| 6de5f08a33fc4503b7199cece736979b4be91ef3 |
|
29-Nov-2016 |
Phil Sutter <phil@nwl.cc> |
tcp_xlate: Enclose LH flag values in parentheses
This fixes TCP flags matches:
| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop
Although the generated rule is syntactically correct and accepted by
nft, it will be interpreted in a different way than expected since
binary AND takes precedence over OR.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| 7a0992da44cfb6cab0ccd1beadcf326df8773552 |
|
24-Jul-2016 |
Pablo Neira Ayuso <pablo@netfilter.org> |
src: introduce struct xt_xlate_{mt,tg}_params
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| f035be35c749d5c5cbb7ffdbcd1c548b91bd3033 |
|
09-Jul-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
xtables-translate: fix multiple spaces issue
This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft.
Before this commit, two spaces were printed after every match
translation:
$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
COMMIT
$ sudo iptables-compat-restore iptables-save
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ct state related,established counter packets 0 bytes 0 accept
^^
ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept
^^ ^^
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| e65b672fb1aec0e71305bcbd3394d8073dc5b158 |
|
06-Apr-2016 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
extensions/libxt_tcp: fix nftables translate flags value, 'none' vs '0x0'
The iptables command:
-m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
should translate to:
tcp flags & fin|syn|rst|psh|ack|urg == 0x0
instead of:
tcp flags & fin|syn|rst|psh|ack|urg == none
Reported-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Tested-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| 9e14d4330655a6f58bf2674f0684d8252f688c16 |
|
09-Mar-2016 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()
The multiport match needs it, this basically leaves ->xlate() indirection
with almost the same interface as ->print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| 6b60dc5be58a5781cacc4e6f238454d5e8421760 |
|
01-Feb-2016 |
Pablo Neira Ayuso <pablo@netfilter.org> |
extensions: rename xt_buf to xt_xlate
Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| fb2593ebbf656fcfd8359b7cbbc18be655046b8b |
|
11-Apr-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
extensions: libxt_tcp: add translation to nft
Translation for the TCP option matching is not yet implemented as we
don't have a way to match this yet.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| 3abf5cc5ac0c32eba2436567d25e175d7e0f42bc |
|
20-Aug-2012 |
Andreas Schwab <schwab@linux-m68k.org> |
libxt_tcp: print space before, not after "flags:"
tcp dpt:10flags: 0x17/0x02
^^
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/extensions/libxt_tcp.c
|
| 3dafef40228c372976eb714836ea097115d8fd03 |
|
20-Aug-2011 |
Jan Engelhardt <jengelh@medozas.de> |
libxt_tcp: always print the mask parts
0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f |
|
09-Jul-2011 |
Jan Engelhardt <jengelh@medozas.de> |
option: remove last traces of intrapositional negation
Intrapositional negation was deprecated in 1.4.3.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| dd6e4b90b5b2dbc2bbaac5008e26949a18478197 |
|
07-May-2011 |
Jan Engelhardt <jengelh@medozas.de> |
extensions: const annotations
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 73866357e4a7a0fdc1b293bf8863fee2bd56da9e |
|
18-Dec-2010 |
Jan Engelhardt <jengelh@medozas.de> |
iptables: do not print trailing whitespaces
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| d09b6d591ca7d7d7575cb6aa20384c9830f777ab |
|
08-Jan-2011 |
Jan Engelhardt <jengelh@medozas.de> |
extensions: remove no longer necessary default: cases
Match and target parse functions now only get option characters they
have defined themselves.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 7ac405297ec38449b30e3b05fd6bf2082fd3d803 |
|
07-Jan-2011 |
Jan Engelhardt <jengelh@medozas.de> |
src: use C99/POSIX types
"u_int" was a non-standardized extension predating C99 on some platforms.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 32b8e61e4e5bd405d9ad07bf9468498dfbb19f9e |
|
23-Jul-2010 |
Jan Engelhardt <jengelh@medozas.de> |
all: consistent syntax use in struct option
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| bbe83862a5e1baf15f7c923352d4afdf59bc70e2 |
|
24-Oct-2009 |
Jan Engelhardt <jengelh@medozas.de> |
iptables/extensions: make bundled options work again
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which if properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| bf97128c7262f17a02fec41cdae75b472ba77f88 |
|
03-Nov-2009 |
Jan Engelhardt <jengelh@medozas.de> |
libxtables: hand argv to xtables_check_inverse
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| c5e85736c207f211d82d2878a5781f512327dfce |
|
12-Jun-2009 |
Jan Engelhardt <jengelh@medozas.de> |
extensions: collapse registration structures
There are no different code paths between IPV4 and IPV6, so
data can be consolidated here.
text data bss dec hex filename
243757 12212 2576 258545 3f1f1 ip6tables-static[before.i586]
243613 9428 2576 255617 3e681 ip6tables-static[after.i586]
-144 -2784
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 2c69b55e55f2efc5a334b87ccdceaa9de0ecb658 |
|
30-Apr-2009 |
Jan Engelhardt <jengelh@medozas.de> |
iptables: replace open-coded sizeof by ARRAY_SIZE
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 1829ed482efbc8b390cc760d012b3a4450494e1a |
|
21-Feb-2009 |
Jan Engelhardt <jengelh@medozas.de> |
libxtables: prefix exit_error to xtables_error
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 0f16c725aadaac7e670d632ecbaea3661ff00827 |
|
30-Jan-2009 |
Jan Engelhardt <jengelh@medozas.de> |
libxtables: prefix/order - move check_inverse to xtables.c
This also adds a warning that intrapositional negation support
is deprecated.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| aae6be9edc99e58164a3592c510fe5488141c698 |
|
30-Jan-2009 |
Jan Engelhardt <jengelh@medozas.de> |
libxtables: prefix - misc functions
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 5f2922cfc0bbfbeb878f5c12e9fb3eb602ae5507 |
|
27-Jan-2009 |
Jan Engelhardt <jengelh@medozas.de> |
libxtables: prefix/order - strtoui
This commit also throws out the redundant string_to_number_*.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| e917bca09924435f3fca23c01042543b1826c81e |
|
27-Jan-2009 |
Jan Engelhardt <jengelh@medozas.de> |
extensions: use UINT_MAX constants over open-coded numbers (2/2)
Use the handy constants for ranges.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 213e185afbb298e6708881e4c2adffdc47a8b6da |
|
27-Jan-2009 |
Jan Engelhardt <jengelh@medozas.de> |
src: remove redundant casts
All of them are implicitly convertable without any wanted side effects.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/extensions/libxt_tcp.c
|
| 03d99486d8283552705b58dc55b6085dffc38792 |
|
18-Nov-2008 |
Jan Engelhardt <jengelh@medozas.de> |
src: use NFPROTO_ constants
Resync netfilter.h from the latest kernel and make use of the new
NFPROTO_ constants that have been introduced.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
/external/iptables/extensions/libxt_tcp.c
|
| ecae0c3efc6851d767c759b77d897d113af821a0 |
|
23-Oct-2008 |
Thomas Jarosch <thomas.jarosch@intra2net.com> |
Fix compile warnings using gcc 4.3.2
libxt_dccp.c: In function 'port_to_service':
libxt_dccp.c:196: warning: implicit declaration of function 'htons'
libxt_sctp.c: In function 'port_to_service':
libxt_sctp.c:321: warning: implicit declaration of function 'htons'
libxt_tcp.c: In function 'port_to_service':
libxt_tcp.c:220: warning: implicit declaration of function 'htons'
libxt_udp.c: In function 'port_to_service':
libxt_udp.c:104: warning: implicit declaration of function 'htons'
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
/external/iptables/extensions/libxt_tcp.c
|
| ddac6c5bc636003d664d25c08ea3fe176565096c |
|
01-Sep-2008 |
Jan Engelhardt <jengelh@medozas.de> |
src: Update comments
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
/external/iptables/extensions/libxt_tcp.c
|
| 967279231a9ecfa99f26694a954afc535c63db1d |
|
13-Aug-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Synchronize invert flag order with manpages
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
/external/iptables/extensions/libxt_tcp.c
|
| 8b7c64d6ba156a99008fcd810cba874c73294333 |
|
15-Apr-2008 |
Jan Engelhardt <jengelh@medozas.de> |
Remove old functions, constants
/external/iptables/extensions/libxt_tcp.c
|
| 9ee386a1b6d7704b259460152c959ab0e79e02aa |
|
29-Jan-2008 |
Max Kellermann <max@duempel.org> |
fix gcc warnings
Max Kellermann <max@duempel.org>
/external/iptables/extensions/libxt_tcp.c
|
| 181dead3f13befe02769ef479bcbb51801b7fc4e |
|
04-Oct-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Unique symbols 1/6
Give symbols of libxt matches unique names (1/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
/external/iptables/extensions/libxt_tcp.c
|
| 0e2abed11985e16215559cefd90625f99317b96c |
|
04-Oct-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Constify data structures
Constify more data structures. Make functions static.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
/external/iptables/extensions/libxt_tcp.c
|
| 830132ac9c0d270bf9dcfe85c2464e3fe8c73fb9 |
|
04-Oct-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Delete empty ->final_check() functions
Deletes empty ->final_check() functions, and makes ip[6]tables
checks for NULL on these.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
/external/iptables/extensions/libxt_tcp.c
|
| 500f483fff529dcd88ec96b9d5054be6cd6363a0 |
|
08-Sep-2007 |
Patrick McHardy <kaber@trash.net> |
Fix sparse warnings: non-ANSI function declarations, 0 used as pointer
/external/iptables/extensions/libxt_tcp.c
|
| ea146a982e26c42f9954f140276f8deeb2edbe98 |
|
02-Sep-2007 |
Peter Riley <Peter.Riley@hotpop.com> |
Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)
/external/iptables/extensions/libxt_tcp.c
|
| 661f112072bc13a1625c4eb5983695e122ea97da |
|
30-Jul-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Make the option structures const.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
/external/iptables/extensions/libxt_tcp.c
|
| 18992db3bfdb3b695cae12b53434f560cbf8e2ae |
|
30-Jul-2007 |
Jan Engelhardt <jengelh@medozas.de> |
Remove the .next=NULL field. This is automatically initialized to zero.
I've kept .print=NULL and .save=NULL so it stands out
(since iptables will do the print/save then).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
/external/iptables/extensions/libxt_tcp.c
|
| 95f186e2fcc553e1e8e211b2f297c70425af8299 |
|
24-Jul-2007 |
Yasuyuki KOZAKAI <yasuyuki@netfilter.org> |
Unifies libip[6]t_tcp.c into libxt_tcp.c.
/external/iptables/extensions/libxt_tcp.c
|