| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following test:
# python xlate-test.py extensions/libxt_hashlimit.txlate
extensions/libxt_hashlimit.txlate: Fail
src: iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP
exp: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
res: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
1 test file, 2 tests, 1 tests passed, 1 tests failed, 0 errors
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After nft v0.8.1 "flow table" is renamed as meter.
This should reflect in iptables to nftables translation.
Before this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
After this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3
--hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and
255.255.255.0 limit rate 200/second } counter drop
Signed-off-by: shyam saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds test cases for iptables to nft translation of cluster match
This adds all test cases including corner cases.
Run these test cases like:
$ ./xlate-test.py extensions/libxt_cluster.txlate
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for cluster to nft
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set
0xffff
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-nodemask 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta
mark set 0xffff
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a new exetension to iptables to supprt 'srh' match
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
shows:
nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
which prints burst twice, this is not correct.
Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated.
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes
This patch fixes the following warning:
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
_DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
# _DEFAULT_SOURCE"
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning:
warning: initialization discards ‘const’ qualifier from pointer target
type [-Wdiscarded-qualifiers]
.orig_opts = original_opts,
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Max Laverse <max@laverse.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Description
This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared. If -pie is provided after -shared, the linker throws an
error shown below as example.
-------------------------------------------------------------------------
/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
+ ./libxt_SYNPROXY.man
make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+ ./libip6t_mh.man
/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
undefined reference to `main'
/host/lib/gcc/powerpc-buildroot-linux-gnu + ./libxt_TCPMSS.man
/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
-------------------------------------------------------------------------
Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds test case for invalid MSS range.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
A typo in the help output of: iptables -j MARK -h.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type
is not equal to the corresponding index in sctp_chunk_names[]. Using this field
leads to a segmentation fault (index out of range).
Example
$ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Segmentation fault
Signed-off-by: huaibin Wang <huaibin.wang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds test for ipcomp protocol.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print errors and total no. of tests, tests passed, failed and errors for
testfile argument
Remove option "--all"
Print file names for which all tests are passed with OK
For e.g -
sudo ./xlate-test.py
generic.txlate: OK
libip6t_DNAT.txlate: OK
...
libxt_TCPMSS.txlate: Fail
src: iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-mss-to-pmtu
exp: nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter
tcp option maxseg size set rt mtu
res: nft # -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
...
libxt_connlabel.txlate: Error: iptables-translate failure
iptables-translate v1.6.1: Couldn't load match `connlabel':No such file
or directory
...
64 test files, 246 tests, 242 tests passed, 2 tests failed, 2 errors
sudo ./xlate-test.py extensions/libxt_iprange.txlate
1 test file, 5 tests, 5 tests passed, 0 tests failed, 0 errors
sudo ./xlate-test.py extensions/libxt_connlabel.txlate
extensions/libxt_connlabel.txlate: Error: iptables-translate failure
iptables-translate v1.6.1: Couldn't load match `connlabel':No such file
or directory
...
1 test file, 2 tests, 0 tests passed, 0 tests failed, 2 errors
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a
pointer. So there is no point in comparing it against NULL. Changing the
check to make sure it's content is not an empty string is pointless
either, since a non-empty default string is used and the argument parser
will refuse empty strings as --name argument. So simply get rid of the
checks altogether.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This patch checks that the iptables TOS to nftables translation works fine.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add missing files to be ignored.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since path mtu support was added, we can now add
iptables-compat translation for TCPMSS extension.
Signed-off-by: Aastha Gupta <aastha.gupta4104@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously, an MSS range of e.g. 65535:1000 was silently accepted but
would then never match a packet since the kernel checks whether the MSS
value is greater than or equal to the first *and* less than or equal to
the second value.
Detect this as a parameter problem and update the man page accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This adds test file for the recently added TCPMSS extension.
Signed-off-by: Aastha Gupta <aastha.gupta4104@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If user chain contains rules, flush needs to happen first to retain
iptables semantics. Use NLM_F_NONREC to request non-recursive chain
deletion.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The configure script handles the "--*-largefile" parameter badly. It
always disables largefile support if given (and it doesn't matter if
'enable' or 'disable' was used).
Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field inside
the xtables_globals struct and is not modified anywhere.
Done using following coccinelle semantic patch
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct option i[] = { ... };
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If -W <val> was given, error out if -w wasn't since that doesn't make
sense.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Passing -W without a value doesn't make sense so bail out if none was
given.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
* -d is optional
* -h is not really a flag, just anything not recognized triggers the
help output.
* That '<del rules>' bit is rather confusing than helpful.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This include is needed to compile the bpf_obj_get function properly,
as it brings in the __NR_bpf declaration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This chain should be translated as a route chain, not as a filter chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new feature to hashlimit that allows matching on the
current packet/byte rate without rate limiting. This can be enabled
with a new flag --hashlimit-rate-match. The match returns true if the
current rate of packets is above/below the user specified value.
The main difference between the existing algorithm and the new one is
that the existing algorithm rate-limits the flow whereas the new algorithm
does not. Instead it *classifies* the flow based on whether it is above or
below a certain rate. I will demonstrate this with an example below. Let
us assume this rule:
iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain
If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets
every second and send 5 packets to "new_chain".
But with the new algorithm, as long as the rate of 15/s is sustained, all
packets will continue to match and every packet is sent to new_chain.
This new functionality will let us classify different flows based on their
current rate, so that further decisions can be made on them based on what
the current rate is.
This is how the new algorithm works:
We divide time into intervals of 1 (sec/min/hour) as specified by
the user. We keep track of the number of packets/bytes processed in the
current interval. After each interval we reset the counter to 0.
When we receive a packet for match, we look at the packet rate
during the current interval and the previous interval to make a decision:
if [ prev_rate < user and cur_rate < user ]
return Below
else
return Above
Where cur_rate is the number of packets/bytes seen in the current
interval, prev is the number of packets/bytes seen in the previous
interval and 'user' is the rate specified by the user.
We also provide flexibility to the user for choosing the time
interval using the option --hashilmit-interval. For example the user can
keep a low rate like x/hour but still keep the interval as small as 1
second.
To preserve backwards compatibility we have to add this feature in a new
revision, so I've created revision 3 for hashlimit. The two new options
we add are:
--hashlimit-rate-match
--hashlimit-rate-interval
I have updated the help text to add these new options. Also added a few
tests for the new options.
Suggested-by: Igor Lubashev <ilubashe@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat is used for listing operations:
==1604== 1,064 (120 direct, 944 indirect) bytes in 5 blocks are definitely lost in loss record 21 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x56ABB78: xtables_malloc (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x56AC7D3: xtables_find_match (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x11F502: nft_parse_match (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x11FC7B: nft_rule_to_iptables_command_state (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x1218C0: nft_ipv4_print_firewall (nft-ipv4.c:301)
==1604== by 0x11CBEB: __nft_rule_list (nft.c:2042)
==1604== by 0x11CEA4: nft_rule_list (nft.c:2126)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 25 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11A311: nft_init (nft.c:777)
==1604== by 0x115A71: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 26 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11910C: mnl_nftnl_batch_page_add (nft.c:122)
==1604== by 0x11D8FE: nft_action (nft.c:2402)
==1604== by 0x11D957: nft_commit (nft.c:2413)
==1604== by 0x11CCB7: nft_rule_list (nft.c:2076)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat-restore is executed:
valgrind --leak-check=full iptables-compat-restore test-ruleset
==2548== 16 bytes in 1 blocks are definitely lost in loss record 1 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x4E39D67: __mnl_socket_open (socket.c:110)
==2548== by 0x4E39DDE: mnl_socket_open (socket.c:133)
==2548== by 0x11A48E: nft_init (nft.c:765)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 16 bytes in 1 blocks are definitely lost in loss record 2 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11B2DB: nftnl_chain_list_get (nft.c:1194)
==2548== by 0x11B377: nft_chain_dump (nft.c:1210)
==2548== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2548== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 5 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x56ABB99: xtables_calloc (xtables.c:291)
==2548== by 0x116DA7: command_jump (xtables.c:623)
==2548== by 0x117D5B: do_parse (xtables.c:923)
==2548== by 0x1188BA: do_commandx (xtables.c:1183)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 6 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x4E3AE07: mnl_nlmsg_batch_start (nlmsg.c:441)
==2548== by 0x1192B7: mnl_nftnl_batch_alloc (nft.c:106)
==2548== by 0x11931A: mnl_nftnl_batch_page_add (nft.c:122)
==2548== by 0x11DB0C: nft_action (nft.c:2402)
==2548== by 0x11DB65: nft_commit (nft.c:2413)
==2548== by 0x114FBB: xtables_restore_parse (xtables-restore.c:238)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 8 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x50496FE: nftnl_table_list_alloc (table.c:433)
==2548== by 0x11DF88: nft_xtables_config_load (nft.c:2539)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 9 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11DF91: nft_xtables_config_load (nft.c:2540)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 135,168 bytes in 1 blocks are definitely lost in loss record 19 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x119280: mnl_nftnl_batch_alloc (nft.c:102)
==2548== by 0x11A51F: nft_init (nft.c:777)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
An additional leak occurs if a rule-set already exits:
==2735== 375 (312 direct, 63 indirect) bytes in 3 blocks are definitely lost in loss record 19 of 24
==2735== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2735== by 0x504AAE9: nftnl_chain_alloc (chain.c:92)
==2735== by 0x11B1F1: nftnl_chain_list_cb (nft.c:1172)
==2735== by 0x4E3A2E8: __mnl_cb_run (callback.c:78)
==2735== by 0x4E3A4A7: mnl_cb_run (callback.c:162)
==2735== by 0x11920D: mnl_talk (nft.c:70)
==2735== by 0x11B343: nftnl_chain_list_get (nft.c:1203)
==2735== by 0x11B377: nft_chain_dump (nft.c:1210)
==2735== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2735== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2735== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2735== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j
Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a comment translation immediately follows a counter statement, two
spaces are printed between "counter" and "comment" keywords.
The counter statement is almost always followed by a target, so we need
to move the space following "counter" to the beginning of the target
translation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This change should have been included in commit f035be35c749
("xtables-translate: fix multiple spaces issue"), but was forgotten.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The owner name was hard-coded in the owner extension translation test.
The translation process requires the user to exist in the system, so
this commit replaces it with the usual UID_MIN value (1000).
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an option to output the results of iptables-save,
ip6tables-save, and xtables-save save to a file.
Updates the man page with this new option.
Uses the dup2 call to replace stdout with the specified file.
Error output is unchanged.
This is a feature requested by a Gentoo developer in
Bugzilla #905.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that
specifies the table option during a restore can create an invalid pointer.
It was discovered during fuzz testing that options like '-ftf'
can cause a segfault. A parameter that includes a 't' is not currently
filtered correctly.
Improves the filtering to:
Filter a beginning '-' followed by a character other than '-' and then a 't'
anywhere in the parameter. This filters parameters like '-ftf'.
Filter '--t'.
Filter '--table', stopping when the parameter length is reached. Because the
getopt_long function allows abbreviations, any unique abbreviation of '--table'
will be treated as '--table'. This filters parameters like '--t', '--ta', but not
'--ttl' or '--target'.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, iptables programs will exit with an error if the
iptables lock cannot be acquired, but will silently continue if
the lock cannot be opened at all. This can cause unexpected
failures (with unhelpful error messages) in the presence of
concurrent updates, which can be very difficult to find in a
complex or multi-administrator system.
Instead, refuse to do anything if the lock cannot be acquired.
The behaviour is not affected by command-line flags because:
1. In order to reliably avoid concurrent modification, all
invocations of iptables commands must follow this behaviour.
2. Whether or not the lock can be opened is typically not
a run-time condition but is likely to be a configuration
error.
Existing systems that depended on things working mostly correctly
even if there was no lock might be affected by this change.
However, that is arguably a configuration error, and now that the
iptables lock is configurable, it is trivial to provide a lock
file that is always accessible: if nothing else, the iptables
binary itself can be used. The lock does not have to be writable,
only readable.
Tested by configuring the system to use an xtables.lock file in
a non-existent directory and observing that all commands failed.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change the scope of the weird character check loop so that
it checks for invalid characters when the interface name
contains a wildcard.
Fixes Bugzilla #1085.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
| |
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit replaces subprocess.run (introduced in python 3.5) with
subprocess.Popen (supported since the first version of python 3).
Furthermore, the output has been improved when ip[6]tables-translate
exits with non-zero return code.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
