summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* arptables: ignore --table argument.Florian Westphal2018-11-121-1/+4
| | | | | | | You can run 'arptables-legacy -t foobar' and commands work fine, as it still operates on filter table (the only table that exists). Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: make uni/multicast mac masks staticFlorian Westphal2018-11-121-6/+6
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: add test casesFlorian Westphal2018-11-124-0/+27
| | | | | | | | | | | | | | | | Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like broken output, however, arptables classic did not pretty-print either. Also add test cases for all targets supported by the original arptables tool: -j CLASSIFY -j MARK -j mangle [ yes, mangle target is lower-case 8-( ] Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: pre-init hlen and ethertypeFlorian Westphal2018-11-122-14/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to check -s 1.2.3.4, we need to add the size of the hardware address to the arp header to obtain the offset where the ipv4 address begins: base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target) In arptables-classic, the kernel will add dev->addr_len to the arp header base address to obtain the correct location, but we cannot do this in nf_tables, at least not at this time (we need a fixed offset value). code does: op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP); add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ... but if user did not provide "--h-length 6" argument, then this won't work even for ethernet, as the payload expression will be told to load the first 4 bytes of arp header source mac address (sender hw address). Fix this by pre-initialising arhlen to 6. We also need to set up arhrd. Otherwise, src/dst mac can't be used: arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66 arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT This means that matching won't work for AX25, NETROM etc, however, arptables "classic" can't parse non-ethernet addresses, and makes ETH_ALEN assumptions in several spots, so this should be fine from compatibility point of view. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: fix src/dst mac handlingFlorian Westphal2018-11-121-9/+57
| | | | | | | | | | 1. check both address and mask, not just first byte of mac 2. use add_addr() for this so mask is also handled via bitwise expr. 3. use the correct offsets. 4. add dissector so we can reverse translate the payload expressions generated for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: fix target ip offsetFlorian Westphal2018-11-121-2/+3
| | | | | | | | | | | | | | | | --dst-ip checks the first four octets of the target mac. Format of ipv4 arp is: arphdr (htype, ptype...) src mac src ip target mac target ip So we need to add hlen (6 bytes) a second time (arphdr + 6 + 4 + 6) to get correct offset. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: fix -s/-d handling for negation and maskFlorian Westphal2018-11-121-6/+14
| | | | | | | also handle negations in other cases. Still to be resolved: mask handling for other options such as hlen. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: add basic test infra for arptables-nftFlorian Westphal2018-11-121-1/+10
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: fix rule deletion/compareFlorian Westphal2018-11-121-1/+2
| | | | | | | arptables -D fails most of the time, as we compared source mask with target mask. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: remove code that is also commented-out in original arptablesFlorian Westphal2018-11-121-31/+3
| | | | | | | This isn't a missing feature in the -nft version, neither plen and -m were ever implemented in arptables-legacy. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables-save: add -c option, like xtables-saveFlorian Westphal2018-11-122-9/+35
| | | | | | | | | arptables classic doesn't have arptables-save, it only has a perl script that attempts to emulate iptables-save. It supports no options, and thus has no way to dump counters. Add -c option, like iptables to enable this. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: use ->save for arptables-save, like xtablesFlorian Westphal2018-11-123-43/+43
| | | | | | | | | | | | | arptables-save will show -A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff as --h-length 6 --h-type Ethernet -j MARK MARK set 0x1 Because it uses ->print() instead of ->save(). Switch it to use ->save, we can then also drop special handling of CLASSIFY target. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: test protocol and interface negationFlorian Westphal2018-11-122-0/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix error return code in nft_chain_user_rename()Phil Sutter2018-11-122-2/+6
| | | | | | | If the chain to rename wasn't found, the function would return -1 which got interpreted as success. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Clarify error message when deleting by indexPhil Sutter2018-11-121-0/+1
| | | | | | | | | | | | Trying to delete a rule by index from a non-existent chain leads to a somewhat confusing error message: | # iptables-nft -D foobar 1 | iptables: Index of deletion too big. Fix this by performing chain existence checks for CMD_DELETE_NUM, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Fix typo in do_command() error messagePhil Sutter2018-11-121-1/+1
| | | | | | | | | | | This checks p->chain for existence, not cs->jumpto. Fixes this bogus error message: | # iptables-nft -t nat -A FORWARD -j ACCEPT | iptables v1.8.1 (nf_tables): Chain 'ACCEPT' does not exist Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: use extrapositioned negation consistentlyFlorian Westphal2018-11-1217-51/+81
| | | | | | | | | | | | | | in the iptables universe, we enforce extrapositioned negation: ! -i foo "-i ! foo" is not even supported anymore. At least make sure that ebtables prints the former syntax everywhere as well so we don't have a mix of both ways. Parsing of --option ! 42 will still work for backwards compat reasons. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-save: add -c option, using xtables-style countersFlorian Westphal2018-11-122-17/+81
| | | | | | | | | | The 'original' ebtables-save was a perl script that supported no option. Add minimal options, like ip(6)tables save. Retain the old way of formatiing counters via environment variable, but allow overriding this using the -c option. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: add NFT_TABLE_* enumerationPablo Neira Ayuso2018-11-122-22/+24
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: replace nft_chain_dump() by nft_chain_list_get()Pablo Neira Ayuso2018-11-124-21/+16
| | | | | | So we can remove nft_chain_dump() and replace nftnl_chain_get_list(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-nft: fix -f fragment optionFlorian Westphal2018-11-111-1/+1
| | | | | | | | This needs to be passed in network byte order. Reported-by: Arno van Amersfoort <arnova@rocky.eld.leidenuniv.nl> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1292 Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-0715-89/+52
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip: fix tos negationFlorian Westphal2018-11-052-3/+7
| | | | | | | | passing ->tos as uintmax_t will clear adjacent fields in the structure, including invflags. Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip6: fix ip6-dport negationFlorian Westphal2018-11-052-1/+2
| | | | | Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-nft: make -Z option workFlorian Westphal2018-11-051-2/+79
| | | | | | | | -Z doesn't just zero base counters, it zeroes out all rule counters, or, optionally, all counters of a chain (-Z FOO). Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1286 Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: add missing error stringFlorian Westphal2018-11-031-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-tests: add % to run iptables commandsPablo Neira Ayuso2018-11-032-4/+12
| | | | | | | Lines starting by % allows you to run iptables commands, use it for rateest test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-tests: do not append xtables-multi to external commandsPablo Neira Ayuso2018-11-031-1/+1
| | | | | | | | | Lines starting by @ can be used to invoke an external command of any kind. Do not add xtables-multi here since we may want to execute a non-iptables command. Fixes: 9ff99156b63e ("iptables-test: fix netns test") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-nft: add arpreply targetFlorian Westphal2018-11-033-0/+111
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add redirect test caseFlorian Westphal2018-11-032-1/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add test casesFlorian Westphal2018-11-0311-0/+89
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: relax -t table restriction, add snat/dnat test casesFlorian Westphal2018-11-033-3/+9
| | | | | | | | | | | | | | Its artificial and prevents test cases that need to add rules to a different table from working. The test script generates: -A PREROUTING -t nat ... which works fine for iptables and ip6tables. Just accept it for ebtables too and add test cases for snat and dnat. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: fix -j CONTINUE handling for add/deleteFlorian Westphal2018-11-033-27/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables, you can do either ebtables -A INPUT or ebtables -A INPUT -j CONTINUE both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side). However, the temprary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target(). When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules. So when doing -I INPUT -j CONTINUE -D INPUT -j CONTINUE the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary represenation doesn't. Fix it by ignoring 'CONTINUE' on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add basic ebtables test supportFlorian Westphal2018-11-032-3/+16
| | | | | | | now that we have ebtables-save, lets add test cases for ebtables-nft as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-nft: fix bogus handling of zero saddr/daddrFlorian Westphal2018-11-034-5/+18
| | | | | | | | | | | | | rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter). Fix this and add test cases too. This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287 Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-test: fix netns testTaehee Yoo2018-11-011-13/+9
| | | | | | | | | | | | | | | | The libxt_rateest test always fails because dependent command is not executed in netns. (@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval \ 250.0ms --rateest-ewmalog 500.0ms) After this path, adding netns command is executed first. Then test commands are executed. Fixes: 0123183f43a9 ("iptables-test: add -N option to exercise netns removal path") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix for matching rules with wildcard interfacesPhil Sutter2018-11-012-1/+5
| | | | | | | | | | | | | | Due to xtables_parse_interface() and parse_ifname() being misaligned regarding interface mask setting, rules containing a wildcard interface added with iptables-nft could neither be checked nor deleted. As suggested, introduce extensions/iptables.t to hold checks for built-in selectors. This file is picked up by iptables-test.py as-is. The only limitation is that iptables is being used for it, so no ip6tables-specific things can be tested with it (for now). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: limit: unbreak build without libnftnlFlorian Westphal2018-10-242-1/+1
| | | | | | | | | | Lars Wendler reported 1.8.1 build failure when trying to build without nft backend: In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory Reported-by: Lars Wendler <polynomial-c@gentoo.org> Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c") Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for spurious errors from iptables-translatePhil Sutter2018-10-233-3/+5
| | | | | | | | | | | | When aligning iptables-nft error messages with legacy ones, I missed that translate tools shouldn't check for missing or duplicated chains. Introduce a boolean in struct nft_xt_cmd_parse indicating we're "just" translating and do_parse() should skip the checks. Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump versions for 1.8.1 releasev1.8.1Florian Westphal2018-10-221-3/+3
| | | | | | | | this release also adds xtables_getether* functions to libxtables, so current and age are incremented as well. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-test: add -N option to exercise netns removal pathPablo Neira Ayuso2018-10-201-6/+32
| | | | | | | We are getting bug reports lately from the netns path, add a new option to exercise this path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-208-57/+19
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-207-41/+29
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-192-28/+5
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* xtables: Remove target_maxnamelen fieldPhil Sutter2018-10-156-8/+3
| | | | | | | | | | | | This is a partial revert of commit 9f075031a1973 ("Combine parse_target() and command_jump() implementations"): Upstream prefers to reduce max chain name length of arptables by two characters instead of the introduced struct xtables_globals field which requires to bump library API version. Fixes: 9f075031a1973 ("Combine parse_target() and command_jump() implementations") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: cgroup: fix option parsing for v2Pablo Neira Ayuso2018-10-091-1/+19
| | | | | | | | Structure layout is different, therefore a new struct xt_option_entry is needed. Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-092-5/+28
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-shared: Use xtables_calloc()Phil Sutter2018-09-251-11/+2
| | | | | | | | This simplifies code a bit since it takes care of checking for out-of-memory conditions. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: Use the shared nft_ipv46_parse_target()Phil Sutter2018-09-251-8/+1
| | | | | | | | No point in having a dedicated implementation for 'parse_target' callback since it is identical with the shared one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Combine parse_target() and command_jump() implementationsPhil Sutter2018-09-257-249/+80
| | | | | | | | | | | | | | | | | | | | | | | | | | | Merge these two functions from xtables, iptables, ip6tables and arptables. Both functions were basically identical in the first three, only the last one required a bit more attention. To eliminate access to 'invflags' in variant-specific location, move the call to set_option() into callers. This is actually consistent with parsing of other options in them. As with command_match(), use xt_params instead of the different *_globals objects to refer to 'opts' and 'orig_opts'. It was necessary to rename parse_target() as it otherwise clashes with a static function of same name in libxt_SET. In arptables, the maximum allowed target name is a bit larger, so introduce xtables_globals.target_maxnamelen defining the value. It is used in the shared xt_parse_target() implementation. Implementation of command_jump() in arptables diverted from the others for no obvious reason. The call to parse_target() was done outside of it and a pointer to cs->arp was passed but not used inside. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>