| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
make[2]: Entering directory '/home/jengelh/code/iptables/extensions'
CC libebt_limit.oo
In file included from ../iptables/nft.h:5:0,
from libebt_limit.c:21:
../iptables/nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
#include <libnftnl/rule.h>
^
compilation terminated.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to retore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Current code makes the assumption that !defined(__GLIBC__) means libc5
which is very unlikely the case nowadays.
Fixes compile error because of conflict between kernel and musl headers.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
On glibc, <sys/errno.h> is a synomym for <errno.h>.
<errno.h> is specified by POSIX, so use that.
Fixes compilation error with musl libc
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |\
| |
| |
| |
| |
| |
| |
| | |
Get this patch into master:
"Alignment problem between 64bit kernel 32bit userspace"
As Jozsef requests.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Sven-Haegar Koch reported the issue:
sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.
In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
which was introduced by the counter extension in ipset.
The patch fixes the alignment issue with introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the xtables_find_{match,target}
functions need to compare the family too.
We want to avoid this situation:
1) user first sets afinfo to IPv6
2) xtables_find_target() finds & load ip6t_REJECT and uses it
3) afinfo change to IPv4
4) user then tries to use ipt_REJECT
5) xtables_find_target() finds ip6t_REJECT instead (same target name)
6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
for (pos = list_entry((head)->next, typeof(*pos), member), \
^
libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry'
list_for_each_entry(c, &h->chains, list) {
^
[ Patch copied from one similar of Patrick McHardy on libnftnl ]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
xtables-eb.c:305:1: warning: empty declaration
} __attribute__((noreturn, format(printf,2,3)));
^
xtables-eb.c:311:2: warning: initialization makes '__attribute__((noreturn))' qualified function pointer from unqualified
.exit_err = ebt_print_error,
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Document limitations when in use with INPUT until we found a
better solution. Also fix up indent in the example section.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
$ iptables -A INPUT -m tcp --sport 6500:6400 -j ACCEPT
iptables v1.4.21: invalid portrange (min > max)
Error message added with d15fb34c
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Before this patch, rule deleting with -D produces segfault in rules
with no target.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previous to this patch, error reporting in ebtables-compat was like:
% ebtables-compat xxx
(null) v1.4.21: Bad argument : 'xxx'
Try `(null) -h' or '(null) --help' for more information.
While the original ebtables was:
% ebtables xxx
Bad argument : 'xxx'.
With this patch, we switch to:
% ebtables-compat xxx
Bad argument : 'xxx'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
Add support for the ebtables limit extension (match),
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
kernels 2.6.20 and later reject -m physdev in OUTPUT with
"using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore" error in dmesg.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| | |
This is an extra space, let's get rid of it.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
This patch adds support to arptables-compat for the CLASSIFY target.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Let's give support for the nflog extension (a watcher).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Space is misplaced.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Once the data that the compare expression provides have been digested.
For example:
-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
doesn't show anymore the following broken output via iptables-compat-save:
-A INPUT -i
+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Obsoleted by iptables-test.py in project root directory,
see extensions/*.t for the new test cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| | |
The inversion flag wasn't set in the match struct.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| | |
fail with vanilla 3.19.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| | |
wrong placement of ' ', i.e. we get
-j SNPT--src-pfx dead::/64 --dst-pfx 1c3::/64
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of using iptables-save-formatted files in the tests/ dir,
lets use the iptables-test.py framework for all matches/targets.
This obsoletes tests/ completely, will be removed in followup patch.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| | |
removed from kernel in 2003.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| | |
removed from the kernel December 2007.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| | |
removed from the kernel back in 2003.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
These two families only work under nft compat, so leave unset the fields
that we don't use. Basically, we need neither the module autoload code
nor the native get/setsockopt() revision infrastructure since we use the
one that nft_compat provides through nfnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch adds support to use the mangle target extensions, along with
the required changes in the surrounding code.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
xshared.c: In function ‘xtables_lock’:
xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
fails on 3.19 kernel:
xt_recent: hitcount (8) is larger than packets to be remembered (8) for table foo
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| | |
also add simple script to restore/save them.
run_qa.sh passes on standard-distro kernels.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The ebtables-compat branch provides the compatibility layer to run
ebtables extensions. Currently, only the following matches / targets /
watchers are supported:
* 802_3
* ip
* mark_m and mark
* log
The remaining ones should be easy to port them to on top of libxtables,
they will follow up later.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch adds the log 'watcher' extension.
The work was started by Giuseppe Longo <giuseppelng@gmail.com> and finised
by me.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
ebtables watchers are targets which always return EBT_CONTINUE.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Translate the mark target extension to the xtables-compat environment.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | | |
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Let's call extensions final checks.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There are some extension which may name-clash, for example:
* libxt_mark.so
* liebt_mark.so
Let's search first for AF-specific extension and then for the generic libxt_**.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This code can be cleaned up. No need for validation from userspace,
the kernel will reject incorrect options.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Translate mark_m match extension to the xtables-compat environment.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch adds the 'ip' match extension to ebtables-compat.
It involves adapting old ebtables extension code to the xtables-compat
environment.
For testing:
% sudo ebtables-compat -p 0x0800 --ip-src 1.1.1.1 -j ACCEPT
The patch includes a cached copy of the extension kernel header.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information
from packets in the bridge family.
Let's allow the add_payload() function to know in which base it should work.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Counters are missing in ebtables rules.
This patch includes them just before the target, so counters are incremented
when the rule is about to take his action.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Using two matches options results in two copies of the match being included
in the nft rule.
Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
% -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
[Note: the br_ip extension comes in a follow-up patch]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Parsing options will be overwritten if every time we load a match
the extension options are merged to the original options.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
