_connmark into libxt_connmark
t_connmark.h
d62a9db1295608ef98394b830703389973346716 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_hashlimit into libxt_hashlimit
t_hashlimit.h
6e22228b00cc485282db16b9637315a60b6dbd10 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_MARK into libxt_MARK
t_MARK.h
5679958c748087a3e21fbfa26d2ea08a6572ee4f 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_CONNSECMARK into libxt_CONNSECMARK
t_CONNSECMARK.h
f36f4a8844132cbaacf3bbd5ec0254c17fcc97ae 04-Aug-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to CONNMARK match
t_CONNMARK.h
a2e89ccf65e8c881e77674cd2b15b9704b0c6822 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_NFQUEUE.c into libxt_NFQUEUE.c
t_NFQUEUE.h
45e4c6946426785d30733701d1ee8112e58538a4 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_TCPMSS.c into libxt_TCPMSS.c
t_TCPMSS.h
9ea637d5a7ebfb04e97db4cb114117474bbda9cf 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to comment match
t_comment.h
18e060822be3ad17368dbe3d7289dd21efd341a5 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to dscp match.
t_dscp.h
0a04e8d695549788213f842cc99c724a564a88df 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_esp.c into libxt_esp.c
t_esp.h
36087d952be182a6163fc508c2168b9c3b9209c2 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_length.c into libxt_length.c
t_length.h
4489c0d66d9a0e6033c9472fd54df155788010b7 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_limit.c into libxt_limit.c.
t_limit.h
ba2d891523121b651be54a4ce915bcee33d2ed38 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_mac.c into libxt_mac.c
t_mac.h
fec77fed67feb55aba4c33ae2367178c57ce83de 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_physdev.c into libxt_physdev.c
t_physdev.h
5fd6ec87600ac3bd96c2500f6f4a1a9010d8d31e 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to pkttype match
t_pkttype.h
19f29509c8a97219c578aeaf8be15cf005d46eb3 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_sctp.c into libxt_sctp.c
t_sctp.h
7999bd3ad9815f49c31d4ef9798adbbd87ba0094 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Add IPv6 support to tcpmss match
t_tcpmss.h
17908e4bd0bc8ddb7a85bda316864ad8e1e56a29 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Unifies libip[6]t_udp.c into libxt_udp.c
t_tcpudp.h
0af771d5c84ea9143cf947fb944a0e18189f0e63 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Use unified API in libipt_mark.c
t_mark.h
eb6e65e1ccfb52457d461b72cf5abe4e9f7187c6 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Use unified API in multiport match
t_multiport.h
0d502bcdbc97ed359e84f6a21dfa0049b3b60a6c 24-Jul-2007 Yasuyuki KOZAKAI <yasuyuki@netfilter.org> Introduces xtables match/target registration

- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol family dependent information.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces
  ip[6]t_* with them
- unifies the following functions and moves them to xtables.c
  - find_{match,find_target}
  - compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and makes
  register_{match,target}[6] call them. xtables_register_* registers ONLY
  matches/targets matching the protocol family

Some concepts:
- source compatibility for libip[6]t_xxx.c with warning on compilation,
  not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables,
  of course.
- xtables is enough to support only one address family at runtime.
  Then xtables keeps information of only the focused address family
  in struct afinfo.
_tables.h
21df4af43dcc9f635baa2aff3ace53768d9704bc 09-Jul-2007 Jan Engelhardt <jengelh@medozas.de> PATCH: Add connlimit to iptables.

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
t_connlimit.h
40d54756cd8a2705e22b36f7aef03bb2c472a10b 18-Apr-2007 Patrick McHardy <kaber@trash.net> Use nf_conntrack headers instead of ip_conntrack ones and add sanitized versions.
f_conntrack_common.h
f_conntrack_tuple.h
f_conntrack_tuple_common.h
f_nat.h