| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For nft, asterisk is special at end of the interface name only. Escaping
it mid-string makes the escape char part of the interface name, so avoid
this.
In the test case, also drop the ticks around interface names in
*-translate command - since there's no shell involved which would eat
them, they become part of the interface name.
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
It is just a hack to translate '! -i +' into a never matching nft rule,
but recognize it anyway for completeness' sake and to make xlate replay
test pass.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It's actually nonsense since it will never match, but iptables accepts
it and the resulting nftables rule must behave identically. Reuse the
solution implemented into xtables-translate (by commit e179e87a1179e)
and turn the above match into 'iifname INVAL/D'.
The commit this fixes merely ignored the fact that "any interface" match
might be inverted.
Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Since nft adds the interface name as fixed-size string of 16 bytes,
filling a mask based on the length value will not match the mask nft
set.
Fixes: 652b98e793711 ("xtables-compat: fix wildcard detection")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
After applying the translated rule using nft, pass the untranslated rule
to --check instead of dumping the ruleset and performing a string
search. This fixes for mandatory match reordering (e.g. addresses before
interfaces) and minor differences like /32 netmasks or even just
whitespace changes.
Fixes: 223e34b057b95 ("tests: xlate-test: Replay results for reverse direction testing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Sadly, '-C' is in use already for --change-counters (even though
ebtables-nft does not implement this), so add a long-option only. It is
needed for xlate testsuite in replay mode, which will use '--check'
instead of '-C'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a rule, valgrind prints:
Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s)
at 0x4A8165A: setsockopt (in /lib64/libc.so.6)
by 0x4857A48: iptc_commit (libiptc.c:2676)
by 0x10E4BB: iptables_main (iptables-standalone.c:61)
by 0x49A3349: (below main) (in /lib64/libc.so.6)
Address 0x4b63788 is 40 bytes inside a block of size 1,448 alloc'd
at 0x484659F: calloc (vg_replace_malloc.c:1328)
by 0x4857654: iptc_commit (libiptc.c:2564)
by 0x10E4BB: iptables_main (iptables-standalone.c:61)
by 0x49A3349: (below main) (in /lib64/libc.so.6)
This is because repl->counters is not initialized upon allocation. Since
the field is an array, make use of calloc() which implicitly does the
initialization.
Fixes: e37c0dc100c51 ("Revert the recent addition of memset()'s to TC_COMMIT. One of them is bogus and the other one needs more investigation to why valgrind is complaining.")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
This is merely to make valgrind happy, but less noise means less real
issues missed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a rule with a target which defines a udata_size, valgrind
prints:
8 bytes in 1 blocks are definitely lost in loss record 1 of 1
at 0x484659F: calloc (vg_replace_malloc.c:1328)
by 0x486B128: xtables_calloc (xtables.c:434)
by 0x1128B4: xs_init_target (xshared.c:238)
by 0x113CD3: command_jump (xshared.c:877)
by 0x114969: do_parse (xshared.c:1644)
by 0x10EEB9: do_command4 (iptables.c:691)
by 0x10E45B: iptables_main (iptables-standalone.c:59)
by 0x49A2349: (below main) (in /lib64/libc.so.6)
It is not sufficient to free cs.target->t, so call
xtables_clear_iptables_command_state() which takes care of all the
details.
Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
This is nft_clear_iptables_command_state() but in a location reachable
by legacy iptables, too.
Changes callers in non-family-specific code to use clear_cs callback
instead of directly calling it - ebtables still has a custom variant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a rule in verbose mode, valgrind prints:
192 bytes in 1 blocks are definitely lost in loss record 1 of 2
at 0x48417E5: malloc (vg_replace_malloc.c:381)
by 0x486B158: xtables_malloc (xtables.c:446)
by 0x486C1F6: xtables_find_match (xtables.c:826)
by 0x10E684: print_match (iptables.c:115)
by 0x10E684: print_firewall (iptables.c:169)
by 0x10FC0C: print_firewall_line (iptables.c:196)
by 0x10FC0C: append_entry (iptables.c:221)
by 0x10FC0C: do_command4 (iptables.c:776)
by 0x10E45B: iptables_main (iptables-standalone.c:59)
by 0x49A2349: (below main) (in /lib64/libc.so.6)
200 bytes in 1 blocks are definitely lost in loss record 2 of 2
at 0x48417E5: malloc (vg_replace_malloc.c:381)
by 0x486B158: xtables_malloc (xtables.c:446)
by 0x486BBD6: xtables_find_target (xtables.c:956)
by 0x10E579: print_firewall (iptables.c:145)
by 0x10FC0C: print_firewall_line (iptables.c:196)
by 0x10FC0C: append_entry (iptables.c:221)
by 0x10FC0C: do_command4 (iptables.c:776)
by 0x10E45B: iptables_main (iptables-standalone.c:59)
by 0x49A2349: (below main) (in /lib64/libc.so.6)
If the match/target was cloned, it needs to be freed. Basically a bug since
day 1.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When zeroing a specific rule, valgrind reports:
40 bytes in 1 blocks are definitely lost in loss record 1 of 1
at 0x484659F: calloc (vg_replace_malloc.c:1328)
by 0x48DE128: xtables_calloc (xtables.c:434)
by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071)
by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236)
by 0x119AF5: nft_rule_zero_counters (nft.c:2877)
by 0x11A3CA: nft_prepare (nft.c:3445)
by 0x11A7A8: nft_commit (nft.c:3479)
by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94)
by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118)
by 0x49F2349: (below main) (in /lib64/libc.so.6)
Have to free the matches/target in populated iptables_command_state object
again. While being at it, call the proper family_ops callbacks since this is
family-agnostic code.
Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Freeing only if 'created' is non-zero is wrong - the data was still
allocated. In fact, the field is supposed to prevent only the call to
openChain().
Fixes: 8d3eccb19a9c6 ("Add iptables-xml tool (Amin Azez <azez@ufomechanic.net>)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running 'iptables-restore -t', valgrind reports:
1,496 (160 direct, 1,336 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
at 0x48417E5: malloc (vg_replace_malloc.c:381)
by 0x4857A46: alloc_handle (libiptc.c:1279)
by 0x4857A46: iptc_init (libiptc.c:1342)
by 0x1167CE: create_handle (iptables-restore.c:72)
by 0x1167CE: ip46tables_restore_main (iptables-restore.c:229)
by 0x116DAE: iptables_restore_main (iptables-restore.c:388)
by 0x49A2349: (below main) (in /lib64/libc.so.6)
Free the handle pointer before parsing the next table.
Fixes: 1c9015b2cb483 ("libiptc: remove indirections")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Valgrind is run as user nobody, let everyone write into the temporary
directory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Use meta random and bitops to replicate what xt_statistics
is doing.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ebtables-nft-save will fail with
"unknown meta key" when decoding "among" emulation with ipv4 or ipv6
addresses included.
This is because "meta protocol ip" is used as a dependency, but
its never decoded anywhere.
Skip this for now to restore the "ebtables/0006-flush_0"
test case.
Fixes: 25883ce88bfb ("nft: check for unknown meta keys")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feed the nft expected output found in the .txlate test files to
nft -f via pipe/stdin directly without the shell mangling it.
The shell step isn't needed anymore because xtables-translate no longer
escapes quotes.
We only need to remove the "nft '" and trailing "'" because nft doesn't
expect those.
v3: handle multi-line expectations such as libxt_connlimmit.txlate (Phil Sutter)
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Now that xtables-translate encloses the entire command line in ', update
the test cases accordingly.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Its not necessary to escape " characters, we can let xtables-translate
print the entire translation/command enclosed in '' chracters, i.e. nft
'add rule ...', this also takes care of [, { and other special characters
that some shells might parse otherwise (when copy-pasting translated output).
The escape_quotes struct member is retained to avoid an ABI breakage.
This breaks all xlate test cases, fixup in followup patches.
v3: no need to escape ', replace strcmp(x, "") with x[0] (Phil Sutter)
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Found this on disk, maybe there was a problem with this and among match
at some point? Anyway, it is relevant again since it fails recently.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Print a space after separating commas.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
No point in having this. Interestingly, other test cases even made up
for it.
Fixes: 0afd957f6bc03 ("extensions: libxt_state: add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Drop code which is used explicitly to deal with spacing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Try to eliminate most of the whitespace issues by separating strings
from separate xt_xlate_add() calls by whitespace if needed.
Cover the common case of consecutive range, list or MAC/IP address
printing by inserting whitespace only if the string to be appended
starts with an alphanumeric character or a brace. The latter helps to
make spacing in anonymous sets consistent.
Provide *_nospc() variants which disable the auto-spacing for the
mandatory exception to the rule.
Make things round by dropping any trailing whitespace before returning
the buffer via xt_xlate_get().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Kernel ignores 'hdrres' field, this matching on reserved field value was
never effective.
While being at it, drop its description from man page. Continue to parse
and print it for compatibility reasons, but avoid attracting new users.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Matching on fragmentation header length is ineffective in kernel, xlate
callback correctly ignores it. Add a comment as a hint for reviewers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Several log flags are ignored by the function. Add a comment explaining
why this is correct.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
A simple task since 'tcp option' expression exists.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Catch unexpected values in einfo->ip_ect.
Fixes: ca42442093d3d ("iptables: extensions: libxt_ecn: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Translation entirely ignored tos_mask field.
Fixes: b669e18489709 ("extensions: libxt_TOS: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Data structures are identical and the translation is layer3-agnostic.
Fixes: bebce197adb42 ("iptables: iptables-compat translation for TCPMSS")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Since markinfo->mode might contain unexpected values, add a default case
returning zero.
Fixes: afefc7a134ca0 ("extensions: libxt_MARK: Add translation for revision 1 to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bail out if nfmask != ctmask with XT_CONNMARK_SAVE and
XT_CONNMARK_RESTORE. Looks like this needs a similar implementation to
the one for XT_CONNMARK_SET.
Fix shift mark translation: xt_connmark_shift_ops does not contain
useful strings for nftables. Also add needed braces around the term
being shifted.
Fixes: db7b4e0de960c ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Catch unexpected values in info->mode, also fix indenting.
Fixes: 1b320a1a1dc1f ("extensions: libipt_ttl: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The callback is supposed to return 1 on success, not 0.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
The false suffix effectively disabled this test file, but it also has
problems: Apart from brmark_xlate() printing 'meta mark' instead of just
'mark', target is printed in the wrong position (like with any other
target-possessing extension.
Fixes: e67c08880961f ("ebtables-translate: add initial test cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Target value is constructed setting all non-target bits to one instead
of zero.
Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We always return 0, even if we printed some error message half-way.
Increment an error counter whenever an error message was printed so that
the chain-loop can exit with an error if this counter is nonzero.
Another effect is that iptables-save will no longer print the COMMIT line anmore.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Set ->errmsg when the meta key isn't supported by iptables-nft instead
of pretending everything is fine.
The old code is good enough to handle rules added by iptables-nft, but
its not enough to handle rules added by native nft.
At least make sure that there is a an error message telling that
iptables-nft could not decode the entire ruleset.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
In v1.8.8, the second bitwise changed the first one, messing
iptables-nft-save output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Replace nftnl_expr_get_data() alias by real function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Replace alias to real nftnl_nlmsg_build_hdr() function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Since basic_exit_err() appends a newline to the message itself, drop
explicit ones.
While being at it, fix indentation and join texts split over multiple
lines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Merge all four copies of the ICMP/ICMPv6/IGMP parameter parsing code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Put the most extensive version of icmp_codes, icmpv6_codes and
igmp_codes into the header. Have to rename the function
xt_print_icmp_types's parameter to avoid a compiler warning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The libxtables function covers all formerly supported inputs (and more).
The extended libebt_arp.t passes before and after this patch.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Update the local copy of linux/netfilter_bridge/ebt_ip.h and include it
instead of keeping the local copy of struct ebt_ip_info et al.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Data structures were identical already, make use of the names in
xt_LOG.h and merge all code into a single extension of family
NFPROTO_UNSPEC.
While being at it, define SYSLOG_NAMES and use the array in syslog.h
instead of dragging along an own level->name mapping two times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The same algorithm was present four times, outsource it. Also use
max()/min() macros for a more readable boundary notation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
