summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* nft: Eliminate table list from cachePhil Sutter2020-07-314-105/+34
| | | | | | | | | | | | | | The full list of tables in kernel is not relevant, only those used by iptables-nft and for those, knowing if they exist or not is sufficient. For holding that information, the already existing 'table' array in nft_cache suits well. Consequently, nft_table_find() merely checks if the new 'exists' boolean is true or not and nft_for_each_table() iterates over the builtin_table array in nft_handle, additionally checking the boolean in cache for whether to skip the entry or not. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: replace libnftnl table list by linux listPablo Neira Ayuso2020-07-274-81/+77
| | | | | | | | This patch removes the libnftnl table list by linux list. This comes with an extra memory allocation to store the nft_table object. Probably, there is no need to cache the entire nftnl_table in the near future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Reorder enum nft_table_typePhil Sutter2020-07-241-3/+3
| | | | | | | | | This list of table types is used internally only, the actual values don't matter that much. Reorder them to match the order in which iptables-legacy-save prints them (if present). As a consequence, entries in builtin_table array 'xtables_ipv4' are correctly sorted as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use nft_chain_find() in two more placesPhil Sutter2020-07-241-15/+14
| | | | | | | This doesn't really increase functions' readability but prepares for later changes. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Turn nft_chain_save() into a foreach-callbackPhil Sutter2020-07-243-37/+14
| | | | | | | | Let nftnl_chain_list_foreach() do the chain list iterating instead of open-coding it. While being at it, simplify the policy value selection code as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Drop pointless nft_xt_builtin_init() callPhil Sutter2020-07-241-2/+0
| | | | | | | When renaming a chain, either everything is in place already or the command will bail anyway. So just drop this superfluous call. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Drop duplicate chain checkPhil Sutter2020-07-241-6/+1
| | | | | | | | | When fetching chains from kernel, checking for duplicate chain names is not needed: Nftables doesn't support them in the first place. This is merely a leftover from when multiple cache fetches could happen and so a bit of sanity checking was in order. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Be lazy when flushingPhil Sutter2020-07-241-2/+4
| | | | | | | | If neither chain nor verbose flag was specified and the table to flush doesn't exist yet, no action is needed (as there is nothing to flush anyway). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Make table creation purely implicitPhil Sutter2020-07-244-24/+3
| | | | | | | | | | | | | | | | | | | While asserting a required builtin chain exists, its table is created implicitly if missing. Exploit this from xtables-restore, too: The only actions which need adjustment are chain_new and chain_restore, i.e. when restoring (either builtin or custom) chains. Note: The call to nft_table_builtin_add() wasn't sufficient as it doesn't set the table as initialized and therefore a following call to nft_xt_builtin_init() would override non-default base chain policies. Note2: The 'table_new' callback in 'nft_xt_restore_cb' is left in place as xtables-translate uses it to print an explicit 'add table' command. Note3: nft_table_new() function was already unused since a7f1e208cdf9c ("nft: split parsing from netlink commands"). Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_conntrack: provide translation for DNAT and SNAT --ctstatePablo Neira Ayuso2020-07-242-5/+20
| | | | | | | iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT nft add rule ip filter INPUT ct status dnat counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: accept lock file name at runtimeGiuseppe Scrivano2020-07-243-3/+17
| | | | | | | | | | | | | | | allow users to override at runtime the lock file to use through the XTABLES_LOCKFILE environment variable. It allows to use iptables when the user has granted enough capabilities (e.g. a user+network namespace) to configure the network but that lacks access to the XT_LOCK_NAME (by default placed under /run). $ XTABLES_LOCKFILE=/tmp/xtables unshare -rn iptables ... Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add help output to run-tests.shPhil Sutter2020-07-061-0/+19
| | | | | | | The script has quite a few options nowadays, so add a bit of help text also. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: compiler warning fixes for NO_SHARED_LIBSMaciej Żenczykowski2020-06-301-0/+4
| | | | | | | | | | | | Fixes two issues with NO_SHARED_LIBS: - #include <dlfcn.h> is ifdef'ed out and thus dlclose() triggers an undeclared function compiler warning - dlreg_add() is unused and thus triggers an unused function warning Test: builds without warnings Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: Use proper clear_cs functionPhil Sutter2020-06-161-1/+1
| | | | | | | Avoid memleaks by performing a full free of any allocated data in local iptables_command_state variable. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: don't fail if help was requestedArturo Borrero Gonzalez2020-06-161-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle this case in do_command_xlate(). Before this patch, you would see: user@debian:~$ sudo iptables-translate -h [..] nft Unsupported command? user@debian:~$ echo $? 1 After this patch: user@debian:~$ sudo iptables-translate -h [..] user@debian:~$ echo $? 0 Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* build: Fix for failing 'make uninstall'Phil Sutter2020-06-094-1/+47
| | | | | | | | | | | | | | | | | | | | | Support for uninstalling is severely broken: - extensions/GNUmakefile.in defines an 'install' target but lacks a respective 'uninstall' one, causing 'make uninstall' abort with an error message. - iptables/Makefile.am defines an 'install-exec-hook' to create the binary symlinks which are left in place after 'make uninstall'. Fix these problems by defining respective targets containing code copied from automake-generated uninstall targets. While being at it, add a few more uninstall-hooks removing custom directories created by 'make install' if they are empty afterwards. Reported-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Richard Guy Briggs <rgb@redhat.com>
* xtables-restore: Fix verbose mode table flushingPhil Sutter2020-06-096-6/+88
| | | | | | | | | | When called with --verbose mode, iptables-nft-restore did not print anything when flushing the table. Fix this by adding a "manual" mode to nft_cmd_table_flush(), turning it into a wrapper around '-F' and '-X' commands, which is exactly what iptables-legacy-restore does to flush a table. This though requires a real cache, so don't set NFT_CL_FAKE then. Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: resolve iptables-apply not getting installedJan Engelhardt2020-06-081-1/+1
| | | | | | | | | | | | | | | ip6tables-apply gets installed but iptables-apply does not. That is wrong. » make install DESTDIR=$PWD/r » find r -name "*app*" r/usr/local/sbin/ip6tables-apply r/usr/local/share/man/man8/iptables-apply.8 r/usr/local/share/man/man8/ip6tables-apply.8 Fixes: v1.8.5~87 Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document danger of applying REJECT to INVALID CTsJan Engelhardt2020-06-082-0/+40
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump version for 1.8.5 releasev1.8.5Pablo Neira Ayuso2020-06-031-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump dependency on libnftnlPhil Sutter2020-06-031-1/+1
| | | | | | | | | Recently added full among match support depends on concatenated ranges in nftables sets, a feature which was not available in libnftnl before version 1.1.6. Fixes: c33bae9c6c7a4 ("ebtables: among: Support mixed MAC and MAC/IP entries") Signed-off-by: Phil Sutter <phil@nwl.cc>
* include: Avoid undefined left-shift in xt_sctp.hPhil Sutter2020-05-291-3/+3
| | | | | | | | | | | | | Pull the fix in kernel commit 164166558aace ("netfilter: uapi: Avoid undefined left-shift in xt_sctp.h") into iptables repository. The original description is: With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is undefined for the signed 32-bit value 1. Avoid this by declaring 1 as unsigned. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0Phil Sutter2020-05-291-0/+1
| | | | | | | | The here-doc statement missed the final delimiter. Worked anyways because end-of-file would do the trick. Fixes: a103fbfadf4c1 ("xtables-restore: Fix parser feed from line buffer") Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: libxt_MARK: OUTPUT chain is fine, tooPhil Sutter2020-05-271-2/+2
| | | | | | | | | In order to route packets originating from the host itself based on fwmark, mangle table's OUTPUT chain must be used. Mention this chain as alternative to PREROUTING. Fixes: c9be7f153f7bf ("doc: libxt_MARK: no longer restricted to mangle table") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Drop save_counters callback from family_opsPhil Sutter2020-05-187-16/+3
| | | | | | | All families use the same callback function, just fold it into the sole place it's called. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Merge nft_*_rule_find() functionsPhil Sutter2020-05-187-112/+40
| | | | | | | | | Both ebtables and arptables are fine with using nft_ipv46_rule_find() instead of their own implementations. Take the chance and move the former into nft.c as a static helper since it is used in a single place, only. Then get rid of the callback from family_ops. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfnl_osf: Improve error handlingPhil Sutter2020-05-181-5/+10
| | | | | | | | | | | | | | | | | | | | | | For some error cases, no log message was created - hence apart from the return code there was no indication of failing execution. If a line load fails, don't abort but continue with the remaining file contents. The current pf.os file in this repository serves as proof-of-concept: Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0' parse into the same data. Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only the first three fields on right-hand side are sent to the kernel. When loading, these dups are ignored (they would bounce if NLM_F_EXCL was given). Upon deletion, they cause ENOENT response from kernel. In order to align duplicate-tolerance in both modes, just ignore that ENOENT. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfnl_osf: Fix broken conversion to nfnl_query()Phil Sutter2020-05-181-2/+4
| | | | | | | | | | | | | Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel didn't create an own ACK message but left it upon subsystem to ACK or not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck waiting for a reply. Whoever did the conversion from deprecated nfnl_talk() obviously didn't even test basic functionality of the tool. Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libip6t_srh.t: switch to lowercase, add /128 suffix, require successMaciej Żenczykowski2020-05-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | This looks like an oversight which is easy to fix. Furthermore: git grep ';;OK' does not find any other matches, so this is the last unverified test case. Test: [root@f32vm IPT]# uname -r 5.6.10-300.fc32.x86_64 [root@f32vm IPT]# md5sum extensions/libip6t_srh.t b98864bdd6c39a0dd96022c47e652edb extensions/libip6t_srh.t [root@f32vm IPT]# ./iptables-test.py extensions/libip6t_srh.t extensions/libip6t_srh.t: OK 1 test files, 27 unit tests, 27 passed Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-test: Don't choke on empty linesPhil Sutter2020-05-112-2/+1
| | | | | | | | | | | | | | | | | | | | The script code wasn't expecting empty lines: | Traceback (most recent call last): | File "./iptables-test.py", line 380, in <module> | main() | File "./iptables-test.py", line 370, in main | file_tests, file_passed = run_test_file(filename, args.netns) | File "./iptables-test.py", line 265, in run_test_file | if item[1] == "=": | IndexError: list index out of range Fix this by ignoring empty lines or those consisting of whitespace only. While being at it, remove the empty line from libxt_IDLETIMER.t which exposed the problem. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Don't exit early after printing help textsPhil Sutter2020-05-113-9/+10
| | | | | | | Follow regular code path after handling --help option to gracefully deinit and free stuff. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix leak when replacing a rulePhil Sutter2020-05-111-1/+2
| | | | | | | | | | If nft_rule_append() is called with a reference rule, it is supposed to insert the new rule at the reference position and then remove the reference from cache. Instead, it removed the new rule from cache again right after inserting it. Also, it missed to free the removed rule. Fixes: 5ca9acf51adf9 ("xtables: Fix position of replaced rules in cache") Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables: Fix leak in nft_arp_print_rule()Phil Sutter2020-05-111-0/+2
| | | | | | | The function missed to clear struct iptables_command_state again after use. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use clear_cs() instead of open codingPhil Sutter2020-05-114-10/+4
| | | | | | | | In a few places, initialized struct iptables_command_state was not fully deinitialized. Change them to call nft_clear_iptables_command_state() which does it properly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_fini()Phil Sutter2020-05-1114-9/+82
| | | | | | | | | | | | Record handles of loaded shared objects in a linked list and dlclose() them from the newly introduced function. While functionally not necessary, this clears up valgrind's memcheck output when also displaying reachable memory. Since this is an extra function that doesn't change the existing API, increment both current and age. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Free statically loaded extensions againPhil Sutter2020-05-114-2/+20
| | | | | | | | | All ebtables extensions are loaded upon program start as due to the lack of '-m' parameters, loading on demand is not possible. Introduce nft_fini_eb() to counteract nft_init_eb() and free dynamic memory in matches and targets from there. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix leak when deleting rulesPhil Sutter2020-05-111-1/+1
| | | | | | | For NFT_COMPAT_RULE_DELETE jobs, batch_obj_del() has to do the rule freeing, they are no longer in cache. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix leaks in ebt_add_policy_rule()Phil Sutter2020-05-111-6/+12
| | | | | | | | | | | | | | | | | | The function leaked memory allocated in temporary struct iptables_command_state, clean it immediately after use. In any of the udata-related error cases, allocated nftnl_rule would leak, fix this by introducing a common error path to goto. In regular code path, the allocated nftnl_rule would still leak: batch_obj_del() does not free rules in NFT_COMPAT_RULE_APPEND jobs, as they typically sit in cache as well. Policy rules in turn weren't added to cache: They are created immediately before commit and never referenced from other rules. Add them now so they are freed just like regular rules. Fixes: aff1162b3e4b7 ("ebtables-nft: Support user-defined chain policies") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Clear all lists in nft_fini()Phil Sutter2020-05-111-3/+9
| | | | | | | | Remove and free any pending entries in obj_list and err_list as well. To get by without having to declare list-specific cursors, use generic list_head types and call list_entry() explicitly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Re-establish cache consistency checkPhil Sutter2020-05-111-0/+11
| | | | | | | | | | | | | Restore code ensuring __nft_build_cache() returns a consistent cache in which all ruleset elements belong to the same generation. This check was removed by commit 200bc39965149 ("nft: cache: Fix iptables-save segfault under stress") as it could lead to segfaults if a partial cache fetch was done while cache's chain list was traversed. With the new cache fetch logic, __nft_build_cache() is never called while holding references to cache entries. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Implement --valgrind modePhil Sutter2020-05-111-0/+47
| | | | | | | | | | | | | | | | | | Wrap every call to $XT_MULTI with valgrind, or actually a wrapper script which does the valgrind wrap and stores the log if it contains something relevant. Carefully name the wrapper script(s) so that test cases' checks on $XT_MULTI name stay intact. This mode slows down testsuite execution horribly. Luckily, it's not meant for constant use, though. For now, ignore commands with non-zero exit status - error paths typically hit direct exit() calls and therefore leave reachable memory in place. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for '-F' in iptables dumpsPhil Sutter2020-05-111-0/+34
| | | | | | | | | | | When restoring a dump which contains an explicit flush command, previously added rules are removed from cache and the following commit will try to create netlink messages based on freed memory. Fix this by weeding any rule-based commands from obj_list if they address the same chain. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Optimize caching for flush commandPhil Sutter2020-05-113-1/+39
| | | | | | | | | | | | | | | | | | When flushing all chains and verbose mode is not enabled, nft_rule_flush() uses a shortcut: It doesn't specify a chain name for NFT_MSG_DELRULE, so the kernel will flush all existing chains without user space needing to know which they are. The above allows to avoid a chain cache, but there's a caveat: nft_xt_builtin_init() will create base chains as it assumes they are missing and thereby possibly overrides any non-default chain policies. Solve this by making nft_xt_builtin_init() cache-aware: If a command doesn't need a chain cache, there's no need to bother with creating any non-existing builtin chains, either. For the sake of completeness, also do nothing if cache is not initialized (although that shouldn't happen). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Fetch cache for specific chainsPhil Sutter2020-05-113-8/+81
| | | | | | | | | | | | | | | | | Iterate over command list and collect chains to cache. Insert them into a sorted list to pass to __nft_build_cache(). If a command is interested in all chains (e.g., --list), cmd->chain remains unset. To record this case reliably, use a boolean ('all_chains'). Otherwise, it is hard to distinguish between first call to nft_cache_level_set() and previous command with NULL cmd->chain value. When caching only specific chains, manually add builtin ones for the given table as well - otherwise nft_xt_builtin_init() will act as if they don't exist and possibly override non-default chain policies. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-cache: Introduce __fetch_chain_cache()Phil Sutter2020-05-111-20/+30
| | | | | | | Extract the inner part of fetch_chain_cache() into a dedicated function, preparing for individual chain caching. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-cache: Fetch cache per tablePhil Sutter2020-05-117-44/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | Restore per-table operation of cache routines as initially implemented in commit e2883c5531e6e ("nft-cache: Support partial cache per table"). As before, this doesn't limit fetching of tables (their number is supposed to be low) but instead limits fetching of sets, chains and rules to the specified table. For this to behave correctly when restoring without flushing over multiple tables, cache must be freed fully after each commit - otherwise the previous table's cache level is reused for the current one. The exception being fake cache, used for flushing restore: NFT_CL_FAKE is set just once at program startup, so it must stay set otherwise consecutive tables cause pointless cache fetching. The sole use-case requiring a multi-table cache, iptables-save, is indicated by req->table being NULL. Therefore, req->table assignment is a bit sloppy: All calls to nft_cache_level_set() are assumed to set the same table value, collision detection exists merely to catch programming mistakes. Make nft_fini() call nft_release_cache() instead of flush_chain_cache(), the former does a full cache deinit including cache_req contents. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Introduce struct nft_cache_reqPhil Sutter2020-05-112-16/+22
| | | | | | | | | | This embedded struct collects cache requirement info gathered from parsed nft_cmds and is interpreted by __nft_build_cache(). While being at it, remove unused parameters passed to the latter function, nft_handle pointer is sufficient. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Improve fake cache integrationPhil Sutter2020-05-113-15/+4
| | | | | | | | With NFT_CL_FAKE being highest cache level while at the same time __nft_build_cache() treating it equal to NFT_CL_TABLES, no special handling for fake cache is required anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Simplify rule and set fetchersPhil Sutter2020-05-111-15/+5
| | | | | | | | | | | | Since no incremental cache fetching happens anymore, code fetching rules for chains or elements for sets may safely assume that whatever is in cache also didn't get populated with rules or elements before. Therefore no (optional) chain name needs to be passed on to fetch_rule_cache() and fetch_set_cache() doesn't have to select for which sets in a table to call set_fetch_elem_cb(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: missing nft_fini() call in bridge familyPablo Neira Ayuso2020-05-111-0/+2
| | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>