| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Remove code to set table in dormant state, this is not required from
the iptables over nft compatibility layer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Prepare inclusion of tables and chain objects in the batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds the user space extension/frontend for process matching
based on cgroups from the kernel patch entitled "netfilter: xtables:
lightweight process control group matching".
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch provides the userspace part for snat in order to make
randomize-full support available in {ip,nf}tables. It allows for
enabling full port randomization that was motivated in [1] and
introduced to the kernel in [2].
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://patchwork.ozlabs.org/patch/304306/
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch enables user to set iptables ACTIONs for IPcomp
flow specified by its SPI value.
For example:
iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
IPcomp packet with spi as 0x12 will be dropped.
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
its enforced by both by libiptc and kernel.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since the family declaration has been modified in libnftnl,
from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16
the assertion is failed for {ip,ip6,arp}tables-compat
when printing rules.
iptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
ip6tables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
see also 296dca39be
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
original bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1022228
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
http://www.gnu.org/licenses/gpl-2.0.html
http://www.fsf.org/about/contact/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the current condition doesn't permit to parse ip addresses
when they should be. Obviously they are not printed.
arptables-compat -A INPUT -s 1.1.1.1 -i eth0 -j ACCEPT
arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
-j ACCEPT -i eth0
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Wrong arguments are passed to is_same_interfaces
that causes sometimes to delete a wrong rule.
See the example below:
arptables-compat -A INPUT -i eth0 -j ACCEPT
arptables-compat -A INPUT -i eth1 -j ACCEPT
arptables-compat -A INPUT -i eth2 -j ACCEPT
arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
-j ACCEPT -i eth0
-j ACCEPT -i eth1
-j ACCEPT -i eth2
arptables-compat -D INPUT -i eth2 -j ACCEPT
arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
-j ACCEPT -i eth1
-j ACCEPT -i eth2
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch permits to print arp rules, avoiding the segfault that
you got currently.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Adds nft_arp_save_firewall to arp family. (Avoids the segfault in
xtables-events)
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ \
| | |
| | |
| | |
| | | |
This merges the branch that contains the iptables over nftables
compatibility layer into master.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In this specific places, libnftnl gives back a string on which iptables
should not assume any line break, thus it's up to iptables to add it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
These are not helpful.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This helps to remove some runtime overhead, especially when running
xtables-restore.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is useful to know if a builtin table is requested to be created.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This fixes matches/targets that are dependent on that IPv4/Ipv6
context, eg.
# ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
# ip6tables-compat-save
...
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling
to avoid misinterpretations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch permits to save matches and target for ip/ip6/arp/eb
family, required for xtables-events.
Also, generalizes nft_rule_print_save to be reused for all protocol
families.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Just to keep aligned with iptables legacy tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch should allow distributors to switch to the iptables over
nftables compatibility layer in a transparent way by updating
symbolic links from:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi
to:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi
Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save,
ip6tables-restore and arptables.
Note that, after this patch, the following new symlinks are installed:
* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* arptables-compat
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new operation structure, we don't actually need the libip4tc
definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Depend on libmnl, libnftnl, flex and bison if only if the nftables
compatibility is enabled.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The compat utility name is xtables, the name used for the
compatibility binary. Better explicitly refer to the compatibility
later as nftables-compat.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | | |
Reported-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adapt the current code to use the new library name libnftnl.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
We have to use uint32_t instead uint8_t to adapt this to the libnftables
changes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Many changes were missing.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in
nft_xtables_config_load) but that was my fault indeed since Ana sent
a v2 patch that I have overlook.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Those errors are shown with valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released
appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Those errors are shown with the valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of
nft_xtables_config_load
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This error is shown with valgrind tools:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x574CC76: mnl_socket_open (socket.c:117)
==7377== by 0x417495: nft_init (nft.c:598)
==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114== by 0x41788E: add_match (nft.c:781)
==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114== by 0x418ACE: nft_rule_append (nft.c:1000)
==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114== by 0x4152DE: do_commandx (xtables.c:1184)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114== by 0x52448C8: xtables_calloc (xtables.c:272)
==11114== by 0x410AC2: command_default (xshared.c:150)
==11114== by 0x4149A2: do_commandx (xtables.c:1075)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure.
Fix also the target path which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Tested-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
(0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke
inversion of built-in selectors, such as -s, -d, etc.
We need to refresh the invflags if -p is used or set it for first
time if -p is not used, otherwise inversion is ignored.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The patch (989b793 src: unify parse and output types) changed
the table and chain type definitions, adapt this code to use
the new ones.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is a temporary workaround mechanism until variable interface
hardware address length can be handled through nftables. This
defaults on the length of EUI-64 mac address, which should be the
most common usage until this is appropriately fixed for all type
of layer 2 addresses.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This fixes such warning:
xtables-arp.c: In function ‘check_inverse’:
xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a
global declaration [-Wshadow]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch replaces strcat with strncat and strcpy with strncpy
fixing possible string overflow.
Based on the original patch:
http://patchwork.ozlabs.org/patch/279672/
from Jaromír Končický via Jiri Popelka.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In (73ea1cc nft: convert rule into a command state structure), the
interface wildcard matching got broken. The previous handling was
flawed by the use of ifnametoindex in scenario where the interface
may vanished after a rule was added.
This approach relies on the trailing '\0' to identify if this is
an exact or wildcard matching, based on discussion with Florian.
Based on initial patch from Anand Raj Manickam.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.
This fixes:
xtables -4 -D INPUT -m connlimit \
--connlimit-above 10 --connlimit-mask 32 --connlimit-daddr
But it also fixes many other matches/targets which use internal
private data.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
