debian/0000755000000000000000000000000012263347503007173 5ustar debian/iptables-dev.install0000644000000000000000000000025612263344316013144 0ustar usr/include lib/lib*.so lib/pkgconfig usr/lib include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/ howtos/netfilter*html usr/share/doc/iptables-dev/html debian/control0000644000000000000000000000325212263346275010605 0ustar Source: iptables Section: net Priority: important Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Laurence J. Lane Build-Depends: debhelper (>= 9), autoconf, automake, libtool (>=2.2.6), libnfnetlink-dev, libnetfilter-conntrack-dev, libnetfilter-conntrack3, dh-autoreconf, linuxdoc-tools Standards-Version: 3.9.4 Homepage: http://www.netfilter.org/ Package: iptables Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libxtables10 (=${binary:Version}) Description: administration tools for packet filtering and NAT iptables is the userspace command line program used to configure the Linux packet filtering ruleset. It is targeted towards system administrators. Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too. The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter Package: libxtables10 Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Replaces: iptables (<< 1.4.16.3-3) Breaks: iptables (<< 1.4.16.3-3) Description: netfilter xtables library The user-space interface to the Netfilter xtables kernel framework. Package: iptables-dev Architecture: any Priority: optional Depends: ${misc:Depends}, iptables (=${binary:Version}) Conflicts: iptables (<<1.4.2-2) Breaks: linux-libc-dev (<< 3.5) Section: devel Description: iptables development files iptables is used to setup, maintain, and inspect the tables of packet filter rules in the Linux kernel. This package contains the available library (libiptc, libxtables), header, documentation and related files for iptables development. debian/iptables-dev.doc-base.netfilter-extensions0000644000000000000000000000060612263344316017342 0ustar Document: netfilter-extensions Title: Netfilter Extensions HOWTO Author: Fabrice MARIE Abstract: This document describes how to install and use current iptables extensions for netfilter. Section: Help/HOWTO Format: HTML Index: /usr/share/doc/iptables-dev/html/netfilter-extensions-HOWTO.html Files: /usr/share/doc/iptables-dev/html/netfilter-extensions-HOWTO-?.html debian/libxtables10.install0000644000000000000000000000002512263344316013051 0ustar lib/libxtables*.so.* debian/watch0000644000000000000000000000011712263344316010222 0ustar version=3 http://netfilter.org/projects/iptables/files/iptables-(\S+).tar.bz2 debian/iptables.docs0000644000000000000000000000002212263344316011641 0ustar INCOMPATIBILITIES debian/iptables.manpages0000644000000000000000000000003012263344316012503 0ustar iptables/*.8 debian/*.8 debian/changelog0000644000000000000000000013503612263347471011061 0ustar iptables (1.4.21-1ubuntu1) trusty; urgency=medium * Merge from Debian unstable. Remaining changes: - debian/control: add linuxdoc-tools dep, remove libipq references - debian/rules: compile with --disable-libipq - 9000-howtos.patch: add howtos/ and install them - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are upstream, patch needed for additional reap option checks. - debian/iptables.install: install NAT and packetfilter howtos into /usr/share/doc - debian/iptables-dev.doc-base.netfilter-extensions, debian/iptables-dev.doc-base.netfilter-hacking, debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter: add howtos - debian/iptables-dev.install: remove usr/share/man/man3 only used with libipq manpages * Fix --with autoreconf in debian/rules -- Stéphane Graber Wed, 08 Jan 2014 17:20:40 -0500 iptables (1.4.21-1) unstable; urgency=low * New upstream release + Corrected spurious load_extension errors. Closes: #699537 + Corrected man page icmp defaults. Closes: #644819 + Corrected state man page. Closes: #654983 + Corrected address in hashlimit man page. Closes: #698393 + Removed syslogd man page references. Closes: #567564 + Added string match man page hex examples. Closes: #699904 + Merged 0201-iptables-xml_man_section.patch + Merged 0303-extension_cppflags.patch + Merged 0401-state-match-display.patch * Updated iptables-apply to v1.1. Closes: #580941 * Use mktemp instead of tmpfile for iptables-apply. Closes: #668582 * Add iptables-apply info to man pages. Closes: #660748 * Updated debian/copyright * Updated debian/control Description * Removed debian/builddir hack and other debian/rules cruft * Removed debug info from README.Debian -- Laurence J. Lane Sun, 01 Dec 2013 19:48:23 -0500 iptables (1.4.20-2ubuntu1) trusty; urgency=low * Re-apply mistakenly dropped delta with Debian: - debian/control: add linuxdoc-tools dep, remove libipq references - debian/rules: compile with --disable-libipq - 9000-howtos.patch: add howtos/ and install them - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are upstream, patch needed for additional reap option checks. - debian/iptables.install: install NAT and packetfilter howtos into /usr/share/doc - debian/iptables-dev.doc-base.netfilter-extensions, debian/iptables-dev.doc-base.netfilter-hacking, debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter: add howtos - debian/iptables-dev.install: remove usr/share/man/man3 only used with libipq manpages -- Stéphane Graber Wed, 23 Oct 2013 19:55:19 -0400 iptables (1.4.20-2) unstable; urgency=low * Fixed man page installation so that @PACKAGE_VERSION@ is expanded. Reported by Christoph Biedl. Thanks. Closes: #712403 * Fixed iptables-xml manpage mix-up * Restored missing connlabel extension -- Laurence J. Lane Sat, 17 Aug 2013 09:16:04 -0400 iptables (1.4.20-1) unstable; urgency=low * New upstream release * added 0401-state-match-display.patch for the missing state match display reported by Eugene Berdnikov and fixed by Phil Oester. Thanks. Closes: #718810 * upstream fix addresses concurrent invocation issues reported by Lamont Jones. Fixed upstream by Phil Oester and Pablo Neira Ayuso. Closes: #710997 -- Laurence J. Lane Thu, 08 Aug 2013 10:39:54 -0400 iptables (1.4.19.1-1) unstable; urgency=low * New upstream release * Bumped Standard-Version to 3.9.4 -- Laurence J. Lane Sat, 20 Jul 2013 17:30:47 -0400 iptables (1.4.18-1.1) unstable; urgency=low [ gregor herrmann ] * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h": ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev; add Breaks on linux-libc-dev << 3.5 (Closes: #707535) [ Dominic Hargreaves ] * Non-maintainer upload -- Dominic Hargreaves Sat, 13 Jul 2013 16:09:01 +0100 iptables (1.4.18-1) unstable; urgency=low * New upstream release * New package for soname bump: libxtables10 -- Laurence J. Lane Sun, 24 Mar 2013 17:15:41 -0400 iptables (1.4.16.3-4) unstable; urgency=low * Added missing Breaks and Replaces for libxtables9. Thanks all. Closes: #692171 -- Laurence J. Lane Fri, 02 Nov 2012 22:52:47 -0400 iptables (1.4.16.3-3) unstable; urgency=low * Added versioned libxtables dependency -- Laurence J. Lane Sun, 28 Oct 2012 09:40:00 -0400 iptables (1.4.16.3-2) unstable; urgency=low * Moved libxtables into a separate package. Fixes problem with connman reported by Jonathan Nieder. Thanks. Closes: #691546 * Added nfnl_osf and xtables-mutil man page stubs. -- Laurence J. Lane Sat, 27 Oct 2012 09:36:56 -0400 iptables (1.4.16.3-1) unstable; urgency=low * New upstream release * Moved nfnl_osf to /usr/sbin. Fixes lib dependency problem reported by Matteo Cortese. Thanks. Closes: #667688 -- Laurence J. Lane Fri, 19 Oct 2012 12:07:42 -0400 iptables (1.4.14-3) unstable; urgency=low * Fixes iptables comment output error reported by Christoph Anton Mitterer. Fixed upstream by Pablo Neira Ayuso. Thanks. Closes: #679098 -- Laurence J. Lane Sat, 28 Jul 2012 11:58:38 -0400 iptables (1.4.14-2) unstable; urgency=low * Added missing 1.4.13-1.1 NMU fix -- Laurence J. Lane Mon, 11 Jun 2012 17:39:35 -0400 iptables (1.4.14-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Mon, 11 Jun 2012 17:31:41 -0400 iptables (1.4.13-1.1) unstable; urgency=low * Non-maintainer upload. * Add build-arch and build-indep targets to BUILD_DIR_TARGETS (closes: #666335). Thanks to Lucas Nussbaum for the bug report. -- Jakub Wilk Sun, 22 Apr 2012 15:50:33 +0200 iptables (1.4.13-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Tue, 27 Mar 2012 09:35:10 -0400 iptables (1.4.12.2-3) unstable; urgency=low * Added CPPFLAGS for extensions to enable hardening. Report and patch by Simon Ruderich. Thanks. Closes: #665286 -- Laurence J. Lane Thu, 22 Mar 2012 18:54:37 -0400 iptables (1.4.12.2-2) unstable; urgency=low * Added iptables-xml.1. Resolves issues reported by Thilo Six and Helge Kreutzmann. Thanks. Closes: #623112 * include/linux/types.h refresh adds __aligned_u64. Gleaned from a post by Autif Khan. Fixes FTBFS reported by Moritz Muehlenhoff. Thanks. Closes: #664066 -- Laurence J. Lane Thu, 15 Mar 2012 14:03:31 -0400 iptables (1.4.12.2-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Thu, 05 Jan 2012 16:30:12 -0500 iptables (1.4.12.1-1) unstable; urgency=low * New upstream release * Depend on debhelper 9. Allows hardened build flags. Reported by Moritz Muehlenhoff. Thanks. Closes: #653737 -- Laurence J. Lane Sat, 31 Dec 2011 14:04:51 -0500 iptables (1.4.12-1) unstable; urgency=low * New upstream release + fixes state inversion bug reported by gpe92 Closes: #634769 + fixes ctorigdstport port number bug reported by Jim Barber. Closes: #632804 -- Laurence J. Lane Thu, 28 Jul 2011 17:17:14 -0400 iptables (1.4.11.1-3) unstable; urgency=low * Fixes fragmention inversion reported by Mark Wooding and fixed upstream by Jan Englehardt. Thanks. Closes: #632695 -- Laurence J. Lane Tue, 05 Jul 2011 09:59:28 -0400 iptables (1.4.11.1-2) unstable; urgency=low * Bugs reported by Markus Waldeck and fixed upstream by Jan Englehardt. Thanks. + missing target and match manpage extensions + LOG target option parsing -- Laurence J. Lane Tue, 21 Jun 2011 14:42:05 -0400 iptables (1.4.11.1-1) unstable; urgency=low * New upstream release * Upstream fixes by Jan Engelhardt. Thanks. + localtz option of time match reported by Damyan Ivanov. Closes: #615121 + segmentation faults on empty source address reported by Jussi Judin. Closes: #611990 + ipv6 TPROXY support requested by martin f krafft. Closes: # 529954 + "can't set policy error" reported by Rob Leslie. Closes: #598315 + formatting issues reported by jdanni. Closes: #429579 -- Laurence J. Lane Sun, 12 Jun 2011 12:33:47 -0400 iptables (1.4.10-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Fri, 29 Oct 2010 12:29:39 -0400 iptables (1.4.9-1) unstable; urgency=low * New upstream release * remove extra iptables-xml.8. Reported by David Prevot. Thanks. Closes: #590619 -- Laurence J. Lane Sat, 07 Aug 2010 18:24:17 -0400 iptables (1.4.8-3) unstable; urgency=low * added missing iptables-xml symlink and man page. Reported by Carl Fürstenberg and others. Closes: #589059 -- Laurence J. Lane Fri, 16 Jul 2010 16:56:20 -0400 iptables (1.4.8-2) unstable; urgency=low * rebuild with clean source tree, Closes: #582448 * updated upstream changelog to 1.4.8 -- Laurence J. Lane Sat, 12 Jun 2010 13:26:16 -0400 iptables (1.4.8-1) unstable; urgency=low * New upstream release * Fixed iptables-apply DEFAULT_FILE variable. Problem reported by fixed by StalkR. Thanks. Closes: #582448 * Added versioned build dependency on libtool. Problem reported by Pawel Rozanski and Flavio Silveir. Thanks. Closes: #567066 -- Laurence J. Lane Mon, 31 May 2010 08:44:28 -0400 iptables (1.4.6-2) unstable; urgency=low * corrected debian changelog entry for 1.4.6-1 * updated upstream changelog. Problem reported by Klaus Ethgen. Thanks. Closes: 561236 -- Laurence J. Lane Sun, 20 Dec 2009 16:09:02 -0500 iptables (1.4.6-1) unstable; urgency=low * New upstream release * Fixes ignored mask with replace rule. Reported by Hugh McDonald and and fixed upstream. Thanks. Closes: #560910 * Fixes single ip address use with iprange. Reported by Sergey Kovalev and fixed upstream. Thanks. Closes: #547139 * Fixes TCP MSS clamp documentation. Reported and fixed by Tim Small. Added upstream. Thanks. Closes: #551272 -- Laurence J. Lane Mon, 14 Dec 2009 12:45:24 -0500 iptables (1.4.5-1) unstable; urgency=low * New upstream release * Bumped Standards Version to 3.8.3 * Moved to source format 3.0 (quilt) * s/macthes/matches/ in iptables(8). Reported by Trent W. Buck and fixed upstream. Closes: #539101 * s/packages/package in iptables-dev descrition. Reported by Pascal De Vuyst. Thanks. Closes: #557369 * Fixed iptables-apply default rule problem reported by StalkR. Fixed upstream. Thanks. Closes: #547734 -- Laurence J. Lane Sat, 28 Nov 2009 16:41:04 -0500 iptables (1.4.4-2) unstable; urgency=low * renamed debian/patches to debian/patch to avoid 3.0-quilt-by-default bug reports. Closes: #538608 * Bumped Standards Version to 3.8.2 -- Laurence J. Lane Tue, 28 Jul 2009 09:16:06 -0400 iptables (1.4.4-1) unstable; urgency=low * New upstream release * Upstream added Ian Bruce's man page errors fix. Thanks. Closes: #531677 * Upstream added Piotr Lewandowski's iptables(8) typo fix. Thanks. Closes: #528457 * Upstream fixed intraposition vs extraposition deprecation warning. Thanks. Closes: #528736 * Added ip6tables-apply symlinks for martin f krafft. Closes: #524862 -- Laurence J. Lane Thu, 18 Jun 2009 08:14:55 -0400 iptables (1.4.3.2-2) unstable; urgency=low * added iptables dependency to iptables-dev. Reported by Sebastian Harl. Thanks. Closes:# 524766 -- Laurence J. Lane Sun, 19 Apr 2009 14:57:46 -0400 iptables (1.4.3.2-1) unstable; urgency=low * New upstream release * Fixed negation extrapositoned stuff. Reported by Dr. Markus Waldeck. Fixed upstream. Thanks. Closes: #522309 -- Laurence J. Lane Mon, 06 Apr 2009 14:30:59 -0400 iptables (1.4.3.1-1) unstable; urgency=low * New upstream release * Fixed sparc64 ULOG problems reported by Andrey Chernomyrdin. Fixed upstream. Thanks. Closes: #232401 * Fixed sparc64 limit match problem reported by Arno van Amersfoort. Fixed upstream. Thanks. Closes: #468170 * Fixed "Unknown arg %s" problem reported by Guillem Cantallops Ramis. Fixed upstream. Thanks. Closes: #469548 * Fixed iptables-save output problem reported by Ivan Vilata i Balaguer. Fixed upstream. Closes: #514869 * Fixed iptables-save quoting problem reported by =?UTF-8?B?0YHRgtGA0L7QvdC90Lg=?= Closes: #519584. Fixed upstream. Thanks. Closes: #519584 * Fixed ip6tables(1) icmp codes problem reported by Dameon Wagner. Fixed upstream. Thanks. Closes: #515752 * Fixed string match non-null terminator reported by Franck Joncourt. Fixed upstream. Thanks. Closes: #513516 * Added libiptc upstream. Requested by many. Closes: #473533 * Fixed tcmpss inversion. Patch by Jan Engelhardt. Thanks. -- Laurence J. Lane Fri, 27 Mar 2009 17:02:43 -0400 iptables (1.4.2-6) unstable; urgency=high * added missing conntrack numeric fix. Reported by Bernhard Miklautz. Fixed in upstream git repo. Thanks. Closes: #502548 -- Laurence J. Lane Mon, 09 Feb 2009 14:31:24 -0500 iptables (1.4.2-5) unstable; urgency=low * fixed libxt_multiport man page typo. Reported and patched by Marc Fournier. Thanks. Closes: #511891 * fixed iptables-restore.8 formatting. Reported and patched by shaulkarl. Thanks. Closes: #512281 * fixed libxt_owner spacing. Reported by Dr. Markus Waldeck. Patched upstream by Daniel Drake. Thanks. Closes: #512320 -- Laurence J. Lane Mon, 19 Jan 2009 13:32:05 -0500 iptables (1.4.2-4) unstable; urgency=low * fixed debian/rules binary targets. Reported by Philipp Kern. Thanks. Closes: #511723 * fixed debian/rules build and install stamps. -- Laurence J. Lane Tue, 13 Jan 2009 19:07:08 -0500 iptables (1.4.2-3) unstable; urgency=low * added debian/builddir.mk support * corrected 1.4.2-1 changelog entry: 's@moved iptables@&-xml@'. Reported by jidanni. Thanks. * lintian override left out of 1.4.2-2 -- Laurence J. Lane Fri, 09 Jan 2009 15:36:33 -0500 iptables (1.4.2-2) unstable; urgency=low * lintian cleanups: - moved libxtables.so to iptables-dev package - added override for libxtables - added ${misc:Depends} for debhelper - changelog utf8 conversion -- Laurence J. Lane Sat, 03 Jan 2009 22:20:58 -0500 iptables (1.4.2-1) unstable; urgency=low * New upstream release. Reported by Torsten Werner. Thanks. closes: #503229 * moved iptables-xml from /usr/sbin to /usr/bin. Reported by Alexey Feldgendler. Thanks. closes: #509386 * -multi bins were included in buildd generated packages. Reported by Alexey Feldgendler. closes: 509385 * added missing iptables.xslt. Reported by Carl Fürstenberg. Thanks. closes: #501615. -- Laurence J. Lane Fri, 02 Jan 2009 17:19:08 -0500 iptables (1.4.1.1-4) unstable; urgency=low * removed howtos. closes: #500674 -- Laurence J. Lane Tue, 30 Sep 2008 12:10:15 -0400 iptables (1.4.1.1-3) unstable; urgency=low * added missing libipq. Fixes numerous FTBS reported by Steve Langasek and others. Thanks. closes: #494216 -- Laurence J. Lane Sun, 24 Aug 2008 19:52:26 -0400 iptables (1.4.1.1-2) unstable; urgency=low * fixed /bin/dash unnerving in howtos/Makefile. Reported by Daniel Schepler. Thanks. closes: #493440 -- Laurence J. Lane Sat, 02 Aug 2008 19:14:13 -0400 iptables (1.4.1.1-1) unstable; urgency=medium * New upstream release * removed kernel header dependency, fixed FTBS reported by Lucas Nussbaum. Fixed upstream. Thanks. closes: #482502 * removed all pomng extensions: TARPIT, IPV4OPTSSTRIP and ipv4options * changed standards version from 3.7.3 to 3.8.0 -- Laurence J. Lane Sat, 12 Jul 2008 05:28:33 -0400 iptables (1.4.0-4) unstable; urgency=low * fixed FTBFS reported by Lucas Nussbaum. Thanks. sid switched from 2.6.24 to 2.6.25 kernel header packages. closes: #479930 -- Laurence J. Lane Wed, 07 May 2008 22:15:18 -0400 iptables (1.4.0-3) unstable; urgency=low * removed erroneous libc6-dev dependency, fixes ia64 and aphla builds * fixed more hyphenations in man pages * added correct copyright notices, reported by Justin Pryzby. Thanks. closes: #290185 -- Laurence J. Lane Mon, 18 Feb 2008 12:26:49 -0500 iptables (1.4.0-2) unstable; urgency=low * added missing ipq_set_verdict.3 information. Reported and fixed by Luca Bedogni. Thanks. closes: #419650 * added -tblah segfault fix. Reported and fixed by Michael Spang. Thanks. closes: #458042 -- Laurence J. Lane Fri, 08 Feb 2008 00:08:05 -0500 iptables (1.4.0-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Thu, 07 Feb 2008 00:20:34 -0500 iptables (1.3.8.0debian1-1) unstable; urgency=low * New upstream release * The 1.3.7 and 1.3.8 releases combined fix 35 upstream bugs! Reported by Fei Xie and fixed upstream. Thanks. closes: #433990 * extensions removed upstream: TRACE, ROUTE, connlimit, rpc * removed extraneous libselinux linking. Reported and fixed by Martin Orr. Thanks. closes: #431180 * fixed numreous manpage speeling and grammer erors. Reparted and fixd all up by A. Costa and aspell and gvim. Thx! closes: #410250 #410252 * removed patches for stuff fixed upstream: recent-man, hashlimit.man, iptables-rename-fix, replace-pad_cdir, svn-2006-10-21 -- Laurence J. Lane Sat, 28 Jul 2007 19:22:20 -0400 iptables (1.3.6.0debian1-5) unstable; urgency=high * cleaned dirty iptables/, fixes diff bloat and compilation problems Reported by Jan Wanger. Thanks. -- Laurence J. Lane Wed, 22 Nov 2006 22:42:21 -0500 iptables (1.3.6.0debian1-4) unstable; urgency=high * fixes errant /etc/{hosts,networks} entry padding. Reported by John Darrah and fixed by Pablo Neira Ayuso. Thanks. closes: #398082 -- Laurence J. Lane Sun, 19 Nov 2006 21:51:18 -0500 iptables (1.3.6.0debian1-3) unstable; urgency=high * fixes broken rename-chain option in iptables and ip6tables. Reported by Martin Clauss and Simon Natterer. Fixed by Krzysztof Oledzki. Thanks. closes: #397012 -- Laurence J. Lane Thu, 9 Nov 2006 05:58:51 -0500 iptables (1.3.6.0debian1-2) unstable; urgency=low * physdev-truncated.man.patch: fixed misssed instance of the error * debian/rules: fixed manpage mangling and moved it to scripts/manregex * iptables.8: added missing ipt_recent match arguments -- Laurence J. Lane Sun, 29 Oct 2006 14:03:13 -0500 iptables (1.3.6.0debian1-1) unstable; urgency=low * New upstream release * synched with upstream SVN 2006-10-21 + fixed "wierd" spelling error in iptables.c + fixed iptables segfault when given empty --log-prefix + adds revision support to ip6tables + adds support port range match to libip6t_multiport + adds endian annotation types to fix compilation for kernels > 2.6.18 * ipv6 updates in SVN by Rémi Denis-Courmont fixes the ip6tables port range bug reported by Alexander Dreweke. Thanks. closes: #329775 * debian/control: added info about missing kernel extensions * bumped standards version to 3.7.2, no changes * updated to patch-o-matic-ng-20061021 source * updated to kernel 2.6.18 source, closes: #393138 + renames icmpv6 extension to icmp6 + adds connbytes, quota and statistic extensions * enabled SELinux support and added build dependency on libselinux1-dev + adds SECMARK and CONNSECMARK extensions * iptables/Rules.make: link shared SE libs with gcc * added numerous manpage fixes * debian/changelog: missing leading dash, lintian cleanup * removed pomng iprange patch, migrated upstream to linux kernel * removed weird_character.patch, fixed upstream * removed weird_spelling.patch, fixed upsteam in 1.3.6 and SVN * removed link_with_gcc.patch, fixed upstream * removed esp-test6.patch, fixed upstream * removed atomic_t_silly_hack.patch, code moved somewhere or another -- Laurence J. Lane Fri, 27 Oct 2006 19:39:57 -0400 iptables (1.3.5.0debian1-1) unstable; urgency=low * New upstream release + added ipv6 state match support + updated IPsec (policy match) support + added in-kernel string match support + fixed ipv6 owner match + read upstream changelog v1.3.4 and v1.3.5 entries for more * updated to Linux kernel 2.6.17 source * updated to patch-o-matic-ng-20060812 source * combined upstream sources into an orig.tar.gz * removed build time patching and prep.sh script * removed Suggests: iproute * removed bzip2 and html2text build dependencies * removed ippool, deprecated * removed example script directory, unmaintained examples * removed README.Debian, too confusing * removed debian/iptables.postinst * pomng kernel extensions removed upstream: IPMARK, NETLINK, TCPLAG, XOR, account, condition, dstlimit, fuzzy, geoip, ip6t_ULOG, ipp2p, mport, nth, osf, pool, psd, quota, random, time * replaced debian/copyright GPL paste with stubs * updated debian/copyright source URLs * Thanks for the invaluable help Rémi Denis-Courmont. -- Laurence J. Lane Sun, 20 Aug 2006 21:29:33 -0400 iptables (1.3.3-2) unstable; urgency=low * added pomng exclude hack to prep.sh * excluded pomng's ip_queue_vwmark. Thanks ubuntu. * updated README.Debian * removed Suggests for ipmasq -- Laurence J. Lane Sat, 6 Aug 2005 18:01:31 -0400 iptables (1.3.3-1) unstable; urgency=low * New upstream release -- Laurence J. Lane Thu, 4 Aug 2005 22:08:27 -0400 iptables (1.3.2-1) unstable; urgency=low * New upstream release * removed libipt_physdev.c and libip6t_physdev.c from weird_*.patch -- Laurence J. Lane Sun, 24 Jul 2005 21:03:39 -0400 iptables (1.3.1-2) unstable; urgency=low * added missing 2.6.12 kernel headers * added libip6t_physdev.c to weird_spelling.patch * added libip6t_physdev.c to weird_character.patch * updated README.Debian, removed dead firewall package names and added a disclaimer about such packages, closes: #307934 * removed iptables-dev's build dependency on iptables, closes: #288193 -- Laurence J. Lane Sun, 19 Jun 2005 19:15:36 -0400 iptables (1.3.1-1) unstable; urgency=low * New upstream release, closes: #299638 * build with 2.6.12 kernel source and patch-o-matic-ng-20050618 * hashlimit module added upstream, closes: #312374 * removed example ppp scripts, closes: #287346 -- Laurence J. Lane Sat, 18 Jun 2005 20:45:11 -0400 iptables (1.2.11-10) unstable; urgency=medium * fixed scripts/prep.sh: patching and patch ordering * fixed a bashism reported by Geller Sandor in Bug#283822. Thanks. -- Laurence J. Lane Wed, 1 Dec 2004 19:11:34 -0500 iptables (1.2.11-9) unstable; urgency=medium * another prep.sh tweak for patch ordering * Bug#283721, Policy match save code puts in line feed that makes iptables-restore error, reported and fixed by Matthew Grant. Thanks. -- Laurence J. Lane Tue, 30 Nov 2004 23:04:01 -0500 iptables (1.2.11-8) unstable; urgency=medium * fixed broken atomic_t_silly_hack.patch -- Laurence J. Lane Sun, 7 Nov 2004 16:12:22 -0500 iptables (1.2.11-7) unstable; urgency=medium * oops, corrected prep.sh for arch specific patches again -- Laurence J. Lane Sat, 6 Nov 2004 22:46:20 -0500 iptables (1.2.11-6) unstable; urgency=medium * corrected prep.sh so arch specific patches are applied -- Laurence J. Lane Sat, 6 Nov 2004 12:22:25 -0500 iptables (1.2.11-5) unstable; urgency=low * 1.2.11-3 never really existed, changelog entry removed * restored missing all/###-man_pages.patch * Closes:#279285, Compile fails - declaration after code, reported and fixed by Kevin Shanahan. Thanks. all/###-libpt_time_struct.patch -- Laurence J. Lane Wed, 3 Nov 2004 22:40:26 -0500 iptables (1.2.11-4) unstable; urgency=medium * Closes: #219686, CAN-2004-0986, modprobe load error, reported by Faheem Mitha, fixed by upstream. Thanks. (modprobe.patch) * added missing upstream changelogs -- Laurence J. Lane Sun, 31 Oct 2004 18:56:52 -0500 iptables (1.2.11-2) unstable; urgency=low * Closes: #263154, upstream fix, corrects segfault on hostnames that resolve to multiple IPs. Reported by guillot. Thanks. -- Laurence J. Lane Tue, 3 Aug 2004 22:09:55 -0400 iptables (1.2.11-1) unstable; urgency=low * new upstream release * Closes: #256975, new upstream release * Closes: #229892, include man page additions for new extensions * Closes: #248605: iptables CONNMARK update * Closes: #218837: corrects limit module for sparc64 * obviates minor_buffer_overflows.patch and 64_32.patch -- Laurence J. Lane Fri, 9 Jul 2004 01:04:58 -0400 iptables (1.2.9-10) unstable; urgency=low * Closes: #246037, added default logging level to man pages, requested by Max Vozeler. Thanks. * conslidated all man page patches to 003-man_pages.patch. * added 006-64_32.patch, CVS pull, Sparc64 and HPPA makefile clean up for 64/32-bit builds. Reported by Igor Genibel. Thanks. -- Laurence J. Lane Tue, 15 Jun 2004 20:38:42 -0400 iptables (1.2.9-9) unstable; urgency=low * Closes: #248605, s390 FTBS, reported by Andreas Henriksson. Thanks. Removed extraneous patch from the s390 directory. -- Laurence J. Lane Sat, 15 May 2004 08:07:12 -0400 iptables (1.2.9-8) unstable; urgency=low * Closes: #247056, hppa (and s390) FTBFS, reported by Lamont Jones. Thanks. Resynced local patches. -- Laurence J. Lane Sun, 2 May 2004 22:26:03 -0400 iptables (1.2.9-7) unstable; urgency=low * Closes: #246554, debian/rules missing KERNEL_DIR for install target, reported by Paul Hampson. Thanks. * removed the debian/install kludge for the brain flub noted above * removed owner module support for version 2.4.19 and lower kernels * removed dead code from examples/oldinitscript and corrected logical errors, some discovered by by Adam Heath. Thanks. * updated kernel source to 2.4.26 -- Laurence J. Lane Sat, 1 May 2004 07:25:19 -0400 iptables (1.2.9-6) unstable; urgency=low * updated iptable's description in debian/control * renamed local patches and updated descriptions in README * added 002-weird_character.patch to accept dashes in interface names. This problem has been reported numerous times over the years. * updated 001-spell_weird.patch to include libipt_physdev.c * altered prep.sh to check build/stamp/prep * fixed this changelog, which was doubled at some point * updated doc-base files -- Laurence J. Lane Sat, 13 Mar 2004 13:33:33 -0500 iptables (1.2.9-5) unstable; urgency=low * added 005-atomic_t_silly_hack.patch for hppa and s390. Explicitly declare atomic_t typedef in ip_conntrack_icmp.h. FTBFS reported by Lamont Jones. Thanks. (see: #232418) * updated to kernel 2.4.25 headers * removed failed ip6tables owner module detection -- Laurence J. Lane Sun, 29 Feb 2004 09:24:44 -0500 iptables (1.2.9-4) unstable; urgency=low * added Suggests: iproute * updated package descriptions * removed iptables 1.2.9rc1 changelog * updated patch-o-matic to 20031219 * updated kernel headers to 2.4.24 * added patches/004-minor_buffer_overflows.patch -- Laurence J. Lane Tue, 10 Feb 2004 20:08:55 -0500 iptables (1.2.9-3) unstable; urgency=low * removed include/libulog/. Reported by rv@eychenne.org. Thanks. (closes: #226740) * updated toplevel README * added linux kernel copyright info to debian/copyright -- Laurence J. Lane Fri, 9 Jan 2004 18:21:29 -0500 iptables (1.2.9-2) unstable; urgency=low * updated README.Debian * added ip6tables owner module detection * removed debian/iptables.prerm * added linux kenel source 2.4.23 * removed linux kernel sources: 2.4.20 2.4.20 2.6.0-test9 -- Laurence J. Lane Tue, 30 Dec 2003 14:55:40 -0500 iptables (1.2.9-1) unstable; urgency=low * new upstream release, 1.2.9 final * removed local physdev patch, corrected upstream * dropped p-o-m connbytes * updated ppp example scripts from Kiryanov Vasiliy. Thanks. -- Laurence J. Lane Sun, 2 Nov 2003 20:53:31 -0500 iptables (1.2.9-0rc1+1) unstable; urgency=low * this is a test upload * new upstream release * removed local ROUTE patch, corrected upstream * added local physdev patch, see Bug#207954 -- Laurence J. Lane Mon, 27 Oct 2003 16:17:11 -0500 iptables (1.2.8-8) unstable; urgency=low * corrected distro -- Laurence J. Lane Sun, 19 Oct 2003 14:32:49 -0400 iptables (1.2.8-7) unstable; urgency=low * corrected control file for priority and kernel versions, again -- Laurence J. Lane Sun, 19 Oct 2003 09:03:36 -0400 iptables (1.2.8-6) unstable; urgency=low * updated z_owner, thanks to Eddie and Godwin * changed Priority to important, Bug#206685 -- Laurence J. Lane Sat, 18 Oct 2003 16:18:39 -0400 iptables (1.2.8-5) unstable; urgency=low * updated z_owner patch to handle 2.6.0-X kernels * updated package description, sync'd kerenel versions -- Laurence J. Lane Fri, 17 Oct 2003 13:17:37 -0400 iptables (1.2.8-4) unstable; urgency=low * added bzip2 build dependecy -- Laurence J. Lane Sun, 22 Jun 2003 23:41:05 -0400 iptables (1.2.8-3) unstable; urgency=low * added bzip2 build dependency -- Laurence J. Lane Sun, 22 Jun 2003 22:36:30 -0400 iptables (1.2.8-2) unstable; urgency=low * added ROUTE target corrections from Cedric de Launois * added reduced kernel source archives, netfilter only * removed extraneous "the" from iptables.8 * removed kernel source build dependencies * changed all description kernel versions to 2.4.xx * rewrote prep.sh -- Laurence J. Lane Sun, 22 Jun 2003 18:56:36 -0400 iptables (1.2.8-1) unstable; urgency=low * New upstream release * update to patch-o-matic-20030107 * added Kiryanov Vasiliy's ppp example scripts * removed 000-iptables-1.2.7a-tcpmss.patch, corrected upstream -- Laurence J. Lane Fri, 30 May 2003 06:10:01 -0400 iptables (1.2.7-12) unstable; urgency=low * moved iptables-dev to section devel * removed owner module information from README.Debian * restored local lintian overrides -- Laurence J. Lane Sun, 23 Mar 2003 04:22:56 -0500 iptables (1.2.7-11) unstable; urgency=low * added Goswin Brederlow's owner module detection patch * removed owner module alternatives -- Laurence J. Lane Sat, 22 Mar 2003 12:58:03 -0500 iptables (1.2.7-10) unstable; urgency=low * use kernel-source-2.4.20 instead of kernel-headers-2.4.20 -- Laurence J. Lane Wed, 5 Feb 2003 04:07:14 -0500 iptables (1.2.7-9) unstable; urgency=low * added a temporary ugly hack for Bug #171167, alternate owner plug-in for 2.4.20+ kernels. See README.Debian for details. -- Laurence J. Lane Sun, 26 Jan 2003 15:17:23 -0500 iptables (1.2.7-8) unstable; urgency=low * corrected -dev include dirs * removed init.d, /var/lib/iptables, and debconf-ization * added Suggests: ipmasq * rewrote README.Debian -- Laurence J. Lane Sat, 7 Dec 2002 14:31:40 -0500 iptables (1.2.7-7) unstable; urgency=low * Provide HOWTOs in English. Oops. * cosmetic bug in initd_{auto,}save, s/iptables/\$iptables_command/ * prime the pump in the init.d with "ip{6}tables -nL" * remove leading space in debconf template -- Laurence J. Lane Sun, 22 Sep 2002 21:28:28 -0400 iptables (1.2.7-6) unstable; urgency=low * init.d script $libdir correction, Bug#160646 * created libip{6,}tables.a for iptables-dev, Bug#160490 -- Laurence J. Lane Thu, 12 Sep 2002 13:54:40 -0400 iptables (1.2.7-5) unstable; urgency=low * blah, correct Maintainer and Standards Version -- Laurence J. Lane Sun, 8 Sep 2002 00:44:10 -0400 iptables (1.2.7-4) unstable; urgency=low * let's try uploading the correct packages -- Laurence J. Lane Sat, 7 Sep 2002 23:50:58 -0400 iptables (1.2.7-3) unstable; urgency=low * changed topdir Makefile, default to cat README * corrected debian/*.install and dh_install* calls -- Laurence J. Lane Sat, 7 Sep 2002 22:56:39 -0400 iptables (1.2.7-2) unstable; urgency=low * init.d, remove errant debugging enable_ipv6=true -- Laurence J. Lane Fri, 6 Sep 2002 23:53:25 -0400 iptables (1.2.7-1) unstable; urgency=low * added wacky source+patch build system * updated to debhelper 4 * init.d, dropped iptables_command variable, added enable_ipv6 variable * added --mss port/range fix -- Laurence J. Lane Fri, 6 Sep 2002 06:33:07 -0400 iptables (1.2.6a-6) unstable; urgency=low * debian/iptables.init: * initd_save: s/Savinging/Saving/, #148284 * init_load and initd_save: abort missing gracefully * added initd_abort * s/$@/$*/g parameter change * corrected sed call problem, #149241 -- Laurence J. Lane Thu, 6 Jun 2002 23:57:59 -0400 iptables (1.2.6a-5) unstable; urgency=high * removed ownercmd patch, closes: 142649 * removed postinst init.d call, closes: 142791 * corrected source URIs in copyright -- Laurence J. Lane Sun, 14 Apr 2002 10:44:57 -0400 iptables (1.2.6a-4) unstable; urgency=high * removed MARK_operations patch, severe breakage -- Laurence J. Lane Mon, 8 Apr 2002 22:41:32 -0400 iptables (1.2.6a-3) unstable; urgency=high * posinst: merged in missing bits from 1.2.5-x and remove bogus "/1" * undo MARK and REJECT changes, severe breakage -- Laurence J. Lane Wed, 3 Apr 2002 14:38:12 -0500 iptables (1.2.6a-2) unstable; urgency=low * corrected typo and bug in initd_autosave() -- Laurence J. Lane Mon, 1 Apr 2002 06:38:01 -0500 iptables (1.2.6a-1) unstable; urgency=medium * New upstream release, closes: 140202 * upstream man page update, closes: 137933 * upstream SEGV fix, closes: 134518 * new init.d setup, changes: * {en,dis}able via debconf rc.d symlink management, closes: 139282 * deprecated "save_active" and "save_inactive" * accept "load " instead of "[ruleset name]" * added uniform policy compliant output, closes: 140400 * removed init.d clear from dev scripts, closes: 139102 * deprecated enable_iptables_initd and iptables_prerm_default * replaced README.Debian * chmod /etc/default/iptables 0644, closes: 1.2.73 * build depend on kernel 2.4.18 source * adjusted update-rc.d runlevels, closes: 140428 * updated pom patch handling, more extension modules, closes: 117536 * removed debian/ip6tables*.8 -- Laurence J. Lane Sun, 31 Mar 2002 22:54:25 -0500 iptables (1.2.5-7) unstable; urgency=low * iptables.c: upstream patch for proto_num segfault * init.d, shut down rc.d change from K10 to K90, closes: #135599 -- Laurence J. Lane Fri, 1 Mar 2002 15:59:23 -0500 iptables (1.2.5-6) unstable; urgency=low * removed extraneous -e in echo call, closes: #133838 -- Laurence J. Lane Thu, 14 Feb 2002 13:28:06 -0500 iptables (1.2.5-5) unstable; urgency=low * diginix inspired most-of-pom build * debian/control: Build-Depends + kernel-source-2.4.17 * debian/control: corrected section override disparity warning * init.d adjustments, increased verbosity, warn for no active/inactive -- Laurence J. Lane Wed, 13 Feb 2002 12:49:12 -0500 iptables (1.2.5-4) unstable; urgency=low * /etc/default/iptables was still confusing people -- Laurence J. Lane Thu, 7 Feb 2002 13:04:41 -0500 iptables (1.2.5-3) unstable; urgency=low * use explicit init.d variable defaults, closes: #132464 -- Laurence J. Lane Tue, 5 Feb 2002 11:23:58 -0500 iptables (1.2.5-2) unstable; urgency=low * used a silver bullet on /var/state/iptables/, closes: #130710 * default to 'nothing' instead of halt before start/stop in init.d because halt effectively disables all IP traffic. * allow saved ruleset filenames as init.d arguments, load the ruleset * Added text to disavow any sense of security afforded by merely installing the iptables package. iptables a tool that can be used to configure firewalls, among other things. The package is most defintely not a one-stop-system-security-solution. closes: #130729 * updated README and descriptions (control) * added netfilter-extensions and netfilter-hacking HOWTOs * resurrected ip6tables-{sav,restor}e.8 from an older package -- Laurence J. Lane Sat, 2 Feb 2002 23:44:14 -0500 iptables (1.2.5-1) unstable; urgency=low * new upstream release * moved /var/state/iptables to /var/lib/iptables, closes: #130337 * moved state dir definitions from default/iptables to init.d/iptables * corrected autosave behavior -- Laurence J. Lane Wed, 23 Jan 2002 13:36:58 -0500 iptables (1.2.4-4) unstable; urgency=low * official upload with new init.d setup -- Laurence J. Lane Sun, 20 Jan 2002 19:24:43 -0500 iptables (1.2.4-3.2) unstable; urgency=low * added optional ip6tables support init.d * changed prerm script init.d call default from "nothing" to "clear" * adjust file permissions on "default" file and state dir in postinst -- Laurence J. Lane Thu, 17 Jan 2002 20:58:00 -0500 iptables (1.2.4-3.1) unstable; urgency=low * README.Debian update * debian/rules: remove dh_testroot from clean target * s/wierd/weird/ in ip{,6}tables.c, see Bug #102771 * indicate -C option not available in manpage/help, see Bug #108199 * added init.d script -- Laurence J. Lane Tue, 15 Jan 2002 19:10:12 -0500 iptables (1.2.4-3) unstable; urgency=low * gcc linking patch by LaMont Jones * Debian README update -- Laurence J. Lane Thu, 13 Dec 2001 07:47:48 -0500 iptables (1.2.4-2) unstable; urgency=low * corrected upstream changelog compilation * debian/control: corrected Sections -- Laurence J. Lane Fri, 9 Nov 2001 00:46:03 -0500 iptables (1.2.4-1) unstable; urgency=low * new upstream version -- Laurence J. Lane Thu, 1 Nov 2001 11:19:05 -0500 iptables (1.2.3-2) unstable; urgency=low * Everett Coleman II's string_to_number() correction for libipt_TOS.c -- Laurence J. Lane Sat, 22 Sep 2001 14:10:45 -0400 iptables (1.2.3-1) unstable; urgency=low * new upstream version * debian/changelog: removed emacs mode settings * added /usr/share/doc/iptables/changelog.gz * Olivier Baudron's string_to_number() / --log-level corrections for iptables.c, libip6t_LOG.c, and libip6t_length.c -- Laurence J. Lane Tue, 4 Sep 2001 10:41:29 -0400 iptables (1.2.2-10) unstable; urgency=low * ip6tables.c: correct IP6T_LIB_DIR path -- Laurence J. Lane Mon, 13 Aug 2001 07:01:15 -0400 iptables (1.2.2-9) unstable; urgency=low * debian/rules: extraneous MAKE caused build failures on some archs -- Laurence J. Lane Sat, 11 Aug 2001 16:47:07 -0400 iptables (1.2.2-8) unstable; urgency=low * debian/rules: move EXTRA_VARS to correct KERNEL_DIR build failures -- Laurence J. Lane Fri, 10 Aug 2001 10:23:03 -0400 iptables (1.2.2-7) unstable; urgency=low * Makefile: set LIBDIR and BINDIR * ip6tables.c: set IP6T_LIB_DIR -- Laurence J. Lane Wed, 8 Aug 2001 04:47:56 -0400 iptables (1.2.2-6) unstable; urgency=low * replace HTML guides with sgml2html (linuxdoc-tools) processed SGML, closes: #107872 * debian/changelog: updated source location, author names, et cetera * debian/rules: s/EXTRAVARS/EXTRA_VARS/g -- Laurence J. Lane Mon, 6 Aug 2001 22:58:22 -0400 iptables (1.2.2-5) unstable; urgency=low * debian/rules: * set $(EXTRAVARS) on command line before $(MAKE) (corrects all variable settings, including LIBDIR, closes: #107839) * use find/xarg in clean target to remove *.{a,o,so} -- Laurence J. Lane Mon, 6 Aug 2001 19:22:42 -0400 iptables (1.2.2-4) unstable; urgency=low * debian/control: updated package descriptions and upgrade standards version to 3.5.6.0 * restore original Makefile, all target and evironment variable hacks moved to debian/rules * reverted to libc6-dev kernel headers (unresolved issues here) * 1.2.2-3 changelog updates: * REJECT.c: CVS code corrects reject-with output (#99728, #105271) * iptables.8: CVS code corrects man page formatting (#97079) * debian/control: Build-Depend on kernel-headers-2.4.7 * debian/rules: remove object files with the clean target and use kernel-headers-2.4.7 for KERNEL headers * enabled libipq build -- Laurence J. Lane Fri, 3 Aug 2001 20:41:13 -0400 iptables (1.2.2-3) unstable; urgency=low * debian/rules: converted from debmake to debhelper * applied fixes from CVS tree, closes: #99728, #97079, #105271 * added iptables-dev package, closes: #106689, #101493 * README.Debian: update -- Laurence J. Lane Tue, 31 Jul 2001 22:45:45 -0400 iptables (1.2.2-2) unstable; urgency=low * removed debian/rules bash expansions, Closes: #98794 -- Laurence J. Lane Sat, 26 May 2001 12:26:55 -0400 iptables (1.2.2-1) unstable; urgency=low * new upstream version -- Laurence J. Lane Fri, 11 May 2001 14:02:25 -0400 iptables (1.2.1a-2) unstable; urgency=low * restore ip6tables, patch provided by Marc Martinez -- Laurence J. Lane Wed, 25 Apr 2001 00:05:26 -0400 iptables (1.2.1a-1) unstable; urgency=low * new upstream release and enabled save/restore, Closes: #94211 -- Laurence J. Lane Thu, 19 Apr 2001 21:02:20 -0400 iptables (1.2.1-1) unstable; urgency=low * new upstream release, Closes: #85318 * removed symlinks to bins * applied debian/patch-ULOG (minor build issue) -- Laurence J. Lane Fri, 16 Mar 2001 16:37:27 -0500 iptables (1.2-10) unstable; urgency=low * bins and libs moved from /usr to /, provided symlinks, Closes: #89529 * added lintian overrides for shared-lib-without-dependency-information -- Laurence J. Lane Wed, 14 Mar 2001 04:24:47 -0500 iptables (1.2-9) unstable; urgency=low * change to libc6's kernel 2.4 headers so sparc can build -- Laurence J. Lane Wed, 7 Mar 2001 13:04:14 -0500 iptables (1.2.7) unstable; urgency=low * --rename-chain correction by sfrost@debian.org, closes: #84275 * debian/rules custom KERNEL_DIR example, closes: #86617 -- Laurence J. Lane Mon, 19 Feb 2001 10:11:16 -0500 iptables (1.2-7) unstable; urgency=low * Build-Depend on kernel-headers-2.4.0-test11, closes: #85871 -- Laurence J. Lane Sat, 17 Feb 2001 07:44:46 -0500 iptables (1.2-6) unstable; urgency=low * Corrected modprobe call, closes: #85299 -- Laurence J. Lane Thu, 8 Feb 2001 22:33:09 -0500 iptables (1.2-5) unstable; urgency=low * Added Build-Depends, closes #84764 -- Laurence J. Lane Sun, 4 Feb 2001 11:46:44 -0500 iptables (1.2-4) unstable; urgency=low * Recompiled without patch-o-matic headers (closes: #81902) -- Laurence J. Lane Thu, 11 Jan 2001 07:03:38 -0500 iptables (1.2-3) unstable; urgency=low * Corrected ip6tables lib path (closes: #81403) * Added temporary ip6tables.8.gz -- Laurence J. Lane Tue, 9 Jan 2001 19:59:40 -0500 iptables (1.2-2) unstable; urgency=low * Removed iptables-{save,restore}.8 * Corrected orig.tar.gz source upload -- Laurence J. Lane Tue, 9 Jan 2001 08:28:55 -0500 iptables (1.2-1) unstable; urgency=low * New maintainer * Enabled ip6tables build -- Laurence J. Lane Mon, 8 Jan 2001 19:51:02 -0500 iptables (1.1.2-1.0) unstable; urgency=low * Non-maintainer upload * New upstream release -- Laurence J. Lane Sat, 14 Oct 2000 13:15:34 -0400 iptables (1.1.1-1.1) unstable; urgency=low * Non-maintainer upload * Bypass kernel patch checks in Makefile, see Bug#67397 -- Laurence J. Lane Thu, 5 Oct 2000 17:34:53 -0400 iptables (1.1.1-1.0) unstable; urgency=low * Non-maintainer upload * New upstream release * Added Packet Filtering and NAT HOWTOs -- Laurence J. Lane Sat, 15 Jul 2000 22:44:17 -0400 iptables (1.1.0-1) unstable; urgency=low * New upstream release -- Christoph Lameter Sun, 14 May 2000 12:09:55 -0700 iptables (1.0.0-3) unstable; urgency=low * Remove Makefile.orig (closes: #63434) -- Christoph Lameter Wed, 3 May 2000 11:23:33 -0700 iptables (1.0.0-2) unstable; urgency=low * make distclean rather than make clean in debian/rules to wipe out platform specific dependendies before shipping source. (closes: #62967) -- Christoph Lameter Mon, 24 Apr 2000 12:12:39 -0700 iptables (1.0.0-1) unstable; urgency=low * Added some more docs. * Rewrote copyright file * Upstream final 1.0.0 release. -- Christoph Lameter Sun, 26 Mar 2000 19:19:19 -0800 iptables (1.0.0alpha-1) unstable; urgency=low * Initial release. -- Christoph Lameter Sun, 26 Mar 2000 18:49:18 -0800 debian/iptables.lintian-overrides0000644000000000000000000000013012263344316014347 0ustar iptables binary: package-name-doesnt-match-sonames libip4tc0 libip6tc0 libipq0 libiptc0 debian/compat0000644000000000000000000000000212263344316010370 0ustar 9 debian/README.Debian0000644000000000000000000000020612263345140011225 0ustar Documentation: ============== The various netfilter and iptables HOWTOS can be found at: http://www.netfilter.org/documentation/ debian/iptables.install0000644000000000000000000000042112263344316012362 0ustar lib/libip*.so.* usr/sbin/ip* sbin usr/sbin/xt* sbin usr/sbin/nf* usr/sbin lib/xtables iptables/iptables-apply usr/sbin iptables/iptables.xslt usr/share/iptables usr/share/man/man8 usr/share/man/man1 howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html debian/iptables-dev.doc-base.netfilter-hacking0000644000000000000000000000074212263344316016550 0ustar Document: netfilter-hacking Title: Linux netfilter Hacking HOWTO Author: Rusty Russell Abstract: This document describes the netfilter architecture for Linux, how to hack it, and some of the major systems which sit on top of it, such as packet filtering, connection tracking and Network Address Translation. Section: Help/HOWTO Format: HTML Index: /usr/share/doc/iptables-dev/html/netfilter-hacking-HOWTO.html Files: /usr/share/doc/iptables-dev/html/netfilter-hacking-HOWTO-*.html debian/shlibs.local0000644000000000000000000000004712263344316011473 0ustar libxtables 10 libxtables10 (>= 1.4.18) debian/iptables.doc-base.nat0000644000000000000000000000057412263344316013163 0ustar Document: nat Title: Linux 2.4/2.6 NAT HOWTO Author: Rusty Russell Abstract: This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translations with the 2.6+ Linux Kernels. Section: Help/HOWTO Format: HTML Index: /usr/share/doc/iptables/html/NAT-HOWTO.html Files: /usr/share/doc/iptables/html/NAT-HOWTO*.html debian/README.source0000644000000000000000000000032712263344316011353 0ustar This is a quilt style (using source format 3.0 (quilt)) package build with a quirky build directory hack. Look at /usr/share/doc/quilt/README.source for details on using quilt patch management with Debian packages. debian/rules0000755000000000000000000000060412263347412010252 0ustar #!/usr/bin/make -f export V=1 _dhopts := --with autoreconf _shlibdeps := \ -a -Xlib/xtables \ -l$(CURDIR)/debian/build/extensions/.libs _configure := \ --disable-libipq \ --enable-devel \ --libdir=/lib \ --with-xtlibdir=/lib/xtables %: dh $@ $(_dhopts) override_dh_shlibdeps: dh_shlibdeps $(_shlibdeps) override_dh_auto_configure: dh_auto_configure -- $(_configure) debian/patches/0000755000000000000000000000000012263347502010621 5ustar debian/patches/0102-add_manpages.patch0000644000000000000000000001217712263345140014631 0ustar From: Laurence J. Lane Subject: add binary man pages --- /dev/null +++ b/utils/nfnl_osf.8 @@ -0,0 +1,80 @@ +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.ie \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.el \{\ +. de IX +.. +.\} +.\" ======================================================================== +.\" +.IX Title "NFNL_OSF 8" +.TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +nfnl_osf \- load and unload os fingerprint database +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +load and unload osf fingerprint database for the netfilter osf extension +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIiptables\-extensions\fR\|(8) --- /dev/null +++ b/iptables/xtables-multi.8 @@ -0,0 +1,83 @@ +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.ie \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.el \{\ +. de IX +.. +.\} +.\" ======================================================================== +.\" +.IX Title "XTABLES-MULTI 8" +.TH XTABLES-MULTI 8 "2012-10-27" "xtables 1.4.16.3" "xtables-multi" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +xtables\-multi \- xtables multi\-link binary for netfilter's iptables and ip6tables +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& n/a +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +xtables-multi has no official man page. It is a binary that behaves +according to the name it is called by. \fB\s-1SEE\s0 \s-1ALSO\s0\fR lists the names. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIiptables\fR\|(8), \fIip6tables\fR\|(8), \fIiptables\-save\fR\|(8), \fIip6tables\-save\fR\|(8), \fIiptables\-restore\fR\|(8), \fIip6tables\-resotre\fR\|(8) debian/patches/9002-libxt_recent-Add-support-for-reap-option.patch0000644000000000000000000000167512263344316022144 0ustar Description: Fix support for reap option. Origin: 79ddbf202a06e6f018e087a328c2ca91e65a8463 Author: Tim Gardner Last-Update: <2013-06-07> Index: iptables/extensions/libxt_recent.c =================================================================== --- iptables.orig/extensions/libxt_recent.c 2013-10-23 19:37:20.190616082 -0400 +++ iptables/extensions/libxt_recent.c 2013-10-23 19:37:20.186616082 -0400 @@ -170,10 +170,16 @@ static void recent_check(struct xt_fcheck_call *cb) { + struct xt_recent_mtinfo *info = cb->data; + if (!(cb->xflags & F_ANY_OP)) xtables_error(PARAMETER_PROBLEM, "recent: you must specify one of `--set', `--rcheck' " "`--update' or `--remove'"); + + if ((info->check_set & XT_RECENT_REAP) && !info->seconds) + xtables_error(PARAMETER_PROBLEM, + "recent: you must specify `--seconds' with `--reap'"); } static void recent_print(const void *ip, const struct xt_entry_match *match, debian/patches/0201-660748-iptables_apply_man.patch0000644000000000000000000000256312263345140016643 0ustar From afc5ba9e94f86a11d50f3554efeafd402faddacb Mon Sep 17 00:00:00 2001 From: "Laurence J. Lane" Date: Mon, 2 Sep 2013 16:46:50 -0400 Subject: [PATCH] iptables: mention iptables-reply in SEE ALSO Add iptables-apply(8) to the SEE ALSO section of *-save(8) and *-restore(8). References: http://bugs.debian.org/660748 Signed-off-by: Laurence J. Lane --- iptables/iptables-restore.8.in | 2 +- iptables/iptables-save.8.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -65,7 +65,7 @@ .br Andras Kis-Szabo contributed ip6tables-restore. .SH SEE ALSO -\fBiptables\-save\fP(8), \fBiptables\fP(8) +\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the --- a/iptables/iptables-save.8.in +++ b/iptables/iptables-save.8.in @@ -55,7 +55,7 @@ .br Andras Kis-Szabo contributed ip6tables-save. .SH SEE ALSO -\fBiptables\-restore\fP(8), \fBiptables\fP(8) +\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the debian/patches/0105-lintian_spelling.patch0000644000000000000000000000074012263345140015555 0ustar From: Laurence J. Lane Description: lintian spelling warning, s/specifing/specifying --- a/libipq/ipq_set_verdict.3 +++ b/libipq/ipq_set_verdict.3 @@ -30,7 +30,7 @@ .B ipq_set_verdict function issues a verdict on a packet previously obtained with .BR ipq_read , -specifing the intended disposition of the packet, and optionally +specifying the intended disposition of the packet, and optionally supplying a modified version of the payload data. .PP The debian/patches/0104-lintian_hyphens.patch0000644000000000000000000000734312263345140015423 0ustar From: Laurence J. Lane Description: man page hyphen cleanup --- a/extensions/libip6t_DNPT.man +++ b/extensions/libip6t_DNPT.man @@ -23,7 +23,7 @@ .PP You may need to enable IPv6 neighbor proxy: .IP -sysctl -w net.ipv6.conf.all.proxy_ndp=1 +sysctl \-w net.ipv6.conf.all.proxy_ndp=1 .PP You also have to use the .B NOTRACK --- a/extensions/libip6t_SNPT.man +++ b/extensions/libip6t_SNPT.man @@ -23,7 +23,7 @@ .PP You may need to enable IPv6 neighbor proxy: .IP -sysctl -w net.ipv6.conf.all.proxy_ndp=1 +sysctl \-w net.ipv6.conf.all.proxy_ndp=1 .PP You also have to use the .B NOTRACK --- a/extensions/libxt_HMARK.man +++ b/extensions/libxt_HMARK.man @@ -56,5 +56,5 @@ \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe .PP -iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000 +iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000 \-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef --- a/extensions/libxt_SET.man +++ b/extensions/libxt_SET.man @@ -21,5 +21,5 @@ when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition .PP -Use of -j SET requires that ipset kernel support is provided, which, for +Use of \-j SET requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39. --- a/extensions/libxt_TOS.man +++ b/extensions/libxt_TOS.man @@ -32,5 +32,5 @@ a bug whereby IPv6 TOS mangling does not behave as documented and differs from the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs to be inverted before applying it to the original TOS field. However, the -aformentioned kernels forgo the inversion which breaks --set-tos and its +aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its mnemonics. --- a/extensions/libxt_bpf.man +++ b/extensions/libxt_bpf.man @@ -4,7 +4,7 @@ \fB\-\-bytecode\fP \fIcode\fP Pass the BPF byte code format (described in the example below). .PP -The code format is similar to the output of the tcpdump -ddd command: one line +The code format is similar to the output of the tcpdump \-ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if --- a/extensions/libxt_cluster.man +++ b/extensions/libxt_cluster.man @@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \-\-cluster\-hash\-seed 0xdeadbeef -\-j MARK -\-set\-mark 0xffff +\-j MARK \-\-set\-mark 0xffff .IP iptables \-A PREROUTING \-t mangle \-i eth1 \-m mark ! \-\-mark 0xffff \-j DROP --- a/extensions/libxt_osf.man +++ b/extensions/libxt_osf.man @@ -35,11 +35,11 @@ OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load fingerprints from a file, use: .PP -\fBnfnl_osf -f /usr/share/xtables/pf.os\fP +\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP .PP To remove them again, .PP -\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP +\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP .PP The fingerprint database can be downlaoded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . --- a/extensions/libxt_set.man +++ b/extensions/libxt_set.man @@ -61,5 +61,5 @@ The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does not clash with an option of other extensions. .PP -Use of -m set requires that ipset kernel support is provided, which, for +Use of \-m set requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39. debian/patches/0401-580941-iptables_apply_update.patch0000644000000000000000000003336012263345140017347 0ustar From dafbc722de7bf7445a7650e5fe0778ac798dcd18 Mon Sep 17 00:00:00 2001 From: Laurence J. Lane Subject: [PATCH] iptables: update iptables-apply to v1.1 Bug: http://bugs.debian.org/580941 This is GW's update to iptables-apply. It does a code cleanup and adds two options: one runs a command and the other writes the sucessful rules file. I modified the script to use mktemp instead of tempfile. I also fixed a couple of hyphens in the man page addition. Signed-off-by: Laurence J. Lane --- iptables/iptables-apply | 304 ++++++++++++++++++++++++++++++------------- iptables/iptables-apply.8.in | 46 ++++--- 2 files changed, 243 insertions(+), 107 deletions(-) --- a/iptables/iptables-apply +++ b/iptables/iptables-apply @@ -1,173 +1,293 @@ #!/bin/bash -# # iptables-apply -- a safer way to update iptables remotely # -# Copyright © Martin F. Krafft +# Usage: +# iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} +# +# Versions: +# * 1.0 Copyright 2006 Martin F. Krafft +# Original version +# * 1.1 Copyright 2010 GW +# Added parameter -c (run command) +# Added parameter -w (save successfully applied rules to file) +# Major code cleanup +# # Released under the terms of the Artistic Licence 2.0 # set -eu -PROGNAME="${0##*/}"; -VERSION=1.0 +PROGNAME="${0##*/}" +VERSION=1.1 + + +### Default settings + +DEF_TIMEOUT=10 + +MODE=0 # apply rulesfile mode +# MODE=1 # run command mode + +case "$PROGNAME" in + (*6*) + SAVE=ip6tables-save + RESTORE=ip6tables-restore + DEF_RULESFILE="/etc/network/ip6tables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/ip6tables.up.run" + ;; + (*) + SAVE=iptables-save + RESTORE=iptables-restore + DEF_RULESFILE="/etc/network/iptables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/iptables.up.run" + ;; +esac -TIMEOUT=10 -function blurb() -{ - cat <<-_eof +### Functions + +function blurb() { + cat <<-__EOF__ $PROGNAME $VERSION -- a safer way to update iptables remotely - _eof + __EOF__ } -function copyright() -{ - cat <<-_eof - $PROGNAME is C Martin F. Krafft . - - The program has been published under the terms of the Artistic Licence 2.0 - _eof +function copyright() { + cat <<-__EOF__ + $PROGNAME has been published under the terms of the Artistic Licence 2.0. + + Original version - Copyright 2006 Martin F. Krafft . + Version 1.1 - Copyright 2010 GW . + __EOF__ } -function about() -{ +function about() { blurb echo copyright } -function usage() -{ - cat <<-_eof - Usage: $PROGNAME [options] ruleset - - The script will try to apply a new ruleset (as output by iptables-save/read - by iptables-restore) to iptables, then prompt the user whether the changes - are okay. If the new ruleset cut the existing connection, the user will not - be able to answer affirmatively. In this case, the script rolls back to the - previous ruleset. - - The following options may be specified, using standard conventions: - - -t | --timeout Specify the timeout in seconds (default: $TIMEOUT) - -V | --version Display version information - -h | --help Display this help text - _eof +function usage() { + blurb + echo + cat <<-__EOF__ + Usage: + $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} + + The script will try to apply a new rulesfile (as output by iptables-save, + read by iptables-restore) or run a command to configure iptables and then + prompt the user whether the changes are okay. If the new iptables rules cut + the existing connection, the user will not be able to answer affirmatively. + In this case, the script rolls back to the previous working iptables rules + after the timeout expires. + + Successfully applied rules can also be written to savefile and later used + to roll back to this state. This can be used to implement a store last good + configuration mechanism when experimenting with an iptables setup script: + $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD + + When called as ip6tables-apply, the script will use ip6tables-save/-restore + and IPv6 default values instead. Default value for rulesfile is + '$DEF_RULESFILE'. + + Options: + + -t seconds, --timeout seconds + Specify the timeout in seconds (default: $DEF_TIMEOUT). + -w savefile, --write savefile + Specify the savefile where successfully applied rules will be written to + (default if empty string is given: $DEF_SAVEFILE). + -c runcmd, --command runcmd + Run command runcmd to configure iptables instead of applying a rulesfile + (default: $DEF_RUNCMD). + -h, --help + Display this help text. + -V, --version + Display version information. + + __EOF__ } -SHORTOPTS="t:Vh"; -LONGOPTS="timeout:,version,help"; +function checkcommands() { + for cmd in "${COMMANDS[@]}"; do + if ! command -v "$cmd" >/dev/null; then + echo "Error: needed command not found: $cmd" >&2 + exit 127 + fi + done +} + +function revertrules() { + echo -n "Reverting to old iptables rules... " + "$RESTORE" <"$TMPFILE" + echo "done." +} + + +### Parsing and checking parameters + +TIMEOUT="$DEF_TIMEOUT" +SAVEFILE="" + +SHORTOPTS="t:w:chV"; +LONGOPTS="timeout:,write:,command,help,version"; OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $? for opt in $OPTS; do case "$opt" in - (-*) unset OPT_STATE;; + (-*) + unset OPT_STATE + ;; (*) case "${OPT_STATE:-}" in - (SET_TIMEOUT) - eval TIMEOUT=$opt - case "$TIMEOUT" in - ([0-9]*) :;; - (*) - echo "E: non-numeric timeout value." >&2 - exit 1 - ;; - esac + (SET_TIMEOUT) eval TIMEOUT=$opt;; + (SET_SAVEFILE) + eval SAVEFILE=$opt + [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE" ;; esac ;; esac case "$opt" in + (-t|--timeout) OPT_STATE="SET_TIMEOUT";; + (-w|--write) OPT_STATE="SET_SAVEFILE";; + (-c|--command) MODE=1;; (-h|--help) usage >&2; exit 0;; (-V|--version) about >&2; exit 0;; - (-t|--timeout) OPT_STATE=SET_TIMEOUT;; (--) break;; esac shift done -case "$PROGNAME" in - (*6*) - SAVE=ip6tables-save - RESTORE=ip6tables-restore - DEFAULT_FILE=/etc/network/ip6tables - ;; - (*) - SAVE=iptables-save - RESTORE=iptables-restore - DEFAULT_FILE=/etc/network/iptables - ;; -esac - -FILE="${1:-$DEFAULT_FILE}"; - -if [[ -z "$FILE" ]]; then - echo "E: missing file argument." >&2 +# Validate parameters +if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then + TIMEOUT=$(($TIMEOUT)) +else + echo "Error: timeout must be a positive number" >&2 exit 1 fi -if [[ ! -r "$FILE" ]]; then - echo "E: cannot read $FILE" >&2 - exit 2 +if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then + echo "Error: savefile not writable: $SAVEFILE" >&2 + exit 8 fi -COMMANDS=(tempfile "$SAVE" "$RESTORE") +case "$MODE" in + (1) + # Treat parameter as runcmd (run command mode) + RUNCMD="${1:-$DEF_RUNCMD}" + if [ ! -x "$RUNCMD" ]; then + echo "Error: runcmd not executable: $RUNCMD" >&2 + exit 6 + fi + + # Needed commands + COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD") + checkcommands + ;; + (*) + # Treat parameter as rulesfile (apply rulesfile mode) + RULESFILE="${1:-$DEF_RULESFILE}"; + if [ ! -r "$RULESFILE" ]; then + echo "Error: rulesfile not readable: $RULESFILE" >&2 + exit 2 + fi + + # Needed commands + COMMANDS=(mktemp "$SAVE" "$RESTORE") + checkcommands + ;; +esac -for cmd in "${COMMANDS[@]}"; do - if ! command -v $cmd >/dev/null; then - echo "E: command not found: $cmd" >&2 - exit 127 - fi -done -umask 0700 +### Begin work -TMPFILE=$(tempfile -p iptap) +# Store old iptables rules to temporary file +TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX` trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 if ! "$SAVE" >"$TMPFILE"; then + # An error occured if ! grep -q ipt /proc/modules 2>/dev/null; then - echo "E: iptables support lacking from the kernel." >&2 + echo "Error: iptables support lacking from the kernel" >&2 exit 3 else - echo "E: unknown error saving current iptables ruleset." >&2 + echo "Error: unknown error saving old iptables rules: $TMPFILE" >&2 exit 4 fi fi +# Legacy to stop the fail2ban daemon if present [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop -echo -n "Applying new ruleset... " -if ! "$RESTORE" <"$FILE"; then - echo "failed." - echo "E: unknown error applying new iptables ruleset." >&2 - exit 5 -else - echo done. -fi +# Configure iptables +case "$MODE" in + (1) + # Run command in background and kill it if it times out + echo -n "Running command '$RUNCMD'... " + "$RUNCMD" & + CMD_PID=$! + ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) & + CMDTIMEOUT_PID=$! + if ! wait "$CMD_PID"; then + echo "failed." + echo "Error: unknown error running command: $RUNCMD" >&2 + revertrules + exit 7 + else + echo "done." + fi + ;; + (*) + # Apply iptables rulesfile + echo -n "Applying new iptables rules from '$RULESFILE'... " + if ! "$RESTORE" <"$RULESFILE"; then + echo "failed." + echo "Error: unknown error applying new iptables rules: $RULESFILE" >&2 + revertrules + exit 5 + else + echo "done." + fi + ;; +esac +# Prompt user for confirmation echo -n "Can you establish NEW connections to the machine? (y/N) " -read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || : +read -n1 -t "$TIMEOUT" ret 2>&1 || : case "${ret:-}" in (y*|Y*) + # Success echo - echo ... then my job is done. See you next time. + + if [ ! -z "$SAVEFILE" ]; then + # Write successfully applied rules to the savefile + echo "Writing successfully applied rules to '$SAVEFILE'..." + if ! "$SAVE" >"$SAVEFILE"; then + echo "Error: unknown error writing successfully applied rules: $SAVEFILE" >&2 + exit 9 + fi + fi + + echo "... then my job is done. See you next time." ;; (*) - if [[ -z "${ret:-}" ]]; then - echo "apparently not..." + # Failed + echo + if [ -z "${ret:-}" ]; then + echo "Timeout! Something happened (or did not). Better play it safe..." else - echo + echo "No affirmative response! Better play it safe..." fi - echo "Timeout. Something happened (or did not). Better play it safe..." - echo -n "Reverting to old ruleset... " - "$RESTORE" <"$TMPFILE"; - echo done. + revertrules exit 255 ;; esac +# Legacy to start the fail2ban daemon again [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start exit 0 --- a/iptables/iptables-apply.8.in +++ b/iptables/iptables-apply.8.in @@ -1,6 +1,6 @@ .\" Title: iptables-apply -.\" Author: Martin F. Krafft -.\" Date: Jun 04, 2006 +.\" Author: Martin F. Krafft, GW +.\" Date: May 10, 2010 .\" .TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" .\" disable hyphenation @@ -8,23 +8,37 @@ .SH NAME iptables-apply \- a safer way to update iptables remotely .SH SYNOPSIS -\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP +\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP .SH "DESCRIPTION" .PP -iptables\-apply will try to apply a new ruleset (as output by -iptables\-save/read by iptables\-restore) to iptables, then prompt the -user whether the changes are okay. If the new ruleset cut the existing -connection, the user will not be able to answer affirmatively. In this -case, the script rolls back to the previous ruleset after the timeout -expired. The timeout can be set with \fB\-t\fP. -.PP -When called as \fBip6tables\-apply\fP, the script will use -ip6tables\-save/\-restore instead. +iptables\-apply will try to apply a new rulesfile (as output by +iptables-save, read by iptables-restore) or run a command to configure +iptables and then prompt the user whether the changes are okay. If the +new iptables rules cut the existing connection, the user will not be +able to answer affirmatively. In this case, the script rolls back to +the previous working iptables rules after the timeout expires. +.PP +Successfully applied rules can also be written to savefile and later used +to roll back to this state. This can be used to implement a store last good +configuration mechanism when experimenting with an iptables setup script: +iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run +.PP +When called as ip6tables\-apply, the script will use +ip6tables\-save/\-restore and IPv6 default values instead. Default +value for rulesfile is '/etc/network/iptables.up.rules'. .SH OPTIONS .TP \fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR -Sets the timeout after which the script will roll back to the previous -ruleset. +Sets the timeout in seconds after which the script will roll back +to the previous ruleset (default: 10). +.TP +\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR +Specify the savefile where successfully applied rules will be written to +(default if empty string is given: /etc/network/iptables.up.rules). +.TP +\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR +Run command runcmd to configure iptables instead of applying a rulesfile +(default: /etc/network/iptables.up.run). .TP \fB\-h\fP, \fB\-\-help\fP Display usage information. @@ -36,9 +50,11 @@ \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8). .SH LEGALESE .PP -iptables\-apply is copyright by Martin F. Krafft. +Original iptables-apply - Copyright 2006 Martin F. Krafft . +Version 1.1 - Copyright 2010 GW . .PP -This manual page was written by Martin F. Krafft +This manual page was written by Martin F. Krafft and +extended by GW . .PP Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0. debian/patches/0301-install_iptables_apply.patch0000644000000000000000000000257012263345140016761 0ustar From 1f6e159b2c353f287142d8e0e1dc86e2fb38d277 Mon Sep 17 00:00:00 2001 From: "Laurence J. Lane" Date: Fri, 6 Sep 2013 18:36:05 -0400 Subject: [PATCH] build: install iptables-apply Signed-off-by: Laurence J. Lane --- iptables/Makefile.am | 5 ++++- iptables/ip6tables-apply.8 | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 iptables/ip6tables-apply.8 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -27,7 +27,9 @@ sbin_PROGRAMS = xtables-multi man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 iptables-extensions.8 + ip6tables-save.8 iptables-extensions.8 \ + iptables-apply.8 ip6tables-apply.8 +sbin_SCRIPTS = iptables-apply CLEANFILES = iptables.8 vx_bin_links = iptables-xml @@ -52,3 +54,4 @@ for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done; for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done; + ${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply" --- /dev/null +++ b/iptables/ip6tables-apply.8 @@ -0,0 +1 @@ +.so man8/iptables-apply.8 debian/patches/0101-changelog.patch0000644000000000000000000034327612263345140014163 0ustar Author: ljlane Description: iptables source doesn't include a changelog. This is a compilation of the external changelog files taken from ftp.netfilter.org. --- /dev/null +++ b/Changelog @@ -0,0 +1,3505 @@ +iptables v1.4.21 Changelog: +====================================================================== +Changes from 1.4.20: + +Eric Dumazet (1): + xt_socket: add --nowildcard flag + +Florian Westphal (3): + extensions: libxt_socket: update man page + doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man + doc: merge ip6table man pages into ipv4 ones + +Jozsef Kadlecsik (1): + extensions: libxt_set, libxt_SET: check the set family too + +Kevin Cernekee (1): + ip6tables: Use consistent exit code for EAGAIN + +Laurence J. Lane (8): + iptables: libxt_hashlimit.man: correct address + iptables: libxt_conntrack.man extraneous commas + iptables: libip(6)t_REJECT.man default icmp types + iptables: iptables-xm1.1 correct man section + iptables: libxt_recent.{c,man} dead URL + iptables: libxt_string.man add examples + extensions: libxt_LOG: use generic syslog reference in manpage + iptables: extensions/GNUMakefile.in use CPPFLAGS + +Lutz Jaenicke (1): + iptables: correctly reference generated file + +Pablo Neira Ayuso (7): + Merge branch 'stable-1.4.20' + Merge branch 'stable-1.4.20' + ip[6]tables: fix incorrect alignment in commands_v_options + build: add software version to manpage first line at configure stage + extensions: libxt_cluster: add note on arptables-jf + utils: nfsynproxy: fix error while compiling the BPF filter + iptables 1.4.21 release + +Patrick McHardy (2): + extensions: add SYNPROXY extension + utils: add nfsynproxy tool + +Phil Oester (4): + iptables: state match incompatibilty across versions + libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks + iptables: improve chain name validation + iptables: spurious error in load_extension + +stephen hemminger (1): + xtables: trivial spelling fix + + +iptables v1.4.20 Changelog: +====================================================================== +Changes from 1.4.19.1: + + +Alexey Perevalov (1): + doc: clarify DEBUG usage macro + +Andy Spencer (1): + iptables: use autoconf to process .in man pages + +Eric Leblond (1): + configure: display summary + +Florian Westphal (2): + extensions: libipt_ULOG: man page should mention NFLOG as replacement + extensions: libxt_connlabel: use libnetfilter_conntrack + +Jozsef Kadlecsik (2): + Introduce a new revision for the set match with the counters support + libxt_CT: Add the "NOTRACK" alias + +Mart Frauenlob (7): + libip6t_mh: Correct command to list named mh types in manpage + extensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 support + extensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 support + extensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 support + extensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 support + extensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 support + extensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 support + +Pablo Neira Ayuso (7): + extensions: libxt_LED: fix parsing of delay + Merge branch 'stable' + Merge branch 'stable' + ip{6}tables-restore: fix breakage due to new locking approach + libxt_recent: restore minimum value for --seconds + iptables-xml: fix parameter parsing (similar to 2165f38) + iptables 1.4.20 release + +Patrick McHardy (1): + extensions: add copyright statements + +Phil Oester (7): + xtables: improve get_modprobe handling + ip[6]tables: Add locking to prevent concurrent instances + iptables: Fix connlabel.conf install location + ip6tables: don't print out /128 + libip6t_LOG: target output is different to libipt_LOG + build: additional include path required after UAPI changes + iptables: iptables-xml: Fix various parsing bugs + +Russell Senior (1): + libxt_recent: restore reap functionality to recent module + +Willem de Bruijn (1): + build: fail in configure on missing dependency with --enable-bpf-compiler + +holger@eitzenberger.org (1): + extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter + + + +iptables v1.4.19.1 Changelog: +====================================================================== +Changes from 1.4.19: + + +Florian Westphal (1): + Revert "extensions: add connlabel match" duplicate + +Michael Roth (1): + doc: mention SNAT in INPUT chain since kernel 2.6.36 + +Pablo Neira Ayuso (2): + build: bump version to 1.4.19 + iptables 1.4.19.1 release + + + +iptables v1.4.19 Changelog: +====================================================================== +Changes from 1.4.18: + + +Florian Westphal (3): + libxt_NFQUEUE: fix bypass option documentation + extensions: add connlabel match + extensions: add connlabel match + +Mart Frauenlob (3): + ip[6]tables: show --protocol instead of --proto in usage + libxt_recent: Fix missing space in manpage for --mask option + extensions: libxt_multiport: Update manpage to list valid protocols + +Nicolas Dichtel (1): + utils: nfnl_osf: use the right nfnetlink lib + +Pablo Neira Ayuso (11): + libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency + Revert "build: resolve link failure for ip6t_NETMAP" + libxt_osf: fix missing --ttl and --log in save output + libxt_osf: fix bad location for location in --genre + libip6t_SNPT: add manpage + libip6t_DNPT: add manpage + Merge branch 'stable' + utils: updates .gitignore to include nfbpf_compile + extensions: libxt_bpf: clarify --bytecode argument + libxtables: fix parsing of dotted network mask format + build: bump version to 1.4.19 + +Patrick McHardy (1): + libxt_conntrack: fix state match alias state parsing + +Willem de Bruijn (2): + extensions: add libxt_bpf extension + utils: nfbpf_compile + + + +iptables v1.4.18 Changelog: +====================================================================== +Changes from 1.4.17: + + +Florian Westphal (1): + doc: rpfilter: invert option should have own paragraph + +Jan Engelhardt (11): + build: resolve link failure for ip6t_NETMAP + doc: fixup omissions in ip6tables-restore.8 + doc: document iptables-restore's -t option + doc: document iptables-restore's -v option + doc: document iptables-restore's -M option + doc: document iptables-restore's -h option + doc: name the supported log levels for ipt_LOG + doc: mention -m in the manpage + doc: document the -4 and -6 options + extensions: S/DNPT: add missing save function + build: bump SONAME for libxtables + +Jozsef Kadlecsik (3): + Introduce match/target aliases + Add the "state" alias to the "conntrack" match + Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables + +Pablo Neira Ayuso (7): + iptables: remove unused leftover definitions + libxtables: add xtables_rule_matches_free + libxtables: add xtables_print_num + Merge branch 'stable' into 'master' + doc: document nat table for IPv6 + doc: iptables provides up to 5 independent tables + build: bump version to 1.4.18 + +Ulrich Weber (3): + extensions: libip6t_DNPT: fix wording in DNPT target + extension: libip6t_DNAT: allow port DNAT without address + extensions: libip6t_DNAT: set IPv6 DNAT --to-destination + + + + +iptables v1.4.17 Changelog: +====================================================================== +Changes from 1.4.16.3: + + +Florian Westphal (1): + libxt_time: add support to ignore day transition + +Jozsef Kadlecsik (1): + Manpage update: matches are evaluated in the order they are specified. + +Pablo Neira Ayuso (2): + Merge branch 'next' branch that contains new features scheduled for Linux kernel 3.7 + bump version to 1.4.17 + +Patrick McHardy (7): + Convert the NAT targets to use the kernel supplied nf_nat.h header + extensions: add IPv6 MASQUERADE extension + extensions: add IPv6 SNAT extension + extensions: add IPv6 DNAT target + extensions: add IPv6 REDIRECT extension + extensions: add IPv6 NETMAP extension + extensions: add NPT extension + +Tom Eastep (1): + extensions: libxt_statistic: Fix save output + + + +iptables v1.4.16.3 Changelog: +====================================================================== +Changes from 1.4.16.2: + + +Jan Engelhardt (2): + build: remove symlink-only extensions from static object list + build: resolve compile abort in libxt_limit on RHEL5 + +Pablo Neira Ayuso (1): + bump iptables to 1.4.16.3 + + + +iptables v1.4.16.2 Changelog: +====================================================================== +Changes from 1.4.16.1: + + +Jan Engelhardt (1): + iptables: restore NOTRACK functionality, target aliasing + +Pablo Neira Ayuso (1): + bump version to 1.4.16.2 + + + +iptables v1.4.16.1 Changelog: +====================================================================== +Changes from 1.4.16: + + +Pablo Neira Ayuso (2): + iptables: fix standard target + bump version to 1.4.16.1 + + + +iptables v1.4.16 Changelog: +====================================================================== +Changes from 1.4.15: + +Andreas Schwab (1): + libxt_tcp: print space before, not after "flags:" + +Jan Engelhardt (23): + iptables-restore: warn about -t in rule lines + doc: grammatical updates to libxt_SET + libxt_u32: do bounds checking for @'s operands + libxt_devgroup: consolidate devgroup specification parsing + libxt_devgroup: guard against negative numbers + libxt_LED: guard against negative numbers + libxt_*limit: avoid division by zero + Merge remote-tracking branch 'nf/stable' + build: support for automake-1.12 + build: separate AC variable replacements from xtables.h + build: have `make clean` remove dep files too + libxtables: consolidate preference logic + iptables: support for target aliases + libxt_NOTRACK: replace as an alias to CT --notrack + iptables: support for match aliases + libxt_state: replace as an alias to xt_conntrack + Merge branch 'master' of git://git.inai.de/iptables + doc: clean up interpunction in state list for xt_conntrack + doc: deduplicate extension descriptions into a new manpage + doc: trim "state" manpage and reference conntrack instead + doc: have NOTRACK manpage point to CT instead + doc: mention iptables-apply in the SEE ALSO sections + Merge branch 'master' of git://git.inai.de/iptables + +Jozsef Kadlecsik (1): + New set match revision with --return-nomatch flag support + +Michal Kube¿ek (1): + libip6t_frag: match any frag id by default + +Pablo Neira Ayuso (6): + include: add missing linux/netfilter_ipv4/ip_queue.h + ip[6]tables-restore: cleanup to reduce one level of indentation + include: add missing linux/netfilter_ipv4/ip_queue.h + iptables: fix wrong error messages + extensions: libxt_addrtype: fix type in help message + bump version to 1.4.16 + + + +iptables v1.4.15 Changelog: +====================================================================== +Changes from 1.4.14: + + +Denys Fedoryshchenko (1): + libxt_recent: add --mask netmask + +Eldad Zack (1): + libxt_recent: remove unused variable + +Florian Westphal (2): + libxt_devgroup: add man page snippet + libxt_hashlimit: add support for byte-based operation + +Hans Schillstrom (3): + extensions: add HMARK target + libxt_HMARK: fix output of iptables -L + libxt_HMARK: correct a number of errors introduced by Pablo's rework + +Pablo Neira Ayuso (6): + libxtables: add xtables_ip[6]mask_to_cidr + libxt_HMARK: fix ct case example + iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7) + Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)" + iptables-restore: fix parameter parsing (shows up with gcc-4.7) + bump version to 1.4.15 + + +iptables v1.4.14 Changelog: +====================================================================== +Changes from 1.4.13: + + +Florian Westphal (3): + ip(6)tables-restore: make sure argv is NULL terminated + extensions: libxt_rateest: output all options in save hook + tests: add rateest match rules + +Miguel GAIO (1): + libiptc: fix retry path in TC_INIT + +Pablo Neira Ayuso (3): + libxt_CT: add --timeout option + libipt_ULOG: fix --ulog-cprange + Bump version to 1.4.14 + + + +iptables v1.4.13 Changelog: +====================================================================== +Changes from 1.4.12.2: + + +Florian Westphal (1): + extensions: add rpfilter module + +Franz Flasch (2): + iptables: missing free() in function cache_add_entry() + iptables: missing free() in function delete_entry() + +Jonh Wendell (1): + libiptc: Returns the position the entry was inserted + +Maciej ¿enczykowski (1): + src: mark newly opened fds as FD_CLOEXEC (close on exec) + +Pablo Neira Ayuso (7): + Revert "libiptc: Returns the position the entry was inserted" + extensions: add nfacct match + Bump version to 1.4.13 + + +Patrick McHardy (1): + extensions: add IPv6 capable ECN match extension + + + +iptables v1.4.12.2 Changelog: +====================================================================== +Changes from 1.4.12.1: + + +Florian Westphal (2): + libxt_NFQUEUE: fix --queue-bypass ipt-save output + libxt_connbytes: fix handling of --connbytes FROM + +Jan Engelhardt (17): + xtoptions: fill in fallback value for nvals + libxt_statistic: link with -lm + libxt_RATEEST: link with -lm + build: scan for unreferenced symbols + iptables: move kernel version find routing into libxtables + Merge branch 'stable' of git://dev.medozas.de/iptables + Merge branch 'stable' + build: sort file list before build + doc: fix undesired newline in ip6tables-restore(8) + ip6tables-restore: implement missing -T option + doc: document iptables-restore's -T option + build: restore build order of modules + build: make check stage not fail when building statically + libipt_SAME: set PROTO_RANDOM on all ranges + doc: clarification on the meaning of -p 0 + libiptc: provide separate pkgconfig files + nfnl_osf: add missing libnfnetlink_CFLAGS to compile process + +Pablo Neira Ayuso (1): + Bump version to 1.4.12.2 + +Richard Weinberger (1): + xtoptions: simplify xtables_parse_interface + +Thomas Jarosch (1): + libxtables: Fix file descriptor leak in xtables_lmap_init on error + +Tom Eastep (2): + libxt_conntrack: improve error message on parsing violation + libxt_CONNSECMARK: fix spacing in output + + + +iptables v1.4.12.1 Changelog: +====================================================================== +Changes from 1.4.12: + + +Bernard Massot (1): + doc: fix typo in libxt_TRACE + +Dwight Davis (1): + libxt_string: fix space around arguments + +Fernando Luis Vázquez Cao (1): + libxt_TOS: update linux kernel version list for backported fix + +Jan Engelhardt (36): + extensions: use multi-target registration + libxt_TCPMSS: restore build with IPv6-less libcs + libxt_string: define _GNU_SOURCE for strnlen + build: workaround broken linux-headers on RHEL-5 + build: strengthen check for overlong lladdr components + build: abort autogen on subcommand failure + libipq: add pkgconfig file + libxt_u32: fix missing allowance for inversion + libxt_set: update man page about kernel support on the feature + libxt_tcp: always print the mask parts + libxt_set: put differing variable names in directly + doc: clarify libxt_connlimit defaults + libxt_conntrack: remove one misleading comment + libxt_dccp: restore missing XTOPT_INVERT tags for options + libxt_dccp: fix deprecated intrapositional ordering of ! + libxt_dccp: spell out option name on save + libxt_dccp: provide man pages options in short help too + libxt_dccp: fix random output of ! on --dccp-option + libxt_dscp: restore inversion support + libxt_hashlimit: default htable-expire must be in milliseconds + libxt_conntrack: fix --ctproto 0 output + xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT + libip6t_frag: restore inversion support + libxt_hashlimit: remove inversion from hashlimit rev 0 + libip6t_hbh: restore setting IP6T_OPTS_LEN flag + libip6t_dst: restore setting IP6T_OPTS_LEN flag + libipt_ttl: document that negation is available + libxt_owner: restore inversion support + libxt_physdev: restore inversion support + libxt_policy: remove superfluous inversion + tests: add negation tests for libxt_statistic + libxt_hashlimit: observe new default gc-expire time when saving + libxt_string: simplify hex output routine + libxt_string: replace hex codes by char equivalents + src: remove unused IPTABLES_MULTI define + libxt_string: escape the escaping char too + +Pablo Neira Ayuso (1): + Bump version to 1.4.12.1 + +Patrick McHardy (1): + Merge branch 'master' of git://dev.medozas.de/iptables + + + +iptables v1.4.12 Changelog: +====================================================================== +Changes from 1.4.11.1: + + +Fernando Luis Vazquez Cao (1): + doc: document IPv6 TOS mangling bug in old Linux kernels + +Jakub Zawadzki (1): + doc: fix group range in libxt_NFLOG's man + +Jan Engelhardt (23): + doc: include matches/targets in manpage again + libipt_LOG: fix ignoring all but last flags + libxt_RATEEST: use guided option parser + iptables: consolidate target/match init call + extensions: support for per-extension instance "global" variable space + libxt_rateest: abolish global variables + libxt_RATEEST: abolish global variables + libip6t_HL: fix option names from ttl -> hl + libxt_state: fix regression about inversion of main option + libxt_hashlimit: use a more obvious expiry value by default + build: bump soversion for recent data structure change + build: attempt to fix building under Linux 2.4 + doc: mention multiple verbosity flags + build: install modules in arch-dependent location + doc: fix version string in ip6tables.8 + doc: the -m option cannot be inverted + iptables: restore negation for -f + libxtables: properly reject empty hostnames + libxtables: ignore whitespace in the multiaddress argument parser + option: remove last traces of intrapositional negation + libxtables: set clone's initial data to NULL + libxt_conntrack: restore network-byte order for v1,v2 + libxt_conntrack: move more data into the xt_option_entry + +Jiri Popelka (5): + iptables: Coverity: DEADCODE + iptables: Coverity: NEGATIVE_RETURNS + iptables: Coverity: REVERSE_INULL + iptables: Coverity: VARARGS + iptables: Coverity: RESOURCE_LEAK + +Martin F. Krafft (1): + iptables-apply: select default rule file depending on call name + +Massimo Maggi (1): + libxt_RATEEST: fix userspacesize field + +Patrick McHardy (4): + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Bump version to 1.4.12 + + + +iptables v1.4.11.1 Changelog: +====================================================================== +Changes from 1.4.11: + + +Elie De Brauwer (1): + doc: fix trivial typo in libipt_SNAT + +Jan Engelhardt (13): + libxt_owner: restore inversion support + build: remove dead code parts + build: fix installation of symlinks + build: fix absence of xml translator in IPv6-only builds + doc: update GPL license text + doc: iptables-xml should be in manpage section 1 + build: move basic preprocessor flags to regular_CPPFLAGS + build: move kinclude's preprocessor flags to kinclude_CPPFLAGS + src: move all libiptc pieces into its directory + src: move all iptables pieces into a separate directory + tests: add some sample rulesets to test save-restore cycle + option: fix ignored negation before implicit extension loading + build: re-add missing CPPFLAGS for libiptc + +Maciej Å»enczykowski (1): + xtables-multi: fix absence of xml translator in IPv6-only builds + +Mike Frysinger (1): + build: move remaining preprocessor flags to CPPFLAGS + +Patrick McHardy (1): + Bump version to 1.4.11.1 + +Vlad Dogaru (1): + doc: fix MASQUERADE section of man page + + + +iptables v1.4.11 Changelog: +====================================================================== +Changes from 1.4.10: + + +Changli Gao (1): + iptables: fix the dead loop when meeting unknown options + +Florian Westphal (3): + libxt_conntrack: fix --ctdir save/dump output format + libxt_time: fix random --datestart skips + extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option + +JP Abgrall (1): + libxt_quota: make sure uint64 is not truncated + +Jan Engelhardt (218): + libxtables: change option precedence order to be intuitive + libxt_TOS: avoid an undesired overflowing computation + iptables: fix longopt reecognition and workaround getopt(3) behavior + Revert "Revert "libxtables: change option precedence order to be intuitive"" + Merge branch 'master' of git://dev.medozas.de/iptables into m2 + iptables: reset options at the start of each command + iptables: do not emit orig_opts twice + include: update files with headers from Linux 2.6.37-rc1 + TPROXY: add support for revision 1 + socket: add support for revision 1 + build: fix globbing of extensions in other locales + libxt_owner: output numeric IDs when save is requested + Merge commit 'v1.4.10' + build: stop on error in subcommand + src: const annotations + xt_comment: remove redundant cast + src: use C99/POSIX types + iptables: abort on empty interface specification + xtables: reorder num_old substraction for clarity + ip[6]tables: only call match's parse function when option char is in range + ip[6]tables: only call target's parse function when option char is in range + extensions: remove no longer necessary default: cases + libxt_sctp: fix a typo + libipt_CLUSTERIP: const annotations + libxtables: do some option structure checking + libxt_quota: print negation when it has been selected + libxt_connlimit: reword help text to say prefix length + libxt_connlimit: add a --connlimit-upto option + libxt_connlimit: support for dstaddr-supporting revision 1 + libxt_connlimit: remove duplicate member that caused size change + libxt_quota: clarifications on matching + iptables: improve error reporting with extension loading troubles + libxt_u32: enclose argument in quotes + xtables: set custom opts to NULL on free + iptables: warn when parameter limit is exceeded + iptables: remove bogus address-of + iptables: remove more redundant casts + iptables: do not print trailing whitespaces + src: collect do_command variables in a struct + src: move large default: block from do_command6 into its own function + src: share iptables_command_state across the two programs + src: deduplicate find_proto function + src: move OPT_FRAGMENT to the end so the list can be shared + src: put shared option flags into xshared + src: deduplicate and simplify implicit protocol extension loading + src: unclutter command_default function + src: move jump option handling from do_command6 into its own function + src: move match option handling from do_command6 into its own functions + iptables: fix error message for unknown options + iptables: fix segfault target option parsing + ip6tables: spacing fixes for -o argument + libxt_devgroup: option whitespace update following v1.4.10-49-g7386635 + extensions: fix indent of vtable + doc: fix wrong sentence about negation in xt_limit + doc: fix misspelling of "field" + extensions: remove redundant init functions + Remove unused CVS expanded keywords + libip6t_dst: remove unimplemented --dst-not-strict + libip6t_hbh: remove unimplemented --hbh-not-strict + extensions: add missing checks for specific flags + libipt_ECN: set proper option flags + doc: mention other possible nf_loggers for TRACE + doc: fix odd partial sentence in libipt_TTL + libxt_quota: require --quota to be specified + doc: rateest options can be optional + libxtables: fix memory scribble beyond end of array + iptables: fix an inversion + doc: add VERSION section to manpages + extensions: add missing checks for specific flags (2) + libxtables: guided option parser + libxt_CHECKSUM: use guided option parser + libxt_socket: use guided option parser + libxtables: provide better final_check + libxt_CONNSECMARK: use guided option parser + libxtables: XTTYPE_UINT32 support + libxt_cpu: use guided option parser + libxtables: min-max option support + libxt_cluster: use guided option parser + libxtables: XTTYPE_UINT8 support + libip[6]t_HL: use guided option parser + libip[6]t_hl: use guided option parser + libxtables: XTTYPE_UINT32RC support + libip[6]t_ah: use guided option parser + libip6t_frag: use guided option parser + libxt_esp: use guided option parser + libxtables: XTTYPE_STRING support + libip[6]t_REJECT: use guided option parser + libip6t_dst: use guided option parser + libip6t_hbh: use guided option parser + libip[6]t_icmp: use guided option parser + libip6t_ipv6header: use guided option parser + libipt_ECN: use guided option parser + libipt_addrtype: use guided option parser + libxt_AUDIT: use guided option parser + libxt_CLASSIFY: use guided option parser + libxt_DSCP: use guided option parser + libxt_LED: use guided option parser + libxt_SECMARK: use guided option parser + libxt_TCPOPTSTRIP: use guided option parser + libxt_comment: use guided option parser + libxt_helper: use guided option parser + libxt_physdev: use guided option parser + libxt_pkttype: use guided option parser + libxt_state: use guided option parser + libxt_time: use guided option parser + libxt_u32: use guided option parser + doc: avoid duplicate entries in manpage + libxtables: XTTYPE_MARKMASK32 support + libxt_MARK: use guided option parser + libxt_CONNMARK: use guided option parser + libxtables: XTTYPE_UINT64 support + libxt_quota: use guided option parser + libxtables: linked-list name<->id map + libxt_devgroup: use guided option parser + libipt_realm: use guided option parser + libxtables: XTTYPE_UINT16RC support + libxt_length: use guided option parser + libxt_tcpmss: use guided option parser + libxtables: XTTYPE_UINT8RC support + libxtables: XTTYPE_UINT64RC support + libxt_connbytes: use guided option parser + libxtables: XTTYPE_UINT16 support + libxt_CT: use guided option parser + libxt_NFQUEUE: use guided option parser + libxt_TCPMSS: use guided option parser + libxtables: pass struct xt_entry_{match,target} to x6 parser + libxt_string: use guided option parser + libxtables: XTTYPE_SYSLOGLEVEL support + libip[6]t_LOG: use guided option parser + libxtables: XTTYPE_ONEHOST support + libxtables: XTTYPE_PORT support + libxt_TPROXY: use guided option parser + libipt_ULOG: use guided option parser + build: bump libxtables ABI version + libxt_TEE: use guided option parser + xtoptions: respect return value in xtables_getportbyname + libxt_TOS: use guided option parser + libxt_tos: use guided option parser + extensions: remove unused TOS code + libxtables: XTTYPE_PORTRC support + libxt_udp: use guided option parser + libxt_dccp: use guided option parser + libxt_tos: add inversion support back again + libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC) + libxt_u32: add missing call to xtables_option_parse + extensions: remove bogus use of XT_GETOPT_TABLEEND + libxt_owner: remove ifdef IPT_COMM_OWNER + libxtables: output name of extension on rev detect failure + extensions: const annotations + libxt_statistic: streamline and document possible placement of negation + libxt_statistic: increase precision on create and dump + libxtables: XTTYPE_DOUBLE support + libxt_statistic: use guided option parser + libxt_IDLETIMER: use guided option parser + libxt_NFLOG: use guided option parser + libxtables: support for XTTYPE_PLENMASK + libxt_connlimit: use guided option parser + libxt_recent: use guided option parser + libxtables: do not overlay addr and mask parts, and cleanup + libxtables: flag invalid uses of XTOPT_PUT + libxtables: XTTYPE_PLEN support + libxt_hashlimit: use guided option parser + libxtables: XTTYPE_HOSTMASK support + libxt_policy: use guided option parser + libxt_owner: use guided option parser + libxt_osf: use guided option parser + libxt_multiport: use guided option parser + libipt_NETMAP: use guided option parser + libxt_limit: use guided option parser + libxtables: XTTYPE_PROTOCOL support + libxt_ipvs: use guided option parser + doc: S/DNAT allows to omit IP addresses + libxt_conntrack: use guided option parser + libip6t_mh: use guided option parser + libip6t_rt: use guided option parser + libxtables: XTTYPE_ETHERMAC support + libxt_mac: use guided option parser + libipt_CLUSTERIP: use guided option parser + libxt_iprange: use guided option parser + libipt_DNAT: use guided option parser + libipt_SNAT: use guided option parser + libipt_MASQUERADE: use guided option parser + libipt_REDIRECT: use guided option parser + libipt_SAME: use guided option parser + src: replace old IP*T_ALIGN macros + src: combine default_command functions + libxt_policy: option table fixes, improved error tracking + libxtables: avoid running into .also checks when option not used + libxt_policy: use XTTYPE_PROTOCOL type + libxtables: collapse double protocol parsing + libipt_[SD]NAT: flag up module name on error + libipt_[SD]NAT: avoid false error about multiple destinations specified + libxt_conntrack: correct printed module name + libxt_conntrack: fix assignment to wrong member + libxt_conntrack: resolve erroneous rev-2 port range message + libip6t_rt: rt-0-not-strict should take no arg + libxtables: retract _NE types and use a flag instead + libxt_quota: readd missing XTOPT_PUT request + libxtables: check for negative numbers in xtables_strtou* + libxt_rateest: streamline case display of units + doc: add some coded option examples to libxt_hashlimit + doc: make usage of libxt_rateest more obvious + doc: clarify that -p all is a special keyword only + doc: use .IP list for TCPMSS + doc: remove redundant .IP calls in libxt_time + libxt_ipvs: restore network-byte order + libxt_u32: --u32 option is required + libip6t_rt: restore --rt-type storing + libxtables: more detailed error message on multi-int parsing + libxtables: use uintmax for xtables_strtoul + libxtables: make multiint parser have greater range + libxtables: unclutter xtopt_parse_mint + libxtables: have xtopt_parse_mint interpret partially-spec'd ranges + libxt_NFQUEUE: avoid double attempt at parsing + libxt_NFQUEUE: add mutual exclusion between qnum and qbal + libxt_time: always ignore libc timezone + libxt_time: --utc and --localtz are mutually exclusive + libxt_time: deprecate --localtz option, document kernel TZ caveats + +Jozsef Kadlecsik (3): + Fix listing/saving the new revision of the SET target + Fix set match/target direction parser + SET target revision 2 added + +Li Yewang (1): + xtables: fix typo in error message of xtables_register_match() + +Lutz Jaenicke (2): + libipt_REDIRECT: "--to-ports" is not mandatory + libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags + +Maciej Zenczykowski (20): + man pages: allow underscores in match and target names + mark newly opened fds as FD_CLOEXEC (close on exec) + xtables_ip6addr_to_numeric: fix typo in comment + xtables: delay (statically built) match/target initialization + v4: rename init_extensions() to init_extensions4() + v6: rename init_extensions() to init_extensions6() + xtables.h: init_extensions() no longer exists + v4: rename for_each_chain() to for_each_chain4() + v6: rename for_each_chain() to for_each_chain6() + v4: rename flush_entries() to flush_entries4() + v6: rename flush_entries() to flush_entries6() + v4: rename delete_chain() to delete_chain4() + v6: rename delete_chain() to delete_chain6() + v4: rename print_rule() to print_rule4() + v6: rename print_rule() to print_rule6() + v4: rename do_command() to do_command4() + v6: rename do_command() to do_command6() + move 'int line' definition from ip6?tables.c into xtables.c + convert ip6?tables-multi to actually use their own header files + Don't load ip6?_tables module when already loaded + +Maciej Å»enczykowski (3): + Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}. + Move common parts of libext{4,6}.a into libext.a + combine ip6?tables-multi into xtables-multi + +Mark Montague (1): + iptables: documentation for iptables and ip6tables "security" tables + +Max Kellerman (1): + xtables: use strspn() to check if string needs to be quoted + +Pablo Neira Ayuso (1): + libxt_cluster: fix inversion in the cluster match + +Patrick McHardy (16): + Revert "libxtables: change option precedence order to be intuitive" + Merge branch 'master' of git://dev.medozas.de/iptables + extensions: libxt_conntrack: add support for specifying port ranges + extensions: add extension for devgroup match + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables + Merge branch 'opts' of git://dev.medozas.de/iptables + Merge branch 'opts' of git://dev.medozas.de/iptables + Merge branch 'floating/opts' of git://dev.medozas.de/iptables + Merge branch 'opts' of git://dev.medozas.de/iptables + Merge branch 'opts' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'opts' of git://dev.medozas.de/iptables + Merge branch 'floating/opts' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Bump version to 1.4.11 + +Rob Leslie (1): + iptables-restore: resolve confusing policy error message + +Stefan Tomanek (2): + ip(6)tables-multi: unify subcommand handling + iptables: add -C to check for existing rules + +Stephen Beahm (1): + libipt_REDIRECT: avoid dereference of uninitialized pointer + +Thomas Graf (2): + libxt_AUDIT: add AUDIT target + iptables: add manual page section for AUDIT target + +Wes Campaigne (4): + libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6 + xtables: fix excessive memory allocation in host_to_ipaddr + xtables: fix the broken detection/removal of redundant addresses + xtables: use all IPv6 addresses resolved from a hostname + + + +iptables v1.4.10 Changelog: +====================================================================== +Changes from 1.4.9: + + +Changli Gao (1): + libxt_quota: don't ignore the quota value on deletion + +Eric Dumazet (2): + extensions: REDIRECT: add random help + extension: add xt_cpu match + +Hannes Eder (1): + libxt_ipvs: user-space lib for netfilter matcher xt_ipvs + +Jan Engelhardt (11): + doc: let man(1) autoalign the text in xt_cpu + doc: remove extra empty line from xt_cpu + doc: minimal spelling updates to xt_cpu + all: consistent syntax use in struct option + doc: consistent use of markup + xtables: remove unnecessary cast + build: fix static linking + iptables-xml: resolve compiler warnings + iptables: limit chain name length to be consistent with targets + libiptc: build with -Wl,--no-as-needed + libiptc: add Libs.private to pkgconfig files + +Luciano Coelho (2): + extensions: add idletimer xt target extension + extensions: libxt_IDLETIMER: use xtables_param_act when checking options + +Michael S. Tsirkin (1): + extensions: libxt_CHECKSUM extension + +Patrick McHardy (6): + extensions: libipt_LOG/libip6t_LOG: support macdecode option + extensions: fix compilation of the new CHECKSUM target + Merge branch 'master' into iptables-next + Merge branch 'master' into iptables-next + Merge branch 'iptables-next' + Bump version to 1.4.10 + + + +iptables v1.4.9 Changelog: +====================================================================== +Changes from 1.4.8: + + +Adam Nielsen (1): + extensions: add the LED target + +Eric Dumazet (1): + extensions: REDIRECT: add random help + +Jan Engelhardt (10): + utils: add missing include flags to Makefile + doc: xt_string: correct copy-and-pasting in manpage + doc: xt_hashlimit: fix a typo + doc: xt_LED: nroff formatting requirements + includes: sync header files from Linux 2.6.35-rc1 + xtables: another try at chain name length checking + xtables: remove xtables_set_revision function + libxt_hashlimit: always print burst value + libxt_conntrack: do print netmask + xt_quota: also document negation + +Jozsef Kadlecsik (1): + libxt_set: new revision added + +Luciano Coelho (2): + extensions: libxt_rateest: fix typo in the man page + extensions: libxt_rateest: fix bps options for iptables-save + +Patrick McHardy (5): + Revert "Revert "Merge branch 'iptables-next'"" + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables + Bump version to 1.4.9 + +Samuel Ortiz (1): + extensions: libxt_quota.c: Support option negation + +Shan Wei (2): + xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension + xt_sctp: support FORWARD_TSN chunk type + + + +iptables v1.4.8 Changelog: +====================================================================== +Changes from 1.4.7: + + +Dmitry V. Levin (3): + extensions: REDIRECT: fix --to-ports parser + iptables: add noreturn attribute to exit_tryhelp() + extensions: MASQUERADE: fix --to-ports parser + +Jan Engelhardt (9): + libxt_comment: avoid use of IPv4-specific examples + libxt_CT: add a manpage + iptables: correctly check for too-long chain/target/match names + doc: libxt_MARK: no longer restricted to mangle table + doc: remove claim that TCPMSS is limited to mangle + libxt_recent: add a missing space in output + doc: add manpage for libxt_osf + libxt_osf: import nfnl_osf program + extensions: add support for xt_TEE + +Karl Hiramoto (1): + iptables: optionally disable largefile support + +Pablo Neira Ayuso (1): + CT: fix --ctevents parsing + +Patrick McHardy (7): + extensions: add CT extension + libxt_CT: print conntrack zone in ->print/->save + Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next + xtables: fix compilation when debugging is enabled + Merge branch 'iptables-next' + Revert "Merge branch 'iptables-next'" + Bump version to 1.4.8 + +Simon Lodal (1): + libxt_conntrack: document --ctstate UNTRACKED + +Vincent Bernat (1): + iprange: fix xt_iprange v0 parsing + + + +iptables v1.4.7 Changelog: +====================================================================== +Changes from 1.4.6: + + +Dmitry V. Levin (1): + libip4tc: Add static qualifier to dump_entry() + +Jan Engelhardt (8): + libipq: build as shared library + recent: reorder cases in code (cosmetic cleanup) + doc: fix recent manpage to reflect actual supported syntax + doc: fix limit manpage to reflect actual supported syntax + doc: mention requirement of additional packages for ipset + policy: fix error message showing wrong option + includes: header updates + Lift restrictions on interface names + +Patrick McHardy (1): + iptables 1.4.7 + + + +iptables v1.4.6 Changelog: +====================================================================== +Changes from 1.4.5: + + +Jan Engelhardt (20): + iptables: manpage updates for augmented -Z syntax + doc: mention maximum mark size in manpages + Support for nommu arches + realm: remove static initializations + libiptc: remove unused functions + libiptc: avoid strict-aliasing warnings + iprange: do accept non-ranges for xt_iprange v1 + iprange: warn on reverse range + iprange: roll address parsing into a loop + iprange: do accept non-ranges for xt_iprange v1 (log) + iprange: warn on reverse range (log) + libiptc: fix wrong maptype of base chain counters on restore + iptables: fix undersized deletion mask creation + style: reduce indent in xtables_check_inverse + libxtables: hand argv to xtables_check_inverse + iptables/extensions: make bundled options work again + CONNMARK: print mark rules with mask 0xffffffff as set instead of xset + iptables: take masks into consideration for replace command + doc: explain experienced --hitcount limit + doc: name resolution clarification + +Mohit Mehta (1): + iptables: expose option to zero packet/byte counters for a specific rule + +Olaf Rempel (1): + build: restore --disable-ipv6 functionality on system w/o v6 headers + +Patrick McHardy (7): + Merge branch 'zero' of git://dev.medozas.de/iptables + MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark + DNAT: fix incorrect check during parsing + extensions: add osf extension + conntrack: fix --expires parsing + Merge branch 'master' of git://dev.medozas.de/iptables + Bump version to v1.4.6 + +Tim Small (1): + doc: update TCPMSS manpage with Linux 2.6.25 changes + +sobtwmxt (1): + doc: fix typo in length manpage + + + +iptables v1.4.5 Changelog: +====================================================================== +Changes from 1.4.4: + + +Florian Westphal (1): + libxt_NFQUEUE: add new v1 version with queue-balance option + +Jan Engelhardt (18): + xt_conntrack: revision 2 for enlarged state_mask member + libxt_helper: fix invalid passed option to check_inverse + libiptc: split v4 and v6 + extensions: collapse registration structures + iptables: allow for parse-less extensions + iptables: allow for help-less extensions + extensions: remove empty help and parse functions + xtables: add multi-registration functions + extensions: collapse data variables to use multi-reg calls + xtables: warn of missing version identifier in extensions + COMMIT_NOTES: notice to check for soversion bumps + build: order of dependent libs is sensitive + multi binary: allow subcommand via argv[1] + build: fix struct size mismatch + build: combine iptables-multi and iptables-static + build: build only iptables-multi + Merge branch 'stable' + manpages: more fixes to minuses, hyphens, dashes + +Laurence J. Lane (1): + manpage: fix lintian warnings + +Michael Granzow (1): + iptables: accept multiple IP address specifications for -s, -d + +Patrick McHardy (2): + man: fix incorrect plural in libipt_set.man + Bump version number to 1.4.5 + +Trent W. Buck (1): + ipt_set: fix a typo in the manpage + + +iptables v1.4.4 Changelog: +====================================================================== +Changes from 1.4.3.2: + + +Frank Tobin (1): + libxt_tcp: fix a manpage syntax typo + +Ian Bruce (1): + libxt_tcp: manpage corrections and suggestions + +Jan Engelhardt (15): + Add new COMMIT_NOTES document + xtables: use extern "C" + extensions: add const qualifiers in print/save functions + iptables: replace open-coded sizeof by ARRAY_SIZE + addrtype: fix one manpage type + manpages: do not include v4-only modules in ip6tables manpage + libip6t_policy: remove redundant functions + policy: use direct xt_policy_info instead of ipt/ip6t + policy: merge ipv6 and ipv4 variant + build: fix manpage collection + extensions: use NFPROTO_UNSPEC for .family field + DNAT/SNAT: add manpage documentation for --persistent flag + extensions: remove redundant casts + iptables: close open file descriptors + manpages: markup corrections + +Jozsef Kadlecsik (1): + Updated set/SET match and target to support multiple ipset protocols. + +Pablo Neira Ayuso (2): + extensions: add `cluster' match support + xtables: fix segfault if incorrect protocol name is used + +Patrick McHardy (3): + SNAT/DNAT: add support for persistent multi-range NAT mappings + Merge branch 'stable' of git://dev.medozas.de/iptables + Bump version + +kd6lvw (1): + libxt_connlimit: initialize v6_mask + + + +iptables v1.4.3.2 Changelog: +====================================================================== +Changes from 1.4.3.1: + + +Jan Engelhardt (12): + libxt_tcpmss: fix an inversion while parsing --mss + iptables-multi: support "iptables-static" as a callable name + libxtables: reorder .version member + build: do not run ldconfig for DESTDIR installations + build: add configure option to disable ip6tables + build: add configure option to disable ipv4 iptables + libxtables: provide IPv6 zero address variable + iptables: print negation extrapositioned + Merge commit 'v1.4.3' + Merge branch 'plus' + CLASSIFY: document non-standard interpretation behavior + libxt_conntrack: properly output negation symbol + +Pablo Neira Ayuso (1): + build: bump version to 1.4.3.2 + + +iptables v1.4.3.1 Changelog: +====================================================================== +Changes from 1.4.3: + + +Jan Engelhardt (2): + iptables-save: minor corrections to the manpage markup + libxt_hashlimit: add missing space for iptables-save output + +Pablo Neira Ayuso (2): + build: bump version to 1.4.3.1 + iptables: refer to dmesg if we hit EINVAL + +Peter Volkov (2): + libxtables: fix compile error due to incomplete change + build: fix linker issue when LDFLAGS contains --as-needed + + + +iptables v1.4.3 Changelog: +====================================================================== +Changes from 1.4.2: + + +Bart De Schuymer (1): + man: fix physdev manpage + +Christian Perle (1): + libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff + +Christoph Paasch (1): + libiptc: avoid compile warnings for iptc_insert_chain + +Daniel Drake (1): + libxt_owner: add more spaces to output + +Eric Leblond (1): + xt_NFLOG: Set default NFLOG qthreshold to 0 + +Jamal Hadi Salim (12): + libxtables: Introduce global params structuring + libxtables: define xtables_free_opts() + libxtables: Add exit_error cb to xtables_globals + libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals + libxtables: Replace direct exit_error() calls inside libxtables + libxtables: simple aliasing macro for exit_error + libxtables: set names of programs + libxtables: add xtables_set_revision + libxtables: make iptables and ip6tables use xtables_free_opts + libxtables: consolidate merge_options into xtables_merge_options + libxtables: consolidate init calls into one function + libxtables: general follow-up cleanup + +Jan Engelhardt (84): + Move libipt_recent to libxt_recent + libxt_recent: add IPv6 support + manpage: use separate paragraphs for command syntax + manpage: explain what rule-specification is + libiptc: remove typedef indirection + libiptc: remove indirections + libiptc: remove unused iptc_get_raw_socket and iptc_check_packet + libiptc: use hex output for hookmask + libxt_conntrack: respect -n option during ruledump + libiptc: make sockfd a per-handle thing + libxt_conntrack: dump ctdir + src: reuse the global modprobe_program variable + src: use NFPROTO_ constants + src: remove inclusion of iptables.h + doc: fix a typo in libip6t_REJECT.man + libiptc: guard chain index allocation for different malloc implementations + src: remove unused include files + iptables-save: output ! in position according to manpage + rateest: guard against segfault + env: augment deprecation notice + build: resolve autotools suggestions + doc: put iptables version into manpage + doc: resynchronize markup in iptables,ip6tables.8.in + doc: escape minus sign in manpages + build: use regular = assignments in Makefile + build: remove non-portable rule + doc: escape minus sign in manpage (2) + doc: augment ICMP manpage by type/code syntax + src: remove redundant returns at end of void-returning functions + src: remove redundant casts + libxt_owner: use correct UID/GID boundaries + extensions: use UINT_MAX constants over open-coded bits (1/2) + extensions: use UINT_MAX constants over open-coded numbers (2/2) + libxtables: prefix/order - fw_xalloc + libxtables: prefix/order - modprobe and xtables.ko loading + libxtables: prefix/order - match/target loading + libxtables: prefix/order - libdir + libxtables: prefix/order - strtoui + libxtables: prefix/order - program_name + libxtables: prefix/order - param_act + libxtables: prefix/order - ipaddr/ipmask to ascii output + libxtables: prefix/order - ascii to ipaddr/ipmask input + libxtables: prefix - misc functions + libxtables: prefix - parse and escaped output func + libxtables: prefix/order - move check_inverse to xtables.c + libxtables: prefix/order - move parse_protocol to xtables.c + libbxtables: prefix names and order it #1 + libxtables: prefix names and order it #2 + libxtables: prefix names and order #3 + libxtables: move afinfo around + Merge branch 'origin/master' + libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable + build: move -ldl to proper LDADD + libxtables: remove unused XT_LIB_DIR macro + libxtables: decouple non-xtables parts from header + src: remove iptables_rule_match indirection macro + src: remove unused ipt_tryload macro + libxtables: move compat defines to xtables.c + src: consolidate duplicate code in iptables/internal.h + libxtables: use const for vars holding literals + libxt_string: fix undefined behavior/incorrect patlen calculation + libxtables: flush before fork + libipq: add missing doc for NF_ values + build: restructure Makefile for include/ directory + libipq: fix compile error + build: remove unneeded -ldl from iptables_xml_LDADD + libiptc: make library available as a shared library + build: trigger reconfigure when extensions/GNUmakefile.in changes + doc: do not put IPv4 doc into ip6tables.8 + doc: resynchronize manpage with in-code help + libxtables: inline and remove unused OPTION_OFFSET macro + libxtables: prefix exit_error to xtables_error + extensions: remove unwanted/add needed includes for IPv6 exts + extensions: remove unwanted/add needed includes for IPv4 exts + libxt_policy: use bounded strtoui + include: resynchronize headers with 2.6.29-rc5 + extensions: add missing limits.h include + iptables: turn deprecation warning into enforcing mode + Merge commit 'nf/master' + libxt_connbytes: minor manpage adustments + libxt_connbytes: document nf_ct_acct behavior + libxtables: add -I/-L flags to pkgconfig files + libxt_comment: output quotes must be escaped in + iptables-save: module loading corrections + +Jesper Dangaard Brouer (3): + libiptc: fix chain rename bug in libiptc + libiptc: fix whitespaces and typos + libiptc: give credits to my self + +Jirí Moravec (1): + libxt_TOS: fix compilation error + +KOVACS Krisztian (2): + Add iptables support for the TPROXY target + Add iptables support for the socket match + +Marc Fournier (1): + doc: fix option typo in libxt_multiport + +Pablo Neira Ayuso (5): + iptables: fix error reporting with wrong/missing arguments + state: report spaces in the state list parsing + iptables: refer to dmesg when we hit error + string: fix wrong pattern length calculation + iptables: fix broken options-merging during libxtables rework + +Patrick McHardy (5): + Add SCTP/DCCP support to NAT targets + Bump version to 1.4.3-rc1 + Merge branch 'master' of git://dev.medozas.de/iptables + Merge branch 'master' of git://dev.medozas.de/iptables + Bump version to 1.4.3 + +Shaul Karl (1): + doc: fix one layout issue in iptables-restore.8 + +Stephen Hemminger (1): + iptables: Add limits.h to get INT_MIN, INT_MAX, ... + +Thomas Jarosch (2): + Fix compile error in libxt_iprange.c using gcc 4.3.2 + Fix compile warnings using gcc 4.3.2 + + +iptables v1.4.2 Changelog: +====================================================================== +Changes from 1.4.2-rc1: + +Jan Engelhard (1): + build: fix iptables-static build + +Jan Engelhardt (26): + build: do not install ip{,6}tables.h + Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables + manpages: name and markup fixes + src: remove dependency on libiptc headers + src: drop libiptc from installation + iptables-restore: fix segmentation fault with -tanything + libxt_recent: do not allow both --set and --rttl + Put xtables.c into its own library, libxtables.so + manpages: correct erroneous markup + physdev: remove extra space in output + Warn about use of DROP in nat table + Synchronize invert flag order with manpages + build: fix dependency tracking for xtables.h.in + build: fix initext.c dependency + manpages: add missing --rsource,--rdest options to libxt_recent.man + manpages: add missing rateest documentation + manpages: add missing rateest match documentation + libxt_mac: flatten casts in libxt_mac + libxt_iprange: fix option names + src: use regular includes + src: Update comments + build: prepare make tarball for git 1.6.0 + libxt_recent: do allow --rttl for --update + src: update comments part II + build: run ldconfig on `make install` + doc: remove mentions of NAT in ip6tables manpage + +Jesper Dangaard Brouer (1): + libiptc: remove old fixme + +Pablo Sebastian Greco (1): + mark: fix invalid iptables-save output + +Patrick McHardy (2): + manpages: fix another typo in tcp manpage + v1.4.2 + +Phil Oester (3): + iptables-save: fix hashlimit output + libxt_dscp: fix save of negated dscp match rules + src: Missing limits.h includes + +WANG Cong (1): + manpages: Fix a typo in tcp man page + + + +iptables v1.4.1-rc1 Changelog: +====================================================================== +Changes from 1.4.0: + +Peter Warasin: + Fix CONNMARK mask initialisation + +Jesper Dangaard Brouer: + Inline functions iptcc_is_builtin() and set_changed() + Introduce a counter for number of user defined chains + Solving scalability issue: for chain list "name" searching + +Patrick McHardy: + Add RATEEST target extension + Add rateest match extension + Remove obsolete file + Add netfilter.h + Remove compiler.h inclusions + Retry ruleset dump when kernel returns EAGAIN + +Pablo Neira Ayuso: + Cleanup several code wraparounds + Check for malloc() return value in merge_opts() + Check for merge_opts() return value + +Jan Engelhardt: + Converts the iptables build infrastructure to autotools + Introduce strtonum() + Introduce common error messages + Add libxt_owner + Add libxt_tos + Add libxt_TOS + Add libxt_MARK r2 + Add libxt_connmark r1 + Print warning when dlopen fails + Add libxt_conntrack r0 + Bunch o' renames + Rename overlapping function names + Add more libxt_hashlimit checks + Add libxt_mark r1 + Add libxt_iprange r0 + Add libxt_iprange r1 + Give preference to iptables header files + Build adjustments + Add libxt_CONNMARK revision 1 + Add libxt_conntrack revision 1 + libxt_owner: UID/GID range support + Fix compilation of iptables-static build + Correct the family member value of libxt_mark revision 1 + Makefile: add a "tarball" target + Drop -W from CFLAGS and some tiny code cleanups + Fix -Wshadow warnings and clean up xt_sctp.h + Update the libxt_owner manpage with the UID/GID-range feature + Fix all remaining warnings (missing declarations, missing prototypes) + xtables.h: move non-exported parts to internal.h + Add support for xt_hashlimit match revision 1 + Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR + manpages: fix broken markup (missing close tags) + manpages: grammar and spelling + manpages: update to reflect fine-grained control + configure: split --enable-libipq from --enable-devel + Import iptables-apply + Add all necessary header files - compilation fix for various cases + Install libiptc header files because xtables.h depends on it + iptables: use C99 lists for struct options + RATEEST: add manpage + Implement AF_UNSPEC as a wildcard for extensions + Combine ipt and ip6t manpages + Resolve warnings on 64-bit compile + Wrap dlopen code into NO_SHARED_LIBS + Remove support for compilation of conditional extensions + Resolve libipt_set warnings + Update documentation about building the package + configure.ac: AC_SUBST must be separate + Dynamically create xtables.h.in with version + configure.ac: remove already-defined variables + Remove old functions, constants + Properly initialize revision for ip6tables targets + Makefile.am: use PACKAGE_TARNAME + iptables out-of-tree build directory + +Sven Schnelle: + Add libxt_TCPOPTSTRIP + +Max Kellermann: + Fix REDIRECT manpage + Whitespace cleanup + Use size_t + Escape strings + Unescape parameters + Allow empty strings in argument parser + Fix gcc warnings + +Naohiro Ooiwa: + Fix define value of SCTP chunk type + +Filippo Zangheri: + Remove useless white spaces from iptables-xml manpages + +James King: + libxt_iprange: Fix IP validation logic + +Shan Wei: + iptables-save: remove unnecessary code + +Henrik Nordstrom: + Make iptables-restore usable over a pipe + Add support for --set-counters to iptables -P + iptables --list-rules command + iptables --list chain rulenum + Make --set-counters (-c) accept comma separated counters + +Jamie Strandboge: + Fix ip6tables dest address printing + + + +iptables v1.4.1.1 Changelog +===================================================================== + +Henrik Nordstrom (1): + iptables: fix printing of line numbers with --line-numbers arg + +Jan Engelhardt (3): + ip6tables: fix printing of ipv6 network masks + build: fix `make install` when --disable-shared is used + iprange: kernel flags were not set + +Patrick McHardy (1): + v1.4.1.1 + + + +iptables v1.4.1 Changelog +====================================================================== + +Filippo Zangheri (1): + removes useless white spaces from iptables-xml manpages. + +Gáspár Lajos (1): + iptables: use C99 lists for struct options + +Henrik Nordstrom (5): + Make iptables-restore usable over a pipe + Add support for --set-counters to iptables -P + iptables --list-rules command + iptables --list chain rulenum + Make --set-counters (-c) accept comma separated counters + +James King (1): + [IPTABLES]: libxt_iprange: Fix IP validation logic + +Jamie Strandboge (1): + fix ip6tables dest address printing + +Jan Engelhardt (55): + Converts the iptables build infrastructure to autotools. + Introduce strtonum(), which works like string_to_number(), but passes + common error messages + libxt_owner + libxt_tos + libxt_TOS + libxt_MARK r2 + libxt_connmark r1 + print warning when dlopen fails + libxt_conntrack r0 + bunch o' renames + rename overlapping function names + libxt_hashlimit checks + libxt_mark r1 + libxt_iprange r0 + libxt_iprange r1 + Give preference to iptables header files + Build adjustments + libxt_CONNMARK revision 1 + [IPTABLES]: libxt_conntrack revision 1 + [IPTABLES]: libxt_owner: UID/GID range support + Fix compilation of iptables-static build + Correct the family member value of libxt_mark revision 1 + Makefile: add a "tarball" target + Drop -W from CFLAGS and some tiny code cleanups + Fix -Wshadow warnings and clean up xt_sctp.h + Update the libxt_owner manpage with the UID/GID-range feature + Fix all remaining warnings (missing declarations, missing prototypes) + xtables.h: move non-exported parts to internal.h + Add support for xt_hashlimit match revision 1 + Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR + manpages: fix broken markup (missing close tags) + manpages: grammar and spelling + manpages: update to reflect fine-grained control + configure: split --enable-libipq from --enable-devel + Add all necessary header files - compilation fix for various cases + Install libiptc header files because xtables.h depends on it + RATEEST: add manpage + Implement AF_UNSPEC as a wildcard for extensions + Combine ipt and ip6t manpages + Resolve warnings on 64-bit compile + Wrap dlopen code into NO_SHARED_LIBS + Remove support for compilation of conditional extensions + Resolve libipt_set warnings + Update documentation about building the package + configure.ac: AC_SUBST must be separate + Dynamically create xtables.h.in with version + configure.ac: remove already-defined variables + Remove old functions, constants + Makefile.am: use PACKAGE_TARNAME + iptables out-of-tree build directory + Update .gitignore + build: check for missing feature files + libxt_owner: add spaces to output + manpage updates + +Jesper Dangaard Brouer (3): + Inline functions iptcc_is_builtin() and set_changed(). + Introduce a counter for number of user defined chains. + Solving scalability issue: for chain list "name" searching. + +Kristof Provost (1): + REDIRECT: Allow symbolic port in REDIRECT --to-port + +Laszlo Attila Toth (1): + addrtype match: added revision 1 + +Lutz Jaenicke (1): + Fix iptables-save output of libxt_owner match + +Martin F. Krafft (1): + Import iptables-apply + +Max Kellermann (7): + Fix REDIRECT manpage + whitespace cleanup + use size_t + escape strings + unescape parameters + allow empty strings in argument parser + fix gcc warnings + +Naohiro Ooiwa (1): + Fix define value of SCTP chunk type. + +Pablo Neira Ayuso (2): + - cleanup several code wraparounds + bump iptables version to prepare 1.4.1 release + +Patrick McHardy (16): + Add RATEEST target extension + Add rateest match extension + Remove obsolete file + Add netfilter.h + Remove compiler.h inclusions. + Retry ruleset dump when kernel returns EAGAIN. + Properly initialize revision for ip6tables targets + Bump version to 1.4.1-rc1 + iptables 1.4.1-rc2 + manpages: consistent syntax + Resync header files with kernel + Bump version + libiptc: move variable definitions to head of function + iptables-xml: sparse fixes + sparse warning fixes: integer used as pointer + v1.4.1 + +Peter Warasin (1): + Fix CONNMARK mask initialisation + +Shan Wei (1): + iptables-save:remove unnecessary code. + +Sven Schnelle (1): + libxt_TCPOPTSTRIP + +Thomas Jacob (1): + Don't assume /bin/sh is bash + +Thomas Jarosch (1): + Add xtables version defines. + +Yasuyuki Kozakai (1): + Use s6_addr32 to access bits in int6_addr instead of incompatible name + + + +iptables v1.4.0 Changelog +====================================================================== +Changes from 1.4.0rc1: + +- Don't use dlfcn.h if NO_SHARED_LIBS is defined + [ Mike Frysinger ] + +- Fix showing help text for matches/targets with revision as user + [ Patrick McHardy ] + +- Print warnings to stderr + [ Max Kellermann ] + +- Fix sscanf type errors + [ Patrick McHardy ] + +- Always print mask in iptables-save + [ Jan Engelhardt ] + +- Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names + [ Victor Stinner ] + +- Adds --table to iptables-restore + [ Peter Warasin ] + +- Make DO_MULTI=1 work for ip6tables* binaries + [ Hann-huei Chiou ] + +- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing +warnings + [ Patrick McHardy ] + +- Introducing libxt_*.man files. Sorted matches and modules + [ Laszlo Attila Toth ] + +- Install ip6tables-{save,restore} manpages + [ Patrick McHardy ] + +- Performance optimization in sorting chain during pull-out + [ Jesper Dangaard Brouer ] + +- Fix sockfd use accounting for kernels without autoloading + [ Patrick McHardy ] + +- use + [ Jan Engelhardt ] + +- Fix make/compile error for iptables-1.4.0rc1 + [ Jesper Dangaard Brouer ] + +- Fix for --random option in DNAT and REDIRECT + [ Tom Eastep ] + +- Document xt_statistic + [ Stefano Sabatini ] + +- sctp: fix - mistake to pass a pointer where array is required + [ Li Zefan ] + +- Fix connlimit output for inverted --connlimit-above: ! > is <=, not < + [ Patrick McHardy ] + +- Add NFLOG manpage + [ Patrick McHardy ] + +- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8 + [ Yasuyuki Kozakai ] + +- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man + [ Yasuyuki Kozakai ] + +- Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8 + [ Yasuyuki Kozakai ] + +- fix check_inverse() call + [ Jan Engelhardt ] + +- Bump version to 1.4.0 final + [ Pablo Neira Ayuso ] + + + +iptables v1.4.0rc1 Changelog +====================================================================== +Changes from 1.3.8: + +- Add support for generic xtables infrastructure (improved IPv6 support!) + [ Yasuyuki Kozakai ] + +- Deletes empty ->final_check() functions + [ Jan Engelhardt ] + +- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes + [ Patrick McHardy ] + +- Remove last vestiges of NFC + [ Peter Riley ] + +- Make @msg argument a const char *, just like printf + [ Jan Engelhardt ] + +- Makes it possible to omit extra_opts of matches/targets if unnecessary + [ Jan Engelhardt ] + +- Fix "iptables getsockopt failed strangely" when querying revisions for non-existant matches and targets + [ Patrick McHardy] + +- Introduces DEST_IPT_LIBDIR in Makefile + [ Yasuyuki Kozakai ] + +- Change default KERNEL_DIR location and add KBUILD_OUTPUT + [ Sven Wegener ] + +- Removes obsolete KERNEL_64_USERSPACE_32 definitions + [ Yasuyuki Kozakai ] + +- Fix unused function warning + [ Patrick McHardy ] + + + +iptables v1.3.8 Changelog +====================================================================== + +- Fix build error of conntrack match + [Yasuyuki Kozakai] + +- Remove whitespace in ip6tables.c + [Yasuyuki Kozakai] + +- `-p all' and `-p 0' should be allowed in ip6tables + [Yasuyuki Kozakai] + +- hashlimit doc update + [Jan Engelhardt] + +- add --random option to DNAT and REDIRECT + [Patrick McHardy] + +- Makefile uses POSIX conform directory check + [Roy Marples] + +- Fix missing newlines in iptables-save/restore output + [Pavol Rusnak] + +- Update quota manpage for SMP + [Phil Oester] + +- Output for unspecified proto is `all' instead of `0' + [Phil Oester] + +- Fix iptables-save with --random option + [Patrick McHardy] + +- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs + [Patrick McHardy] + +- Remove libnsl from LDLIBS + [Patrick McHardy] + +- Fix problem with iptables-restore and quotes + [Pablo Neira Ayuso] + +- Remove unnecessary includes + [Patrick McHardy] + +- Fix --modprobe parameter + [Maurice van der Pot] + +- ip6tables-restore should output error of modprobe after failed to load + [Yasuyuki Kozakai] + +- Add random option to SNAT + [Eric Leblond] + +- Fix missing space in error message + [Patrick McHardy] + +- Fixes for manpages of tcp, udp, and icmp{,6} + [Yasuyuki Kozakai] + +- Add ip6tables mh extension + [Masahide Nakamura] + +- Fix tcpmss manpage + [Patrick McHardy] + +- Add ip6tables TCPMSS extension + [Arnaud Ebalard] + +- Add UDPLITE multiport support + [Patrick McHardy] + +- Fix missing space in ruleset listing + [Patrick McHardy] + +- Remove extensions for unmaintained/obsolete patchlets + [Patrick McHardy] + +- Fix greedy debug grep + [Patrick McHardy] + +- Fix type in manpage + [Thomas Aktaia] + +- Fix compile/install error for iptables-xml with DO_MULTI=1 + [Lutz Jaenicke] + + + +iptables v1.3.7 Changelog +====================================================================== + +Bugs fixed since 1.3.6: + +- Fix compilation error with linux 2.6.19 + [ Patrick McHardy ] + +- Fix LOG target segfault with --log-prefix "" + [ Mike Frysinger, Bugzilla #516 ] + +- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET} + [ Yasuyuki KOZAKAI ] + +- Fix -E (rename) in iptables/ip6tables + [ Krzysztof Piotr Oledzki ] + +- Fix /etc/network usage + [ Pablo Neira ] + +- Fix iptables-save not printing -s/-d ! 0/0 + [ Patrick McHardy ] + +- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length + [ Daniel De Graaf ] + +New features since 1.3.6: + +- Add revision support for ip6tables + [ R?mi Denis-Courmont ] + +- Add port range support for ip6tables multiport match + [ R?mi Denis-Courmont ] + +- Add sctp match extension for ip6tables + [ Patrick McHardy ] + +- Add iptables-xml tool + [ Amin Azez ] + +- Add hashlimit support for ip6tables (needs kernel > 2.6.19) + [ Patrick McHardy ] + +- Use /limodules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source + [ Patrick McHardy ] + +- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19) + [ Patrick McHardy ] + + + +iptables v1.3.6 Changelog +====================================================================== + +Bugs fixed since 1.3.5: + +- Fix segfault on loading of invalid counters in ip[6]tables-restore + [ Bugzilla #437, Olaf Rempel ] + +- Fix double-free if a single match is used multiple times within a single rule + [ Bugzilla #440, Harald Welte ] + +- Don't try to resolve "-p all" using getprotoent() + [ Bugzilla #446, Harald Welte ] + +- Refuse never matching protocol specifications for ip6tables + [ Yasuyuki Kozakai ] + +- Fix iptables-save output of osf match + [ Daniel De Graaf ] + +- Fix esp/connbytes detection with newer kernels (x_tables) + [ Harald Welte ] + +- Fix loading of IPCMv6 match shared library + [ Yasuyuki Kozakai ] + +- Refuse invalid esp match SPI ranges + [ Yasuyuki Kozakai ] + +- Fix out-of-bounds memory access when the unsupported "check" command was used + [ Bugzilla #463, Larry Stefani, Harald Welte ] + +- Fix out-of-bounds memory access when the "-c" option was used + [ Bugzilla #462, Larry Stefani, Harald Welte ] + +- Fix "Unknown error 4294967295" message + [ Bugzilla #460, Patrick McHardy ] + +- Use lower-case letters for realm match output + [ Simon Lodal ] + +- Fix example in connlimit manpage + [ Phil Oester ] + +- Refuse IP addresses as arguments to REDIRECT target + [ Bugzilla #482, Phil Oester ] + +- Fix set match negation + [ Jozsef Kadlecsik ] + +- Fix some compiler warnings + [ Bugzilla #457, Phil Oester ] + +- Refuse port ranges in ip6tables multiport match + [ Bugzilla #451, Phil Oester ] + +- Force user to specify --ipcmv6-type if ipcmv6 match is used + [ Bugzilla #461, Yasuyuki Kozakai ] + +- Fix libiptc symbol clash + [ Bugzilla #456, Phil Oester ] + +- Remove "hoho" message + [ Pierre-Yves Ritschard ] + +- Handle CIDR notation more sanely + [ Bugzilla #422, Phil Oester ] + +- Fix chain reference increment bug + [ Jesper Brouer ] + +- Fix counter clearing for policy counters + [ Bugzilla #502, Andy Gay ] + +- Remove warnings about interface names with non-alphanumeric characters + [ Patrick McHardy ] + +New features since 1.3.5: + +- Support multiple matches of the same type within a single rule + [ Jozsef Kadlecsik ] + +- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) + [ Patrick McHardy ] + +- SELinux SECMARK target (needs kernel >= 2.6.18) + [ James Morris ] + +- SELinux CONNSECMARK target (needs kernel >= 2.6.18) + [ James Morris ] + +- Add documentation for DNAT target : syntax + [ Evan Miller ] + +- Add new exit value to indicate concurrency issues + [ Jesper Dangaard Brouer ] + +- Use gcc to build shared objects + [ Bugzilla #454, Phil Oester ] + +- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) + [ Phil Oester ] + +- Update MARK target documentation to include --and-mask/--or-mask + [ Eric Leblond ] + +- Add support for statistic match (needs kernel >= 2.6.18) + [ Patrick McHardy ] + +- Optionally read realm values from /etc/iproute2/rt_realms + [ Simon Lodal ] + +iptables v1.3.5 Changelog +====================================================================== +This version requires kernel >= 2.4.0 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.4: + +- Fix conntrack --ctproto option in iptables-save + [ Phil Oester ] + +- Fix string match '--from' option in iptables-save + [ Michael Rash ] + +- Fix option parser of ttl match + [ Patrick McHardy ] + +- Get rid of gcc-4 warnings + [ Patrick McHardy ] + +- Fix spelling of 'address' in DNAT/SNAT manpage section + [ MJ Anthony ] + +- Fix 'tcp-rst' parsing in REJECT target + [ Torsten Hilbrich ] + +- Fix probing for supported revisions + [ Jones Desougi ] + +- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO + [ Harald Welte ] + +- Only set revisions on real targets, not on jumps + [ Pablo Neira ] + +- Fix memory leak in TC_COMMIT() of libiptc + [ Markus Sundberg ] + +- Correctly propagate errors of setsockopt to calling function + [ Harald Welte ] + +- Fix connbytes match iptables-save + [ Unknown ] + +- Fix sctp match compilation against recent kernel headers + [ Harald Welte ] + +- Fix conntrack match compilation against 2.4.0 kernel headers + [ Harald Welte ] + +Changes from 1.3.4: + +- Add support for ip6tables connmark match and target + [ Harald Welte ] + +- Add support for ip6tables state match + [ Harald Welte ] + +- Add support for new policy ip[6]tables match + [ Patrick McHardy ] + +- Major manpage update + [ Yasuyuki Kozakai ] + +- Remove ippool support, it has been deprecated by ipset long time ago + [ Harald Welte ] + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.3.4 Changelog +====================================================================== +This version requires kernel >= 2.4.0 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.3: + +- Fix parsing of NFQUEUE queue numbers + [ Eric Leblond ] + +- Add documentation of --queue-num parameter to NFQUEUE manpage + [ Eric Leblond ] + +- Fix 'hash-init' parameter of CLUSTERIP target + [ KOVACS Krisztian ] + +- Fix CONNMARK match and target: Marks are now always 32bit + [ Deti Fliegl ] + +- Print error message when multiple "--to" DNAT/SNAT args are used + with kernel >= 2.6.10 + [ Phil Oester ] + +- Fix compilation of connbytes match with 2.6.14 kernel + [ Harald Welte ] + +- Fix address inversion of conntrack match + [ Tom Eastep ] + +- Fix sorting of chain names + [ Robert de Barth ] + +Changes from 1.3.2: + +- Add support for DCCP port and type matching + [ Harald Welte ] + +- Add support for new in-kernel string match + [ Pablo Neira ] + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.3.3 Changelog +====================================================================== +This version requires kernel >= 2.4.0 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.2: + +- Fix use-after-free in merge_options() + [ Markus Sundberg ] + +- Fix support for SNAT and DNAT to ICMP ID ranges + [ Patrick McHardy ] + +Changes from 1.3.2: + +- Add support for new NFQUEUE targets for IPv4 and IPv6 + [ Harald Welte ] + +- Minor manpage updates + [ Harald Welte ] + +- Fix numberous gcc-4 warnings throughout the code + [ Harald Welte ] + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.3.2 Changelog +====================================================================== +This version requires kernel >= 2.4.0 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.1: + +- Fix TCPLAG version + [ Torsten Luettgert ] + +- More error checking in SET target + [ Michal Pokrywka ] + +- Fix optflags value for OPT_LINENUMBERS + [ Jonas Berlin ] + +- Allow NULL init function in ip6tables plugins + [ Jonas Berlin ] + +- Don't allow newlines in LOG prefix + [ Phil Oester ] + +- Introduce ip_conntrack_old_tuple to userspace header copy + [ Pablo Neira ] + +- Fix connbytes command line parsing bug + [ Piotrek Kaczmarek ] + +- Ignore unknown arguments in libipt_ULOG + [ Patrick McHardy ] + +- Correct error in multiport manpage wrt. "--ports" + [ Rusty Russell ] + +- Fix CONNMARK save/restore + [ Tom Eastep, Pawel Sikora ] + +- Make sure chain name doesn't start with '!' + [ Yasuyuki Kozakai ] + +- Prevent user to specify negative ports in SNAT/DNAT + [ Yasuyuki Kozakai ] + +- Fix deletion of targets where kernel size != userspace size + [ Pablo Neira ] + +- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner + [ Harald Welte ] + +Changes from 1.3.1: + +- Add ``--log-uid'' option to ip6t_LOG target + [ Patrick McHardy ] + +- Improve REDIRECT manpage + [ Jonas Berlin ] + +- Add a number of missing manpage snippets + [ Jonas Berlin ] + +- Include FIN bit in mask of "--syn" bits + [ Harald Welte ] + +- Release previously merged options from merge_opts(), reduces memory-usage of + ipt ables-restore dramatically + [ Pablo Neira ] + +- OSF: changes to support connector notifications + [ Evgeniy Polyakov ] + +- Reduce code replication of parse_interface() + [ Yasuyuki Kozakai ] + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.3.1 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.0: + +- Fix CLUSTERIP rule deletion + [ Pablo Neira ] + +- Fix libip6t_random compilation + [ Harald Welte ] + +- Fix CONNMARK on 32bit userspace / 64bit kernel archs + [ Pablo Neira ] + +Changes from 1.3.0: + +- remove bogus NFC_* stuff in iptables + [ Pablo Neira ] + +- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order + [ Olaf Rempel ] + + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.3.0 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs fixed from 1.3.0rc1: + +- Fix realm match save/restore issue + [ Harald Welte ] + +- Fix hashlimit rule deletion from userspace + [ Samuel Jean ] + +- Fix hashlimit parameter handling / iptables-save + [ Nikolai Malykh ] + +- Fix multiport inversion + [ Phil Oester ] + +Bugs fixed from 1.2.11: + +- Fix compilation on systems where /bin/sh != bash + [ Jozsef Kadlecsik ] + +- Fix setting lib_dir in ip*tables-{save,restore} + [ Martin Josefsson ] + +- Fix module-autoloading in certain cases + [ Harald Welte ] + +- libipt_TTL: limit range of valid TTL to 0-255 + [ Maciej Soltysiak ] + +- libip6t_HL: limit range of valid HL to 0-255 + [ Maciej Soltysiak ] + +- libip{6}t_limit: Fix half-working limit invert check + [ Phil Oester ] + +- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters + [ Harald Welte ] + +- libipt_conntrack: Fix typo + [ Phil Oester ] + +- libipt_dstlimit: Fix half-working invert check + [ Phil Oester ] + +- libipt_helper: Prevent user from using --helper multiple times + [ Nicolas Bouliane ] + +- libipt_iprange: Print error message if --dst-range used twice + [ Nicolas Bouliane ] + +- libipt_nth: Fix help message syntax + [ Harald Welte ] + +- libipt_psd: Fix option parsing + [ Pablo Neira ] + +- libipt_random: Fix help message syntax + [ Harald Welte ] + +- libipt_realm: Fix inversion of options + [ Simon Lodal ] + +- libipt_time: Fix C++ style delayed variable definition + [ Olivier Clerget ] + +- libipt_time: Print message about time match not adhering daylight saving + [ Phil Oester ] + +- libipt_tos: Print Error message if --tos is specified twice + [ Nicolas Bouliane ] + +- libipt_ttl: Cleanup ttl option parsing + [ Phil Oester ] + +- libipt_u32: Fix option parsing + [ Piotr Gasid'o ] + + +Changes from 1.2.11: + +- libiptc: complete rewrite for performance reasons + [ Harald Welte, Martin Josefsson ] + +- introduce "DO_MULTI=1" mode to build a muilti-call binary + [ Bastiaan Bakker ] + +- code cleanup, use C99 initializers + [ Harald Welte, Pablo Neira ] + +- Extension revision number support (if kernel supports the getsockopts). + [ Rusty Russell ] + +- Don't need ipt_entry_target()/ip6t_entry_target(). + [ Rusty Russell ] + +- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds. + [ Rusty Russell ] + +- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables + [ Rusty Russell ] + +- Add manpage section about 'raw' table + [ Harald Welte ] + + +- libip{6}t_ROUTE: add ROUTE --tee mode + [ Patrick Schaaf ] + +- libip{6}t_multiport: Print Error message when `!' is used + [ Patrick McHardy, Phil Oester ] + +- New libip6t_physdev Match + [ Bart De Schuymer ] + +- libipt_CLUSTERIP: Fix compiler warning about const + [ Harald Welte ] + +- libipt_DNAT: Print Error message if `:' is used for port range +- libipt_SNAT: Print Error message if `:' is used for port range + [ Phil Oester ] + +- libipt_LOG: Add --log-uid option + [ John Lange ] + +- libipt_MARK: add bitwise operators + [ Henrik Nordstrom, Rusty Russell ] + +- libipt_SET: Update to ipset2 + [ Jozsef Kadlecsik ] + +- libipt_account: Update to 0.1.16 + [ Piotr Gasid'o ] + +- New libipt_comment Match + [ Brad Fisher ] + +- New libipt_hashlimit Match, supersedes dstlimit + [ Harald Welte ] + +- libipt_ttl: Use string_to_number() + [ Rusty Russell ] + + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) + + +iptables v1.2.11 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + + +Bugx Fixed from 1.2.10: + +- fix compilation on systems where /bin/sh != bash + [ Jozsef Kadlecsik ] + +Bugs Fixed from 1.2.9: + +- physdev match: fix new structure layout for kernel > 2.6.0-test8 + [ Bart De Schuymer ] + +- Better 64bit / 32bit split architecture detection +- IPv6 LOG target: Fix compiler warnings on 64bit +- LOG target: Fix compiler warnings on 64bit +- IPv6 MARK target: Use full 64bit mark on 64bit archs +- MARK target: Use full 64bit mark on 64bit archs +- SAME target: Fix 64bit/32bit splitarch problems +- ULOG target: Fix 64bit/32bit splitarch problems +- conntrack match: Fix 64bit/32bit splitarch problem +- IPv6 limit match: Fix 64bit/32bit splitarch problem +- limit match: Fix 64bit/32bit splitarch problem +- IPv6 mark match: Use full 64bit mark on 64bit archs +- mark match: Use full 64bit mark on 64bit archs +- owner match: Fix compiler warnings on 64bit + [ Martin Jofsefsson ] + +- connbytes match: Fix signedness / unsigned issue + [ Martin Josefsson ] + +- connlimit match: Fix '/0' netmask + [ David Ahern ] + +- ipv6 owner match: fix possibly not zero terminated string +- helper match: fix possibly not zero terminated string +- recent match: fix possibly not zero terminated string + [ Karsten Desler ] + +- ICMP match: fix '--icmp-type any' case + [ Harald Welte ] + +- CONNMARK target: major update (add mark/mask matching) + [ Henrik Nordstrom ] + +- DSCP target: Fix cosmetic help message problem + [ Maciej Soltysiak ] + +- string match: Fix iptables-save/restore for ascii strings with spaces + [ Michael Rash ] + +- ip(6)tables-restore: Make sure matches are used in the same order + [ Martin Josefsson ] + +- ip(6)tables-restore: Fix '--verbose' option +- ip(6)tables-restore: Add '--test' option +- ip(6)tables-restore: Complain about missing 'COMMIT' + [ Martin Josefsson ] + +- ip(6)tables-restore: Allow embedding of quote character in quoted strings + [ Michael Rash ] + +- libipq: Protect against spoofed queue messages (check if sender is kernel) + [ Harald Welte ] + + +Changes from 1.2.9: + +- time match: add 'datestart' and 'datestop' parameters + [ Fabrice Marie ] + +- modular manpage build, depending on actually compiled-in features + [ Henrik Nordstrom ] + +- additional documentation in manpage snippets formerly missing + [ Harald Welte ] + +- support new CLUSTERIP Target + [ Harald Welte ] + +- support new account match + [ Piotr Gasid'o ] + +- support new connrate match + [ Nuuti Kotivuori ] + +- support new dstlimit match + [ Harald Welte ] + +- support new 'set' match / 'SET' target + [ Jozsef Kadlecsik ] + +- osf match: add support for netlink reporting + [ Evgeniy Polyakov ] + +- new SCTP protocol match + [ Kiran Kumar ] + + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic/) + +Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, +distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) + + +iptables v1.2.10 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.9: + +- physdev match: fix new structure layout for kernel > 2.6.0-test8 + [ Bart De Schuymer ] + +- Better 64bit / 32bit split architecture detection +- IPv6 LOG target: Fix compiler warnings on 64bit +- LOG target: Fix compiler warnings on 64bit +- IPv6 MARK target: Use full 64bit mark on 64bit archs +- MARK target: Use full 64bit mark on 64bit archs +- SAME target: Fix 64bit/32bit splitarch problems +- ULOG target: Fix 64bit/32bit splitarch problems +- conntrack match: Fix 64bit/32bit splitarch problem +- IPv6 limit match: Fix 64bit/32bit splitarch problem +- limit match: Fix 64bit/32bit splitarch problem +- IPv6 mark match: Use full 64bit mark on 64bit archs +- mark match: Use full 64bit mark on 64bit archs +- owner match: Fix compiler warnings on 64bit + [ Martin Jofsefsson ] + +- connbytes match: Fix signedness / unsigned issue + [ Martin Josefsson ] + +- connlimit match: Fix '/0' netmask + [ David Ahern ] + +- ipv6 owner match: fix possibly not zero terminated string +- helper match: fix possibly not zero terminated string +- recent match: fix possibly not zero terminated string + [ Karsten Desler ] + +- ICMP match: fix '--icmp-type any' case + [ Harald Welte ] + +- CONNMARK target: major update (add mark/mask matching) + [ Henrik Nordstrom ] + +- DSCP target: Fix cosmetic help message problem + [ Maciej Soltysiak ] + +- string match: Fix iptables-save/restore for ascii strings with spaces + [ Michael Rash ] + +- ip(6)tables-restore: Make sure matches are used in the same order + [ Martin Josefsson ] + +- ip(6)tables-restore: Fix '--verbose' option +- ip(6)tables-restore: Add '--test' option +- ip(6)tables-restore: Complain about missing 'COMMIT' + [ Martin Josefsson ] + +- ip(6)tables-restore: Allow embedding of quote character in quoted strings + [ Michael Rash ] + +- libipq: Protect against spoofed queue messages (check if sender is kernel) + [ Harald Welte ] + + +Changes from 1.2.9: + +- time match: add 'datestart' and 'datestop' parameters + [ Fabrice Marie ] + +- modular manpage build, depending on actually compiled-in features + [ Henrik Nordstrom ] + +- additional documentation in manpage snippets formerly missing + [ Harald Welte ] + +- support new CLUSTERIP Target + [ Harald Welte ] + +- support new account match + [ Piotr Gasid'o ] + +- support new connrate match + [ Nuuti Kotivuori ] + +- support new dstlimit match + [ Harald Welte ] + +- support new 'set' match / 'SET' target + [ Jozsef Kadlecsik ] + +- osf match: add support for netlink reporting + [ Evgeniy Polyakov ] + +- new SCTP protocol match + [ Kiran Kumar ] + + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic/) + +Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, +distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) + + +iptables v1.2.9 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.8: + +- ip(6)tables-save/restore: fix memory leaks + [ Harald Welte, Martin Josefsson ] +- ip6tables: fix printout of odd length netmasks + [ Mikko Markus Torni ] +- condition match: fix iptables-save + [ Stephane Ouellette ] +- fuzzy match: fix ip(6)tables-save + [ Hime Aguiar e Oliveira Jr. ] +- mac match: fix ip(6)tables-save if used inverted (!) + [ David Zambonini, Martin Josefsson ] +- ip6tables udp match: check for invalid port ranges + [ Thomas Poehnitz ] +- LOG target: fix iptables-save (save loglevel numerically) + [ Thomas Woerner ] +- mport match: fix iptables-save (save numerically) + [ Thomas Woerner ] +- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures + [ Ryan Veety ] +- libip6tc: fix ipv6_prefix_length endianness bugs + [ Mikko Markus Torni ] +- MASQUERADE target: don't accept negative port numbers + [ Yasuyuki Kozakai ] +- physdev match: fix new structure layout for kernel > 2.6.0-test8 + [ Bart De Schuymer ] + +Changes from 1.2.8: + +- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP + [ Harald Welte ] +- libip(6)tc: Speedup due to inceremental chain cache updates + [ Harald Welte ] +- recent match: Update to version 0.3.1 that was submitted to the kernel + [ Stephen Frost ] +- physdev match: add --physdev-is-{in,out,bridge} option + [ Bart de Schuymer ] +- REJECT target: add support for ICMP administratively prohibited + [ Maciej Soltysiak ] +- conntrack match: add suport for CONFIRMED / unconfirmed state + [ Harald Welte ] +- ROUTE target: new option: continue traversal + [ Cedric de Launois ] +- varios cosmetic cleanups + [ Stephane Ouellette ] +- iptables/libiptc: add support for the new 'raw' table + [ Jozsef Kadlecsik ] + +Please note: Since version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic/) + + +iptables v1.2.8 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.7a: + +- fix ip6tables-save function of 'length' match + [ Gerry Skerbitz ] +- fix ip6tables-save function of 'mac' match + [ Kristian Gronfeldt Sorensen ] +- fix iptables-save function of 'ULOG' target + [ Jimmy Hedman ] +- fix iptables-save function of 'conntrack' match + [ Lutz Pressler ] +- fix iptables-save function of 'length' match + [ Gerry Skerbitz ] +- fix iptables-save function of 'mac' match + [ Kristian Gronfeldt Sorense ] +- fix iptables-save function of 'mark' match + [ Harald Welte ] +- fix iptables-save function of 'owner' match + [ Costa Tsaousis ] +- fix iptables-save function of 'pool' match + [ Oskar Berggren ] +- fix iptables-save function of 'tcpmss' match + [ Michael Schwendt ] +- fix iptables-save function of 'tos' match + [ Harald Welte ] +- fix save/print function of 'connmark' match + [ Harald Welte ] +- fix error message when invalid TCP flag is specified with 'tcp' match + [ Aaron Sethman ] + +Changes from 1.2.7a: + +- updated version of the ROUTE target + [ Cedric de Launois ] +- updated version of the 'recent' match + [ Stephen Frost ] +- update the RPC conntrack match, extend it to support filtering on procedures + [ Ian (Larry) Latter ] +- add support for hexstrings to the 'string' match + [ Michael Rash ] +- have iptables-restore print the line number in case of an error + [ Illes Marci ] +- big iptables.8 manpage update + [ Herve Eychenne ] +- print loglevel human-readable in ip6tables 'LOG' target + [ Michael Schwendt ] +- print loglevel human-readable in 'LOG' target + [ Michael Schwendt ] +- remove bogus code from 'ecn' match + [ Stephane Ouellette ] +- be more specific in help message of 'helper' match + [ Herve Eychenne ] +- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead + of 'any' + [ Harald Welte ] +- fix iptables rename-chain option + [ Maciej Soltysiak ] +- remove libipulog from iptables since it is distributed with ulogd + [ Harald Welte ] +- support new ip6tables 'HL' target + [ Maciej Soltysiak ] +- support new ip6tables 'condition' match + [ Stephane Ouellette ] +- support new ip6tables 'fuzzy' match + [ Maciej Soltysiak ] +- support new ip6tables 'hoplimit' match + [ Maciej Soltysiak ] +- support new iptables 'CLASSIFY' target + [ unknown ] +- support new iptables TARPIT target + [ Aaron Hopkins ] +- support new iptables 'condition' match + [ Stephane Ouellette ] +- support new iptables 'fuzzy' match + [ Hime Junior ] +- support new iptables 'physdev' match (for 2.5.x bridging) + [ Bart de Schumyer ] +- support new iptables 'u32' match (based on u32 tc filter) + [ Don Cohen ] + +Please note: As of version 1.2.7a, patch-o-matic is now no longer part of +iptables but rather distributed as a seperate package +(ftp://ftp.netfilter.org/pupatch-o-matic/) + + +iptables v1.2.7a (== fixed 1.2.7) Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.6a: + +- fix compiler warning in userspace support for ipv6 REJECT target + [ Fabrice Marie ] +- check for invalid portranges in tcp+udp helper (e.g. 2000:100) + [ Thomas Poehnitz ] +- fix save save/restore functions of ip6tables tcp/udp extension + [ Harald Welte / Andras Kis-Szabo ] +- check for invalid (out of range) nfmark values in MARK target + [ Alexey ??? ] +- fix save function of MASQUERADE userspace support + [ A. van Schie ] +- compile fixes for userspace suppot of experimental POOL target + [ ? ] +- fix save function of userspace support for ah and esp match + [ ? ] +- fix static build (NO_SHARED_LIBS) + [ Roberto Nibali ] +- fix save/restore function of userspace support for mport match + [ Bob Hockney ] +- update manpages to reflect recent changes + [ Herve Eychenne, Harald Welte ] +- remove all remnants of the 'check' option + [ ? ] + + +Changes from 1.2.6a: + +- patch-o-matic is now no longer part of iptables but rather distributed + as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic/) + [ Harald Welte ] +- userspace support for dscp match and target + [ Harald Welte ] +- userspace supprot for ecn match and target + [ Harald Welte ] +- userspace support for helper match + [ Martin Josefsson ] +- userspace supprot for conntrack match + [ Marc Boucher ] +- userspace support for pkttype match + [ Martin Ludvig ] +- userspace support for experimental ROUTE target + [ Cédric de Launois ] +- userspace support for experimental ipv6 ahesp match + [ Andras Kis-Szabo ] +- userspace support for experimental ipv6 option header match + [ Andras Kis-Szabo ] +- userspace support for experimental ipv6 routing header match + [ Andras Kis-Szabo ] +- add matching of process name to userspace support of owner match + [ Marc Boucher ] +- new version of userspace support for 'recent' match + [ Stephen Frost ] + + +iptables v1.2.6a (== fixed 1.2.6) Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.5: + +- Fix iptables segfault problem when using `!' without argument + [ Dionis Papavramidis, Harald Welte ] +- Fix PSD match for psd-delay-threshold > 100 + [ Steven Coenen, Dennis Koslowski ] +- ip6tables alignment fixes + [ Andreas Herrmann ] +- patch-o-matic: + - Fix NAT-related bug in TCP window tracking code + [ Jozsef Kadlecsik ] + - Fix support for DNAT of locally-originated connections (NAT in + LOCAL_OUT) + [ Henrik Nordstrom, Harald Welte ] + - Fix string match (is now SMP safe) + [ Gianni Tedesco ] + - Fix TFTP conntrack/nat helper (now also catches first packet) + [ Magnus Boden ] + +Changes from 1.2.5: + +- Added global PREFIX makefile variable for all paths + [ Harald Welte ] +- If compiled without any COPT_FLAGS, debugging is disabled. To enable + debugging, use -DIPTC_DEBUG + [ Harald Welte ] +- New ip6tables-restore and ip6tables-save manpage + [ Andras Kis-Szabo ] +- Sync ip6tables-restore and ip6tables-save with iptables-restore + [ Andras Kis-Szabo ] +- Sync ip6tables with iptables + [ Andras Kis-Szabo ] +- mangle table attaches now to all five netfilter hooks + [ Brad Chapman, Harald Welte ] +- iptables and ip6tables manpage updates + [ Herve Eychenne ] +- patch-o-matic program now supports removal of already-applied patches + [ Bob Hockney ] +- patch-o-matic program now supports patches to the userspace extensions + [ Fabrice Marie ] +- patch-o-matic: + - Extend recent match to support multiple recent lists + [ Stephen Frost ] + - New GRE and PPTP connection tracking and NAT helper + [ Harald Welte ] + - New CONNMARK target for marking all packets within one connection + [ Henrik Nordstrom ] + - New conntrack match, enables matching on more conntrack informatin + than state + [ Marc Boucher ] + - New DSCP match and target (DSCP header field obsoletes TOS) + [ Harald Welte ] + - New owner match extension: Match on process name + [ Marc Boucher ] + - Add support for bitwise AND / OR manipulation on nfmark + [ Fabrice Marie ] + - New experimental patch for disabling TCP connection tracking pickup + [ Harald Welte ] + - Add support for SACK in all NAT helpers + [ Harald Welte ] + - Make eggdrop botnet connection tracking support work with eggdrop + v1.6.x + [ Magnus Sandin ] + - Add support to REJECT for sending icmp-unreachable messages + from a fake source address + [ Fabrice Marie ] + - Add support for ntalk2 to talk NAT helper + [ Jozsef Kadlecsik ] + - Big update to newnat patch + [ Jozsef Kadlecsik, Paul P Komkoff ] + +iptables v1.2.6 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel >= 2.4.18 + +Bugs Fixed from 1.2.5: + +- Fix iptables segfault problem when using `!' without argument + [ Dionis Papavramidis, Harald Welte ] +- Fix PSD match for psd-delay-threshold > 100 + [ Steven Coenen, Dennis Koslowski ] +- ip6tables alignment fixes + [ Andreas Herrmann ] +- patch-o-matic: + - Fix NAT-related bug in TCP window tracking code + [ Jozsef Kadlecsik ] + - Fix support for DNAT of locally-originated connections (NAT in + LOCAL_OUT) + [ Henrik Nordstrom, Harald Welte ] + - Fix string match (is now SMP safe) + [ Gianni Tedesco ] + - Fix TFTP conntrack/nat helper (now also catches first packet) + [ Magnus Boden ] + +Changes from 1.2.5: + +- Added global PREFIX makefile variable for all paths + [ Harald Welte ] +- If compiled without any COPT_FLAGS, debugging is disabled. To enable + debugging, use -DIPTC_DEBUG + [ Harald Welte ] +- New ip6tables-restore and ip6tables-save manpage + [ Andras Kis-Szabo ] +- Sync ip6tables-restore and ip6tables-save with iptables-restore + [ Andras Kis-Szabo ] +- Sync ip6tables with iptables + [ Andras Kis-Szabo ] +- mangle table attaches now to all five netfilter hooks + [ Brad Chapman, Harald Welte ] +- iptables and ip6tables manpage updates + [ Herve Eychenne ] +- patch-o-matic program now supports removal of already-applied patches + [ Bob Hockney ] +- patch-o-matic program now supports patches to the userspace extensions + [ Fabrice Marie ] +- patch-o-matic: + - Extend recent match to support multiple recent lists + [ Stephen Frost ] + - New GRE and PPTP connection tracking and NAT helper + [ Harald Welte ] + - New CONNMARK target for marking all packets within one connection + [ Henrik Nordstrom ] + - New conntrack match, enables matching on more conntrack informatin + than state + [ Marc Boucher ] + - New DSCP match and target (DSCP header field obsoletes TOS) + [ Harald Welte ] + - New owner match extension: Match on process name + [ Marc Boucher ] + - Add support for bitwise AND / OR manipulation on nfmark + [ Fabrice Marie ] + - New experimental patch for disabling TCP connection tracking pickup + [ Harald Welte ] + - Add support for SACK in all NAT helpers + [ Harald Welte ] + - Make eggdrop botnet connection tracking support work with eggdrop + v1.6.x + [ Magnus Sandin ] + - Add support to REJECT for sending icmp-unreachable messages + from a fake source address + [ Fabrice Marie ] + - Add support for ntalk2 to talk NAT helper + [ Jozsef Kadlecsik ] + - Big update to newnat patch + [ Jozsef Kadlecsik, Paul P Komkoff ] + + +iptables v1.2.5 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel > 2.4.14 + +Bugs Fixed from 1.2.4: + +- make iptables-restore accept --table as well as -t option + [ Andreas Ferber ] +- make iptables-restore -v / --verbose option work + [ Marc Boucher ] +- fix iptables-save problems with saving "ppp+" style interface wildcards + [ Harald Welte ] +- make iptables accept '_' and '.' in interface names + [ Harald Welte ] +- Kernel bugfixes in patch-o-matic: + - Fix IRC NAT srcaddr fix (we used to nat DCC connectios to the + address of the IRC server + [ Bob Hockney ] + - Fix potential Oops in TOS target module + [ Edward Killips ] + - Fix problem when raw socket has cloned skb while netfilter doing + payload modification + [ Rusty Russell ] + - Fix memory leak in ipchains redirect code + [ Rusty Russell ] + - Fix reintroduced ECN problem with unclean match + [ Guillaume Morin ] + - Fix MAC adress match problem with small udp packets + [ Harald Welte ] + +Changes from 1.2.4: + +- Whole patch-o-matic system restructured - now supports multiple patch + repositories (submitted, pending, base, extra, newnat). + [ Jozsef Kadlecsik ] +- Add IPv6 support to the QUEUE target and libipq + [ Fernando Anton / James Morris ] +- New patch-o-matic patches: + -New IPV4OPTSSTRIP target to strip IP options + [ Fabrice Marie ] + - New ipv6header match to match IPv6 header options + [ Brad Chapman / Andras Kis-Szabo ] + - New helper match to match RELATED connections on their conntrack + helper + [ Martin Josefsson ] + - New quota match to have fixed IP quotas + [ Sam Johnston ] + - New recent match to match recently seen packets + [ Stephen Frost ] + + +iptables v1.2.4 Changelog +====================================================================== +This version requires kernel >= 2.4.4 +This version recommends kernel > 2.4.9 + +Bugs Fixed from 1.2.3: + +- make iptables-restore print error message instead of segfault when + processing broken / wrong input. + [ ] +- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target + [ ] +- fix iptables-save problems when saving MIRROR rules + [ Harald Welte ] +- fix IPv6 ICMP problems [ ] +- fix TTL increment in TTL target [ ] +- Kernel bugfixes in patch-o-matic: + - Fix printing of inner-packet in ICMP error messages (LOG target) + [ ] + - Decrement TTL when using MIRROR target at PRE_ROUTING [ ] + - fix undiscovered REJECT checkentry() bug (alignment) + [ Bert Hubert] + +Changes from 1.2.3: + +- New "make most-of-pom" feature for application of non-confliction + patches. This should be used instead of "make patch-o-matic" by most + users. + [ Harald Welte ] +- iptables-save and iptables-restore now included in the default install; + They are n - longer experimental for quite some time. + [ Harald Welte ] +- synchronize ip6tables-save/restore with iptables-save/restore + [ Harald Welte ] +- more precise save() function for ipt_limit rates + [ ] +- new improved version of nth-match. Added support for multiple counters, + added support for matching on individual packets in the counter cycle + [ Richard Wagner ] +- added manpage for ip6tables + [ ] +- updated libipq documentation + [ ] +- added timeout t - libipq recv function + [ ] +- New patch-o-matic patches: + - New random match + [ ] + - New ftp-fxp patch, imposes security risk but some people need it -sigh* + [ Magnus Sandin ] + - New H323 conntrack + nat modules + [ Jozsef Kadlecsik ] + - New version of tcp-window tracking patch, includes sysctl() + changeable timeouts + [ Jozsef Kadlecsik ] + + +iptables v1.2.3 Changelog +====================================================================== +This version requires kernel 2.4.4 or above. +This version recommends kernel 2.4.9 or above. + +Bugs Fixed from 1.2.2: + +- fix ICMPv6 support for IPv6 + [ Kis-Szab - Andras ] +- fix problems with REJECT and iptables-restore / iptables-save + [ Harald Welte ] +- fix possible string overflow in psd match + [ Dennis Koslowski ] +- fix string match compile problems + [ Gianni Tedesc - ] +- support interfaces with '_' (underscore) in device names + [ Harald Welte ] +- support rules without target in iptables-save + [ Emmanuel Fleury ] +- correct handling of "eth+" type interface names in iptables-save/restore + [ Harald Welte ] +- d - incremental checksumming when altering TTL in TTL target + [ Harald Welte ] +- fix no-srr case in ipv4options match + [ Fabrice Marie ] +- Kernel bugfixes in patch-o-matic: + - Fix unexported ip6_table symbols [ Brad Chapman ] + - Decrement TTL in MIRROR target if used in FORWARD chain [ Harald + Welte, Fabian Melzow ] + - Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT) + [ Guillaume Morin ] + +Changes from 1.2.2: + +- New "make most-of-pom" feature for application of non-confliction + patches. This should be used instead of "make patch-o-matic" by most + users. + [ Harald Welte ] +- support for statically linking iptables, without need for .s - plugins + [ David McCullough ] +- support for multiple ranges in SAME target + [ Martin Josefsson ] +- support for router alert options in ipv4options match + [ Fabrice Marie ] +- modprobe() modules when doing iptables-restore + [ Andries van Schie ] +- remove obsolete fragment matching code in IPv6 + [ Kis-Szab - Andras ] +- add support for dns hostnames t - IPv6 code + [ Kis-Szab - Andras ] +- New patch-o-matic patches: + - New multiport (mport) match + [ Andreas Ferber ] + - New nth match for matching every n-th packet + [ Fabrice Marie ] + - New realm match for matchin the routing realm + [ Sampsa Ranta ] + - New ctnetlink patch for manipulation of conntrack from userspace + [ Jay Schulist ] + - New REJECT Target for IPv6 + [ Harald Welte ] + - New length match for IPv6 + [ Imran Patel ] + - New multiport (mport) match for IPv6 + [ Andreas Ferber] + + +iptables v1.2.1 Changelog +====================================================================== +This version requires kernel 2.4.0 or above. + +Bugs Fixed from 1.2: + +- Missing quotes around log-prefix + [ Bart Theunissen ] +- Bug in save function of string match + [ Gianni Tedesc - ] +- ip6tables.c string buffer size fixes + [ Andras Kis-Szab - ] +- dependency problem with iptables-save / iptables-restore + [ Harald Welte ] +- strtok problem with iptables-save / iptables-restore + [ Harald Welte ] +- Problems with tcp/udp extension and multiple calls of do_command() + [ Sven Koch ] +- Kernel bugfixes in patch-o-matic: + - Updated rpc-record patch to work with 2.4.0 + [ Marc Boucher ] + - New ftp-pasv patch for fixing PASV detection with some ftpd's + [ Erik Hensema ] + - Fix checksum calculation of TOS target + [ Rusty Russell ] + +Changes from 1.2: + +- New `pending-patches' target + [ Rusty Russell ] +- build all shared library extensions regardless of kernel tree + [ Rusty Russell ] +- New counter-restore functions for iptables + [ Harald Welte ] +- Added libiptc and libipulog t - `devel' Makefile target + [ Harald Welte ] +- Ported iptables-save/restore t - IPv6 + [ Andras Kis-Szab - ] +- Updated ULOG target (now in-kernel accumulation [= higher performance]) + [ Harald Welte ] +- Added fxp support t - ftp-multi patch + [ Magnus Sandin ] +- Implemented Boyer Moore Sublinear search algorithm for string match + [ Gianni Tedesc - ] +- Fixed tcp-window-tracking incompatibility with NAT helpers + [ Harald Welte ] +- New patch-o-matic patches: + - New generic sequence number offset API for nat helpers + [ Harald Welte ] + - New psd (port-scan-detection) match + [ Dennis Koslowski, Markus Henning ] + - New NETLINK target for old ipchains -o behaviour + [ Gianni Tedesc - ] + - New SAME target as a special case of SNAT + [ Martin Josefsson ] + - Ported LOG target to IPv6 + [ Jan Rekorajski ] + - Ported owner, limit, mac and multiport match to IPv6 + [ Jan Rekorajski ] + + +iptables v1.2.2 Changelog +====================================================================== +This version requires kernel 2.4.1 or above. +This version recommends kernel 2.4.4 or above. + +Bugs Fixed from 1.2.1a: + +- fixes for SAME Target + [ Martin Josefsson ] +- fixes for iplimit match in combination with iptables-save/-restore + [ Gerd Knorr ] +- fix for TCP match in combination with iptables-save/-restore + [ Ian Lynagh ] +- iptables-restore now deals correclty with spaces in --log-prefix + [ Harald Welte ] +- fix in 'isapplied' script. It used t - give false negatives + [ Harald Welte ] +- fix in BALANCE target, target now uses full ip address range + [ Martin Josefsson ] +- fix for NETLINK target, was sending wrong interface name + [ Gianni Tedesc - ] +- fix for collision of ftp and irc NAT helpers + [ Harald Welte ] +- ip6tables brought in sync with iptables + [ Kis-Szab - Andras ] +- Kernel bugfixes in patch-o-matic: + - Fix possible security vulnerability in ip_conntrack_ftp + [ Cristian - Lincoln Mattos, James Morris and Rusty ] + +Changes from 1.2.1a: + +- libiptc should now be usable from C++ applications + [ Fabrice MAURIE ] +- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch + [ Rusty Russell ] +- lots of old pre-2.4.1 patches now combined in 2.4.1.patch + [ Rusty Russel ] +- IRC conntrack + nat cleanup + [ Harald Welte ] +- string match cleanup + [ Gianni Tedesc - ] +- ULOG cleanup, new version. Fixes 'unable t - send nflink' bug + [ Harald Welte ] +- New patch-o-matic patches: + - New NETMAP Target for mapping whole networks 1:1 to other addresses + [ Svenning Soerensen ] + - New length Target for matching packet length + [ James Morris ] + - New ipv4options match for matching IPv4 header options + [ Fabrice MARIE ] + - New IPv6 agr match for matching IPv6 global aggregatable unicast + adresses + [ Andras Kis-Szab - ] + - New pkttype match for matching link-layer multicast / broadcast + packets + [ Michal Ludvig ] + - New time match for matching the packet's receive time + [ Fabrice MARIE ] + - New talk conntack + NAT helper module + [ Jozsef Kadlecsik ] + + +iptables v1.2 Changelog +====================================================================== +This version requires 2.4.0-test9 or above. + +Bugs Fixed from 1.1.2: + +- Now default installs int - /usr/local/sbin, not /usr/local/bin. +- Only does IPv6 compilation on libc6. +- More header fixes for weird header combos. +- ip6tables now refers t - "icmpv6" protocol, not "icmp". + [ Harald Welte ] +- IPPROTO_ESP and AH defined in iptables for primitive headers. +- iptables multiple-DNS resolve fixed + [ Harald Welte, Rusty ] +- Kernel bugfixes in patch-o-matic: + - IPv6 netfilter fixes + [ Harald Welte ] + - Masquerade with fwmark routing fix + - Dynamic hashsize optimization (NAT) + `hashsize=' module parameter. + - NAT overlap fix + - PPC/Sparc mangle table fix. + +Changes from 1.1.2: + +- New `install-devel' target + [ James Morris ] +- libipq now has man pages! + [ James Morris ] +- iptables-save and iptables-restore added (with man pages!) + [ Harald Welte ] +- iptables now inserts modules if CONFIG_KMOD or --modprobe + [ Harald Welte, Rusty ] +- New `experimental' and `install-experimental' targets. +- `--reject-with=echo-reply' removed in anticipation of the removal of + kernel support. +- ttl match enhancements (greater or less than tests) + [ Harald Welte ] +- Reworked patch-o-matic interface, t - force reading of help. +- patch-o-matic updated for new 2.4 Makefiles + [ Daniel Stone, Harald Welte ] +- patch-o-matic now supports non-IPv4 netfilter patches + [ Harald Welte ] +- New patch-o-matic patches: + - eggdrop bot connection tracking + [ Magnus Sandin ] + - FTOS target for full ToS mangling. + [ Matthew G. Marsh ] + - BALANCE target for simple load-balancing. + - iplimit match for limiting number of connections. + [ Gerd Knorr ] + - IPv6 MARK target + [ Harald Welte ] + - IPv6 mark match + [ Harald Welte ] + + +iptables v1.1.2 Changelog +====================================================================== +This version requires 2.4.0-test9 or above. + +Bugs Fixed from 1.1.1: + +- Adding rules on UltraSparc now works +- string_to_number now handles overflow + [ Jan Echternach ] +- Bug when using ridiculous rule numbers fixed + +Changes from 1.1.1: + +- patch-o-matic system added: + - TTL alteration and ttl matching support -- Harald Welte + - AH/ESP matching support -- Yon Uriarte + - DROPPED table support -- Rusty + - ftp-multi patch for non-standard ftp servers -- Harald Welte + - IRC connection tracking & NAT -- Harald Welte + - pool match and POOL target -- Patrick + - RPC recording patch -- Marcelo Barbosa Lima + - SNMP NAT support -- James Morris + - string match for looking in packet's data -- Emmanuel Roger + - tcp-MSS target for altering MSS -- Marc Boucher + - ULOG target for advanced logging -- Harald Welte +- Minor const cleanups + [ Jan Echternach ] +- iptables.8 updates + [ Harald Welte, Rusty ] +- Better warnings for non-existant matches/missing libraries + [ Harald Welte ] +- Improved isapplied script debian/patches/notes0000644000000000000000000000021312263344316011670 0ustar 01xx - debian specific patches 02xx - documentation patches 03xx - makefile/build patches 04xx - code patches 05xx - miscellaneous patches debian/patches/0202-725413-sctp_man_description.patch0000644000000000000000000000055512263345140017176 0ustar Subject: add SCTP extension man page description From: Laurence J. Lane Bug: http://bugs.debian.org/725413 --- a/extensions/libxt_sctp.man +++ b/extensions/libxt_sctp.man @@ -1,3 +1,4 @@ +This module matches Stream Control Transmission Protocol headers. .TP [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] .TP debian/patches/9000-howtos.patch0000644000000000000000000066031312263344316013564 0ustar Author: Soren Hansen Description: Revert changes between 1.4.1.1-3 and 1.4.1.1-4, thus bringing back the howtos. Forwarded: no Index: iptables-1.4.12/howtos/Makefile =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.12/howtos/Makefile 2011-11-07 13:57:14.000000000 -0600 @@ -0,0 +1,10 @@ +all: + for i in *.sgml; do sgml2html $$i; done + +install: + for i in *.html; do install -D -m 0644 $$i ${DESTDIR}/howtos/$$i; done + +clean: + -rm *.html + +.PHONY: all clean install Index: iptables-1.4.12/howtos/NAT-HOWTO.sgml =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.12/howtos/NAT-HOWTO.sgml 2011-11-07 13:57:14.000000000 -0600 @@ -0,0 +1,609 @@ + + + + + + +
+ + + +Linux 2.4 NAT HOWTO +<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt> +<date>$Revision: 1.18 $ $Date: 2002/01/14 09:35:13 $ +<abstract> +This document describes how to do masquerading, transparent proxying, +port forwarding, and other forms of Network Address Translations with +the 2.4 Linux Kernels. +</abstract> + +<!-- Table of contents --> +<toc> + +<!-- Begin the document --> + +<sect>Introduction<label id="intro"> + +<p> +Welcome, gentle reader. + +<p> +You are about to delve into the fascinating (and sometimes horrid) +world of NAT: Network Address Translation, and this HOWTO is going to +be your somewhat accurate guide to the 2.4 Linux Kernel and beyond. + +<p>In Linux 2.4, an infrastructure for mangling packets was +introduced, called `netfilter'. A layer on top of this provides NAT, +completely reimplemented from previous kernels. + +<p>(C) 2000 Paul `Rusty' Russell. Licensed under the GNU GPL. + +<sect>Where is the official Web Site and List? + +<p>There are three official sites: +<itemize> +<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">. +<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">. +<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">. +</itemize> + +<p>You can reach all of them using round-robin DNS via +<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/"> + +<p>For the official netfilter mailing list, see +<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">. + +<sect1>What is Network Address Translation? + +<p> +Normally, packets on a network travel from their source (such as your +home computer) to their destination (such as www.gnumonks.org) +through many different links: about 19 from where I am in Australia. +None of these links really alter your packet: they just send it +onward. + +<p> +If one of these links were to do NAT, then they would alter the source +or destinations of the packet as it passes through. As you can +imagine, this is not how the system was designed to work, and hence +NAT is always something of a crock. Usually the link doing NAT will +remember how it mangled a packet, and when a reply packet passes +through the other way, it will do the reverse mangling on that reply +packet, so everything works. + +<sect1>Why Would I Want To Do NAT? + +<p>In a perfect world, you wouldn't. Meanwhile, the main reasons are: + +<descrip> +<tag/Modem Connections To The Internet/ Most ISPs give you a single IP +address when you dial up to them. You can send out packets with any +source address you want, but only replies to packets with this source +IP address will return to you. If you want to use multiple different +machines (such as a home network) to connect to the Internet through +this one link, you'll need NAT. + +<p>This is by far the most common use of NAT today, commonly known as +`masquerading' in the Linux world. I call this SNAT, because you +change the <bf>source</bf> address of the first packet. + +<tag/Multiple Servers/ Sometimes you want to change where packets +heading into your network will go. Frequently this is because (as +above), you have only one IP address, but you want people to be able +to get into the boxes behind the one with the `real' IP address. If +you rewrite the destination of incoming packets, you can manage this. +This type of NAT was called port-forwarding under previous versions of +Linux. + +<p>A common variation of this is load-sharing, where the mapping +ranges over a set of machines, fanning packets out to them. If you're +doing this on a serious scale, you may want to look at + +<url url="http://linuxvirtualserver.org/" name="Linux Virtual Server">. + +<tag/Transparent Proxying/ Sometimes you want to pretend that each +packet which passes through your Linux box is destined for a program +on the Linux box itself. This is used to make transparent proxies: a +proxy is a program which stands between your network and the outside +world, shuffling communication between the two. The transparent part +is because your network won't even know it's talking to a proxy, +unless of course, the proxy doesn't work. + +<p>Squid can be configured to work this way, and it is called +redirection or transparent proxying under previous Linux versions. +</descrip> + +<sect>The Two Types of NAT + +<p>I divide NAT into two different types: <bf>Source NAT</bf> (SNAT) +and <bf>Destination NAT</bf> (DNAT). + +<p>Source NAT is when you alter the source address of the first +packet: i.e. you are changing where the connection is coming from. +Source NAT is always done post-routing, just before the packet goes +out onto the wire. Masquerading is a specialized form of SNAT. + +<p>Destination NAT is when you alter the destination address of the +first packet: i.e. you are changing where the connection is going to. +Destination NAT is always done before routing, when the packet first +comes off the wire. Port forwarding, load sharing, and transparent +proxying are all forms of DNAT. + +<sect>Quick Translation From 2.0 and 2.2 Kernels + +<p>Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to +2.2 (ipchains) transition. There's good and bad news. + +<p>Firstly, you can simply use ipchains and ipfwadm as before. To do +this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel +modules found in the latest netfilter distribution. These are +mutually exclusive (you have been warned), and should not be combined +with any other netfilter modules. + +<p>Once one of these modules is installed, you can use ipchains and +ipfwadm as normal, with the following differences: + +<itemize> +<item> Setting the masquerading timeouts with ipchains -M -S, or + ipfwadm -M -s does nothing. Since the timeouts are longer for + the new NAT infrastructure, this should not matter. + +<item> The init_seq, delta and previous_delta fields in the verbose + masquerade listing are always zero. + +<item> Zeroing and listing the counters at the same time `-Z -L' does + not work any more: the counters will not be zeroed. + +<item> The backward compatibility layer doesn't scale very well for + large numbers of connections: don't use it for your corporate + gateway! +</itemize> + +Hackers may also notice: + +<itemize> +<item> You can now bind to ports 61000-65095 even if you're + masquerading. The masquerading code used to assume anything + in this range was fair game, so programs couldn't use it. + +<item> The (undocumented) `getsockname' hack, which transparent proxy + programs could use to find out the real destinations of + connections no longer works. + +<item> The (undocumented) bind-to-foreign-address hack is also not + implemented; this was used to complete the illusion of + transparent proxying. + +</itemize> + +<sect1> I just want masquerading! Help! + +<p>This is what most people want. If you have a dynamically allocated +IP PPP dialup (if you don't know, this is you), you simply want to +tell your box that all packets coming from your internal network +should be made to look like they are coming from the PPP dialup box. + +<tscreen><verb> +# Load the NAT module (this pulls in all the others). +modprobe iptable_nat + +# In the NAT table (-t nat), Append a rule (-A) after routing +# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to +# MASQUERADE the connection (-j MASQUERADE). +iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE + +# Turn on IP forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward +</verb></tscreen> + +Note that you are not doing any packet filtering here: for that, see +the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'. + +<sect1> What about ipmasqadm? + +<p>This is a much more niche user base, so I didn't worry about +backward compatibility as much. You can simply use `iptables -t nat' +to do port forwarding. So for example, in Linux 2.2 you might have +done: + +<tscreen><verb> +# Linux 2.2 +# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80 +ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80 +</verb></tscreen> + +Now you would do: + +<tscreen><verb> +# Linux 2.4 +# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that +# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080) +# have their destination mapped (-j DNAT) to 192.168.1.1, port 80 +# (--to 192.168.1.1:80). +iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \ + -j DNAT --to 192.168.1.1:80 +</verb></tscreen> + +<sect>Controlling What To NAT + +<p>You need to create NAT rules which tell the kernel what connections +to change, and how to change them. To do this, we use the very +versatile <tt>iptables</tt> tool, and tell it to alter the NAT table by +specifying the `-t nat' option. + +<p>The table of NAT rules contains three lists called `chains': each +rule is examined in order until one matches. The two chains are +called PREROUTING (for Destination NAT, as packets first come in), and +POSTROUTING (for Source NAT, as packets leave). The third (OUTPUT) +will be ignored here. + +<p>The following diagram would illustrate it quite well if I had any +artistic talent: + +<tscreen><verb> + _____ _____ + / \ / \ + PREROUTING -->[Routing ]----------------->POSTROUTING-----> + \D-NAT/ [Decision] \S-NAT/ + | ^ + | | + | | + | | + | | + | | + | | + --------> Local Process ------ +</verb></tscreen> + +At each of the points above, when a packet passes we look up what +connection it is associated with. If it's a new connection, we look +up the corresponding chain in the NAT table to see what to do with it. +The answer it gives will apply to all future packets on that +connection. + +<sect1>Simple Selection using iptables + +<p><tt>iptables</tt> takes a number of standard options as listed +below. All the double-dash options can be abbreviated, as long as +<tt>iptables</tt> can still tell them apart from the other possible +options. If your kernel has iptables support as a module, you'll need +to load the ip_tables.o module first: `insmod ip_tables'. + +<p>The most important option here is the table selection option, `-t'. +For all NAT operations, you will want to use `-t nat' for the NAT +table. The second most important option to use is `-A' to append a +new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to +insert one at the beginning (e.g. `-I PREROUTING'). + +<p>You can specify the source (`-s' or `--source') and destination +(`-d' or `--destination') of the packets you want to NAT. These +options can be followed by a single IP address (e.g. 192.168.1.1), a +name (e.g. www.gnumonks.org), or a network address +(e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0). + +<p>You can specify the incoming (`-i' or `--in-interface') or outgoing +(`-o' or `--out-interface') interface to match, but which you can +specify depends on which chain you are putting the rule into: at +PREROUTING you can only select incoming interface, and at POSTROUTING +you can only select outgoing interface. If you use the +wrong one, <tt>iptables</tt> will give an error. + +<sect1>Finer Points Of Selecting What Packets To Mangle + +<p>I said above that you can specify a source and destination address. +If you omit the source address option, then any source address will +do. If you omit the destination address option, then any destination +address will do. + +<p>You can also indicate a specific protocol (`-p' or `--protocol'), +such as TCP or UDP; only packets of this protocol will match the rule. +The main reason for doing this is that specifying a protocol of tcp or +udp then allows extra options: specifically the `--source-port' and +`--destination-port' options (abbreviated as `--sport' and `--dport'). + +<p>These options allow you to specify that only packets with a certain +source and destination port will match the rule. This is useful for +redirecting web requests (TCP port 80 or 8080) and leaving other +packets alone. + +<p>These options must follow the `-p' option (which has a side-effect +of loading the shared library extension for that protocol). You can +use port numbers, or a name from the /etc/services file. + +<p>All the different qualities you can select a packet by are detailed +in painful detail in the manual page (<tt>man iptables</tt>). + +<sect>Saying How To Mangle The Packets + +<p>So now we know how to select the packets we want to mangle. To +complete our rule, we need to tell the kernel exactly what we want it +to do to the packets. + +<sect1>Source NAT + +<p>You want to do Source NAT; change the source address of connections +to something different. This is done in the POSTROUTING chain, just +before it is finally sent out; this is an important detail, since it +means that anything else on the Linux box itself (routing, packet +filtering) will see the packet unchanged. It also means that the `-o' +(outgoing interface) option can be used. + +<p>Source NAT is specified using `-j SNAT', and the `--to-source' +option specifies an IP address, a range of IP addresses, and an +optional port or range of ports (for UDP and TCP protocols only). + +<tscreen><verb> +## Change source addresses to 1.2.3.4. +# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 + +## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 +# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 + +## Change source addresses to 1.2.3.4, ports 1-1023 +# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 +</verb></tscreen> + +<sect2>Masquerading + +<p>There is a specialized case of Source NAT called masquerading: it +should only be used for dynamically-assigned IP addresses, such as +standard dialups (for static IP addresses, use SNAT above). + +<p>You don't need to put in the source address explicitly with +masquerading: it will use the source address of the interface the +packet is going out from. But more importantly, if the link goes +down, the connections (which are now lost anyway) are forgotten, +meaning fewer glitches when connection comes back up with a new IP +address. + +<tscreen><verb> +## Masquerade everything out ppp0. +# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE +</verb></tscreen> + +<sect1>Destination NAT + +<p>This is done in the PREROUTING chain, just as the packet comes in; +this means that anything else on the Linux box itself (routing, packet +filtering) will see the packet going to its `real' destination. It +also means that the `-i' (incoming interface) option can be used. + +<p>Destination NAT is specified using `-j DNAT', and the +`--to-destination' option specifies an IP address, a range of IP +addresses, and an optional port or range of ports (for UDP and TCP +protocols only). + +<tscreen><verb> +## Change destination addresses to 5.6.7.8 +# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8 + +## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. +# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 + +## Change destination addresses of web traffic to 5.6.7.8, port 8080. +# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \ + -j DNAT --to 5.6.7.8:8080 +</verb></tscreen> + +<sect2>Redirection + +<p>There is a specialized case of Destination NAT called redirection: +it is a simple convenience which is exactly equivalent to doing DNAT +to the address of the incoming interface. + +<tscreen><verb> +## Send incoming port-80 web traffic to our squid (transparent) proxy +# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ + -j REDIRECT --to-port 3128 +</verb></tscreen> + +Note that squid needs to be configured to know it's a transparent proxy! + +<sect1>Mappings In Depth + +<p>There are some subtleties to NAT which most people will never have +to deal with. They are documented here for the curious. + +<sect2>Selection Of Multiple Addresses in a Range + +<p>If a range of IP addresses is given, the IP address to use is +chosen based on the least currently used IP for connections the +machine knows about. This gives primitive load-balancing. + +<sect2>Creating Null NAT Mappings + +<p>You can use the `-j ACCEPT' target to let a connection through +without any NAT taking place. + +<sect2>Standard NAT Behavior + +<p>The default behavior is to alter the connection as little as +possible, within the constraints of the rule given by the user. This +means we won't remap ports unless we have to. + +<sect2>Implicit Source Port Mapping + +<p>Even when no NAT is requested for a connection, source port +translation may occur implicitly, if another connection has been +mapped over the new one. Consider the case of masquerading, which +is rather common: + +<enum> +<item> A web connection is established by a box 192.1.1.1 from port + 1024 to www.netscape.com port 80. + +<item> This is masqueraded by the masquerading box to use its source + IP address (1.2.3.4). + +<item> The masquerading box tries to make a web connection to + www.netscape.com port 80 from 1.2.3.4 (its external interface + address) port 1024. + +<item> The NAT code will alter the source port of the second + connection to 1025, so that the two don't clash. +</enum> + +<p>When this implicit source mapping occurs, ports are divided into +three classes: +<itemize> +<item> Ports below 512 +<item> Ports between 512 and 1023 +<item> Ports 1024 and above. +</itemize> + +A port will never be implicitly mapped into a different class. + +<sect2>What Happens When NAT Fails + +<p>If there is no way to uniquely map a connection as the user +requests, it will be dropped. This also applies to packets which +could not be classified as part of any connection, because they are +malformed, or the box is out of memory, etc. + +<sect2>Multiple Mappings, Overlap and Clashes + +<p>You can have NAT rules which map packets onto the same range; the +NAT code is clever enough to avoid clashes. Hence having two rules +which map the source address 192.168.1.1 and 192.168.1.2 respectively +onto 1.2.3.4 is fine. + +<p>Furthermore, you can map over real, used IP addresses, as long as +those addresses pass through the mapping box as well. So if you have +an assigned network (1.2.3.0/24), but have one internal network using +those addresses and one using the Private Internet Addresses +192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses +onto the 1.2.3.0 network, without fear of clashing: + +<tscreen><verb> +# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \ + -j SNAT --to 1.2.3.0/24 +</verb></tscreen> + +<p>The same logic applies to addresses used by the NAT box itself: +this is how masquerading works (by sharing the interface address +between masqueraded packets and `real' packets coming from the box +itself). + +<p>Moreover, you can map the same packets onto many different targets, +and they will be shared. For example, if you don't want to map +anything over 1.2.3.5, you could do: + +<tscreen><verb> +# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \ + -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254 +</verb></tscreen> + +<sect2>Altering the Destination of Locally-Generated Connections + +<p>The NAT code allows you to insert DNAT rules in the OUTPUT chain, +but this is not fully supported in 2.4 (it can be, but it requires a +new configuration option, some testing, and a fair bit of coding, so +unless someone contracts Rusty to write it, I wouldn't expect it +soon). + +<p>The current limitation is that you can only change the destination +to the local machine (e.g. `j DNAT --to 127.0.0.1'), not to any other +machine, otherwise the replies won't be translated correctly. + +<sect>Special Protocols + +<p>Some protocols do not like being NAT'ed. For each of these +protocols, two extensions must be written; one for the connection +tracking of the protocol, and one for the actual NAT. + +<p>Inside the netfilter distribution, there are currently modules for +ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into +your kernel (or you compile them in permanently), then doing any kind +of NAT on ftp connections should work. If you don't, then you can +only use passive ftp, and even that might not work reliably if you're +doing more than simple Source NAT. + +<sect>Caveats on NAT + +<p>If you are doing NAT on a connection, all packets passing +<bf>both</bf> ways (in and out of the network) must pass through the +NAT'ed box, otherwise it won't work reliably. In particular, the +connection tracking code reassembles fragments, which means that not +only will connection tracking not be reliable, but your packets may +not get through at all, as fragments will be withheld. + +<sect>Source NAT and Routing + +<p>If you are doing SNAT, you will want to make sure that every +machine the SNAT'ed packets goes to will send replies back to the NAT +box. For example, if you are mapping some outgoing packets onto the +source address 1.2.3.4, then the outside router must know that it is +to send reply packets (which will have <bf>destination</bf> 1.2.3.4) +back to this box. This can be done in the following ways: + +<enum> +<item> If you are doing SNAT onto the box's own address (for which + routing and everything already works), you don't need to do + anything. + +<item> If you are doing SNAT onto an unused address on the local LAN + (for example, you're mapping onto 1.2.3.99, a free IP on your + 1.2.3.0/24 network), your NAT box will need to respond to ARP + requests for that address as well as its own: the easiest way + to do this is create an IP alias, e.g.: +<tscreen><verb> +# ip address add 1.2.3.99 dev eth0 +</verb></tscreen> + +<item> If you are doing SNAT onto a completely different address, you + will have to ensure that the machines the SNAT packets will hit + will route this address back to the NAT box. This is already + achieved if the NAT box is their default gateway, otherwise you + will need to advertise a route (if running a routing protocol) + or manually add routes to each machine involved. +</enum> + +<sect>Destination NAT Onto the Same Network + +<p>If you are doing port forwarding back onto the same network, you +need to make sure that both future packets and reply packets pass +through the NAT box (so they can be altered). The NAT code will now +(since 2.4.0-test6), block the outgoing ICMP redirect which is +produced when the NAT'ed packet heads out the same interface it came +in on, but the receiving server will still try to reply directly to +the client (which won't recognize the reply). + +<p>The classic case is that internal staff try to access your `public' +web server, which is actually DNAT'ed from the public address +(1.2.3.4) to an internal machine (192.168.1.1), like so: + +<tscreen><verb> +# iptables -t nat -A PREROUTING -d 1.2.3.4 \ + -p tcp --dport 80 -j DNAT --to 192.168.1.1 +</verb></tscreen> + +<p>One way is to run an internal DNS server which knows the real +(internal) IP address of your public web site, and forward all other +requests to an external DNS server. This means that the logging on +your web server will show the internal IP addresses correctly. + +<p>The other way is to have the NAT box also map the source IP address +to its own for these connections, fooling the server into replying +through it. In this example, we would do the following (assuming the +internal IP address of the NAT box is 192.168.1.250): + +<tscreen><verb> +# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \ + -p tcp --dport 80 -j SNAT --to 192.168.1.250 +</verb></tscreen> + +Because the <bf>PREROUTING</bf> rule gets run first, the packets will +already be destined for the internal web server: we can tell which +ones are internally sourced by the source IP addresses. + +<sect>Thanks + +<p>Thanks first to WatchGuard, and David Bonn, who believed in the +netfilter idea enough to support me while I worked on it. + +<p>And to everyone else who put up with my ranting as I learnt about +the ugliness of NAT, especially those who read my diary. + +<p>Rusty. +</article> Index: iptables-1.4.12/howtos/netfilter-extensions-HOWTO.sgml =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.12/howtos/netfilter-extensions-HOWTO.sgml 2011-11-07 13:57:14.000000000 -0600 @@ -0,0 +1,1781 @@ +<!doctype linuxdoc system> + +<!-- This is the Netfilter Extensions HOWTO. + --> + +<article> + +<!-- Title information --> + +<title>Netfilter Extensions HOWTO +Fabrice MARIE <fabrice@netfilter.org>, mailing list netfilter-devel@lists.samba.org +$Revision: 1.28 $ + +This document describes how to install and use current iptables extensions for netfilter. + + + + + + + +Introduction
Index: iptables-1.4.12/howtos/netfilter-hacking-HOWTO.sgml =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.12/howtos/netfilter-hacking-HOWTO.sgml 2011-11-07 13:57:14.000000000 -0600 @@ -0,0 +1,1978 @@ + + + + + + +
+ + + +Linux netfilter Hacking HOWTO +<author>Rusty Russell and Harald Welte, mailing list <tt>netfilter@lists.samba.org</tt> +<date>$Revision: 1.14 $ $Date: 2002/07/02 04:07:19 $ +<abstract> +This document describes the netfilter architecture for Linux, how to +hack it, and some of the major systems which sit on top of it, such as +packet filtering, connection tracking and Network Address Translation. +</abstract> + +<!-- Table of contents --> +<toc> + +<!-- Begin the document --> + +<sect>Introduction<label id="intro"> + +<p> +Hi guys. + +<p> +This document is a journey; some parts are well-traveled, and in +other areas you will find yourself almost alone. The best advice I +can give you is to grab a large, cozy mug of coffee or hot chocolate, +get into a comfortable chair, and absorb the contents before venturing +out into the sometimes dangerous world of network hacking. + +<p>For more understanding of the use of the infrastructure on top of +the netfilter framework, I recommend reading the Packet Filtering +HOWTO and the NAT HOWTO. For information on kernel programming I +suggest Rusty's Unreliable Guide to Kernel Hacking and Rusty's +Unreliable Guide to Kernel Locking. + +<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL. + +<sect1>What is netfilter? + +<p> +netfilter is a framework for packet mangling, outside the normal +Berkeley socket interface. It has four parts. Firstly, each protocol +defines "hooks" (IPv4 defines 5) which are well-defined points in a +packet's traversal of that protocol stack. At each of these points, +the protocol will call the netfilter framework with the packet and the +hook number. + +<p> +Secondly, parts of the kernel can register to listen to the different +hooks for each protocol. So when a packet is passed to the netfilter +framework, it checks to see if anyone has registered for that protocol +and hook; if so, they each get a chance to examine (and possibly +alter) the packet in order, then discard the packet +(<tt>NF_DROP</tt>), allow it to pass (<tt>NF_ACCEPT</tt>), tell +netfilter to forget about the packet (<tt>NF_STOLEN</tt>), or ask +netfilter to queue the packet for userspace (<tt>NF_QUEUE</tt>). + +<p> +The third part is that packets that have been queued are collected (by +the ip_queue driver) for sending to userspace; these packets are +handled asynchronously. + +<p> +The final part consists of cool comments in the code and +documentation. This is instrumental for any experimental project. +The netfilter motto is (stolen shamelessly from Cort Dougan): + +<tscreen><verb> + ``So... how is this better than KDE?'' +</verb></tscreen> + +<p>(This motto narrowly edged out `Whip me, beat me, make me use +ipchains'). + +<p> +In addition to this raw framework, various modules have been written +which provide functionality similar to previous (pre-netfilter) +kernels, in particular, an extensible NAT system, and an extensible +packet filtering system (iptables). + +<sect1>What's wrong with what we had in 2.0 and 2.2? + +<p> +<enum> +<item>No infrastructure established for passing packet to userspace: +<itemize> +<item>Kernel coding is hard +<item>Kernel coding must be done in C/C++ +<item>Dynamic filtering policies do not belong in kernel +<item> 2.2 introduced copying packets to userspace via netlink, but + reinjecting packets is slow, and subject to `sanity' checks. + For example, reinjecting packet claiming to come from an + existing interface is not possible. +</itemize> + +<item>Transparent proxying is a crock: + +<itemize> + +<item> We look up <bf>every</bf> packet to see if there is a socket +bound to that address + +<item> Root is allowed to bind to foreign addresses + +<item> Can't redirect locally-generated packets + +<item> REDIRECT doesn't handle UDP replies: redirecting UDP named +packets to 1153 doesn't work because some clients don't like replies +coming from anything other than port 53. + +<item> REDIRECT doesn't coordinate with tcp/udp port allocation: a +user may get a port shadowed by a REDIRECT rule. + +<item>Has been broken at least twice during 2.1 series. + +<item>Code is extremely intrusive. Consider the stats on the number +of #ifdef CONFIG_IP_TRANSPARENT_PROXY in 2.2.1: 34 occurrences in 11 +files. Compare this with CONFIG_IP_FIREWALL, which has 10 occurrences +in 5 files. +</itemize> + +<item>Creating packet filter rules independent of interface addresses + is not possible: + +<itemize> +<item>Must know local interface addresses to distinguish +locally-generated or locally-terminating packets from through +packets. + +<item>Even that is not enough in cases of redirection or +masquerading. + +<item>Forward chain only has information on outgoing interface, +meaning you have to figure where a packet came from using knowledge of +the network topography. +</itemize> + +<item>Masquerading is tacked onto packet filtering:<p> + Interactions between packet filtering and masquerading make firewalling + complex: +<itemize> +<item>At input filtering, reply packets appear to be destined for box itself +<item>At forward filtering, demasqueraded packets are not seen at all +<item>At output filtering, packets appear to come from local box +</itemize> + +<item>TOS manipulation, redirect, ICMP unreachable and mark (which can +effect port forwarding, routing, and QoS) are tacked onto packet +filter code as well. + +<item>ipchains code is neither modular, nor extensible (eg. MAC +address filtering, options filtering, etc). + +<item>Lack of sufficient infrastructure has led to a profusion of +different techniques: +<itemize> +<item>Masquerading, plus per-protocol modules +<item>Fast static NAT by routing code (doesn't have per-protocol handling) +<item>Port forwarding, redirect, auto forwarding +<item>The Linux NAT and Virtual Server Projects. +</itemize> + +<item>Incompatibility between CONFIG_NET_FASTROUTE and packet filtering: +<itemize> +<item>Forwarded packets traverse three chains anyway +<item>No way to tell if these chains can be bypassed +</itemize> + +<item>Inspection of packets dropped due to routing protection +(eg. Source Address Verification) not possible. + +<item>No way of atomically reading counters on packet filter rules. + +<item>CONFIG_IP_ALWAYS_DEFRAG is a compile-time option, making life +difficult for distributions who want one general-purpose kernel. + +</enum> + +<sect1>Who are you? + +<p> +I'm the only one foolish enough to do this. As ipchains co-author and +current Linux Kernel IP Firewall maintainer, I see many of the +problems that people have with the current system, as well as getting +exposure to what they are trying to do. + +<sect1>Why does it crash? + +<p> +Woah! You should have seen it <bf>last</bf> week! + +<p> +Because I'm not as great a programmer as we might all wish, and I +certainly haven't tested all scenarios, because of lack of time, +equipment and/or inspiration. I do have a testsuite, which I +encourage you to contribute to. + +<sect>Where Can I Get The Latest? + +<p>There is a CVS server on netfilter.org which contains the latest +HOWTOs, userspace tools and testsuite. For casual browsing, you +can use the +<url url="http://cvs.netfilter.org/" name="Web Interface">. + +To grab the latest sources, you can do the following: + +<enum> +<item> Log in to the netfilter CVS server anonymously: +<tscreen><verb> +cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login +</verb></tscreen> +<item> When it asks you for a password type `cvs'. +<item> Check out the code using: +<tscreen><verb> +# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace +</verb></tscreen> +<item> To update to the latest version, use +<tscreen><verb> +cvs update -d -P +</verb></tscreen> +</enum> + +<sect>Netfilter Architecture + +<p>Netfilter is merely a series of hooks in various points in a +protocol stack (at this stage, IPv4, IPv6 and DECnet). The +(idealized) IPv4 traversal diagram looks like the following: + +<tscreen><verb> +A Packet Traversing the Netfilter System: + + --->[1]--->[ROUTE]--->[3]--->[4]---> + | ^ + | | + | [ROUTE] + v | + [2] [5] + | ^ + | | + v | +</verb></tscreen><label id="netfilter-traversal"> + +On the left is where packets come in: having passed the simple sanity +checks (i.e., not truncated, IP checksum OK, not a promiscuous receive), +they are passed to the netfilter framework's NF_IP_PRE_ROUTING [1] hook. + +<p> +Next they enter the routing code, which decides whether the packet is +destined for another interface, or a local process. The routing code +may drop packets that are unroutable. + +<p> +If it's destined for the box itself, the netfilter framework is called +again for the NF_IP_LOCAL_IN [2] hook, before being passed to the +process (if any). + +<p> +If it's destined to pass to another interface instead, the netfilter +framework is called for the NF_IP_FORWARD [3] hook. + +<p> +The packet then passes a final netfilter hook, the NF_IP_POST_ROUTING +[4] hook, before being put on the wire again. + +<p> +The NF_IP_LOCAL_OUT [5] hook is called for packets that are created +locally. Here you can see that routing occurs after this hook is +called: in fact, the routing code is called first (to figure out the +source IP address and some IP options): if you want to alter the +routing, you must alter the `skb->dst' field yourself, as is done in +the NAT code. + +<sect1>Netfilter Base +<p> +Now we have an example of netfilter for IPv4, you can see when each +hook is activated. This is the essence of netfilter. + +<p> +Kernel modules can register to listen at any of these hooks. A module +that registers a function must specify the priority of the function +within the hook; then when that netfilter hook is called from the core +networking code, each module registered at that point is called in the +order of priorites, and is free to manipulate the packet. The +module can then tell netfilter to do one of five things: + +<enum> +<item> NF_ACCEPT: continue traversal as normal. +<item> NF_DROP: drop the packet; don't continue traversal. +<item> NF_STOLEN: I've taken over the packet; don't continue traversal. +<item> NF_QUEUE: queue the packet (usually for userspace handling). +<item> NF_REPEAT: call this hook again. +</enum> + +<p> +The other parts of netfilter (handling queued packets, cool comments) +will be covered in the kernel section later. + +<p> +Upon this foundation, we can build fairly complex packet +manipulations, as shown in the next two sections. + +<sect1>Packet Selection: IP Tables +<p> +A packet selection system called IP Tables has been built over the +netfilter framework. It is a direct descendent of ipchains (that came +from ipfwadm, that came from BSD's ipfw IIRC), with extensibility. +Kernel modules can register a new table, and ask for a packet to +traverse a given table. This packet selection method is used for +packet filtering (the `filter' table), Network Address Translation +(the `nat' table) and general pre-route packet mangling (the `mangle' +table). + +<p>The hooks that are registered with netfilter are as follows (with +the functions in each hook in the order that they are actually +called): + +<tscreen><verb> + + --->PRE------>[ROUTE]--->FWD---------->POST------> + Conntrack | Mangle ^ Mangle + Mangle | Filter | NAT (Src) + NAT (Dst) | | Conntrack + (QDisc) | [ROUTE] + v | + IN Filter OUT Conntrack + | Conntrack ^ Mangle + | Mangle | NAT (Dst) + v | Filter +</verb></tscreen> + +<sect2>Packet Filtering + +<p> +This table, `filter', should never alter packets: only filter them. + +<p> +One of the advantages of iptables filter over ipchains is that it is +small and fast, and it hooks into netfilter at the NF_IP_LOCAL_IN, +NF_IP_FORWARD and NF_IP_LOCAL_OUT points. This means that for any +given packet, there is one (and only one) possible place to filter it. +This makes things much simpler for users than ipchains was. Also, the +fact that the netfilter framework provides both the input and output +interfaces for the NF_IP_FORWARD hook means that many kinds of +filtering are far simpler. + +<p> +Note: I have ported the kernel portions of both ipchains and ipfwadm +as modules on top of netfilter, enabling the use of the old ipfwadm +and ipchains userspace tools without requiring an upgrade. + +<sect2>NAT + +<p> +This is the realm of the `nat' table, which is fed packets from two +netfilter hooks: for non-local packets, the NF_IP_PRE_ROUTING and +NF_IP_POST_ROUTING hooks are perfect for destination and source +alterations respectively. If CONFIG_IP_NF_NAT_LOCAL is defined, the +hooks NF_IP_LOCAL_OUT and NF_IP_LOCAL_IN are used for altering the +destination of local packets. + +<p> +This table is slightly different from the `filter' table, in that only +the first packet of a new connection will traverse the table: the +result of this traversal is then applied to all future packets in the +same connection. + +<sect3>Masquerading, Port Forwarding, Transparent Proxying + +<p>I divide NAT into Source NAT (where the first packet has its source +altered), and Destination NAT (the first packet has its destination +altered). + +<p>Masquerading is a special form of Source NAT: port forwarding and +transparent proxying are special forms of Destination NAT. These are +now all done using the NAT framework, rather than being independent +entities. + +<sect2>Packet Mangling + +<p>The packet mangling table (the `mangle' table) is used for actual +changing of packet information. Example applications are the TOS and +TCPMSS targets. The mangle table hooks into all five netfilter hooks. +(please note this changed with kernel 2.4.18. Previous kernels didn't +have mangle attached to all hooks) + +<sect1>Connection Tracking +<p> +Connection tracking is fundamental to NAT, but it is implemented as a +separate module; this allows an extension to the packet filtering code +to simply and cleanly use connection tracking (the `state' module). + +<sect1>Other Additions + +<p>The new flexibility provides both the opportunity to do really +funky things, but for people to write enhancements or complete +replacements that can be mixed and matched. + +<sect>Information for Programmers + +<p>I'll let you in on a secret: my pet hamster did all the coding. I +was just a channel, a `front' if you will, in my pet's grand plan. +So, don't blame me if there are bugs. Blame the cute, furry one. + +<sect1>Understanding ip_tables + +<p>iptables simply provides a named array of rules in memory (hence +the name `iptables'), and such information as where packets from each +hook should begin traversal. After a table is registered, userspace +can read and replace its contents using getsockopt() and setsockopt(). + +<p>iptables does not register with any netfilter hooks: it relies on +other modules to do that and feed it the packets as appropriate; a +module must register the netfilter hooks and ip_tables separately, and +provide the mechanism to call ip_tables when the hook is reached. + +<sect2> ip_tables Data Structures + +<p>For convenience, the same data structure is used to represent a +rule by userspace and within the kernel, although a few fields are +only used inside the kernel. + +<p>Each rule consists of the following parts: +<enum> +<item> A `struct ipt_entry'. +<item> Zero or more `struct ipt_entry_match' structures, each with a + variable amount (0 or more bytes) of data appended to it. +<item> A `struct ipt_entry_target' structure, with a variable amount + (0 or more bytes) of data appended to it. +</enum> + +The variable nature of the rule gives a huge amount of flexibility for +extensions, as we'll see, especially as each match or target can carry +an arbitrary amount of data. This does create a few traps, however: +we have to watch out for alignment. We do this by ensuring that the +`ipt_entry', `ipt_entry_match' and `ipt_entry_target' structures are +conveniently sized, and that all data is rounded up to the maximal +alignment of the machine using the IPT_ALIGN() macro. + +<p> +The `struct ipt_entry' has the following fields: +<enum> +<item> A `struct ipt_ip' part, containing the specifications for the +IP header that it is to match. + +<item> An `nf_cache' bitfield showing what parts of the packet this +rule examined. + +<item> A `target_offset' field indicating the offset from the +beginning of this rule where the ipt_entry_target structure begins. +This should always be aligned correctly (with the IPT_ALIGN macro). + +<item> A `next_offset' field indicating the total size of this rule, +including the matches and target. This should also be aligned +correctly using the IPT_ALIGN macro. + +<item> A `comefrom' field used by the kernel to track packet +traversal. + +<item> A `struct ipt_counters' field containing the packet and byte +counters for packets which matched this rule. +</enum> + +<p> +The `struct ipt_entry_match' and `struct ipt_entry_target' are very +similar, in that they contain a total (IPT_ALIGN'ed) length field +(`match_size' and `target_size' respectively) and a union holding the +name of the match or target (for userspace), and a pointer (for the +kernel). + +<p> +Because of the tricky nature of the rule data structure, some helper +routines are provided: + +<descrip> +<tag>ipt_get_target()</tag> This inline function returns a pointer to +the target of a rule. + +<tag>IPT_MATCH_ITERATE()</tag> This macro calls the given function for +every match in the given rule. The function's first argument is the +`struct ipt_match_entry', and other arguments (if any) are those +supplied to the IPT_MATCH_ITERATE() macro. The function must return +either zero for the iteration to continue, or a non-zero value to +stop. + +<tag>IPT_ENTRY_ITERATE()</tag> This function takes a pointer to an +entry, the total size of the table of entries, and a function to call. +The functions first argument is the `struct ipt_entry', and other +arguments (if any) are those supplied to the IPT_ENTRY_ITERATE() +macro. The function must return either zero for the iteration to +continue, or a non-zero value to stop. +</descrip> + +<sect2>ip_tables From Userspace + +<p>Userspace has four operations: it can read the current table, read +the info (hook positions and size of table), replace the table (and +grab the old counters), and add in new counters. + +<p>This allows any atomic operation to be simulated by userspace: this +is done by the libiptc library, which provides convenience +"add/delete/replace" semantics for programs. + +<p>Because these tables are transferred into kernel space, alignment +becomes an issue for machines which have different userspace and +kernelspace type rules (eg. Sparc64 with 32-bit userland). These +cases are handled by overriding the definition of IPT_ALIGN for these +platforms in `libiptc.h'. + +<sect2> ip_tables Use And Traversal + +<p>The kernel starts traversing at the location indicated by the +particular hook. That rule is examined, if the `struct ipt_ip' +elements match, each `struct ipt_entry_match' is checked in turn (the +match function associated with that match is called). If the match +function returns 0, iteration stops on that rule. If it sets the +`hotdrop' parameter to 1, the packet will also be immediately dropped +(this is used for some suspicious packets, such as in the tcp match +function). + +<p>If the iteration continues to the end, the counters are +incremented, the `struct ipt_entry_target' is examined: if it's a +standard target, the `verdict' field is read (negative means a packet +verdict, positive means an offset to jump to). If the answer is +positive and the offset is not that of the next rule, the `back' +variable is set, and the previous `back' value is placed in that +rule's `comefrom' field. + +<p>For non-standard targets, the target function is called: it returns +a verdict (non-standard targets can't jump, as this would break the +static loop-detection code). The verdict can be IPT_CONTINUE, to +continue on to the next rule. + +<sect1>Extending iptables + +<p>Because I'm lazy, <tt>iptables</tt> is fairly extensible. This is +basically a scam to palm off work onto other people, which is what +Open Source is all about (cf. Free Software, which as RMS would say, +is about freedom, and I was sitting in one of his talks when I wrote +this). + +<p>Extending <tt>iptables</tt> potentially involves two parts: +extending the kernel, by writing a new module, and possibly extending +the userspace program <tt>iptables</tt>, by writing a new shared +library. + +<sect2>The Kernel + +<p>Writing a kernel module itself is fairly simple, as you can see +from the examples. One thing to be aware of is that your code must be +re-entrant: there can be one packet coming in from userspace, while +another arrives on an interrupt. In fact in SMP there can be one +packet on an interrupt per CPU in 2.3.4 and above. + +<p> +The functions you need to know about are: + +<descrip> +<tag>init_module()</tag> This is the entry-point of the module. It +returns a negative error number, or 0 if it successfully registers +itself with netfilter. + +<tag>cleanup_module()</tag> This is the exit point of the module; it +should unregister itself with netfilter. + +<tag>ipt_register_match()</tag> This is used to register a new match +type. You hand it a `struct ipt_match', which is usually declared as +a static (file-scope) variable. + +<tag>ipt_register_target()</tag> This is used to register a new +type. You hand it a `struct ipt_target', which is usually declared as +a static (file-scope) variable. + +<tag>ipt_unregister_target()</tag> Used to unregister your target. + +<tag>ipt_unregister_match()</tag> Used to unregister your match. +</descrip> + +<p>One warning about doing tricky things (such as providing counters) +in the extra space in your new match or target. On SMP machines, the +entire table is duplicated using memcpy for each CPU: if you really +want to keep central information, you should see the method used in +the `limit' match. + +<sect3>New Match Functions + +<p>New match functions are usually written as a standalone module. +It's possible to have these modules extensible in turn, although it's +usually not necessary. One way would be to use the netfilter +framework's `nf_register_sockopt' function to allows users to talk to +your module directly. Another way would be to export symbols for +other modules to register themselves, the same way netfilter and +ip_tables do. + +<p>The core of your new match function is the struct ipt_match which +it passes to `ipt_register_match()'. This structure has the following +fields: + +<descrip> +<tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. + +<tag>name</tag> This field is the name of the match function, as +referred to by userspace. The name should match the name of the +module (i.e., if the name is "mac", the module must be "ipt_mac.o") for +auto-loading to work. + +<tag>match</tag> This field is a pointer to a match function, which +takes the skb, the in and out device pointers (one of which may be +NULL, depending on the hook), a pointer to the match data in the rule +that is worked on (the structure that was prepared in userspace), the +IP offset (non-zero means +a non-head fragment), a pointer to the protocol header (i.e., just +past the IP header), the length of the data (ie. the packet length +minus the IP header length) and finally a pointer to a `hotdrop' +variable. It should return non-zero if the packet matches, and can +set `hotdrop' to 1 if it returns 0, to indicate that the packet must +be dropped immediately. + +<tag>checkentry</tag> This field is a pointer to a function which +checks the specifications for a rule; if this returns 0, then the rule +will not be accepted from the user. For example, the "tcp" match type +will only accept tcp packets, and so if the `struct ipt_ip' part of +the rule does not specify that the protocol must be tcp, a zero is +returned. The tablename argument allows your match to control what +tables it can be used in, and the `hook_mask' is a bitmask of hooks +this rule may be called from: if your match does not make sense from +some netfilter hooks, you can avoid that here. + +<tag>destroy</tag> This field is a pointer to a function which is +called when an entry using this match is deleted. This allows you to +dynamically allocate resources in checkentry and clean them up here. + +<tag>me</tag> This field is set to `THIS_MODULE', which gives a +pointer to your module. It causes the usage-count to go up and down +as rules of that type are created and destroyed. This prevents a user +removing the module (and hence cleanup_module() being called) if a +rule refers to it. +</descrip> + +<sect3>New Targets + +<p>If your target alters the packet (ie. the headers or the body), it +must call skb_unshare() to copy the packet in case it is cloned: +otherwise any raw sockets which have a clone of the skbuff will see +the alterations (ie. people will see wierd stuff happening in +tcpdump). + +<p>New targets are also usually written as a standalone module. The +discussions under the above section on `New Match Functions' apply +equally here. + +<p>The core of your new target is the struct ipt_target that it +passes to ipt_register_target(). This structure has the following +fields: + + <descrip> + <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. + + <tag>name</tag> This field is the name of the target function, as + referred to by userspace. The name should match the name of the + module (i.e., if the name is "REJECT", the module must be + "ipt_REJECT.o") for auto-loading to work. + + <tag>target</tag> This is a pointer to the target function, which + takes the skbuff, the hook number, the input and output device + pointers (either of which may be NULL), a pointer to the target data, + and the position of the rule in the table. The target function may + return either IPT_CONTINUE (-1) if traversing should continue, or a + netfilter verdict (NF_DROP, NF_ACCEPT, NF_STOLEN etc.). + + <tag>checkentry</tag> This field is a pointer to a function which + checks the specifications for a rule; if this returns 0, then the + rule will not be accepted from the user. + + <tag>destroy</tag> This field is a pointer to a function which is + called when an entry using this target is deleted. This allows you + to dynamically allocate resources in checkentry and clean them up + here. + + <tag>me</tag> This field is set to `THIS_MODULE', which gives a + pointer to your module. It causes the usage-count to go up and down + as rules with this as a target are created and destroyed. This + prevents a user removing the module (and hence cleanup_module() being + called) if a rule refers to it. + </descrip> + +<sect3>New Tables + +<p>You can create a new table for your specific purpose if you wish. +To do this, you call `ipt_register_table()', with a `struct +ipt_table', which has the following fields: + + <descrip> + <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. + + <tag>name</tag> This field is the name of the table function, as + referred to by userspace. The name should match the name of the + module (i.e., if the name is "nat", the module must be + "iptable_nat.o") for auto-loading to work. + + <tag>table</tag> This is a fully-populated `struct ipt_replace', as + used by userspace to replace a table. The `counters' pointer should + be set to NULL. This data structure can be declared `__initdata' so + it is discarded after boot. + + <tag>valid_hooks</tag> This is a bitmask of the IPv4 netfilter hooks + you will enter the table with: this is used to check that those entry + points are valid, and to calculate the possible hooks for ipt_match + and ipt_target `checkentry()' functions. + + <tag>lock</tag> This is the read-write spinlock for the entire table; + initialize it to RW_LOCK_UNLOCKED. + + <tag>private</tag> This is used internally by the ip_tables code. + </descrip> + +<sect2>Userspace Tool + +<p>Now you've written your nice shiny kernel module, you may want to +control the options on it from userspace. Rather than have a branched +version of <tt>iptables</tt> for each extension, I use the very latest +90's technology: furbies. Sorry, I mean shared libraries. + +<p>New tables generally don't require any extension to +<tt>iptables</tt>: the user just uses the `-t' option to make it use +the new table. + +<p>The shared library should have an `_init()' function, which will +automatically be called upon loading: the moral equivalent of the +kernel module's `init_module()' function. This should call +`register_match()' or `register_target()', depending on whether your +shared library provides a new match or a new target. + +<p>You need to provide a shared library: this can be used to +initialize part of the structure, or provide additional options. I +now insist on a shared library even if it doesn't do anything, to +reduce problem reports where the shares libraries are missing. + +<p>There are useful functions described in the `iptables.h' header, +especially: +<descrip> +<tag>check_inverse()</tag> checks if an argument is actually a `!', +and if so, sets the `invert' flag if not already set. If it returns +true, you should increment optind, as done in the examples. + +<tag>string_to_number()</tag> converts a string into a number in the +given range, returning -1 if it is malformed or out of range. +`string_to_number' rely on `strtol' (see the manpage), meaning +that a leading "0x" would make the number be in Hexadecimal base, a leading +"0" would make it be in Octal base. + +<tag>exit_error()</tag> should be called if an error is found. +Usually the first argument is `PARAMETER_PROBLEM', meaning the user +didn't use the command line correctly. +</descrip> + +<sect3>New Match Functions + +<p>Your shared library's _init() function hands `register_match()' a +pointer to a static `struct iptables_match', which has the following +fields: + +<descrip> +<tag>next</tag> This pointer is used to make a linked list of matches +(such as used for listing rules). It should be set to NULL initially. + +<tag>name</tag> The name of the match function. This should match the +library name (eg "tcp" for `libipt_tcp.so'). + +<tag>version</tag> Usually set to the IPTABLES_VERSION macro: this is +used to ensure that the <tt>iptables</tt> binary doesn't pick up the +wrong shared libraries by mistake. + +<tag>size</tag> The size of the match data for this match; you should +use the IPT_ALIGN() macro to ensure it is correctly aligned. + +<tag>userspacesize</tag> For some matches, the kernel changes some +fields internally (the `limit' target is a case of this). This means +that a simple `memcmp()' is insufficient to compare two rules +(required for delete-matching-rule functionality). If this is the +case, place all the fields which do not change at the start of the +structure, and put the size of the unchanging fields here. Usually, +however, this will be identical to the `size' field. + +<tag>help</tag> A function which prints out the option synopsis. + +<tag>init</tag> This can be used to initialize the extra space (if +any) in the ipt_entry_match structure, and set any nfcache bits; if +you are examining something not expressible using the contents of +`linux/include/netfilter_ipv4.h', then simply OR in the NFC_UNKNOWN +bit. It will be called before `parse()'. + +<tag>parse</tag> This is called when an unrecognized option is seen on +the command line: it should return non-zero if the option was indeed +for your library. `invert' is true if a `!' has already been seen. +The `flags' pointer is for the exclusive use of your match library, +and is usually used to store a bitmask of options which have been +specified. Make sure you adjust the nfcache field. You may extend +the size of the `ipt_entry_match' structure by reallocating if +necessary, but then you must ensure that the size is passed through +the IPT_ALIGN macro. + +<tag>final_check</tag> This is called after the command line has been +parsed, and is handed the `flags' integer reserved for your library. +This gives you a chance to check that any compulsory options have been +specified, for example: call `exit_error()' if this is the case. + +<tag>print</tag> This is used by the chain listing code to print (to +standard output) the extra match information (if any) for a rule. The +numeric flag is set if the user specified the `-n' flag. + +<tag>save</tag> This is the reverse of parse: it is used by +`iptables-save' to reproduce the options which created the rule. + +<tag>extra_opts</tag> This is a NULL-terminated list of extra options +which your library offers. This is merged with the current options +and handed to getopt_long; see the man page for details. The return +code for getopt_long becomes the first argument (`c') to your +`parse()' function. +</descrip> + +There are extra elements at the end of this structure for use +internally by <tt>iptables</tt>: you don't need to set them. + +<sect3>New Targets + +<p>Your shared library's _init() function hands `register_target()' it +a pointer to a static `struct iptables_target', which has similar +fields to the iptables_match structure detailed above. + +<sect2>Using `libiptc' + +<p><tt>libiptc</tt> is the iptables control library, designed for +listing and manipulating rules in the iptables kernel module. While +its current use is for the iptables program, it makes writing other +tools fairly easy. You need to be root to use these functions. + +<p>The kernel tables themselves are simply a table of rules, and a set +of numbers representing entry points. Chain names ("INPUT", etc) are +provided as an abstraction by the library. User defined chains are +labelled by inserting an error node before the head of the +user-defined chain, which contains the chain name in the extra data +section of the target (the builtin chain positions are defined by the +three table entry points). + +<p>The following standard targets are supported: ACCEPT, DROP, QUEUE +(which are translated to NF_ACCEPT, NF_DROP, and NF_QUEUE, +respectively), RETURN (which is translated to a special IPT_RETURN +value handled by ip_tables), and JUMP (which is translated from the +chain name to an actual offset within the table). + +<p>When `iptc_init()' is called, the table, including the counters, is +read. This table is manipulated by the `iptc_insert_entry()', +`iptc_replace_entry()', `iptc_append_entry()', `iptc_delete_entry()', +`iptc_delete_num_entry()', `iptc_flush_entries()', +`iptc_zero_entries()', `iptc_create_chain()' `iptc_delete_chain()', +and `iptc_set_policy()' functions. + +<p>The table changes are not written back until the `iptc_commit()' +function is called. This means it is possible for two library users +operating on the same chain to race each other; locking would be +required to prevent this, and it is not currently done. + +<p>There is no race with counters, however; counters are added back in +to the kernel in such a way that counter increments between the +reading and writing of the table still show up in the new table. + +<p>There are various helper functions: + +<descrip> +<tag>iptc_first_chain()</tag> This function returns the first chain +name in the table. + +<tag>iptc_next_chain()</tag> This function returns the next chain name +in the table: NULL means no more chains. + +<tag>iptc_builtin()</tag> Returns true if the given chain name is the +name of a builtin chain. + +<tag>iptc_first_rule()</tag> This returns a pointer to the first rule +in the given chain name: NULL for an empty chain. + +<tag>iptc_next_rule()</tag> This returns a pointer to the next rule in +the chain: NULL means the end of the chain. + +<tag>iptc_get_target()</tag> This gets the target of the given rule. If +it's an extended target, the name of that target is returned. If it's +a jump to another chain, the name of that chain is returned. If it's +a verdict (eg. DROP), that name is returned. If it has no target (an +accounting-style rule), then the empty string is returned. + +<p>Note that this function should be used instead of using the value +of the `verdict' field of the ipt_entry structure directly, as it +offers the above further interpretations of the standard verdict. + +<tag>iptc_get_policy()</tag> This gets the policy of a builtin chain, +and fills in the `counters' argument with the hit statistics on that +policy. + +<tag>iptc_strerror()</tag> This function returns a more meaningful +explanation of a failure code in the iptc library. If a function +fails, it will always set errno: this value can be passed to +iptc_strerror() to yield an error message. +</descrip> + +<sect1>Understanding NAT + +<p>Welcome to Network Address Translation in the kernel. Note that +the infrastructure offered is designed more for completeness than raw +efficiency, and that future tweaks may increase the efficiency +markedly. For the moment I'm happy that it works at all. + +<p>NAT is separated into connection tracking (which doesn't manipulate +packets at all), and the NAT code itself. Connection tracking is also +designed to be used by an iptables modules, so it makes subtle +distinctions in states which NAT doesn't care about. + +<sect2>Connection Tracking + +<p>Connection tracking hooks into high-priority NF_IP_LOCAL_OUT and +NF_IP_PRE_ROUTING hooks, in order to see packets before they enter the +system. + +<p>The nfct field in the skb is a pointer to inside the struct +ip_conntrack, at one of the infos[] array. Hence we can tell the +state of the skb by which element in this array it is pointing to: +this pointer encodes both the state structure and the relationship of +this skb to that state. + +<p>The best way to extract the `nfct' field is to call +`ip_conntrack_get()', which returns NULL if it's not set, or the +connection pointer, and fills in ctinfo which describes the +relationship of the packet to that connection. This enumerated type +has several values: + +<descrip> + +<tag>IP_CT_ESTABLISHED</tag> The packet is part of an established +connection, in the original direction. + +<tag>IP_CT_RELATED</tag> The packet is related to the connection, and +is passing in the original direction. + +<tag>IP_CT_NEW</tag> The packet is trying to create a new connection +(obviously, it is in the original direction). + +<tag>IP_CT_ESTABLISHED + IP_CT_IS_REPLY</tag> The packet is part of an +established connection, in the reply direction. + +<tag>IP_CT_RELATED + IP_CT_IS_REPLY</tag> The packet is related to the +connection, and is passing in the reply direction. +</descrip> + +Hence a reply packet can be identified by testing for >= +IP_CT_IS_REPLY. + +<sect1>Extending Connection Tracking/NAT + +<p>These frameworks are designed to accommodate any number of protocols +and different mapping types. Some of these mapping types might be +quite specific, such as a load-balancing/fail-over mapping type. + +<p>Internally, connection tracking converts a packet to a "tuple", +representing the interesting parts of the packet, before searching for +bindings or rules which match it. This tuple has a manipulatable +part, and a non-manipulatable part; called "src" and "dst", as this is +the view for the first packet in the Source NAT world (it'd be a reply +packet in the Destination NAT world). The tuple for every packet in +the same packet stream in that direction is the same. + +<p>For example, a TCP packet's tuple contains the manipulatable part: +source IP and source port, the non-manipulatable part: destination IP +and the destination port. The manipulatable and non-manipulatable +parts do not need to be the same type though; for example, an ICMP +packet's tuple contains the manipulatable part: source IP and the ICMP +id, and the non-manipulatable part: the destination IP and the ICMP +type and code. + +<p>Every tuple has an inverse, which is the tuple of the reply packets +in the stream. For example, the inverse of an ICMP ping packet, icmp +id 12345, from 192.168.1.1 to 1.2.3.4, is a ping-reply packet, icmp id +12345, from 1.2.3.4 to 192.168.1.1. + +<p>These tuples, represented by the `struct ip_conntrack_tuple', are used +widely. In fact, together with the hook the packet came in on (which +has an effect on the type of manipulation expected), and the device +involved, this is the complete information on the packet. + +<p>Most tuples are contained within a `struct +ip_conntrack_tuple_hash', which adds a doubly linked list entry, and a +pointer to the connection that the tuple belongs to. + +<p>A connection is represented by the `struct ip_conntrack': it has +two `struct ip_conntrack_tuple_hash' fields: one referring to the +direction of the original packet (tuplehash[IP_CT_DIR_ORIGINAL]), and +one referring to packets in the reply direction +(tuplehash[IP_CT_DIR_REPLY]). + +<p>Anyway, the first thing the NAT code does is to see if the +connection tracking code managed to extract a tuple and find an +existing connection, by looking at the skbuff's nfct field; this tells +us if it's an attempt on a new connection, or if not, which direction +it is in; in the latter case, then the manipulations determined +previously for that connection are done. + +<p>If it was the start of a new connection, we look for a rule for that +tuple, using the standard iptables traversal mechanism, on the `nat' +table. If a rule matches, it is used to initialize the manipulations +for both that direction and the reply; the connection-tracking code is +told that the reply it should expect has changed. Then, it's +manipulated as above. + +<p>If there is no rule, a `null' binding is created: this usually does +not map the packet, but exists to ensure we don't map another stream +over an existing one. Sometimes, the null binding cannot be created, +because we have already mapped an existing stream over it, in which +case the per-protocol manipulation may try to remap it, even though +it's nominally a `null' binding. + +<sect2>Standard NAT Targets + +<p>NAT targets are like any other iptables target extensions, except +they insist on being used only in the `nat' table. Both the SNAT and +DNAT targets take a `struct ip_nat_multi_range' as their extra data; +this is used to specify the range of addresses a mapping is allowed to +bind into. A range element, `struct ip_nat_range' consists of an +inclusive minimum and maximum IP address, and an inclusive maximum and +minimum protocol-specific value (eg. TCP ports). There is also room +for flags, which say whether the IP address can be mapped (sometimes +we only want to map the protocol-specific part of a tuple, not the +IP), and another to say that the protocol-specific part of the range +is valid. + +<p>A multi-range is an array of these `struct ip_nat_range' elements; +this means that a range could be "1.1.1.1-1.1.1.2 ports 50-55 AND +1.1.1.3 port 80". Each range element adds to the range (a union, for +those who like set theory). + +<sect2>New Protocols + +<sect3> Inside The Kernel + +<p>Implementing a new protocol first means deciding what the +manipulatable and non-manipulatable parts of the tuple should be. +Everything in the tuple has the property that it identifies the stream +uniquely. The manipulatable part of the tuple is the part you can do +NAT with: for TCP this is the source port, for ICMP it's the icmp ID; +something to use as a "stream identifier". The non-manipulatable part +is the rest of the packet that uniquely identifies the stream, but we +can't play with (eg. TCP destination port, ICMP type). + +<p>Once you've decided this, you can write an extension to the +connection-tracking code in the directory, and go about populating the +`ip_conntrack_protocol' structure which you need to pass to +`ip_conntrack_register_protocol()'. + +<p>The fields of `struct ip_conntrack_protocol' are: + +<descrip> +<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list. + +<tag>proto</tag> Your protocol number; see `/etc/protocols'. + +<tag>name</tag> The name of your protocol. This is the name the user +will see; it's usually best if it's the canonical name in +`/etc/protocols'. + +<tag>pkt_to_tuple</tag> The function which fills out the protocol +specific parts of the tuple, given the packet. The `datah' pointer +points to the start of your header (just past the IP header), and the +datalen is the length of the packet. If the packet isn't long enough +to contain the header information, return 0; datalen will always be +at least 8 bytes though (enforced by framework). + +<tag>invert_tuple</tag> This function is simply used to change the +protocol-specific part of the tuple into the way a reply to that +packet would look. + +<tag>print_tuple</tag> This function is used to print out the +protocol-specific part of a tuple; usually it's sprintf()'d into the +buffer provided. The number of buffer characters used is returned. +This is used to print the states for the /proc entry. + +<tag>print_conntrack</tag> This function is used to print the private +part of the conntrack structure, if any, also used for printing the +states in /proc. + +<tag>packet</tag> This function is called when a packet is seen which +is part of an established connection. You get a pointer to the +conntrack structure, the IP header, the length, and the ctinfo. You +return a verdict for the packet (usually NF_ACCEPT), or -1 if the +packet is not a valid part of the connection. You can delete the +connection inside this function if you wish, but you must use the +following idiom to avoid races (see ip_conntrack_proto_icmp.c): + +<tscreen><verb> +if (del_timer(&ct->timeout)) + ct->timeout.function((unsigned long)ct); +</verb></tscreen> + +<tag>new</tag> This function is called when a packet creates a +connection for the first time; there is no ctinfo arg, since the first +packet is of ctinfo IP_CT_NEW by definition. It returns 0 to fail to +create the connection, or a connection timeout in jiffies. +</descrip> + +Once you've written and tested that you can track your new protocol, +it's time to teach NAT how to translate it. This means writing a new +module; an extension to the NAT code and go about populating the +`ip_nat_protocol' structure which you need to pass to +`ip_nat_protocol_register()'. + +<descrip> +<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list. + +<tag>name</tag> The name of your protocol. This is the name the user +will see; it's best if it's the canonical name in `/etc/protocols' for +userspace auto-loading, as we'll see later. + +<tag>protonum</tag> Your protocol number; see `/etc/protocols'. + +<tag>manip_pkt</tag> This is the other half of connection tracking's +pkt_to_tuple function: you can think of it as "tuple_to_pkt". There +are some differences though: you get a pointer to the start of the IP +header, and the total packet length. This is because some protocols +(UDP, TCP) need to know the IP header. You're given the +ip_nat_tuple_manip field from the tuple (i.e., the "src" field), rather +than the entire tuple, and the type of manipulation you are to +perform. + +<tag>in_range</tag> This function is used to tell if manipulatable +part of the given tuple is in the given range. This function is a bit +tricky: we're given the manipulation type which has been applied to +the tuple, which tells us how to interpret the range (is it a source +range or a destination range we're aiming for?). + +<p>This function is used to check if an existing mapping puts us in +the right range, and also to check if no manipulation is necessary at +all. + +<tag>unique_tuple</tag> This function is the core of NAT: given a +tuple and a range, we're to alter the per-protocol part of the tuple +to place it within the range, and make it unique. If we can't find an +unused tuple in the range, return 0. We also get a pointer to the +conntrack structure, which is required for ip_nat_used_tuple(). + +<p>The usual approach is to simply iterate the per-protocol part of +the tuple through the range, checking `ip_nat_used_tuple()' on it, +until one returns false. + +<p>Note that the null-mapping case has already been checked: it's +either outside the range given, or already taken. + +<p>If IP_NAT_RANGE_PROTO_SPECIFIED isn't set, it means that the user +is doing NAT, not NAPT: do something sensible with the range. If no +mapping is desirable (for example, within TCP, a destination mapping +should not change the TCP port unless ordered to), return 0. + +<tag>print</tag> Given a character buffer, a match tuple and a mask, +write out the per-protocol parts and return the length of the buffer +used. + +<tag>print_range</tag> Given a character buffer and a range, write out +the per-protocol part of the range, and return the length of the +buffer used. This won't be called if the IP_NAT_RANGE_PROTO_SPECIFIED +flag wasn't set for the range. +</descrip> + +<sect2>New NAT Targets + +<p>This is the really interesting part. You can write new NAT targets +which provide a new mapping type: two extra targets are provided in +the default package: MASQUERADE and REDIRECT. These are fairly simple +to illustrate the potential and power of writing a new NAT target. + +<p>These are written just like any other iptables targets, but +internally they will extract the connection and call +`ip_nat_setup_info()'. + +<sect2>Protocol Helpers + +<p>Protocol helpers for connection tracking allow the connection +tracking code to understand protocols which use multiple network +connections (eg. FTP) and mark the `child' connections as being +related to the initial connection, usually by reading the related +address out of the data stream. + +<p>Protocol helpers for NAT do two things: firstly allow the NAT code +to manipulate the data stream to change the address contained within +it, and secondly to perform NAT on the related connection when it +comes in, based on the original connection. + +<sect2>Connection Tracking Helper Modules + +<sect3>Description +<p> +The duty of a connection tracking module is to specify which packets +belong to an already established connection. The module has the +following means to do that: + +<itemize> +<item>Tell netfilter which packets our module is interested in (most +helpers operate on a particular port). + +<item>Register a function with netfilter. This function is called for +every packet which matches the criteria above. + +<item>An `ip_conntrack_expect_related()' function which can be called +from there to tell netfilter to expect related connections.</item> +</itemize> + +<p> +If there is some additional work to be done at the time the first packet +of the expected connection arrives, the module can register a callback +function which is called at that time. + +<sect3>Structures and Functions Available + +<p>Your kernel module's init function has to call +`ip_conntrack_helper_register()' with a pointer to a +`struct ip_conntrack_helper'. This struct has the following fields: + +<descrip> +<tag>list</tag>This is the header for the linked list. Netfilter +handles this list internally. Just initialize it with `{ NULL, NULL }'. + +<tag>name</tag>This is a pointer to a string constant specifying the +name of the protocol. ("ftp", "irc", ...) + +<tag>flags</tag>A set of flags with one or more out of the following flgs: +<itemize> +<item>IP_CT_HELPER_F_REUSE_EXPECT : Reuse expectations if the limit (see +`max_expected` below) is reached.</item> +</itemize> + +<tag>me</tag>A pointer to the module structure of the helper. Intitialize this with the `THIS_MODULE' macro. + +<tag>max_expected</tag>Maximum number of unconfirmed (outstanding) expectations. + +<tag>timeout</tag>Timeout (in seconds) for each unconfirmed expectation. An expectation is deleted `timeout' seconds after the expectation was issued with the `ip_conntrack_expect_related()' function. + +<tag>tuple</tag>This is a `struct ip_conntrack_tuple' which specifies +the packets our conntrack helper module is interested in. + +<tag>mask</tag>Again a `struct ip_conntrack_tuple'. This mask +specifies which bits of <tt>tuple</tt> are valid. + +<tag>help</tag>The function which netfilter should call for each +packet matching tuple+mask +</descrip> + +<sect3>Example skeleton of a conntrack helper module +<p> +<tscreen><code> +#define FOO_PORT 111 + +static int foo_expectfn(struct ip_conntrack *new) +{ + /* called when the first packet of an expected + connection arrives */ + + return 0; +} + +static int foo_help(const struct iphdr *iph, size_t len, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo) +{ + /* analyze the data passed on this connection and + decide how related packets will look like */ + + /* update per master-connection private data + (session state, ...) */ + ct->help.ct_foo_info = ... + + if (there_will_be_new_packets_related_to_this_connection) + { + struct ip_conntrack_expect exp; + + memset(&exp, 0, sizeof(exp)); + exp.t = tuple_specifying_related_packets; + exp.mask = mask_for_above_tuple; + exp.expectfn = foo_expectfn; + exp.seq = tcp_sequence_number_of_expectation_cause; + + /* per slave-connection private data */ + exp.help.exp_foo_info = ... + + ip_conntrack_expect_related(ct, &exp); + } + return NF_ACCEPT; +} + +static struct ip_conntrack_helper foo; + +static int __init init(void) +{ + memset(&foo, 0, sizeof(struct ip_conntrack_helper); + + foo.name = "foo"; + foo.flags = IP_CT_HELPER_F_REUSE_EXPECT; + foo.me = THIS_MODULE; + foo.max_expected = 1; /* one expectation at a time */ + foo.timeout = 0; /* expectation never expires */ + + /* we are interested in all TCP packets with destport 111 */ + foo.tuple.dst.protonum = IPPROTO_TCP; + foo.tuple.dst.u.tcp.port = htons(FOO_PORT); + foo.mask.dst.protonum = 0xFFFF; + foo.mask.dst.u.tcp.port = 0xFFFF; + foo.help = foo_help; + + return ip_conntrack_helper_register(&foo); +} + +static void __exit fini(void) +{ + ip_conntrack_helper_unregister(&foo); +} +</code></tscreen> + + +<sect2>NAT helper modules + +<sect3>Description +<p> +NAT helper modules do some application specific NAT handling. Usually +this includes on-the-fly manipulation of data: think about the PORT +command in FTP, where the client tells the server which IP/port to +connect to. Therefor an FTP helper module must replace the IP/port +after the PORT command in the FTP control connection. + +<p> +If we are dealing with TCP, things get slightly more complicated. The +reason is a possible change of the packet size (FTP example: the +length of the string representing an IP/port tuple after the PORT +command has changed). If we change the packet size, we have a syn/ack +difference between left and right side of the NAT box. (i.e. if we had +extended one packet by 4 octets, we have to add this offset to the TCP +sequence number of each following packet). + +<p> +Special NAT handling of all related packets is required, too. Take as +example again FTP, where all incoming packets of the DATA connection +have to be NATed to the IP/port given by the client with the PORT +command on the control connection, rather than going through the +normal table lookup. + +<itemize> +<item>callback for the packet causing the related connection (foo_help) +<item>callback for all related packets (foo_nat_expected) +</itemize> + +<sect3>Structures and Functions Available + +<p>Your nat helper module's `init()' function calls +`ip_nat_helper_register()' with a pointer to a `struct +ip_nat_helper'. This struct has the following members: + +<descrip> +<tag>list</tag>Just again the list header for netfilters internal use. +Initialize this with { NULL, NULL }. + +<tag>name</tag>A pointer to a string constant with the protocol's name + +<tag>flags</tag>A set out of zero, one or more of the following flags: +<itemize> +<item>IP_NAT_HELPER_F_ALWAYS : Call the NAT helper for every packet, +not only for packets where conntrack has detected an expectation-cause.</item> +<item>IP_NAT_HELPER_F_STANDALONE : Tell the NAT core that this protocol +doesn't have a conntrack helper, only a NAT helper.</item> +</itemize> + +<tag>me</tag>A pointer to the module structure of the helper. Initialize +this using the `THIS_MODULE' macro. + +<tag>tuple</tag>a `struct ip_conntrack_tuple' describing which packets +our NAT helper is interested in. + +<tag>mask</tag>a `struct ip_conntrack_tuple', telling netfilter which +bits of <tt>tuple</tt> are valid. + +<tag>help</tag>The help function which is called for each packet +matching tuple+mask. + +<tag>expect</tag>The expect function which is called for every first +packet of an expected connection. + +</descrip> + +This is very similar to writing a connection tracking helper. + +<sect3>Example NAT helper module +<p> +<tscreen><code> +#define FOO_PORT 111 + +static int foo_nat_expected(struct sk_buff **pksb, + unsigned int hooknum, + struct ip_conntrack *ct, + struct ip_nat_info *info) +/* called whenever the first packet of a related connection arrives. + params: pksb packet buffer + hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING) + ct information about this (the related) connection + info &ct->nat.info + return value: Verdict (NF_ACCEPT, ...) +{ + /* Change ip/port of the packet to the masqueraded + values (read from master->tuplehash), to map it the same way, + call ip_nat_setup_info, return NF_ACCEPT. */ + +} + +static int foo_help(struct ip_conntrack *ct, + struct ip_conntrack_expect *exp, + struct ip_nat_info *info, + enum ip_conntrack_info ctinfo, + unsigned int hooknum, + struct sk_buff **pksb) +/* called for every packet where conntrack detected an expectation-cause + params: ct struct ip_conntrack of the master connection + exp struct ip_conntrack_expect of the expectation + caused by the conntrack helper for this protocol + info (STATE: related, new, established, ... ) + hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING) + pksb packet buffer +*/ +{ + + /* extract information about future related packets (you can + share information with the connection tracking's foo_help). + Exchange address/port with masqueraded values, insert tuple + about related packets */ +} + +static struct ip_nat_helper hlpr; + +static int __init(void) +{ + int ret; + + memset(&hlpr, 0, sizeof(struct ip_nat_helper)); + hlpr.list = { NULL, NULL }; + hlpr.tuple.dst.protonum = IPPROTO_TCP; + hlpr.tuple.dst.u.tcp.port = htons(FOO_PORT); + hlpr.mask.dst.protonum = 0xFFFF; + hlpr.mask.dst.u.tcp.port = 0xFFFF; + hlpr.help = foo_help; + hlpr.expect = foo_nat_expect; + + ret = ip_nat_helper_register(hlpr); + + return ret; +} + +static void __exit(void) +{ + ip_nat_helper_unregister(&hlpr); +} +</code></tscreen> + +<sect1>Understanding Netfilter + +<p>Netfilter is pretty simple, and is described fairly thoroughly in +the previous sections. However, sometimes it's necessary to go +beyond what the NAT or ip_tables infrastructure offers, or you may +want to replace them entirely. + +<p>One important issue for netfilter (well, in the future) is caching. +Each skb has an `nfcache' field: a bitmask of what fields in the +header were examined, and whether the packet was altered or not. The +idea is that each hook off netfilter OR's in the bits relevant to it, +so that we can later write a cache system which will be clever enough +to realize when packets do not need to be passed through netfilter at +all. + +<p>The most important bits are NFC_ALTERED, meaning the packet was +altered (this is already used for IPv4's NF_IP_LOCAL_OUT hook, to +reroute altered packets), and NFC_UNKNOWN, which means caching should +not be done because some property which cannot be expressed was +examined. If in doubt, simply set the NFC_UNKNOWN flag on the skb's +nfcache field inside your hook. + +<sect1>Writing New Netfilter Modules + +<sect2> Plugging Into Netfilter Hooks + +<p> To receive/mangle packets inside the kernel, you can simply write +a module which registers a "netfilter hook". This is basically an +expression of interest at some given point; the actual points are +protocol-specific, and defined in protocol-specific netfilter headers, +such as "netfilter_ipv4.h". + +<p> To register and unregister netfilter hooks, you use the functions +`nf_register_hook' and `nf_unregister_hook'. These each take a +pointer to a `struct nf_hook_ops', which you populate as follows: + +<descrip> +<tag>list</tag> Used to sew you into the linked list: set to '{ NULL, +NULL }' + +<tag>hook</tag> The function which is called when a packet hits this +hook point. Your function must return NF_ACCEPT, NF_DROP or NF_QUEUE. +If NF_ACCEPT, the next hook attached to that point will be called. If +NF_DROP, the packet is dropped. If NF_QUEUE, it's queued. You +receive a pointer to an skb pointer, so you can entirely replace the +skb if you wish. + +<tag>flush</tag> Currently unused: designed to pass on packet hits +when the cache is flushed. May never be implemented: set it to NULL. + +<tag>pf</tag> The protocol family, eg, `PF_INET' for IPv4. + +<tag>hooknum</tag> The number of the hook you are interested in, eg +`NF_IP_LOCAL_OUT'. +</descrip> + +<sect2> Processing Queued Packets + +<p>This interface is currently used by ip_queue; you can register to +handle queued packets for a given protocol. This has similar semantics +to registering for a hook, except you can block processing the packet, +and you only see packets for which a hook has replied `NF_QUEUE'. + +<p>The two functions used to register interest in queued packets are +`nf_register_queue_handler()' and `nf_unregister_queue_handler()'. The +function you register will be called with the `void *' pointer you +handed it to `nf_register_queue_handler()'. + +<p> +If no-one is registered to handle a protocol, then returning NF_QUEUE +is equivalent to returning NF_DROP. + +<p> +Once you have registered interest in queued packets, they begin +queueing. You can do whatever you want with them, but you must call +`nf_reinject()' when you are finished with them (don't simply +kfree_skb() them). When you reinject an skb, you hand it the skb, the +`struct nf_info' which your queue handler was given, and a verdict: +NF_DROP causes them to be dropped, NF_ACCEPT causes them to continue +to iterate through the hooks, NF_QUEUE causes them to be queued again, +and NF_REPEAT causes the hook which queued the packet to be consulted +again (beware infinite loops). + +<p>You can look inside the `struct nf_info' to get auxiliary +information about the packet, such as the interfaces and hook it was +on. + +<sect2> Receiving Commands From Userspace + +<p>It is common for netfilter components to want to interact with +userspace. The method for doing this is by using the setsockopt +mechanism. Note that each protocol must be modified to call +nf_setsockopt() for setsockopt numbers it doesn't understand (and +nf_getsockopt() for getsockopt numbers), and so far only IPv4, IPv6 +and DECnet have been modified. + +<p>Using a now-familiar technique, we register a `struct +nf_sockopt_ops' using the nf_register_sockopt() call. The fields of +this structure are as follows: + +<descrip> +<tag>list</tag> Used to sew it into the linked list: set to '{ NULL, +NULL }'. + +<tag>pf</tag> The protocol family you handle, eg. PF_INET. + +<tag>set_optmin</tag> and +<tag>set_optmax</tag> + +These specify the (exclusive) range of setsockopt numbers handled. +Hence using 0 and 0 means you have no setsockopt numbers. + +<tag>set</tag> This is the function called when the user calls one of +your setsockopts. You should check that they have NET_ADMIN +capability within this function. + +<tag>get_optmin</tag> and +<tag>get_optmax</tag> + +These specify the (exclusive) range of getsockopt numbers handled. +Hence using 0 and 0 means you have no getsockopt numbers. + +<tag>get</tag> This is the function called when the user calls one of +your getsockopts. You should check that they have NET_ADMIN +capability within this function. +</descrip> + +<p>The final two fields are used internally. + +<sect1>Packet Handling in Userspace + +<p>Using the libipq library and the `ip_queue' module, almost anything +which can be done inside the kernel can now be done in userspace. +This means that, with some speed penalty, you can develop your code +entirely in userspace. Unless you are trying to filter large +bandwidths, you should find this approach superior to in-kernel packet +mangling. + +<p>In the very early days of netfilter, I proved this by porting an +embryonic version of iptables to userspace. Netfilter opens the doors +for more people to write their own, fairly efficient netmangling +modules, in whatever language they want. + +<sect>Translating 2.0 and 2.2 Packet Filter Modules + +<p>Look at the ip_fw_compat.c file for a simple layer which should +make porting quite simple. + +<sect>Netfilter Hooks for Tunnel Writers + +<p>Authors of tunnel (or encapsulation) drivers should follow two +simple rules for the 2.4 kernel (as do the drivers inside the kernel, +like net/ipv4/ipip.c): + +<itemize> +<item> +Release skb->nfct if you're going to make the packet unrecognisable +(ie. decapsulating/encapsulating). You don't need to do this if you +unwrap it into a *new* skb, but if you're going to do it in place, you +must do this. + +<p>Otherwise: the NAT code will use the old connection tracking +information to mangle the packet, with bad consequences. + +<item>Make sure the encapsulated packets go through the LOCAL_OUT +hook, and decapsulated packets go through the PRE_ROUTING hook (most +tunnels use ip_rcv(), which does this for you). + +<p>Otherwise: the user will not be able to filter as they expect to with +tunnels. +</itemize> + +<p>The canonical way to do the first is to insert code like the +following before you wrap or unwrap the packet: + +<tscreen><verb> + /* Tell the netfilter framework that this packet is not the + same as the one before! */ +#ifdef CONFIG_NETFILTER + nf_conntrack_put(skb->nfct); + skb->nfct = NULL; +#ifdef CONFIG_NETFILTER_DEBUG + skb->nf_debug = 0; +#endif +#endif +</verb></tscreen> + +<p>Usually, all you need to do for the second, is to find where the +newly encapsulated packet goes into "ip_send()", and replace it with +something like: + +<tscreen><verb> + /* Send "new" packet from local host */ + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, ip_send); +</verb></tscreen> + +<p> Following these rules means that the person setting up the packet +filtering rules on the tunnel box will see something like the +following sequence for a packet being tunnelled: + +<enum> +<item> FORWARD hook: normal packet (from eth0 -> tunl0) +<item> LOCAL_OUT hook: encapsulated packet (to eth1). +</enum> + +And for the reply packet: +<enum> +<item> LOCAL_IN hook: encapsulated reply packet (from eth1) +<item> FORWARD hook: reply packet (from eth1 -> eth0). +</enum> + +<sect>The Test Suite + +<p>Within the CVS repository lives a test suite: the more the test +suite covers, the greater confidence you can have that changes to the +code hasn't quietly broken something. Trivial tests are at least as +important as tricky tests: it's the trivial tests which simplify the +complex tests (since you know the basics work fine before the complex +test gets run). + +<p>The tests are simple: they are just shell scripts under the +testsuite/ subdirectory which are supposed to succeed. The scripts +are run in alphabetical order, so `01test' is run before `02test'. +Currently there are 5 test directories: + +<descrip> +<tag>00netfilter/</tag> General netfilter framework tests. +<tag>01iptables/</tag> iptables tests. +<tag>02conntrack/</tag> connection tracking tests. +<tag>03NAT/</tag> NAT tests +<tag>04ipchains-compat/</tag> ipchains/ipfwadm compatibility tests +</descrip> + +Inside the testsuite/ directory is a script called `test.sh'. It +configures two dummy interfaces (tap0 and tap1), turns forwarding on, +and removes all netfilter modules. Then it runs through the +directories above and runs each of their test.sh scripts until one +fails. This script takes two optional arguments: `-v' meaning to +print out each test as it proceeds, and an optional test name: if this +is given, it will skip over all tests until this one is found. + +<sect1>Writing a Test + +<p>Create a new file in the appropriate directory: try to number your +test so that it gets run at the right time. For example, in order to +test ICMP reply tracking (02conntrack/02reply.sh), we need to first +check that outgoing ICMPs are tracked properly +(02conntrack/01simple.sh). + +<p>It's usually better to create many small files, each of which +covers one area, because it helps to isolate problems immediately for +people running the testsuite. + +<p>If something goes wrong in the test, simply do an `exit 1', which +causes failure; if it's something you expect may fail, you should +print a unique message. Your test should end with `exit 0' if +everything goes OK. You should check the success of <bf>every</bf> +command, either using `set -e' at the top of the script, or +appending `|| exit 1' to the end of each command. + +<p>The helper functions `load_module' and `remove_module' can be used +to load modules: you should never rely on autoloading in the testsuite +unless that is what you are specifically testing. + +<sect1>Variables And Environment + +<p>You have two play interfaces: tap0 and tap1. Their interface +addresses are in variables <tt>$TAP0</tt> and <tt>$TAP1</tt> +respectively. They both have netmasks of 255.255.255.0; their +networks are in $TAP0NET and $TAP1NET respectively. + +<p>There is an empty temporary file in $TMPFILE. It is deleted at the +end of your test. + +<p>Your script will be run from the testsuite/ directory, wherever it +is. Hence you should access tools (such as iptables) using path +starting with `../userspace'. + +<p>Your script can print out more information if $VERBOSE is set +(meaning that the user specified `-v' on the command line). + +<sect1>Useful Tools + +<p> +There are several useful testsuite tools in the "tools" subdirectory: +each one exits with a non-zero exit status if there is a problem. + +<sect2>gen_ip + +<p>You can generate IP packets using `gen_ip', which outputs an IP +packet to standard input. You can feed packets in the tap0 and tap1 +by sending standard output to /dev/tap0 and /dev/tap1 (these are +created upon first running the testsuite if they don't exist). + +<p>gen_ip is a simplistic program which is currently very fussy about +its argument order. First are the general optional arguments: + +<descrip> + +<tag>FRAG=offset,length</tag> Generate the packet, then turn it into a + fragment at the following offset and length. + +<tag>MF</tag> Set the `More Fragments' bit on the packet. + +<tag>MAC=xx:xx:xx:xx:xx:xx</tag> Set the source MAC address on the + packet. + +<tag>TOS=tos</tag> Set the TOS field on the packet (0 to 255). + +</descrip> + +Next come the compulsory arguments: + +<descrip> +<tag>source ip</tag> Source IP address of the packet. + +<tag>dest ip</tag> Destination IP address of the packet. + +<tag>length</tag> Total length of the packet, including headers. + +<tag>protocol</tag> Protocol number of the packet, eg 17 = UDP. + +</descrip> + +Then the arguments depend on the protocol: for UDP (17), they are the +source and destination port numbers. For ICMP (1), they are the type +and code of the ICMP message: if the type is 0 or 8 (ping-reply or +ping), then two additional arguments (the ID and sequence fields) are +required. For TCP, the source and destination ports, and flags +("SYN", "SYN/ACK", "ACK", "RST" or "FIN") are required. There are +three optional arguments: "OPT=" followed by a comma-separated list of +options, "SYN=" followed by a sequence number, and "ACK=" followed by +a sequence number. Finally, the optional argument "DATA" indicates +that the payload of the TCP packet is to be filled with the contents +of standard input. + +<sect2>rcv_ip + +<p>You can see IP packets using `rcv_ip', which prints out the command +line as close as possible to the original value fed to gen_ip +(fragments are the exception). + +<p>This is extremely useful for analyzing packets. It takes two +compulsory arguments: + +<descrip> +<tag>wait time</tag> The maximum time in seconds to wait for a packet + from standard input. + +<tag>iterations</tag> The number of packets to receive. +</descrip> + +There is one optional argument, "DATA", which causes the payload of a +TCP packet to be printed on standard output after the packet header. + +<p>The standard way to use `rcv_ip' in a shell script is as follows: + +<verb> +# Set up job control, so we can use & in shell scripts. +set -m + +# Wait two seconds for one packet from tap0 +../tools/rcv_ip 2 1 < /dev/tap0 > $TMPFILE & + +# Make sure that rcv_ip has started running. +sleep 1 + +# Send a ping packet +../tools/gen_ip $TAP1NET.2 $TAP0NET.2 100 1 8 0 55 57 > /dev/tap1 || exit 1 + +# Wait for rcv_ip, +if wait %../tools/rcv_ip; then : +else + echo rcv_ip failed: + cat $TMPFILE + exit 1 +fi +</verb> + +<sect2>gen_err + +<p>This program takes a packet (as generated by gen_ip, for example) +on standard input, and turns it into an ICMP error. + +<p>It takes three arguments: a source IP address, a type and a code. +The destination IP address will be set to the source IP address of the +packet fed in standard input. + +<sect2>local_ip + +<p>This takes a packet from standard input and injects it into the +system from a raw socket. This give the appearance of a +locally-generated packet (as separate from feeding a packet in one of +the ethertap devices, which looks like a remotely-generated packet). + +<sect1>Random Advice + +<p>All the tools assume they can do everything in one read or write: +this is true for the ethertap devices, but might not be true if you're +doing something tricky with pipes. + +<p>dd can be used to cut packets: dd has an obs (output block size) +option which can be used to make it output the packet in a single +write. + +<p>Test for success first: eg. testing that packets are successfully +blocked. First test that packets pass through normally, <bf>then</bf> +test that some packets are blocked. Otherwise an unrelated failure +could be stopping the packets... + +<p>Try to write exact tests, not `throw random stuff and see what +happens' tests. If an exact test goes wrong, it's a useful thing to +know. If a random test goes wrong once, it doesn't help much. + +<p>If a test fails without a message, you can add `-x' to the top line +of the script (ie. `#! /bin/sh -x') to see what commands it's running. + +<p>If a test fails randomly, check for random network traffic +interfering (try downing all your external interfaces). Sitting on +the same network as Andrew Tridgell, I tend to get plagued by Windows +broadcasts, for example. + +<sect>Motivation + +<p>As I was developing ipchains, I realized (in one of those +blinding-flash-while-waiting-for-entree moments in a Chinese +restaurant in Sydney) that packet filtering was being done in the +wrong place. I can't find it now, but I remember sending mail to Alan +Cox, who kind of said `why don't you finish what you're doing, first, +even though you're probably right'. In the short term, pragmatism was +to win over The Right Thing. + +<p>After I finished ipchains, which was initially going to be a minor +modification of the kernel part of ipfwadm, and turned into a larger +rewrite, and wrote the HOWTO, I became aware of just how much +confusion there is in the wider Linux community about issues like +packet filtering, masquerading, port forwarding and the like. + +<p>This is the joy of doing your own support: you get a closer feel +for what the users are trying to do, and what they are struggling +with. Free software is most rewarding when it's in the hands of the +most users (that's the point, right?), and that means making it easy. +The architecture, not the documentation, was the key flaw. + +<p>So I had the experience, with the ipchains code, and a good idea of +what people out there were doing. There were only two problems. + +<p>Firstly, I didn't want to get back into security. Being a security +consultant is a constant moral tug-of-war between your conscience and +your wallet. At a fundamental level, you are selling the feeling of +security, which is at odds with actual security. Maybe working in a +military setting, where they understand security, it'd be different. + +<p>The second problem is that newbie users aren't the only concern; an +increasing number of large companies and ISPs are using this stuff. I +needed reliable input from that class of users if it was to scale to +tomorrow's home users. + +<p>These problems were resolved, when I ran into David Bonn, of +WatchGuard fame, at Usenix in July 1998. They were looking for a +Linux kernel coder; in the end we agreed that I'd head across to their +Seattle offices for a month and we'd see if we could hammer out an +agreement whereby they'd sponsor my new code, and my current support +efforts. The rate we agreed on was more than I asked, so I didn't +take a pay cut. This means I don't have to even think about external +conslutting for a while. + +<p>Exposure to WatchGuard gave me exposure to the large clients I +need, and being independent from them allowed me to support all users +(eg. WatchGuard competitors) equally. + +<p>So I could have simply written netfilter, ported ipchains over the +top, and been done with it. Unfortunately, that would leave all the +masquerading code in the kernel: making masquerading independent from +filtering is the one of the major wins point of moving the packet +filtering points, but to do that masquerading also needed to be moved +over to the netfilter framework as well. + +<p>Also, my experience with ipfwadm's `interface-address' feature (the +one I removed in ipchains) had taught me that there was no hope of +simply ripping out the masquerading code and expecting someone who +needed it to do the work of porting it onto netfilter for me. + +<p>So I needed to have at least as many features as the current code; +preferably a few more, to encourage niche users to become early +adopters. This means replacing transparent proxying (gladly!), +masquerading and port forwarding. In other words, a complete NAT layer. + +<p>Even if I had decided to port the existing masquerading layer, +instead of writing a generic NAT system, the masquerading code was +showing its age, and lack of maintenance. See, there was no +masquerading maintainer, and it shows. It seems that serious users +generally don't use masquerading, and there aren't many home users up +to the task of doing maintenance. Brave people like Juan Ciarlante +were doing fixes, but it had reached to the stage (being extended over +and over) that a rewrite was needed. + +<p>Please note that I wasn't the person to do a NAT rewrite: I didn't +use masquerading any more, and I'd not studied the existing code at +the time. That's probably why it took me longer than it should have. +But the result is fairly good, in my opinion, and I sure as hell +learned a lot. No doubt the second version will be even better, once +we see how people use it. + +<sect>Thanks + +<p>Thanks to those who helped, expecially Harald Welte for writing the +Protocol Helpers section. +</article> Index: iptables-1.4.12/howtos/packet-filtering-HOWTO.sgml =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.12/howtos/packet-filtering-HOWTO.sgml 2011-11-07 13:57:14.000000000 -0600 @@ -0,0 +1,1339 @@ +<!doctype linuxdoc system> + +<!-- This is the Linux Packet Filtering HOWTO. + --> + +<!-- $Id: packet-filtering-HOWTO.sgml,v 1.26 2002/01/24 13:42:53 laforge Exp $ --> + +<article> + +<!-- Title information --> + +<title>Linux 2.4 Packet Filtering HOWTO +<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt> +<date>$Revision: 1.26 $ $Date: 2002/01/24 13:42:53 $ +<abstract> +This document describes how to use iptables to filter out bad packets +for the 2.4 Linux kernels. +</abstract> + +<!-- Table of contents --> +<toc> + +<!-- Begin the document --> + +<sect>Introduction<label id="intro"> + +<p> +Welcome, gentle reader. + +<p> +It is assumed you know what an IP address, a network address, a +netmask, routing and DNS are. If not, I recommend that you read the +Network Concepts HOWTO. + +<p> +This HOWTO flips between a gentle introduction (which will leave you +feeling warm and fuzzy now, but unprotected in the Real World) and raw +full-disclosure (which would leave all but the hardiest souls +confused, paranoid and seeking heavy weaponry). + +<p> +Your network is not <bf>secure</bf>. The problem of allowing rapid, +convenient communication while restricting its use to good, and not +evil intents is congruent to other intractable problems such as +allowing free speech while disallowing a call of ``Fire!'' in a +crowded theater. It will not be solved in the space of this HOWTO. + +<p> +So only you can decide where the compromise will be. I will try to +instruct you in the use of some of the tools available and some +vulnerabilities to be aware of, in the hope that you will use them for +good, and not evil purposes. Another equivalent problem. + +<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL. + +<sect>Where is the official Web Site? Is there a Mailing List? + +<p>There are three official sites: +<itemize> +<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">. +<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">. +<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">. +</itemize> +<p> You can reach all of them using round-robin DNS via +<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/"> + +<p>For the official netfilter mailing list, see +<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">. + +<sect>So What's A Packet Filter? + +<p> +A packet filter is a piece of software which looks at the +<em>header</em> of packets as they pass through, and decides the fate +of the entire packet. It might decide to <bf>DROP</bf> the packet +(i.e., discard the packet as if it had never received it), +<bf>ACCEPT</bf> the packet (i.e., let the packet go through), or +something more complicated. + +<p> +Under Linux, packet filtering is built into the kernel (as a kernel +module, or built right in), and there are a few trickier things we can +do with packets, but the general principle of looking at the headers +and deciding the fate of the packet is still there. + +<sect1>Why Would I Want to Packet Filter? + +<p> +Control. Security. Watchfulness. + +<p> +<descrip> +<tag/Control:/ when you are using a Linux box to connect your internal +network to another network (say, the Internet) you have an opportunity +to allow certain types of traffic, and disallow others. For example, +the header of a packet contains the destination address of the packet, +so you can prevent packets going to a certain part of the outside +network. As another example, I use Netscape to access the Dilbert +archives. There are advertisements from doubleclick.net on the page, +and Netscape wastes my time by cheerfully downloading them. +Telling the packet filter not to allow any packets to or from the +addresses owned by doubleclick.net solves that problem (there are +better ways of doing this though: see Junkbuster). + +<tag/Security:/ when your Linux box is the only thing between the +chaos of the Internet and your nice, orderly network, it's nice to +know you can restrict what comes tromping in your door. For example, +you might allow anything to go out from your network, but you might be +worried about the well-known `Ping of Death' coming in from malicious +outsiders. As another example, you might not want outsiders +telnetting to your Linux box, even though all your accounts have +passwords. Maybe you want (like most people) to be an observer on the +Internet, and not a server (willing or otherwise). Simply don't let +anyone connect in, by having the packet filter reject incoming packets +used to set up connections. + +<tag/Watchfulness:/ sometimes a badly configured machine on the local +network will decide to spew packets to the outside world. It's nice +to tell the packet filter to let you know if anything abnormal occurs; +maybe you can do something about it, or maybe you're just curious by +nature. +</descrip> + +<sect1>How Do I Packet Filter Under Linux?<label id="filter-linux"> + +<p>Linux kernels have had packet filtering since the 1.1 series. The +first generation, based on ipfw from BSD, was ported by Alan Cox in +late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the +userspace tool `ipfwadm' controlled the kernel filtering rules. In +mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the +help of Michael Neuling, and introduced the userspace tool `ipchains'. +Finally, the fourth-generation tool, `iptables', and another kernel +rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which +this HOWTO concentrates on. + +<p> +You need a kernel which has the netfilter infrastructure in it: +netfilter is a general framework inside the Linux kernel which other +things (such as the iptables module) can plug into. This means you +need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in +the kernel configuration. + +<p> +The tool <tt>iptables</tt> talks to the kernel and tells it what +packets to filter. Unless you are a programmer, or overly curious, +this is how you will control the packet filtering. + +<sect2> iptables + +<p> +The <tt>iptables</tt> tool inserts and deletes rules from the kernel's +packet filtering table. This means that whatever you set up, it will +be lost upon reboot; see <ref id="permanent" name="Making Rules +Permanent"> for how to make sure they are restored the next time Linux +is booted. + +<p> +<tt>iptables</tt> is a replacement for <tt>ipfwadm</tt> and +<tt>ipchains</tt>: see +<ref id="oldstyle" name="Using ipchains and ipfwadm"> for how to painlessly +avoid using iptables if you're using one of those tools. + +<sect2> Making Rules Permanent<label id="permanent"> + +<p>Your current firewall setup is stored in the kernel, and thus will +be lost on reboot. You can try the iptables-save and iptables-restore +scripts to save them to, and restore them from a file. + +<p>The other way is to put the commands required to set up your rules +in an initialization script. Make sure you do something intelligent +if one of the commands should fail (usually `exec /sbin/sulogin'). + +<sect>Who the hell are you, and why are you playing with my kernel? + +<p> +I'm Rusty Russell; the Linux IP Firewall maintainer and just another +working coder who happened to be in the right place at the right time. +I wrote ipchains (see <ref id="filter-linux" name="How Do I Packet +Filter Under Linux?"> above for due credit to the people who did the +actual work), and learnt enough to get packet filtering right this +time. I hope. + +<p> +<url url="http://www.watchguard.com" name="WatchGuard">, an excellent +firewall company who sell the really nice plug-in Firebox, offered to +pay me to do nothing, so I could spend all my time writing this stuff, +and maintaining my previous stuff. I predicted 6 months, and it took +12, but I felt by the end that it had been done Right. Many rewrites, +a hard-drive crash, a laptop being stolen, a couple of corrupted +filesystems and one broken screen later, here it is. + +<p> +While I'm here, I want to clear up some people's misconceptions: I am +no kernel guru. I know this, because my kernel work has brought me +into contact with some of them: David S. Miller, Alexey Kuznetsov, +Andi Kleen, Alan Cox. However, they're all busy doing the deep magic, +leaving me to wade in the shallow end where it's safe. + +<!-- This is probably no longer true; somewhere in writing all this +kernel code and documentation I seem to have picked up a fair number +of kernel tricks. But I'm still nowhere near as clever as I think I +am. --> + +<sect> Rusty's Really Quick Guide To Packet Filtering + +<p> +Most people just have a single PPP connection to the Internet, and +don't want anyone coming back into their network, or the firewall: + +<tscreen><verb> +## Insert connection-tracking modules (not needed if built into kernel). +# insmod ip_conntrack +# insmod ip_conntrack_ftp + +## Create chain which blocks new connections, except if coming from inside. +# iptables -N block +# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT +# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT +# iptables -A block -j DROP + +## Jump to that chain from INPUT and FORWARD chains. +# iptables -A INPUT -j block +# iptables -A FORWARD -j block +</verb></tscreen> + +<sect> How Packets Traverse The Filters + +<p> +The kernel starts with three lists of rules in the `filter' table; +these lists are called <bf>firewall chains</bf> or just +<bf>chains</bf>. The three chains are called <bf>INPUT</bf>, +<bf>OUTPUT</bf> and <bf>FORWARD</bf>. + +<p> +For ASCII-art fans, the chains are arranged like so: <bf>(Note: this +is a very different arrangement from the 2.0 and 2.2 kernels!)</bf> + +<verb> + _____ +Incoming / \ Outgoing + -->[Routing ]--->|FORWARD|-------> + [Decision] \_____/ ^ + | | + v ____ + ___ / \ + / \ |OUTPUT| + |INPUT| \____/ + \___/ ^ + | | + ----> Local Process ---- +</verb> + +<p>The three circles represent the three chains mentioned above. When +a packet reaches a circle in the diagram, that chain is examined to +decide the fate of the packet. If the chain says to DROP the packet, +it is killed there, but if the chain says to ACCEPT the packet, it +continues traversing the diagram. + +<p> +A chain is a checklist of <bf>rules</bf>. Each rule says `if the packet +header looks like this, then here's what to do with the packet'. If +the rule doesn't match the packet, then the next rule in the chain is +consulted. Finally, if there are no more rules to consult, then the +kernel looks at the chain <bf>policy</bf> to decide what to do. In a +security-conscious system, this policy usually tells the kernel to +DROP the packet. + +<p> +<enum> +<item>When a packet comes in (say, through the Ethernet card) the kernel +first looks at the destination of the packet: this is called +`routing'. + +<item>If it's destined for this box, the packet passes downwards +in the diagram, to the INPUT chain. If it passes this, any processes +waiting for that packet will receive it. + +<item>Otherwise, if the kernel does not have forwarding enabled, or it +doesn't know how to forward the packet, the packet is dropped. If +forwarding is enabled, and the packet is destined for another network +interface (if you have another one), then the packet goes rightwards +on our diagram to the FORWARD chain. If it is ACCEPTed, it will be +sent out. + +<item>Finally, a program running on the box can send network packets. +These packets pass through the OUTPUT chain immediately: if it says +ACCEPT, then the packet continues out to whatever interface it is +destined for. +</enum> + +<sect>Using iptables + +<p> +iptables has a fairly detailed manual page (<tt>man iptables</tt>), +and if you need more detail on particulars. Those of you familiar +with ipchains may simply want to look at <ref id="Appendix-A" +name="Differences Between iptables and ipchains">; they are very +similar. + +<p> +There are several different things you can do with <tt>iptables</tt>. +You start with three built-in chains <tt>INPUT</tt>, <tt>OUTPUT</tt> +and <tt>FORWARD</tt> which you can't delete. Let's look at the +operations to manage whole chains: + +<enum> +<item> Create a new chain (-N). +<item> Delete an empty chain (-X). +<item> Change the policy for a built-in chain. (-P). +<item> List the rules in a chain (-L). +<item> Flush the rules out of a chain (-F). +<item> Zero the packet and byte counters on all rules in a chain (-Z). +</enum> + +There are several ways to manipulate rules inside a chain: + +<enum> +<item> Append a new rule to a chain (-A). +<item> Insert a new rule at some position in a chain (-I). +<item> Replace a rule at some position in a chain (-R). +<item> Delete a rule at some position in a chain, or the first that matches (-D). +</enum> + +<sect1> What You'll See When Your Computer Starts Up + +<p> +iptables may be a module, called (`iptable_filter.o'), which should be +automatically loaded when you first run <tt>iptables</tt>. It can +also be built into the kernel permenantly. + +<p>Before any iptables commands have been run (be careful: some +distributions will run iptables in their initialization scripts), +there will be no rules in any of the built-in chains (`INPUT', +`FORWARD' and `OUTPUT'), all the chains will have a policy of ACCEPT. +You can alter the default policy of the FORWARD chain by providing the +`forward=0' option to the iptable_filter module. + +<sect1> Operations on a Single Rule + +<p> +This is the bread-and-butter of packet filtering; manipulating rules. +Most commonly, you will probably use the append (-A) and delete (-D) +commands. The others (-I for insert and -R for replace) are simple +extensions of these concepts. + +<p> +Each rule specifies a set of conditions the packet must meet, and what +to do if it meets them (a `target'). For example, you might want to +drop all ICMP packets coming from the IP address 127.0.0.1. So in +this case our conditions are that the protocol must be ICMP and that +the source address must be 127.0.0.1. Our target is `DROP'. + +<p> +127.0.0.1 is the `loopback' interface, which you will have even if you +have no real network connection. You can use the `ping' program to +generate such packets (it simply sends an ICMP type 8 (echo request) +which all cooperative hosts should obligingly respond to with an ICMP +type 0 (echo reply) packet). This makes it useful for testing. + +<tscreen><verb> +# ping -c 1 127.0.0.1 +PING 127.0.0.1 (127.0.0.1): 56 data bytes +64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms + +--- 127.0.0.1 ping statistics --- +1 packets transmitted, 1 packets received, 0% packet loss +round-trip min/avg/max = 0.2/0.2/0.2 ms +# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP +# ping -c 1 127.0.0.1 +PING 127.0.0.1 (127.0.0.1): 56 data bytes + +--- 127.0.0.1 ping statistics --- +1 packets transmitted, 0 packets received, 100% packet loss +# +</verb></tscreen> + +You can see here that the first ping succeeds (the `-c 1' tells ping +to only send a single packet). + +<p> +Then we append (-A) to the `INPUT' chain, a rule specifying that for +packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp') +we should jump to DROP (`-j DROP'). + +<p> +Then we test our rule, using the second ping. There will be a pause +before the program gives up waiting for a response that will never +come. + +<p> +We can delete the rule in one of two ways. Firstly, since we know +that it is the only rule in the input chain, we can use a numbered +delete, as in: +<tscreen><verb> + # iptables -D INPUT 1 + # +</verb></tscreen> +To delete rule number 1 in the INPUT chain. + +<p> +The second way is to mirror the -A command, but replacing the -A with +-D. This is useful when you have a complex chain of rules and you +don't want to have to count them to figure out that it's rule 37 that +you want to get rid of. In this case, we would use: +<tscreen><verb> + # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP + # +</verb></tscreen> +The syntax of -D must have exactly the same options as the -A (or -I +or -R) command. If there are multiple identical rules in the same +chain, only the first will be deleted. + +<sect1>Filtering Specifications + +<p> +We have seen the use of `-p' to specify protocol, and `-s' to specify +source address, but there are other options we can use to specify +packet characteristics. What follows is an exhaustive compendium. + +<sect2>Specifying Source and Destination IP Addresses + +<p> +Source (`-s', `--source' or `--src') and destination (`-d', +`--destination' or `--dst') IP addresses can be specified in four +ways. The most common way is to use the full name, such as +`localhost' or `www.linuxhq.com'. The second way is to specify the IP +address such as `127.0.0.1'. + +<p> +The third and fourth ways allow specification of a group of IP +addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. +These both specify any IP address from 199.95.207.0 to 199.95.207.255 +inclusive; the digits after the `/' tell which parts of the IP address +are significant. `/32' or `/255.255.255.255' is the default (match +all of the IP address). To specify any IP address at all `/0' can be +used, like so: +<tscreen><verb> + [ NOTE: `-s 0/0' is redundant here. ] + # iptables -A INPUT -s 0/0 -j DROP + # +</verb></tscreen> + +This is rarely used, as the effect above is the same as not specifying +the `-s' option at all. + +<sect2>Specifying Inversion + +<p> +Many flags, including the `-s' (or `--source') and `-d' +(`--destination') flags can have their arguments preceded by `!' +(pronounced `not') to match addresses NOT equal to the ones given. +For example. `-s ! localhost' matches any packet <bf>not</bf> coming +from localhost. + +<sect2>Specifying Protocol + +<p> +The protocol can be specified with the `-p' (or `--protocol') flag. +Protocol can be a number (if you know the numeric protocol values for +IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case +doesn't matter, so `tcp' works as well as `TCP'. + +<p> +The protocol name can be prefixed by a `!', to invert it, such as `-p +! TCP' to specify packets which are <bf>not</bf> TCP. + +<sect2>Specifying an Interface + +<p> +The `-i' (or `--in-interface') and `-o' (or `--out-interface') options +specify the name of an <bf>interface</bf> to match. An interface is +the physical device the packet came in on (`-i') or is going out on +(`-o'). You can use the <tt>ifconfig</tt> command to list the +interfaces which are `up' (i.e., working at the moment). + +<p> +Packets traversing the <tt>INPUT</tt> chain don't have an output +interface, so any rule using `-o' in this chain will never match. +Similarly, packets traversing the <tt>OUTPUT</tt> chain don't have an +input interface, so any rule using `-i' in this chain will never match. + +<p>Only packets traversing the <tt>FORWARD</tt> chain have both an +input and output interface. + +<p> +It is perfectly legal to specify an interface that currently does not +exist; the rule will not match anything until the interface comes up. +This is extremely useful for dial-up PPP links (usually interface +<tt>ppp0</tt>) and the like. + +<p> +As a special case, an interface name ending with a `+' will match all +interfaces (whether they currently exist or not) which begin with that +string. For example, to specify a rule which matches all PPP +interfaces, the <tt>-i ppp+</tt> option would be used. + +<p> +The interface name can be preceded by a `!' with spaces around it, to +match a packet which does <bf>not</bf> match the specified +interface(s), eg <tt>-i ! ppp+</tt>. + +<sect2>Specifying Fragments + +<p> +Sometimes a packet is too large to fit down a wire all at once. When +this happens, the packet is divided into <bf>fragments</bf>, and sent +as multiple packets. The other end reassembles these fragments to +reconstruct the whole packet. + +<p> +The problem with fragments is that the initial fragment has the +complete header fields (IP + TCP, UDP and ICMP) to examine, but +subsequent packets only have a subset of the headers (IP without the +additional protocol fields). Thus looking inside subsequent fragments +for protocol headers (such as is done by the TCP, UDP and ICMP +extensions) is not possible. + +<p> +If you are doing connection tracking or NAT, then all fragments will +get merged back together before they reach the packet filtering code, +so you need never worry about fragments. + +<p> +Please also note that in the INPUT chain of the filter table (or any other +table hooking into the NF_IP_LOCAL_IN hook) is traversed after +defragmentation of the core IP stack. + +<p> +Otherwise, it is important to understand how fragments get treated by +the filtering rules. Any filtering rule that asks for information we +don't have will <em>not</em> match. This means that the first fragment is +treated like any other packet. Second and further fragments won't be. +Thus a rule <tt>-p TCP --sport www</tt> (specifying a source port of +`www') will never match a fragment (other than the first fragment). +Neither will the opposite rule <tt>-p TCP --sport ! www</tt>. + +<p> +However, you can specify a rule specifically for second and further +fragments, using the `-f' (or `--fragment') flag. It is also legal to +specify that a rule does <em>not</em> apply to second and further +fragments, by preceding the `-f' with ` ! '. + +<p> +Usually it is regarded as safe to let second and further fragments +through, since filtering will effect the first fragment, and thus +prevent reassembly on the target host; however, bugs have been known +to allow crashing of machines simply by sending fragments. Your call. + +<p> +Note for network-heads: malformed packets (TCP, UDP and ICMP packets +too short for the firewalling code to read the ports or ICMP code and +type) are dropped when such examinations are attempted. So are TCP +fragments starting at position 8. + +<p> +As an example, the following rule will drop any fragments going to +192.168.1.1: + +<tscreen><verb> +# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP +# +</verb></tscreen> + +<sect2>Extensions to iptables: New Matches + +<p><tt>iptables</tt> is <bf>extensible</bf>, meaning that both the +kernel and the iptables tool can be extended to provide new features. + +<p>Some of these extensions are standard, and other are more exotic. +Extensions can be made by other people and distributed separately for +niche users. + +<p>Kernel extensions normally live in the kernel module subdirectory, +such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. They are demand loaded if your +kernel was compiled with CONFIG_KMOD set, so you should not need to +manually insert them. + +<p>Extensions to the iptables program are shared libraries which +usually live in /usr/local/lib/, although a distribution +would put them in /lib/iptables or /usr/lib/iptables. + +<p>Extensions come in two types: new targets, and new matches (we'll +talk about new targets a little later). Some protocols automatically +offer new tests: currently these are TCP, UDP and ICMP as shown below. + +<p>For these you will be able to specify the new tests on the command +line after the `-p' option, which will load the extension. For +explicit new tests, use the `-m' option to load the extension, after +which the extended options will be available. + +<p>To get help on an extension, use the option to load it (`-p', `-j' or +`-m') followed by `-h' or `--help', eg: +<tscreen><verb> +# iptables -p tcp --help +# +</verb></tscreen> + +<sect3>TCP Extensions + +<p> +The TCP extensions are automatically loaded if `-p tcp' is specified. +It provides the following options (none of which match fragments). + +<p> +<descrip> +<tag>--tcp-flags</tag> Followed by an optional `!', then two strings +of flags, allows you to filter on specific TCP flags. The first +string of flags is the mask: a list of flags you want to examine. The +second string of flags tells which one(s) should be set. For example, + +<tscreen><verb> +# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP +</verb></tscreen> + +This indicates that all flags should be examined (`ALL' is synonymous +with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set. +There is also an argument `NONE' meaning no flags. + +<tag>--syn</tag> Optionally preceded by a `!', this is shorthand + for `--tcp-flags SYN,RST,ACK SYN'. + +<tag>--source-port</tag> followed by an optional `!', then either a +single TCP port, or a range of ports. Ports can be port names, as +listed in /etc/services, or numeric. Ranges are either two port names +separated by a `:', or (to specify greater than or equal to a given +port) a port with a `:' appended, or (to specify less than or equal to +a given port), a port preceded by a `:'. + +<tag>--sport</tag> is synonymous with `--source-port'. + +<tag>--destination-port</tag> and <tag>--dport</tag> are the same as +above, only they specify the destination, rather than source, port to +match. + +<tag>--tcp-option</tag> followed by an optional `!' and a number, +matches a packet with a TCP option equaling that number. A packet +which does not have a complete TCP header is dropped automatically if +an attempt is made to examine its TCP options. +</descrip> + +<sect4>An Explanation of TCP Flags + +<p> +It is sometimes useful to allow TCP connections in one direction, but +not the other. For example, you might want to allow connections to an +external WWW server, but not connections from that server. + +<p> +The naive approach would be to block TCP packets coming from the +server. Unfortunately, TCP connections require packets going in both +directions to work at all. + +<p> +The solution is to block only the packets used to request a +connection. These packets are called <bf>SYN</bf> packets (ok, +technically they're packets with the SYN flag set, and the RST and ACK +flags cleared, but we call them SYN packets for short). By +disallowing only these packets, we can stop attempted connections in +their tracks. + +<p> +The `--syn' flag is used for this: it is only valid for rules which +specify TCP as their protocol. For example, to specify TCP connection +attempts from 192.168.1.1: +<tscreen><verb> +-p TCP -s 192.168.1.1 --syn +</verb></tscreen> + +<p> +This flag can be inverted by preceding it with a `!', which means +every packet other than the connection initiation. + +<sect3>UDP Extensions + +<p> +These extensions are automatically loaded if `-p udp' is specified. +It provides the options `--source-port', `--sport', +`--destination-port' and `--dport' as detailed for TCP above. + +<sect3>ICMP Extensions + +<p> +This extension is automatically loaded if `-p icmp' is specified. It +provides only one new option: + +<p> +<descrip> +<tag>--icmp-type</tag> followed by an optional `!', then either an +icmp type name (eg `host-unreachable'), or a numeric type (eg. `3'), +or a numeric type and code separated by a `/' (eg. `3/3'). A list +of available icmp type names is given using `-p icmp --help'. +</descrip> + +<sect3>Other Match Extensions + +<p> +The other extensions in the netfilter package are demonstration +extensions, which (if installed) can be invoked with the `-m' option. + +<descrip> +<tag>mac</tag> This module must be explicitly specified with `-m mac' +or `--match mac'. It is used for matching incoming packet's source +Ethernet (MAC) address, and thus only useful for packets traversing +the PREROUTING and INPUT chains. It provides only one option: + + <descrip> + <tag>--mac-source</tag> followed by an optional `!', then an + ethernet address in colon-separated hexbyte notation, eg + `--mac-source 00:60:08:91:CC:B7'. + </descrip> + +<tag>limit</tag> This module must be explicitly specified with `-m +limit' or `--match limit'. It is used to restrict the rate of +matches, such as for suppressing log messages. It will only match a +given number of times per second (by default 3 matches per hour, +with a burst of 5). It takes two optional arguments: + + <descrip> + <tag>--limit</tag> followed by a number; specifies the maximum + average number of matches to allow per second. The number can + specify units explicitly, using `/second', `/minute', `/hour' or + `/day', or parts of them (so `5/second' is the same as `5/s'). + + <tag>--limit-burst</tag> followed by a number, indicating the + maximum burst before the above limit kicks in. + </descrip> + +This match can often be used with the LOG target to do rate-limited +logging. To understand how it works, let's look at the following +rule, which logs packets with the default limit parameters: + +<tscreen><verb> +# iptables -A FORWARD -m limit -j LOG +</verb></tscreen> + +The first time this rule is reached, the packet will be logged; in +fact, since the default burst is 5, the first five packets will be +logged. After this, it will be twenty minutes before a packet will be +logged from this rule, regardless of how many packets reach it. Also, +every twenty minutes which passes without matching a packet, one of +the burst will be regained; if no packets hit the rule for 100 +minutes, the burst will be fully recharged; back where we started. + +<p>Note: you cannot currently create a rule with a recharge time +greater than about 59 hours, so if you set an average rate of one per +day, then your burst rate must be less than 3. + +<p>You can also use this module to avoid various denial of service +attacks (DoS) with a faster rate to increase responsiveness. + +<p>Syn-flood protection: +<tscreen><verb> +# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT +</verb></tscreen> + +Furtive port scanner: +<tscreen><verb> +# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT +</verb></tscreen> + +Ping of death: +<tscreen><verb> +# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT +</verb></tscreen> + +This module works like a "hysteresis door", as shown in the graph +below. + +<tscreen><verb> + rate (pkt/s) + ^ .---. + | / DoS \ + | / \ +Edge of DoS -|.....:.........\....................... + = (limit * | /: \ +limit-burst) | / : \ .-. + | / : \ / \ + | / : \ / \ +End of DoS -|/....:..............:.../.......\..../. + = limit | : :`-' `--' +-------------+-----+--------------+------------------> time (s) + LOGIC => Match | Didn't Match | Match +</verb></tscreen> + +Say we say match one packet per second with a five packet +burst, but packets start coming in at four per second, for three +seconds, then start again in another three seconds. +<tscreen><verb> + + + <--Flood 1--> <---Flood 2---> + +Total ^ Line __-- YNNN +Packets| Rate __-- YNNN + | mum __-- YNNN + 10 | Maxi __-- Y + | __-- Y + | __-- Y + | __-- YNNN + |- YNNN + 5 | Y + | Y Key: Y -> Matched Rule + | Y N -> Didn't Match Rule + | Y + |Y + 0 +--------------------------------------------------> Time (seconds) + 0 1 2 3 4 5 6 7 8 9 10 11 12 +</verb></tscreen> + +You can see that the first five packets are allowed to exceed the one +packet per second, then the limiting kicks in. If there is a pause, +another burst is allowed but not past the maximum rate set by the +rule (1 packet per second after the burst is used). + +<tag>owner</tag> +This module attempts to match various characteristics of the packet +creator, for locally-generated packets. It is only valid in the +OUTPUT chain, and even then some packets (such as ICMP ping responses) +may have no owner, and hence never match. + +<descrip> + <tag>--uid-owner userid</tag> +Matches if the packet was created by a process with the given +effective (numerical) user id. + <tag>--gid-owner groupid</tag> +Matches if the packet was created by a process with the given +effective (numerical) group id. + <tag>--pid-owner processid</tag> +Matches if the packet was created by a process with the given +process id. + <tag>--sid-owner sessionid</tag> +Matches if the packet was created by a process in the given session +group. +</descrip> + +<tag>unclean</tag> This experimental module must be explicitly +specified with `-m unclean or `--match unclean'. It does various +random sanity checks on packets. This module has not been audited, +and should not be used as a security device (it probably makes things +worse, since it may well have bugs itself). It provides no options. +</descrip> + +<sect3>The State Match + +<p>The most useful match criterion is supplied by the `state' +extension, which interprets the connection-tracking analysis of the +`ip_conntrack' module. This is highly recommended. + +<p>Specifying `-m state' allows an additional `--state' option, which +is a comma-separated list of states to match (the `!' flag indicates +<bf>not</bf> to match those states). These states are: + +<descrip> +<tag>NEW</tag> A packet which creates a new connection. + +<tag>ESTABLISHED</tag> A packet which belongs to an existing +connection (i.e., a reply packet, or outgoing packet on a connection +which has seen replies). + +<tag>RELATED</tag> A packet which is related to, but not part of, an +existing connection, such as an ICMP error, or (with the FTP module +inserted), a packet establishing an ftp data connection. + +<tag>INVALID</tag> A packet which could not be identified for some +reason: this includes running out of memory and ICMP errors which +don't correspond to any known connection. Generally these packets +should be dropped. +</descrip> + +An example of this powerful match extension would be: +<tscreen><verb> +# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP +</verb></tscreen> + +<sect1>Target Specifications + +<p>Now we know what examinations we can do on a packet, we need a way +of saying what to do to the packets which match our tests. This is +called a rule's <bf>target</bf>. + +<p>There are two very simple built-in targets: DROP and ACCEPT. We've +already met them. If a rule matches a packet and its target is one of +these two, no further rules are consulted: the packet's fate has been +decided. + +<p>There are two types of targets other than the built-in ones: +extensions and user-defined chains. + +<sect2>User-defined chains + +<p> +One powerful feature which <tt>iptables</tt> inherits from +<tt>ipchains</tt> is the ability for the user to create new chains, in +addition to the three built-in ones (INPUT, FORWARD and OUTPUT). By +convention, user-defined chains are lower-case to distinguish them +(we'll describe how to create new user-defined chains below in <ref +id="chain-ops" name="Operations on an Entire Chain">). + +<p> +When a packet matches a rule whose target is a user-defined chain, the +packet begins traversing the rules in that user-defined chain. If +that chain doesn't decide the fate of the packet, then once traversal +on that chain has finished, traversal resumes on the next rule in the +current chain. + +<p> +Time for more ASCII art. Consider two (silly) chains: <tt>INPUT</tt> (the +built-in chain) and <tt>test</tt> (a user-defined chain). + +<tscreen><verb> + `INPUT' `test' + ---------------------------- ---------------------------- + | Rule1: -p ICMP -j DROP | | Rule1: -s 192.168.1.1 | + |--------------------------| |--------------------------| + | Rule2: -p TCP -j test | | Rule2: -d 192.168.1.1 | + |--------------------------| ---------------------------- + | Rule3: -p UDP -j DROP | + ---------------------------- +</verb></tscreen> + +<p> +Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It +enters the <tt>INPUT</tt> chain, and gets tested against Rule1 - no match. +Rule2 matches, and its target is <tt>test</tt>, so the next rule examined +is the start of <tt>test</tt>. Rule1 in <tt>test</tt> matches, but doesn't +specify a target, so the next rule is examined, Rule2. This doesn't +match, so we have reached the end of the chain. We return to the +<tt>INPUT</tt> chain, where we had just examined Rule2, so we now examine +Rule3, which doesn't match either. + +<p> +So the packet path is: +<tscreen><verb> + v __________________________ + `INPUT' | / `test' v + ------------------------|--/ -----------------------|---- + | Rule1 | /| | Rule1 | | + |-----------------------|/-| |----------------------|---| + | Rule2 / | | Rule2 | | + |--------------------------| -----------------------v---- + | Rule3 /--+___________________________/ + ------------------------|--- + v +</verb></tscreen> + +<p>User-defined chains can jump to other user-defined chains (but +don't make loops: your packets will be dropped if they're found to +be in a loop). + +<sect2>Extensions to iptables: New Targets + +<p>The other type of extension is a target. A target extension +consists of a kernel module, and an optional extension to +<tt>iptables</tt> to provide new command line options. There are +several extensions in the default netfilter distribution: + +<descrip> +<tag>LOG</tag> This module provides kernel logging of matching +packets. It provides these additional options: + <descrip> + <tag>--log-level</tag> Followed by a level number or name. Valid + names are (case-insensitive) `debug', `info', `notice', `warning', + `err', `crit', `alert' and `emerg', corresponding to numbers 7 + through 0. See the man page for syslog.conf for an explanation of + these levels. The default is `warning'. + + <tag>--log-prefix</tag> Followed by a string of up to 29 characters, + this message is sent at the start of the log message, to allow it to + be uniquely identified. + </descrip> + + This module is most useful after a limit match, so you don't flood + your logs. + +<tag>REJECT</tag> This module has the same effect as `DROP', except +that the sender is sent an ICMP `port unreachable' error message. +Note that the ICMP error message is not sent if (see RFC 1122): + +<itemize> +<item> The packet being filtered was an ICMP error message in the +first place, or some unknown ICMP type. + +<item> The packet being filtered was a non-head fragment. + +<item> We've sent too many ICMP error messages to that destination +recently (see /proc/sys/net/ipv4/icmp_ratelimit). +</itemize> + +REJECT also takes a `--reject-with' optional argument which alters the +reply packet used: see the manual page. +</descrip> + +<sect2>Special Built-In Targets + +<p>There are two special built-in targets: <tt>RETURN</tt> and +<tt>QUEUE</tt>. + +<p><tt>RETURN</tt> has the same effect of falling off the end of a +chain: for a rule in a built-in chain, the policy of the chain is +executed. For a rule in a user-defined chain, the traversal continues +at the previous chain, just after the rule which jumped to this chain. + +<p><tt>QUEUE</tt> is a special target, which queues the packet for +userspace processing. For this to be useful, two further components are +required: + +<itemize> +<item>a "queue handler", which deals with the actual mechanics of +passing packets between the kernel and userspace; and +<item>a userspace application to receive, possibly manipulate, and +issue verdicts on packets. +</itemize> +The standard queue handler for IPv4 iptables is the ip_queue module, +which is distributed with the kernel and marked as experimental. +<p> +The following is a quick example of how to use iptables to queue packets +for userspace processing: +<tscreen><verb> +# modprobe iptable_filter +# modprobe ip_queue +# iptables -A OUTPUT -p icmp -j QUEUE +</verb></tscreen> +With this rule, locally generated outgoing ICMP packets (as created with, +say, ping) are passed to the ip_queue module, which then attempts to deliver +the packets to a userspace application. If no userspace application is +waiting, the packets are dropped. + +<p>To write a userspace application, use the libipq API. This is +distributed with iptables. Example code may be found in the testsuite +tools (e.g. redirect.c) in CVS. + +<p>The status of ip_queue may be checked via: +<tscreen><verb> +/proc/net/ip_queue +</verb></tscreen> +The maximum length of the queue (i.e. the number packets delivered +to userspace with no verdict issued back) may be controlled via: +<tscreen><verb> +/proc/sys/net/ipv4/ip_queue_maxlen +</verb></tscreen> +The default value for the maximum queue length is 1024. Once this limit +is reached, new packets will be dropped until the length of the queue falls +below the limit again. Nice protocols such as TCP interpret dropped packets +as congestion, and will hopefully back off when the queue fills up. However, +it may take some experimenting to determine an ideal maximum queue length +for a given situation if the default value is too small. + +<sect1>Operations on an Entire Chain<label id="chain-ops"> + +<p> +A very useful feature of <tt>iptables</tt> is the ability to group +related rules into chains. You can call the chains whatever you want, +but I recommend using lower-case letters to avoid confusion with the +built-in chains and targets. Chain names can be up to 31 letters +long. + +<sect2>Creating a New Chain + +<p> +Let's create a new chain. Because I am such an imaginative fellow, +I'll call it <tt>test</tt>. We use the `-N' or `--new-chain' options: + +<tscreen><verb> +# iptables -N test +# +</verb></tscreen> + +<p> +It's that simple. Now you can put rules in it as detailed above. + +<sect2>Deleting a Chain + +<p> +Deleting a chain is simple as well, using the `-X' or `--delete-chain' +options. Why `-X'? Well, all the good letters were taken. + +<tscreen><verb> +# iptables -X test +# +</verb></tscreen> + +<p> +There are a couple of restrictions to deleting chains: they must be +empty (see <ref id="flushing" name="Flushing a Chain"> below) and they +must not be the target of any rule. You can't delete any of the three +built-in chains. + +<p> +If you don't specify a chain, then <em>all</em> user-defined chains +will be deleted, if possible. + +<sect2> Flushing a Chain<label id="flushing"> + +<p> +There is a simple way of emptying all rules out of a chain, using the +`-F' (or `--flush') commands. + +<tscreen><verb> +# iptables -F FORWARD +# +</verb></tscreen> + +<p> +If you don't specify a chain, then <em>all</em> chains will be flushed. + +<sect2>Listing a Chain + +<p> +You can list all the rules in a chain by using the `-L' (or `--list') +command. + +<p> +The `refcnt' listed for each user-defined chain is the number of rules +which have that chain as their target. This must be zero (and the +chain be empty) before this chain can be deleted. + +<p> +If the chain name is omitted, all chains are listed, even empty ones. + +<p> +There are three options which can accompany `-L'. The `-n' (numeric) +option is very useful as it prevents <tt>iptables</tt> from trying to +lookup the IP addresses, which (if you are using DNS like most people) +will cause large delays if your DNS is not set up properly, or you +have filtered out DNS requests. It also causes TCP and UDP ports to +be printed out as numbers rather than names. + +<p> +The `-v' options shows you all the details of the rules, such as the +the packet and byte counters, the TOS comparisons, and the interfaces. +Otherwise these values are omitted. + +<p> +Note that the packet and byte counters are printed out using the +suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000 +respectively. Using the `-x' (expand numbers) flag as well prints the +full numbers, no matter how large they are. + +<sect2>Resetting (Zeroing) Counters + +<p> +It is useful to be able to reset the counters. This can be done with +the `-Z' (or `--zero') option. + +<p> +Consider the following: + +<tscreen><verb> +# iptables -L FORWARD +# iptables -Z FORWARD +# +</verb></tscreen> + +In the above example, some packets could pass through between the `-L' +and `-Z' commands. For this reason, you can use the `-L' and `-Z' +<em>together</em>, to reset the counters while reading them. + +<sect2>Setting Policy<label id="policy"> + +<p> +We glossed over what happens when a packet hits the end of a built-in +chain when we discussed how a packet walks through chains earlier. In +this case, the <bf>policy</bf> of the chain determines the fate of the +packet. Only built-in chains (<tt>INPUT</tt>, <tt>OUTPUT</tt> and +<tt>FORWARD</tt>) have policies, because if a packet falls off the end +of a user-defined chain, traversal resumes at the previous chain. + +<p> +The policy can be either <tt>ACCEPT</tt> or <tt>DROP</tt>, for +example: + +<tscreen><verb> +# iptables -P FORWARD DROP +# +</verb></tscreen> + +<sect> Using ipchains and ipfwadm<label id="oldstyle"> + +<p> There are modules in the netfilter distribution called ipchains.o +and ipfwadm.o. Insert one of these in your kernel (NOTE: they are +incompatible with ip_tables.o!). Then you can use ipchains or ipfwadm +just like the good old days. + +<p> This will be supported for some time yet. I think a reasonable +formula is 2 * [notice of replacement - initial stable release], +beyond the date that a stable release of the replacement is available. +This means that support will probably be dropped in Linux 2.6 or 2.8. + +<sect> Mixing NAT and Packet Filtering + +<p> +It's common to want to do Network Address Translation (see the NAT +HOWTO) and packet filtering. The good news is that they mix extremely +well. + +<p>You design your packet filtering completely ignoring any NAT you +are doing. The sources and destinations seen by the packet filter +will be the `real' sources and destinations. For example, if you are +doing DNAT to send any connections to 1.2.3.4 port 80 through to +10.1.1.1 port 8080, the packet filter would see packets going to +10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80. +Similarly, you can ignore masquerading: packets will seem to come from +their real internal IP addresses (say 10.1.1.1), and replies will seem +to go back there. + +<p>You can use the `state' match extension without making the packet +filter do any extra work, since NAT requires connection tracking +anyway. To enhance the simple masquerading example in the NAT HOWTO +to disallow any new connections from coming in the ppp0 interface, you +would do this: + +<tscreen><verb> +# Masquerade out ppp0 +iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE + +# Disallow NEW and INVALID incoming or forwarded packets from ppp0. +iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP +iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP + +# Turn on IP forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward +</verb></tscreen> + +<sect> Differences Between iptables and ipchains<label id="Appendix-A"> + +<p> +<itemize> +<item> Firstly, the names of the built-in chains have changed from +lower case to UPPER case, because the INPUT and OUTPUT chains now only +get locally-destined and locally-generated packets. They used to see +all incoming and all outgoing packets respectively. + +<item> The `-i' flag now means the incoming interface, and only works +in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT +chains that used `-i' should be changed to `-o'. + +<item> TCP and UDP ports now need to be spelled out with the +--source-port or --sport (or --destination-port/--dport) options, and +must be placed after the `-p tcp' or `-p udp' options, as this loads +the TCP or UDP extensions respectively. + +<item> The TCP -y flag is now --syn, and must be after `-p tcp'. + +<item> The DENY target is now DROP, finally. + +<item> Zeroing single chains while listing them works. + +<item> Zeroing built-in chains also clears policy counters. + +<item> Listing chains gives you the counters as an atomic snapshot. + +<item> REJECT and LOG are now extended targets, meaning they are +separate kernel modules. + +<item> Chain names can be up to 31 characters. + +<item> MASQ is now MASQUERADE and uses a different syntax. REDIRECT, +while keeping the same name, has also undergone a syntax change. See +the NAT-HOWTO for more information on how to configure both of these. + +<item> The -o option is no longer used to direct packets to the userspace +device (see -i above). Packets are now sent to userspace via the QUEUE +target. + +<item> Probably heaps of other things I forgot. +</itemize> + +<sect> Advice on Packet Filter Design + +<p> +Common wisdom in the computer security arena is to block everything, +then open up holes as neccessary. This is usually phrased `that which +is not explicitly allowed is prohibited'. I recommend this approach +if security is your maximal concern. + +<p>Do not run any services you do not need to, even if you think you +have blocked access to them. + +<p>If you are creating a dedicated firewall, start by running nothing, +and blocking all packets, then add services and let packets through as +required. + +<p>I recommend security in depth: combine tcp-wrappers (for +connections to the packet filter itself), proxies (for connections +passing through the packet filter), route verification and packet +filtering. Route verification is where a packet which comes from an +unexpected interface is dropped: for example, if your internal network +has addresses 10.1.1.0/24, and a packet with that source address comes +in your external interface, it will be dropped. This can be enabled +for one interface (ppp0) like so: + +<tscreen><verb> +# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter +# +</verb></tscreen> + +Or for all existing and future interfaces like this: + +<tscreen><verb> +# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do +# echo 1 > $f +# done +# +</verb></tscreen> + +Debian does this by default where possible. If you have asymmetric +routing (ie. you expect packets coming in from strange directions), +you will want to disable this filtering on those interfaces. + +<p>Logging is useful when setting up a firewall if something isn't +working, but on a production firewall, always combine it with the +`limit' match, to prevent someone from flooding your logs. + +<p>I highly recommend connection tracking for secure systems: it +introduces some overhead, as all connections are tracked, but is very +useful for controlling access to your networks. You may need to load +the `ip_conntrack.o' module if your kernel does not load modules +automatically, and it's not built into the kernel. If you want to +accurately track complex protocols, you'll need to load the +appropriate helper module (eg. `ip_conntrack_ftp.o'). + +<tscreen><verb> +# iptables -N no-conns-from-ppp0 +# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT +# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT +# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:" +# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:" +# iptables -A no-conns-from-ppp0 -j DROP + +# iptables -A INPUT -j no-conns-from-ppp0 +# iptables -A FORWARD -j no-conns-from-ppp0 +</verb></tscreen> + +<p>Building a good firewall is beyond the scope of this HOWTO, but my +advice is `always be minimalist'. See the Security HOWTO for more +information on testing and probing your box. + +</article> + Index: iptables-1.4.12/Makefile.am =================================================================== --- iptables-1.4.12.orig/Makefile.am 2011-11-07 13:57:20.000000000 -0600 +++ iptables-1.4.12/Makefile.am 2011-11-07 13:58:55.000000000 -0600 @@ -3,7 +3,7 @@ ACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPTIONS = foreign subdir-objects -SUBDIRS = libiptc libxtables +SUBDIRS = libiptc libxtables howtos if ENABLE_DEVEL SUBDIRS += include endif ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/patches/0103-lintian_allows_to.patch���������������������������������������������������������0000644�0000000�0000000�00000007555�12263345140�015754� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������From: Laurence J. Lane Description: cleanup "allows to", triggered lintian grammar warning --- a/extensions/libipt_ECN.man +++ b/extensions/libipt_ECN.man @@ -1,4 +1,4 @@ -This target allows to selectively work around known ECN blackholes. +This target selectively works around known ECN blackholes. It can only be used in the mangle table. .TP \fB\-\-ecn\-tcp\-remove\fP --- a/extensions/libxt_AUDIT.man +++ b/extensions/libxt_AUDIT.man @@ -1,4 +1,4 @@ -This target allows to create audit records for packets hitting the target. +This target allows creates audit records for packets hitting the target. It can be used to record accepted, dropped, and rejected packets. See auditd(8) for additional details. .TP --- a/extensions/libxt_CHECKSUM.man +++ b/extensions/libxt_CHECKSUM.man @@ -1,4 +1,4 @@ -This target allows to selectively work around broken/old applications. +This target selectively works around broken/old applications. It can only be used in the mangle table. .TP \fB\-\-checksum\-fill\fP --- a/extensions/libxt_CT.man +++ b/extensions/libxt_CT.man @@ -1,4 +1,4 @@ -The CT target allows to set parameters for a packet or its associated +The CT target sets parameters for a packet or its associated connection. The target attaches a "template" connection tracking entry to the packet, which is then used by the conntrack core when initializing a new ct entry. This target is thus only valid in the "raw" table. --- a/extensions/libxt_DSCP.man +++ b/extensions/libxt_DSCP.man @@ -1,4 +1,4 @@ -This target allows to alter the value of the DSCP bits within the TOS +This target alters the value of the DSCP bits within the TOS header of the IPv4 packet. As this manipulates a packet, it can only be used in the mangle table. .TP --- a/extensions/libxt_TCPMSS.man +++ b/extensions/libxt_TCPMSS.man @@ -1,4 +1,4 @@ -This target allows to alter the MSS value of TCP SYN packets, to control +This target alters the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, it can only be used --- a/extensions/libxt_osf.c +++ b/extensions/libxt_osf.c @@ -40,7 +40,7 @@ "--ttl level Use some TTL check extensions to determine OS:\n" " 0 true ip and fingerprint TTL comparison. Works for LAN.\n" " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n" - " 2 do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n" + " 2 do not compare TTL at all. This allows NMAP detection, but can produce false results.\n" "--log level Log determined genres into dmesg even if they do not match desired one:\n" " 0 log all matched or unknown signatures.\n" " 1 log only first one.\n" --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -244,13 +244,13 @@ This option has no effect in iptables and iptables-restore. If a rule using the \fB\-4\fP option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an -error. This option allows to put both IPv4 and IPv6 rules in a single rule file +error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. .TP \fB\-6\fP, \fB\-\-ipv6\fP If a rule using the \fB\-6\fP option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an -error. This option allows to put both IPv4 and IPv6 rules in a single rule file +error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore. .TP ���������������������������������������������������������������������������������������������������������������������������������������������������debian/patches/series�������������������������������������������������������������������������������0000644�0000000�0000000�00000000536�12263345733�012046� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������0101-changelog.patch 0102-add_manpages.patch 0103-lintian_allows_to.patch 0104-lintian_hyphens.patch 0105-lintian_spelling.patch 0201-660748-iptables_apply_man.patch 0202-725413-sctp_man_description.patch 0301-install_iptables_apply.patch 0401-580941-iptables_apply_update.patch 9000-howtos.patch 9002-libxt_recent-Add-support-for-reap-option.patch ������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/nfnl_osf.8�����������������������������������������������������������������������������������0000644�0000000�0000000�00000004502�12263344316�011070� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" ======================================================================== .\" .IX Title "NFNL_OSF 8" .TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" nfnl_osf \- load and unload os fingerprint database .SH "SYNOPSIS" .IX Header "SYNOPSIS" load and unload osf fingerprint database for the netfilter osf extension .SH "DESCRIPTION" .IX Header "DESCRIPTION" nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIiptables\-extensions\fR\|(8) ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/iptables.links�������������������������������������������������������������������������������0000644�0000000�0000000�00000000256�12263344316�012042� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/usr/sbin/iptables-apply /usr/sbin/ip6tables-apply /usr/share/man/man8/iptables-apply.8.gz /usr/share/man/man8/ip6tables-apply.8.gz /sbin/xtables-multi /usr/bin/iptables-xml ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/copyright������������������������������������������������������������������������������������0000644�0000000�0000000�00000044475�12263345140�011137� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: iptables Upstream-Contact: Netfilter Developer List <netfilter@vger.kernel.org> Source: http://ftp.netfilter.org/ Files: iptables/*.c Copyright: 2000-2002, the netfilter coreteam <coreteam@netfilter.org> Paul 'Rusty' Russell <rusty@rustcorp.com.au> Marc Boucher <marc+nf@mbsi.ca> James Morris <jmorris@intercode.com.au> Harald Welte <laforge@gnumonks.org> Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: extensions/libip6t_DNAT.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_DNPT.c Copyright: 2012-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_MASQUERADE.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_NETMAP.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_REDIRECT.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_REJECT.c Copyright: 2000, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: extensions/libip6t_SNAT.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_SNPT.c Copyright: 2012-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libip6t_mh.c Copyright: 2006, USAGI/WIDE Project License: GPL-2 Files: extensions/libipt_CLUSTERIP.c Copyright: 2003, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libipt_ECN.c Copyright: 2002, by Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libipt_REJECT.c Copyright: 2000, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: extensions/libipt_TTL.c Copyright: 2000, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libipt_ULOG.c Copyright: 2000, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libipt_ttl.c Copyright: 2000, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libxt_AUDIT.c Copyright: 2010-2011, Thomas Graf <tgraf@redhat.com> 2010-2011, Red Hat, Inc. License: GPL-2 Files: extensions/libxt_CHECKSUM.c Copyright: 2002, Harald Welte <laforge@gnumonks.org> 2010, Red Hat, Inc License: GPL-2 Files: extensions/libxt_CLASSIFY.c Copyright: 2003-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_CONNMARK.c Copyright: 2002, 2004, MARA Systems AB <http://www.marasystems.com> by Henrik Nordstrom <hno@marasystems.com> License: GPL-2 Files: extensions/libxt_CONNSECMARK.c Copyright: 2006, Red Hat, Inc., James Morris <jmorris@redhat.com> License: GPL-2 Files: extensions/libxt_CT.c Copyright: 2010-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_DSCP.c Copyright: 2000-2002, Matthew G. Marsh <mgm@paktronix.com> Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libxt_HMARK.c Copyright: 2012, Hans Schillstrom <hans.schillstrom@ericsson.com> 2012, Pablo Neira Ayuso <pablo@netfilter.org> License: GPL-2 Files: extensions/libxt_IDLETIMER.c Copyright: 2010, Nokia Corporation License: GPL-2 Files: extensions/libxt_LED.c Copyright: 2008, Adam Nielsen <a.nielsen@shikadi.net> License: GPL-2 Files: extensions/libxt_NFQUEUE.c Copyright: 2005, by Harald Welte <laforge@netfilter.org> License: GPL-2 Files: extensions/libxt_RATEEST.c Copyright: 2008-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_SECMARK.c Copyright: 2006, Red Hat, Inc., James Morris <jmorris@redhat.com> License: GPL-2 Files: extensions/libxt_SET.c Copyright: 2000-2002, Joakim Axelsson <gozem@linux.nu> Patrick Schaaf <bof@bof.de> Martin Josefsson <gandalf@wlug.westbo.se> 2003-2010, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: extensions/libxt_SYNPROXY.c Copyright: 2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_TCPMSS.c Copyright: 2000, Marc Boucher License: GPL-2 Files: extensions/libxt_TCPOPTSTRIP.c Copyright: 2007, Sven Schnelle <svens@bitebene.org> 2007, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_TEE.c Copyright: 2007, Sebastian Claßen <sebastian.classen [at] freenet.ag> 2007-2010, Jan Engelhardt <jengelh [at] medozas de> License: GPL-2 Files: extensions/libxt_TOS.c Copyright: 2007, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_TPROXY.c Copyright: 2002-2008, BalaBit IT Ltd. License: GPL-2 Files: extensions/libxt_addrtype.c Copyright: 2003-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_bpf.c Copyright: 2013, Google, Inc. License: GPL-2 Files: extensions/libxt_cluster.c Copyright: 2009, Pablo Neira Ayuso <pablo@netfilter.org> License: GPL-2 Files: extensions/libxt_connmark.c Copyright: 2002, 2004, MARA Systems AB <http://www.marasystems.com> by Henrik Nordstrom <hno@marasystems.com> License: GPL-2 Files: extensions/libxt_conntrack.c Copyright: 2001, Marc Boucher (marc@mbsi.ca). 2007-2008, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_dccp.c Copyright: 2005, by Harald Welte <laforge@netfilter.org> License: GPL-2 Files: extensions/libxt_devgroup.c Copyright: 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_dscp.c Copyright: 2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libxt_ecn.c Copyright: 2002, Harald Welte <laforge@netfilter.org> 2011, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_hashlimit.c Copyright: 2003-2004, Harald Welte <laforge@netfilter.org> License: GPL-2 Files: extensions/libxt_osf.c Copyright: 2003+, Evgeniy Polyakov <zbr@ioremap.net> License: GPL-2 Files: extensions/libxt_owner.c Copyright: 2007-2008, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_policy.c Copyright: 2005-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_rateest.c Copyright: 2008-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_sctp.c Copyright: 2003, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: extensions/libxt_set.c Copyright: 2000-2002, Joakim Axelsson <gozem@linux.nu> Patrick Schaaf <bof@bof.de> Martin Josefsson <gandalf@wlug.westbo.se> 2003-2010, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: extensions/libxt_socket.c Copyright: 2007, BalaBit IT Ltd. License: GPL-2 Files: extensions/libxt_statistic.c Copyright: 2006-2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: extensions/libxt_string.c Copyright: 2000, Emmanuel Roger <winfield@freegates.be> 2005-08-05, Pablo Neira Ayuso <pablo@eurodev.net> License: GPL-2 Files: extensions/libxt_time.c Copyright: 2007, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_tos.c Copyright: 2007, CC Computer Consultants GmbH License: GPL-2 Files: extensions/libxt_u32.c Copyright: 2002, Don Cohen <don-netf@isis.cs3-inc.com> 2007, CC Computer Consultants GmbH License: GPL-2 Files: include/linux/netfilter/ipset/ip_set.h Copyright: 2000-2002, Joakim Axelsson <gozem@linux.nu> Patrick Schaaf <bof@bof.de> Martin Josefsson <gandalf@wlug.westbo.se> 2003-2011, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> License: GPL-2 Files: include/linux/netfilter/xt_AUDIT.h Copyright: 2010-2011, Thomas Graf <tgraf@redhat.com> 2010-2011, Red Hat, Inc. License: GPL-2 Files: include/linux/netfilter/xt_CHECKSUM.h Copyright: 2002, Harald Welte <laforge@gnumonks.org> 2010, Red Hat Inc License: GPL-2 Files: include/linux/netfilter/xt_DSCP.h Copyright: 2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: include/linux/netfilter/xt_IDLETIMER.h Copyright: 2004, 2010, Nokia Corporation License: GPL-2 Files: include/linux/netfilter/xt_NFQUEUE.h Copyright: 2005, Harald Welte <laforge@netfilter.org> License: GPL-2 Files: include/linux/netfilter/xt_connmark.h Copyright: 2002, 2004, MARA Systems AB <http://www.marasystems.com> by Henrik Nordstrom <hno@marasystems.com> License: GPL-2 Files: include/linux/netfilter/xt_conntrack.h Copyright: 2001, Marc Boucher (marc@mbsi.ca) License: GPL-2 Files: include/linux/netfilter/xt_dscp.h Copyright: 2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: include/linux/netfilter/xt_ecn.h Copyright: 2002, Harald Welte <laforge@netfilter.org> License: GPL-2 Files: include/linux/netfilter/xt_osf.h Copyright: 2003+, Evgeniy Polyakov <johnpol@2ka.mxt.ru> License: GPL-2 Files: include/linux/netfilter_ipv4.h Copyright: 1998, Rusty Russell License: GPL-2 Files: include/linux/netfilter_ipv4/ip_queue.h Copyright: 2000, James Morris License: GPL-2 Files: include/linux/netfilter_ipv4/ipt_ECN.h Copyright: 2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: include/linux/netfilter_ipv4/ipt_TTL.h Copyright: 2000, Harald Welte <laforge@netfilter.org> License: GPL-2 Files: include/linux/netfilter_ipv4/ipt_ULOG.h Copyright: 2000-2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: include/linux/netfilter_ipv4/ipt_ttl.h Copyright: 2000, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: include/linux/netfilter_ipv6.h Copyright: 1998, Rusty Russell 1999, David Jeffery License: GPL-2 Files: iptables/iptables-apply Copyright: 2006, Martin F. Krafft <madduck@madduck.net> 2010, GW <gw.2010@tnode.com or http://gw.tnode.com/> License: Artistic-2 Files: iptables/iptables-save.c Copyright: 1999, Paul 'Rusty' Russell <rusty@rustcorp.com.au> 2000-2002, Harald Welte <laforge@gnumonks.org> License: GPL-2 Files: iptables/iptables-xml.c Copyright: 2006, Ufo Mechanic <azez@ufomechanic.net> License: GPL-2 Files: libiptc/libip4tc.c Copyright: 1999, Paul ``Rusty'' Russell License: GPL-2 Files: libiptc/libip6tc.c Copyright: 1999, Paul ``Rusty'' Russell License: GPL-2 Files: libiptc/libiptc.c Copyright: 1999, Paul ``Rusty'' Russell 2000-2004, by the Netfilter Core Team <coreteam@netfilter.org> 2003, 2004, Harald Welte <laforge@netfilter.org> 2008, Jesper Dangaard Brouer <hawk@comx.dk> License: GPL-2 Files: libxtables/xtables.c Copyright: 2000-2006, by the netfilter coreteam <coreteam@netfilter.org> License: GPL-2 Files: libxtables/xtoptions.c Copyright: 2011, Jan Engelhardt License: GPL-2 Files: utils/nfsynproxy.c Copyright: 2013, Patrick McHardy <kaber@trash.net> License: GPL-2 Files: utils/pf.os Copyright: 2000-2003, Michal Zalewski <lcamtuf@coredump.cx> 2003, Mike Frantzen <frantzen@w4g.org> License: Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. . THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF License: GPL-2 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA . On Debian systems, the full text of the GNU General Public License version 2 can be found in the file `/usr/share/common-licenses/GPL-2'. License: Artistic-2 The "Artistic License" . Preamble . The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications. . Definitions: . "Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification. . "Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder as specified below. . "Copyright Holder" is whoever is named in the copyright or copyrights for the package. . "You" is you, if you're thinking about copying or distributing this Package. . "Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.) . "Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it. . 1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers. . 2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version. . 3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following: . a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package. . b) use the modified Package only within your corporation or organization. . c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version. . d) make other distribution arrangements with the Copyright Holder. . 4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: . a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version. . b) accompany the distribution with the machine-readable source of the Package with your modifications. . c) give non-standard executables non-standard names, and clearly document the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version. . d) make other distribution arrangements with the Copyright Holder. . 5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. You may embed this Package's interpreter within an executable of yours (by linking); this shall be construed as a mere form of aggregation, provided that the complete Standard Version of the interpreter is so embedded. . 6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whoever generated them, and may be sold commercially, and may be aggregated with this Package. If such scripts or library files are aggregated with this Package via the so-called "undump" or "unexec" methods of producing a binary executable image, then distribution of such an image shall neither be construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4, provided that you do not represent such an executable image as a Standard Version of this Package. . 7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked into this Package in order to emulate subroutines and variables of the language defined by this Package shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided these subroutines do not change the language in any way that would cause it to fail the regression tests for the language. . 8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package's interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package. . 9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission. . 10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. . The End ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/iptables.doc-base.packet-filter��������������������������������������������������������������0000644�0000000�0000000�00000000545�12263344316�015131� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Document: packet-filter Title: Linux 2.4/2.6 Packet Filtering HOWTO Author: Rusty Russell Abstract: This document describes how to use iptables to filter IP packets for the 2.6+ Linux kernels. Section: Help/HOWTO Format: HTML Index: /usr/share/doc/iptables/html/packet-filtering-HOWTO.html Files: /usr/share/doc/iptables/html/packet-filtering-HOWTO*.html �����������������������������������������������������������������������������������������������������������������������������������������������������������debian/xtables-multi.8������������������������������������������������������������������������������0000644�0000000�0000000�00000004734�12263344316�012065� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" ======================================================================== .\" .IX Title "XTABLES-MULTI 8" .TH XTABLES-MULTI 8 "2012-10-27" "xtables 1.4.16.3" "xtables-multi" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" xtables\-multi \- xtables multi\-link binary for netfilter's iptables and ip6tables .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& n/a .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" xtables-multi has no official man page. It is a binary that behaves according to the name it is called by. \fB\s-1SEE\s0 \s-1ALSO\s0\fR lists the names. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIiptables\fR\|(8), \fIip6tables\fR\|(8), \fIiptables\-save\fR\|(8), \fIip6tables\-save\fR\|(8), \fIiptables\-restore\fR\|(8), \fIip6tables\-resotre\fR\|(8) ������������������������������������debian/source/��������������������������������������������������������������������������������������0000755�0000000�0000000�00000000000�12263347502�010472� 5����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������debian/source/format��������������������������������������������������������������������������������0000644�0000000�0000000�00000000014�12263344316�011700� 0����������������������������������������������������������������������������������������������������ustar ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������3.0 (quilt) ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������