| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Try to eliminate most of the whitespace issues by separating strings
from separate xt_xlate_add() calls by whitespace if needed.
Cover the common case of consecutive range, list or MAC/IP address
printing by inserting whitespace only if the string to be appended
starts with an alphanumeric character or a brace. The latter helps to
make spacing in anonymous sets consistent.
Provide *_nospc() variants which disable the auto-spacing for the
mandatory exception to the rule.
Make things round by dropping any trailing whitespace before returning
the buffer via xt_xlate_get().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Kernel ignores 'hdrres' field, this matching on reserved field value was
never effective.
While being at it, drop its description from man page. Continue to parse
and print it for compatibility reasons, but avoid attracting new users.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Matching on fragmentation header length is ineffective in kernel, xlate
callback correctly ignores it. Add a comment as a hint for reviewers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Several log flags are ignored by the function. Add a comment explaining
why this is correct.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
A simple task since 'tcp option' expression exists.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Catch unexpected values in einfo->ip_ect.
Fixes: ca42442093d3d ("iptables: extensions: libxt_ecn: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Translation entirely ignored tos_mask field.
Fixes: b669e18489709 ("extensions: libxt_TOS: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Data structures are identical and the translation is layer3-agnostic.
Fixes: bebce197adb42 ("iptables: iptables-compat translation for TCPMSS")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Since markinfo->mode might contain unexpected values, add a default case
returning zero.
Fixes: afefc7a134ca0 ("extensions: libxt_MARK: Add translation for revision 1 to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bail out if nfmask != ctmask with XT_CONNMARK_SAVE and
XT_CONNMARK_RESTORE. Looks like this needs a similar implementation to
the one for XT_CONNMARK_SET.
Fix shift mark translation: xt_connmark_shift_ops does not contain
useful strings for nftables. Also add needed braces around the term
being shifted.
Fixes: db7b4e0de960c ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Catch unexpected values in info->mode, also fix indenting.
Fixes: 1b320a1a1dc1f ("extensions: libipt_ttl: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The callback is supposed to return 1 on success, not 0.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
The false suffix effectively disabled this test file, but it also has
problems: Apart from brmark_xlate() printing 'meta mark' instead of just
'mark', target is printed in the wrong position (like with any other
target-possessing extension.
Fixes: e67c08880961f ("ebtables-translate: add initial test cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Target value is constructed setting all non-target bits to one instead
of zero.
Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We always return 0, even if we printed some error message half-way.
Increment an error counter whenever an error message was printed so that
the chain-loop can exit with an error if this counter is nonzero.
Another effect is that iptables-save will no longer print the COMMIT line anmore.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Set ->errmsg when the meta key isn't supported by iptables-nft instead
of pretending everything is fine.
The old code is good enough to handle rules added by iptables-nft, but
its not enough to handle rules added by native nft.
At least make sure that there is a an error message telling that
iptables-nft could not decode the entire ruleset.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
In v1.8.8, the second bitwise changed the first one, messing
iptables-nft-save output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Replace nftnl_expr_get_data() alias by real function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Replace alias to real nftnl_nlmsg_build_hdr() function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Since basic_exit_err() appends a newline to the message itself, drop
explicit ones.
While being at it, fix indentation and join texts split over multiple
lines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Merge all four copies of the ICMP/ICMPv6/IGMP parameter parsing code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Put the most extensive version of icmp_codes, icmpv6_codes and
igmp_codes into the header. Have to rename the function
xt_print_icmp_types's parameter to avoid a compiler warning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The libxtables function covers all formerly supported inputs (and more).
The extended libebt_arp.t passes before and after this patch.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Update the local copy of linux/netfilter_bridge/ebt_ip.h and include it
instead of keeping the local copy of struct ebt_ip_info et al.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Data structures were identical already, make use of the names in
xt_LOG.h and merge all code into a single extension of family
NFPROTO_UNSPEC.
While being at it, define SYSLOG_NAMES and use the array in syslog.h
instead of dragging along an own level->name mapping two times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The same algorithm was present four times, outsource it. Also use
max()/min() macros for a more readable boundary notation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Function bodies were mostly identical, the only difference being the use
of struct ipt_entry or ip6t_entry for size calculation. Pass this value
via parameter to make them fully identical.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Call nft with translation output as input, then check xtables-save
output to make sure iptables-nft can handle anything it suggests nft to
turn its ruleset into.
This extends the test case syntax to cover for expected asymmetries.
When the existing syntax was something like this:
| <xlate command>
| <nft output1>
| [<nft output2>
The new syntax then is:
| <xlate command>[;<replay rule part>]
| <nft output1>
| [<nft output2>]
To keep things terse, <replay rule part> may omit the obligatory '-A
<chain>' argument. If missing, <xlate command> is sanitized for how it
would appear in xtables-save output: '-I' is converted into '-A' and an
optional table spec is removed.
Since replay mode has to manipulate the ruleset in-kernel, abort if
called by unprivileged user. Also try to run in own net namespace to
reduce collateral damage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
It's just a convenience wrapper around Popen(), simplifying the call.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Put the actual translation test into a function to call from the loop
and clean it up a bit. Preparation work for running a second test on the
same data.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
REDIRECT was already merged into DNAT. Given the callback generator and
generalized inner parsing routines, merging the other "flavors" is
relatively simple. Rename the extension into "libxt_NAT.so" while doing
so and turn the old DSOs into symlinks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
No functional change intended, just a more generic name for some symbols
which won't be DNAT-specific soon.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Each extension's callbacks follow the same scheme so introduce a
generator which accepts the specifics as parameter - including the
method to transform from per-extension data into struct nf_nat_range2.
Also move the different parser frontends and fcheck callbacks in one
spot for clarity.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Make the common function a bit more versatile and give it a more
generic name, then use it for REDIRECT target, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SNAT, DNAT and REDIRECT extensions tried to prevent
NF_NAT_RANGE_PROTO_RANDOM flag from being set if no port or address was
also given.
With SNAT and DNAT, this is not possible as the respective
--to-destination or --to-source parameters are mandatory anyway.
Looking at the kernel code, doing so with REDIRECT seems harmless.
Moreover, nftables supports 'redirect random' without specifying a
port-range.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
When introducing 'start' variable to cover for IPv6 addresses enclosed
in brackets, this single spot was missed.
Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
This extension always prints --connlimit-mask and (the default)
--connlimit-saddr options.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Fast iptables-test.py mode is picky and it has to: Plain redirect target
prints a trailing whitespace, generally stripping the rules in test
cases won't work therefore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Mask differs between numeric --set-tos values and symbolic ones, make
sure it is covered by the tests.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Specifying the lower boundary suffixed by colon is an undocumented
feature. Explicitly printing the upper boundary in that case seems sane.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Use hex input to avoid having to specify an expected output in trivial
cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
These minimal extension uses print in more detailed form. Track this,
the output is desired.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Unlike iptables, ebtables includes the default rule target in output.
Instead of adding it to every rule in ebtables tests, add special casing
to the testscript checking if the expected rule output contains a target
already and adding the default one if not.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement a faster mode of operation for suitable test files:
1) Collect all rules to add and all expected output in lists
2) Any supposedly failing rules are checked immediately like in slow
mode.
3) Create and load iptables-restore input from the list in (1)
5) Construct the expected iptables-save output from (1) and check it in
a single search
5) If any of the steps above fail, fall back to slow mode for
verification and detailed error analysis. Fast mode failures are not
fatal, merely warn about them.
To keep things simple (and feasible), avoid complicated test files
involving external commands, multiple tables or variant-specific
results.
Aside from speeding up testsuite run-time, rule searching has become
more strict since EOL char is practically part of the search string.
This revealed many false positives where the expected string was
actually a substring of the printed rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
The range is not communicated as "min and max queue number", but "first
queue number and count" instead. With 16bits for each value, it is not
possible to balance between all 65536 possible queues. Although probably
never used in practice, point this detail out in man page and make the
parser complain instead of the cryptic "xt_NFQUEUE: number of total
queues is 0" emitted by the kernel module.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Conversion from 'ctx' to 'reg' missed some of the DEBUGP() calls.
Fixes: f315af1cf8871 ("nft: track each register individually")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
This is an odd bug: If the number of chains is right and one renames the
last one in the list, libiptc dereferences a NULL pointer. Add fix and
test case for it.
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
Reported-by: Julien Castets <castets.j@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
