commit ad5b55761956427f61ed9c96961bf9c5cd4f92dc
Author: Alban Browaeys <alban.browaeys@gmail.com>
Date: Mon Feb 6 23:50:33 2017 +0100
netfilter: xt_hashlimit: Fix integer divide round to zero.
http://patchwork.ozlabs.org/patch/724800/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sync with latest OpenBSD release.
Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix wrong appending of jump verdict after the comment
For example:
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
Note that even without a comment in double quotes (i.e. --comment
"foobar"), it will add quotes:
$ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
Attempting to apply the translated/generated rule will result in:
$ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
<cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting endof file or newline or semicolon
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment "foobar"jump LONGNACCEPT
After this patch:
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
which is the correct translation.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Reviewed-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
For example:
# iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
# iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
# ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means an "||"
relationship, so we cannot translate it to one single nft rule;
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accept-local" is combined with "--invert", it means an "&&"
relationship, so the translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
--connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter
# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 \
--connbytes-dir reply --connbytes-mode packets
nft add rule ip filter OUTPUT ct reply packets lt 200 counter
# iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 \
--connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes 200-600 counter
# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 \
--connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes != 200-600 counter
# iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 \
--connbytes-dir both --connbytes-mode avgpkt
nft add rule ip filter OUTPUT ct avgpkt 200 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Replace gethostbyaddr() with getnameinfo(), as getnameinfo()
deprecates the former and allows programs to
eliminate IPv4-versus-IPv6 dependencies.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove unnecessary debug code
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Between revisions, the layout of xtables data may change completely.
Do not interpret the data in a revision M with a module of revision N.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Exercise the new kernel feature introduced in commit 2c16d6033264
("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs.
The new interface allows instantiating a bpf match using
-m bpf --object-pinned ${PATH}
where ${PATH} points to a node in a bpf virtual filesystem. See
also the revised man page.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -j LOG --log-uid
nft add rule ip filter OUTPUT counter log flags skuid
# iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
--log-tcp-options
nft add rule ip filter OUTPUT counter log flags tcp sequence,options
# iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
nft add rule ip filter OUTPUT counter log level debug flags skuid
# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags ip options flags ether
# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
--log-tcp-sequence --log-tcp-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags all
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes TCP flags matches:
| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop
Although the generated rule is syntactically correct and accepted by
nft, it will be interpreted in a different way than expected since
binary AND takes precedence over OR.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
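The two groupings of the rule from this commit message, as an added example that is not part of the commit or of the iptables project. It assumes nft reads the unparenthesised form as `((flags & fin) | syn) == (fin|syn)`, consistent with AND binding tighter than OR, and uses the standard TCP flag bit values.

```python
# Added example (not iptables code): shows why the unparenthesised nft
# translation of '--tcp-flags SYN,FIN SYN,FIN' matches the wrong packets.
# Standard bit values of the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "fin"), (SYN, "syn"), (RST, "rst"),
              (PSH, "psh"), (ACK, "ack"), (URG, "urg"))


def flag_names(flags: int) -> str:
    """Render a flags byte as 'fin,syn,...' ('none' when no flag is set)."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return ",".join(names) or "none"


def iptables_match(flags: int) -> bool:
    """iptables semantics of '--tcp-flags SYN,FIN SYN,FIN': mask the packet
    with SYN|FIN and require exactly SYN|FIN to remain."""
    return (flags & (FIN | SYN)) == (FIN | SYN)


def nft_unparenthesised(flags: int) -> bool:
    """'tcp flags & fin|syn == fin|syn' as nft groups it when & binds tighter
    than | (assumption: the left-hand side becomes (flags & fin) | syn)."""
    return ((flags & FIN) | SYN) == (FIN | SYN)


def nft_parenthesised(flags: int) -> bool:
    """'tcp flags & (fin|syn) == fin|syn', the translation after the fix."""
    return (flags & (FIN | SYN)) == (FIN | SYN)


def divergent_packets() -> list:
    """All 6-bit flag combinations on which the unparenthesised translation
    disagrees with the original iptables rule (FIN set, SYN clear)."""
    return [flag_names(f) for f in range(0x40)
            if nft_unparenthesised(f) != iptables_match(f)]


def fixed_translation_is_equivalent() -> bool:
    """The parenthesised form must agree with iptables on every combination."""
    return all(nft_parenthesised(f) == iptables_match(f) for f in range(0x40))


if __name__ == "__main__":
    # FIN-only packets are dropped by the broken rule but not by iptables.
    for combo in divergent_packets():
        print(f"{combo:>20}: broken translation matches, iptables does not")
    print("fixed translation equivalent:", fixed_translation_is_equivalent())
```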
This makes the type of translated chains in the nat table 'nat'
instead of 'filter', which is incorrect.
Verified like so:
| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade
Ditto for ip6tables-restore-translate.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This was an annoying bug in the translator since it silently dropped
crucial information which is easily overlooked:
| $ iptables-translate -A INPUT -s 192.168.0.0/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 192.168.0.0 counter accept
| $ ip6tables-translate -A INPUT -s feed:babe::/64 -j ACCEPT
| nft add rule ip6 filter INPUT ip6 saddr feed:babe:: counter accept
To my surprise, this fix works really well in all kinds of situations:
| $ iptables-translate -A INPUT -s 1.2.3.4/0 -j ACCEPT
| nft add rule ip filter INPUT counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/23 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.2.0/23 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.0/24 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/32 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.4 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/255.255.0.0 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.0.0/16 counter accept
Ditto for IPv6.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
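A reconstruction of the corrected address handling, as an added example that is not code from the iptables project: it relies on Python's ipaddress module (strict=False clears the host bits, which is what the fixed translator does) and reproduces the outputs listed in this commit message.

```python
# Added example (not iptables code): translate an iptables -s/-d argument
# into the nft address match, keeping the prefix length the old code dropped.
import ipaddress


def xlate_addr(spec: str, direction: str = "saddr") -> str:
    """Translate 'addr', 'addr/prefix' or (IPv4 only) 'addr/dotted.netmask'.

    Returns '' for a /0 mask (it matches everything, so no expression is
    emitted), a bare address for a host mask, and otherwise 'network/prefix'
    with the host bits cleared.
    """
    net = ipaddress.ip_network(spec, strict=False)  # strict=False masks host bits
    if net.prefixlen == 0:
        return ""
    family = "ip" if net.version == 4 else "ip6"
    if net.prefixlen == net.max_prefixlen:
        return f"{family} {direction} {net.network_address}"
    return f"{family} {direction} {net.network_address}/{net.prefixlen}"


def translate_rule(chain: str, src: str, verdict: str) -> str:
    """Build the 'nft add rule' line for '-A <chain> -s <src> -j <verdict>'
    in the filter table, mirroring the commit's iptables-translate output."""
    family = "ip" if ipaddress.ip_network(src, strict=False).version == 4 else "ip6"
    parts = ["nft add rule", family, "filter", chain]
    match = xlate_addr(src)
    if match:
        parts.append(match)
    parts += ["counter", verdict.lower()]
    return " ".join(parts)


# The cases from the commit message (constructed from its listed output).
COMMIT_EXAMPLES = (
    ("192.168.0.0/24", "nft add rule ip filter INPUT ip saddr 192.168.0.0/24 counter accept"),
    ("feed:babe::/64", "nft add rule ip6 filter INPUT ip6 saddr feed:babe::/64 counter accept"),
    ("1.2.3.4/0", "nft add rule ip filter INPUT counter accept"),
    ("1.2.3.4/23", "nft add rule ip filter INPUT ip saddr 1.2.2.0/23 counter accept"),
    ("1.2.3.4/24", "nft add rule ip filter INPUT ip saddr 1.2.3.0/24 counter accept"),
    ("1.2.3.4/32", "nft add rule ip filter INPUT ip saddr 1.2.3.4 counter accept"),
    ("1.2.3.4/255.255.0.0", "nft add rule ip filter INPUT ip saddr 1.2.0.0/16 counter accept"),
)


def check_commit_examples() -> bool:
    """True when every case from the commit message translates as listed."""
    return all(translate_rule("INPUT", spec, "ACCEPT") == expected
               for spec, expected in COMMIT_EXAMPLES)


if __name__ == "__main__":
    for spec, _ in COMMIT_EXAMPLES:
        print(f"-s {spec:<22} -> {translate_rule('INPUT', spec, 'ACCEPT')}")
    print("all commit examples reproduced:", check_commit_examples())
```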
Looks like this bit was simply forgotten when implementing
xlate_chain_set() as everything needed was there to just print the
desired policy along with the chain definition.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is actually a limitation of ip6tables:
| # ip6tables -A INPUT -p ah -j ACCEPT
| Warning: never matched protocol: ah. use extension match instead.
The working alternative is like so:
| # ip6tables -A INPUT -m ah -j ACCEPT
But upon translating, this statement gets ignored:
| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| nft add rule ip6 filter INPUT counter accept
This patch (ab)uses the 'space' variable to check if a parameter to the
'ah' match was present and if not translates the match into an extension
header check:
| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| add rule ip6 filter INPUT meta l4proto ah counter accept
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clang's static analyzer flagged the shift this patch removes as
shifting a garbage value. Looks like `m` isn't used at all anyway, so
we can simply remove it.
Signed-off-by: George Burgess IV <gbiv@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
nfct_labels_get_path() requires libnetfilter_conntrack-1.0.6, update
this dependency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The email address has changed, let's update it.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Replace gethostbyname() with getaddrinfo() as getaddrinfo()
deprecates the former and allows programs to eliminate
IPv4-versus-IPv6 dependencies.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Replace gethostbyname() with getaddrinfo() as getaddrinfo()
deprecates the former and allows programs to eliminate
IPv4-versus-IPv6 dependencies.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo suggested to print full config file path for connlabel.conf
parsing errors.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
Note that mode random is not completely supported in nft, so:
# iptables-translate -A OUTPUT -m statistic --mode random \
--probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -j DSCP --set-dscp 1
nft add rule ip filter OUTPUT counter ip dscp set 0x01
# ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6
nft add rule ip6 filter OUTPUT counter ip6 dscp set 0x06
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -m quota --quota 111
nft add rule ip filter OUTPUT quota 111 bytes counter
# iptables-translate -A OUTPUT -m quota ! --quota 111
nft add rule ip filter OUTPUT quota over 111 bytes counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When translating to nft rules, an ipcompspi range is not supported, so:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3 counter
Apply this patch:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1-2 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3-30 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We forgot to put "!=" when devgroup can be mapped to a name, so the translation
is wrong:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter
Apply this patch:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup != default counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter
Apply this patch:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter
# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft will complain about a syntax error if we use "ip saddr" or "ip daddr" in
the ip6 family, so the current translation is wrong:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
^^
Apply this patch:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip6 saddr 2003::1-2003::3 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We missed a blank space when translating to nft, so if rt_realm can be
mapped to a name, the result looks ugly:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassidcosmos counter
^
Apply this patch:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassid cosmos counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million; version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
and xt_hashlimit_mtinfo2 and also create newer versions of all the
functions for match, checkentry and destroy.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the
end of the names.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
is specified
It is better to add square brackets to the ip6 address in the nft translation
output when the port is specified. This keeps it consistent with the
nft syntax.
Before this patch:
# ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
[123::4]:1
nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to 123::4 :1
# ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
[123::4-123::8]:1
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 123::4-123::8 :1
Apply this patch:
# ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
[123::4]:1
nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to [123::4]:1
# ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
[123::4-123::8]:1
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to [123::4]-[123::8]:1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If quotes are escaped, nft -f is unable to parse and load the translated
ruleset.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition, with the new checks of
ruleset compatibility, the rule list is loaded one more time.
Now all the operations causing changes in the ruleset must invalidate
the cache; a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1
Apply this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
After commit "src: add 'to' for snat and dnat" in nftables tree,
we should recommend the end user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
nft add rule ip nat POSTROUTING counter snat 1.1.1.1
# ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
2001::1
nft add rule ip6 nat PREROUTING counter dnat 2001::1
Apply this patch:
# iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
nft add rule ip nat POSTROUTING counter snat to 1.1.1.1
# ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
2001::1
nft add rule ip6 nat PREROUTING counter dnat to 2001::1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When I wanted to translate the SNAT target to an nft rule, an error message
was printed out:
# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM
Because ipt_natinfo{} starts with an xt_entry_target{}, when we
get the ipt_natinfo pointer we should use the target itself,
not its data pointer. Yes, it is a little tricky and it's different
from other targets.
Fixes: 7a0992da44cf ("src: introduce struct xt_xlate_{mt,tg}_params")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-restore was missing -n, -T and -M from the
usage message, added them to match the man page.
Cleaned-up other *restore files as well.
Signed-off-by: Brian Haley <brian.haley@hpe.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The comment_xlate function was not supporting this option that is
necessary in some situations.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The static function nft_rule_list_get was exposed outside nft.c through
the nft_rule_list_create function, but this was never used out there.
A similar situation occurs with nftnl_rule_list_free and
nft_rule_list_destroy.
This patch removes nft_rule_list_create and nft_rule_list_destroy for
the sake of simplicity.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For example:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff
nft add rule ip filter OUTPUT counter meta priority set root
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234
nft add rule ip filter OUTPUT counter meta priority set 1:234
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The xt_bpf module applies BPF bytecode to the packet. Depending on
where the module is invoked, the kernel may pass a packet with or
without link layer header. Iptables has no such header.
A common `tcpdump -ddd <string>` compilation command may revert to
a physical device that generates code for packets starting from the
mac layer up (e.g., E10MB data link type: Ethernet).
Clarify in the man page that when using this tool for code generation,
a suitable target device must be chosen.
Netfilter Bugzilla Bug #1048
Reported-by: Lorenzo Pistone <blaffablaffa@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip[6]tables-compat -L was not printing the comments since commit
d64ef34a9961 ("iptables-compat: use nft built-in comments support").
This patch solves the issue.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The footnote is a clarification of the option argument documentation, so keep the
indentation level the same as for the arguments.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.
After applying this patch, the translation becomes:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Some translations included escaped quotes when they were called from
nft:
$ sudo nft list ruleset
table ip mangle {
chain FORWARD {
type filter hook forward priority -150; policy accept;
ct helper \"ftp\" counter packets 0 bytes 0
^^ ^^
}
}
This behavior is only correct when xlate functions are called from an
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>