| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes matches/targets that are dependent on that IPv4/Ipv6
context, eg.
# ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
# ip6tables-compat-save
...
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling
to avoid misinterpretations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch permits to save matches and target for ip/ip6/arp/eb
family, required for xtables-events.
Also, generalizes nft_rule_print_save to be reused for all protocol
families.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Just to keep aligned with iptables legacy tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch should allow distributors to switch to the iptables over
nftables compatibility layer in a transparent way by updating
symbolic links from:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi
to:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi
Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save,
ip6tables-restore and arptables.
Note that, after this patch, the following new symlinks are installed:
* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* arptables-compat
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add a new operation structure, we don't actually need the libip4tc
definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Depend on libmnl, libnftnl, flex and bison if only if the nftables
compatibility is enabled.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The compat utility name is xtables, the name used for the
compatibility binary. Better explicitly refer to the compatibility
later as nftables-compat.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Reported-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Adapt the current code to use the new library name libnftnl.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
We have to use uint32_t instead uint8_t to adapt this to the libnftables
changes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Many changes were missing.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in
nft_xtables_config_load) but that was my fault indeed since Ana sent
a v2 patch that I have overlook.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Those errors are shown with valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released
appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Those errors are shown with the valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of
nft_xtables_config_load
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This error is shown with valgrind tools:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x574CC76: mnl_socket_open (socket.c:117)
==7377== by 0x417495: nft_init (nft.c:598)
==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114== by 0x41788E: add_match (nft.c:781)
==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114== by 0x418ACE: nft_rule_append (nft.c:1000)
==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114== by 0x4152DE: do_commandx (xtables.c:1184)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114== by 0x52448C8: xtables_calloc (xtables.c:272)
==11114== by 0x410AC2: command_default (xshared.c:150)
==11114== by 0x4149A2: do_commandx (xtables.c:1075)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure.
Fix also the target path which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Tested-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
(0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke
inversion of built-in selectors, such as -s, -d, etc.
We need to refresh the invflags if -p is used or set it for first
time if -p is not used, otherwise inversion is ignored.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The patch (989b793 src: unify parse and output types) changed
the table and chain type definitions, adapt this code to use
the new ones.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This is a temporary workaround mechanism until variable interface
hardware address length can be handled through nftables. This
defaults on the length of EUI-64 mac address, which should be the
most common usage until this is appropriately fixed for all type
of layer 2 addresses.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This fixes such warning:
xtables-arp.c: In function ‘check_inverse’:
xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a
global declaration [-Wshadow]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch replaces strcat with strncat and strcpy with strncpy
fixing possible string overflow.
Based on the original patch:
http://patchwork.ozlabs.org/patch/279672/
from Jaromír Končický via Jiri Popelka.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In (73ea1cc nft: convert rule into a command state structure), the
interface wildcard matching got broken. The previous handling was
flawed by the use of ifnametoindex in scenario where the interface
may vanished after a rule was added.
This approach relies on the trailing '\0' to identify if this is
an exact or wildcard matching, based on discussion with Florian.
Based on initial patch from Anand Raj Manickam.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.
This fixes:
xtables -4 -D INPUT -m connlimit \
--connlimit-above 10 --connlimit-mask 32 --connlimit-daddr
But it also fixes many other matches/targets which use internal
private data.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The extension needs the ipt_entry not to crash. Since cs->fw
actually points to an union that also contains cs->fw6, just
pass cs->fw to make it work.
This fixes:
-A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.
Add a new hook called ->pre_parse, that sets the protocol
information accordingly.
Thus:
xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024
works again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds parse_target for arp family, fixing segfaults
for xtables-arp -L after rules like:
xtables-arp -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
xtables-arp -A OUTPUT -o eth1 --h-length 6 \
-j mangle --mangle-mac-s 01:00:5e:00:01:01
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This small patch initialize the flags in nft_arp_parse_meta,
now the nft_arp_rule_find is working properly.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The allocated area was not aligned.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Target never gets its options parsed.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes compilation issues.
nft-shared.c: In function ‘nft_ipv46_rule_find’:
nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration]
nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function)
nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fix option IDs and remove irrelevant flags on setting options
mandatory.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This is a porting of the original mangle target in arptables. This
also adapts original code so functions fits with libxtables.
This is needed by the xtables-arp compatibility tool for nftables.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Fixes a segfault issue when deleting a rule.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This small patch permit to reset the chain counters.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The following patch permit to delete the rules specifying
an entry or a rule number.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
According to libnftables change 437d610, now the length obtained
via getter function is uint32_t, not size_t anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
To ensure that compilation does not break if Linux kernel
headers are not installed in the system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The following patch permit to replace rule in xtables-arp.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should help to avoid code duplication to support ARP.
As a result, we have a common generic infrastructure for
IPv4, IPv6 and ARP.
This patch removes nft_arp_rule_append and nft_arp_rule_insert,
which were very similar to their original nft_rule_append and
nft_rule_insert.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch removes nft_arp_rule_new, which almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The following patch implements the is_same operation
for ARP family needed for searching arp rule.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
nft_arp_print_firewall already handles endianess appropriately.
This fixes the output of the option that allows you to match
ARP header fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow to accomodate those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The ARP family has less tables, so skip iteration once we find
a null one.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This should help Giuseppe with his ARP support works, this change
was missing in (618309c nft: refactoring parse operations for more
genericity).
Based on patch from Giuseppe.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft-shared.c: In function ‘nft_rule_to_iptables_command_state’:
nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized]
nft-shared.c:432:14: note: ‘jumpto’ was declared here
All verdicts are managed and jumpto has to get a value, but since
the compiler complains, let's fix it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This allows to reuse the nft_parse_* function for the bridge and
arp family (not yet supported).
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|