-rw-r--r-- | configure.ac | 13 | ||||
-rw-r--r-- | extensions/iptables.t | 5 | ||||
-rw-r--r-- | extensions/libip6t_mh.c | 4 | ||||
-rw-r--r-- | extensions/libip6t_mh.txlate | 8 | ||||
-rw-r--r-- | iptables/nft-ipv4.c | 23 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 23 | ||||
-rw-r--r-- | iptables/nft.c | 6 | ||||
-rw-r--r-- | iptables/nft.h | 1 | ||||
-rw-r--r-- | iptables/xshared.c | 2 | ||||
-rw-r--r-- | iptables/xtables-translate.c | 17 | ||||
-rw-r--r-- | libxtables/xtables.c | 20 |
11 files changed, 72 insertions, 50 deletions
diff --git a/configure.ac b/configure.ac
index d99fa3b9..2293702b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
 AC_ARG_ENABLE([nftables], AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]), [enable_nftables="$enableval"], [enable_nftables="yes"])
+AC_ARG_ENABLE([libnfnetlink],
+ AS_HELP_STRING([--disable-libnfnetlink], [Do not use netfilter netlink library]),
+ [enable_libnfnetlink="$enableval"], [enable_libnfnetlink="auto"])
 AC_ARG_ENABLE([connlabel], AS_HELP_STRING([--disable-connlabel], [Do not build libnetfilter_conntrack]),
@@ -113,8 +116,14 @@ AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
 AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
- [nfnetlink=1], [nfnetlink=0])
+# If specified explicitly on the command line, error out when library was not found
+# Otherwise, disable and continue
+AS_IF([test "x$enable_libnfnetlink" = "xyes"],
+ [PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+ [nfnetlink=1])],
+ [test "x$enable_libnfnetlink" = "xauto"],
+ [PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+ [nfnetlink=1], [nfnetlink=0])])
 AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
 if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
diff --git a/extensions/iptables.t b/extensions/iptables.t
index b4b6d677..5d6d3d15 100644
--- a/extensions/iptables.t
+++ b/extensions/iptables.t
@@ -4,3 +4,8 @@
 -i eth+ -o alongifacename+;=;OK
 ! -i eth0;=;OK
 ! -o eth+;=;OK
+-c "";;FAIL
+-c ,3;;FAIL
+-c 3,;;FAIL
+-c ,;;FAIL
+-c 2,3 -j ACCEPT;-j ACCEPT;OK
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 3f80e28e..1a1cee83 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
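Review bot: With `--disable-libnfnetlink` neither AS_IF branch runs, so `nfnetlink` is never assigned and `AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])` only comes out false because the shell variable happens to be empty. Initialise it explicitly before the AS_IF, `nfnetlink=0`, so the disabled case does not depend on an unset variable and an assignment elsewhere in configure.ac cannot silently flip the result. The `xauto` branch is now the only place that sets `nfnetlink=0`, while the `xyes` branch relies on PKG_CHECK_MODULES aborting when no ACTION-IF-NOT-FOUND is given, which the two added comment lines describe correctly.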
@@ -214,11 +214,9 @@ static int mh_xlate(struct xt_xlate *xl,
 {
 const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
 bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
- uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
- if (proto != IPPROTO_MH)
- xt_xlate_add(xl, "exthdr mh exists");
+ xt_xlate_add(xl, "exthdr mh exists");
 return 1;
 }
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 3364ce57..13b4ba88 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -1,14 +1,14 @@
 ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept'
+nft 'add rule ip6 filter INPUT mh type 1 counter accept'
 ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept'
+nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
 ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
+nft 'add rule ip6 filter INPUT mh type != 0-255 counter accept'
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0ce8477f..74092875 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -200,6 +200,7 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
 static int nft_ipv4_xlate(const struct iptables_command_state *cs, struct xt_xlate *xl)
 {
+ uint16_t proto = cs->fw.ip.proto;
 const char *comment;
 int ret;
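Review bot: The `skip_types_match()` branch now emits `exthdr mh exists` without consulting `params->ip`, so whether the rule was written with `-p mh` or only `-m mh` no longer changes this extension's output; the txlate change in the same commit shows the `meta l4proto mobility-header` prefix is instead dropped by the caller's protocol de-duplication. A one-line comment on the `xt_xlate_add()` call would keep a future reader from re-adding the proto test: `/* full type range is just a presence test; a redundant l4proto is suppressed by the caller */`. The body of mh_xlate() continues past the end of the hunk.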
@@ -213,18 +214,16 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 cs->fw.ip.invflags & IPT_INV_FRAG? "" : "!= ", 0);
 }
- if (cs->fw.ip.proto != 0) {
- const char *pname = proto_to_name(cs->fw.ip.proto, 0);
-
- if (!pname || !xlate_find_match(cs, pname)) {
- xt_xlate_add(xl, "ip protocol");
- if (cs->fw.ip.invflags & IPT_INV_PROTO)
- xt_xlate_add(xl, " !=");
- if (pname)
- xt_xlate_add(xl, "%s", pname);
- else
- xt_xlate_add(xl, "%hu", cs->fw.ip.proto);
- }
+ if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
+ const char *pname = proto_to_name(proto, 0);
+
+ xt_xlate_add(xl, "ip protocol");
+ if (cs->fw.ip.invflags & IPT_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", proto);
 }
 xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index c371ba8c..b184f8af 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -184,6 +184,7 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
 static int nft_ipv6_xlate(const struct iptables_command_state *cs, struct xt_xlate *xl)
 {
+ uint16_t proto = cs->fw6.ipv6.proto;
 const char *comment;
 int ret;
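Review bot: The rewritten protocol block here and its twin in nft_ipv6_xlate() (the @@ -192 hunk) are now identical except for the field path and the `"ip protocol"` / `"meta l4proto"` selector, so the de-duplication rule exists in two copies that must be kept in sync by hand. A small helper next to xlate_find_protomatch() in xtables-translate.c, declared in nft.h, would let each caller reduce to one line, e.g. `xlate_proto(cs, xl, "ip protocol", proto, cs->fw.ip.invflags & IPT_INV_PROTO);`, assuming proto_to_name() is reachable from there. Both enclosing functions start before and end after their hunks.
```c
/* Emit "<selector> [!=] <proto>" unless a match in the rule already
 * implies the protocol (e.g. "tcp dport"), which would make it redundant. */
void xlate_proto(const struct iptables_command_state *cs, struct xt_xlate *xl,
		 const char *selector, uint16_t proto, bool invert)
{
	const char *pname;

	if (proto == 0 || xlate_find_protomatch(cs, proto))
		return;

	pname = proto_to_name(proto, 0);
	xt_xlate_add(xl, "%s", selector);
	if (invert)
		xt_xlate_add(xl, " !=");
	if (pname)
		xt_xlate_add(xl, "%s", pname);
	else
		xt_xlate_add(xl, "%hu", proto);
}
```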
@@ -192,18 +193,16 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 xlate_ifname(xl, "oifname", cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
- if (cs->fw6.ipv6.proto != 0) {
- const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0);
-
- if (!pname || !xlate_find_match(cs, pname)) {
- xt_xlate_add(xl, "meta l4proto");
- if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
- xt_xlate_add(xl, " !=");
- if (pname)
- xt_xlate_add(xl, "%s", pname);
- else
- xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto);
- }
+ if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
+ const char *pname = proto_to_name(proto, 0);
+
+ xt_xlate_add(xl, "meta l4proto");
+ if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", proto);
 }
 xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
diff --git a/iptables/nft.c b/iptables/nft.c
index ee63c3dc..884cc77e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1307,14 +1307,12 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
 uint8_t reg;
 int ret;
- if (src[0] && src[0] == src[1] &&
+ if (!invert_src &&
+ src[0] && src[0] == src[1] &&
 dst[0] && dst[0] == dst[1] && invert_src == invert_dst) {
 uint32_t combined = dst[0] | (src[0] << 16);
- if (invert_src)
- op = NFT_CMP_NEQ;
-
 expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, ®);
 if (!expr)
 return -ENOMEM;
diff --git a/iptables/nft.h b/iptables/nft.h
index 57533b65..b2a8484f 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
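Review bot: After the added `!invert_src &&`, the surviving `invert_src == invert_dst` is just `!invert_dst`, and nothing in the hunk says why the merged 4-byte compare is restricted to the non-inverted case, so a later reader could "restore" the removed NEQ path. Spell the condition out as `if (!invert_src && !invert_dst &&` and put above it `/* one NEQ over the src/dst pair matches when either port differs, but "! --sport X ! --dport Y" requires both to differ, so inverted ports must use the per-port compares */` (the per-port path is presumably what follows this block outside the hunk). The `®);` in the gen_payload() call looks like an HTML-entity rendering of `&reg);` rather than source text. add_nft_tcpudp() begins before and continues after the hunk.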
@@ -242,6 +242,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, boo
 struct xt_buf;
 bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
+bool xlate_find_protomatch(const struct iptables_command_state *cs, uint16_t proto);
 int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
 int xlate_action(const struct iptables_command_state *cs, bool goto_set, struct xt_xlate *xl);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index b998dd75..b1997ea3 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1885,7 +1885,7 @@ void do_parse(int argc, char *argv[],
 set_option(p->ops, &cs->options, OPT_COUNTERS, &args->invflags, invert);
 args->pcnt = optarg;
- args->bcnt = strchr(args->pcnt + 1, ',');
+ args->bcnt = strchr(args->pcnt, ',');
 if (args->bcnt)
 args->bcnt++;
 if (!args->bcnt && xs_has_arg(argc, argv))
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 8ebe523c..3d8617f0 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -131,7 +131,6 @@ bool xlate_find_match(const struct iptables_command_state *cs, const char *p_nam
 {
 struct xtables_rule_match *matchp;
- /* Skip redundant protocol, eg. ip protocol tcp tcp dport */
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
 if (strcmp(matchp->match->name, p_name) == 0)
 return true;
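Review bot: The old `args->pcnt + 1` started the comma scan one byte into `optarg`, so an empty argument (`-c ""`) made strchr() read past the terminator and `-c ,3` was treated as if no comma were present; the new call keeps the scan inside the string, and the five new cases in extensions/iptables.t pin both behaviours. Because the `+ 1` read like a deliberate skip, a short comment would stop it from coming back: `/* optarg may be empty or begin with ','; scan from its first byte */`. Rejection of the malformed counter strings is not visible in this hunk, so it presumably happens where pcnt/bcnt are converted later; do_parse() continues on both sides of the hunk.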
@@ -139,6 +138,22 @@ bool xlate_find_match(const struct iptables_command_state *cs, const char *p_nam
 return false;
 }
+bool xlate_find_protomatch(const struct iptables_command_state *cs,
+ uint16_t proto)
+{
+ struct protoent *pent;
+ int i;
+
+ /* Skip redundant protocol, eg. ip protocol tcp tcp dport */
+ for (i = 0; xtables_chain_protos[i].name != NULL; i++) {
+ if (xtables_chain_protos[i].num == proto &&
+ xlate_find_match(cs, xtables_chain_protos[i].name))
+ return true;
+ }
+ pent = getprotobynumber(proto);
+ return pent && xlate_find_match(cs, pent->p_name);
+}
+
 const char *family2str[] = {
 [NFPROTO_ARP] = "arp",
 [NFPROTO_IPV4] = "ip",
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index f2fcc5c2..7b370d48 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1513,11 +1513,9 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
 const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp)
 {
- static char buf[16];
- const unsigned char *bytep = (const void *)&addrp->s_addr;
+ static char buf[INET_ADDRSTRLEN];
- sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
+ return inet_ntop(AF_INET, addrp, buf, sizeof(buf));
 }
 static const char *ipaddr_to_host(const struct in_addr *addr)
@@ -1577,13 +1575,14 @@ int xtables_ipmask_to_cidr(const struct in_addr *mask)
 const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
 {
- static char buf[20];
+ static char buf[INET_ADDRSTRLEN + 1];
 uint32_t cidr;
 cidr = xtables_ipmask_to_cidr(mask);
 if (cidr == (unsigned int)-1) {
 /* mask was not a decent combination of 1's and 0's */
- sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
+ buf[0] = '/';
+ inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1);
 return buf;
 } else if (cidr == 32) {
 /* we don't want to see "/32" */
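Review bot: xlate_find_protomatch() has no comment stating its contract, and the one carried over from xlate_find_match() only names the tcp example; it is also worth recording that `getprotobynumber()` hands back static, non-reentrant storage, which is harmless here only because `pent->p_name` is consumed immediately. Suggested header: `/* True when a match already loaded into the rule names `proto` (by any name the xtables_chain_protos[] table gives it, else by the system protocol name), so the caller can omit a redundant protocol expression. Not reentrant: getprotobynumber() returns static storage. */`. Whether the table is consulted first because it can carry more than one name per number is an inference, not visible here; the prototype added to iptables/nft.h should carry the same comment.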
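Review bot: `return inet_ntop(AF_INET, addrp, buf, sizeof(buf));` changes the contract of xtables_ipaddr_to_numeric(): the sprintf() it replaces could not fail, whereas inet_ntop() returns NULL on error, so a caller that passes the result straight to a `"%s"` conversion would now hit a null pointer on that path. The failure is hard to reach with AF_INET and a 16-byte buffer, but the public function should say so in its documentation, `/* Returns a static buffer, or NULL if inet_ntop() fails. */`, or keep the old guarantee with `const char *s = inet_ntop(...); return s ? s : "";`. The same applies to xtables_ip6addr_to_numeric() in the @@ -1863 hunk. Replacing the unbounded sprintf() with a sized conversion is the right direction.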
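Review bot: The result of `inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1)` is discarded, so if it fails the function still returns `buf`, i.e. `/` followed by whatever the static buffer held from an earlier call (nothing terminates `buf[1]` after `buf[0] = '/'`). Check it, `if (!inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1)) return NULL;` — or whatever failure value the callers can tolerate — and mirror that in the AF_INET6 copy in xtables_ip6mask_to_numeric() (@@ -1923), where the preceding `strcpy(buf, "/")` at least leaves a terminated `/` behind. The sizing `INET_ADDRSTRLEN + 1` against `buf + 1` / `sizeof(buf) - 1` is consistent, and dropping the sprintf()/strcpy()/strcat() chain for bounded writes is an improvement. xtables_ipmask_to_numeric() continues past the hunk.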
@@ -1863,9 +1862,8 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
 const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
 {
- /* 0000:0000:0000:0000:0000:0000:000.000.000.000
- * 0000:0000:0000:0000:0000:0000:0000:0000 */
- static char buf[50+1];
+ static char buf[INET6_ADDRSTRLEN];
+
 return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
 }
@@ -1923,12 +1921,12 @@ int xtables_ip6mask_to_cidr(const struct in6_addr *k)
 const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
 {
- static char buf[50+2];
+ static char buf[INET6_ADDRSTRLEN + 1];
 int l = xtables_ip6mask_to_cidr(addrp);
 if (l == -1) {
 strcpy(buf, "/");
- strcat(buf, xtables_ip6addr_to_numeric(addrp));
+ inet_ntop(AF_INET6, addrp, buf + 1, sizeof(buf) - 1);
 return buf;
 }
 /* we don't want to see "/128" */ |