Commit message | Author | Age | Files | Lines
* extensions: SECMARK: Implement revision 1 (HEAD, master) | Phil Sutter | 8 days | 3 | -20/+80
    The changed data structure for communication with the kernel allows excluding the field 'secid', which is populated on the kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content.
    Signed-off-by: Phil Sutter <>
* nft-arp: Make use of ipv4_addr_to_string() | Phil Sutter | 12 days | 3 | -94/+14
    This eliminates quite a bit of redundant code apart from also dropping use of the obsolete function gethostbyaddr().
    Signed-off-by: Phil Sutter <>
* Eliminate inet_aton() and inet_ntoa() | Phil Sutter | 12 days | 2 | -11/+18
    Both functions are obsolete; replace them by equivalent calls to inet_pton() and inet_ntop().
    Signed-off-by: Phil Sutter <>
* extensions: sctp: Explain match types in man page | Phil Sutter | 12 days | 1 | -0/+11
    They weren't mentioned at all.
    Signed-off-by: Phil Sutter <>
* nft: Increase BATCH_PAGE_SIZE to support huge rulesets | Phil Sutter | 2021-04-10 | 1 | -5/+7
    In order to support the same ruleset sizes as legacy iptables, the kernel's limit of 1024 iovecs has to be overcome. Therefore increase each iovec's size from 128KB to 2MB.
    While being at it, add a log message for a failing sendmsg() call. This is not supposed to happen, even if the transaction fails. Yet if it does, users are left with only a "line XXX failed" message (with the line number being the COMMIT line).
    Signed-off-by: Phil Sutter <>
    Signed-off-by: Florian Westphal <>
* nft: cache: Sort chains on demand only | Phil Sutter | 2021-04-06 | 5 | -13/+73
    Mandatory sorted insert of chains into the cache significantly slows down restoring of large rulesets. Since the sorted list of user-defined chains is needed for listing and verbose output only, introduce nft_cache_sort_chains() and call it where needed.
    Signed-off-by: Phil Sutter <>
* fix build for missing ETH_ALEN definition | Maciej Żenczykowski | 2021-04-03 | 1 | -0/+1
    (this is needed at least with bionic)
    Signed-off-by: Maciej Żenczykowski <>
    Signed-off-by: Florian Westphal <>
* extensions: libxt_conntrack: use bitops for status negation | Alexander Mikhalitsyn | 2021-04-02 | 2 | -10/+28
    At the moment, the status_xlate_print function prints statusmask as a comma-separated sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus condition then we have to use a more complex expression (if more than one flag is enabled) because nft does not support syntax like "ct status != expected,assured".
    Examples:
    ! --ctstatus CONFIRMED,ASSURED
    should be translated as
    ct status & (assured|confirmed) == 0
    ! --ctstatus CONFIRMED
    can be translated as
    ct status & confirmed == 0
    See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference).
    Reproducer:
    $ iptables -A INPUT -d -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
    $ nft list ruleset
    ...
    meta l4proto tcp ip daddr ct status != expected,assured counter packets 0 bytes 0 drop
    ...
    It will fail if we try to load this rule:
    $ nft -f nft_test
    ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
    Cc: Florian Westphal <>
    Signed-off-by: Alexander Mikhalitsyn <>
    Signed-off-by: Florian Westphal <>
* extensions: libxt_conntrack: use bitops for state negation | Alexander Mikhalitsyn | 2021-04-02 | 2 | -14/+29
    Currently, the state_xlate_print function prints statemask as a comma-separated sequence of enabled statemask flags. But if we have an inverted conntrack ctstate condition then we have to use a more complex expression because nft does not support syntax like "ct state != related,established".
    Reproducer:
    $ iptables -A INPUT -d -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
    $ nft list ruleset
    ...
    meta l4proto tcp ip daddr ct state != related,established counter packets 0 bytes 0 drop
    ...
    It will fail if we try to load this rule:
    $ nft -f nft_test
    ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
    Cc: Florian Westphal <>
    Signed-off-by: Alexander Mikhalitsyn <>
    Signed-off-by: Florian Westphal <>
* libxtables: Simplify xtables_ipmask_to_cidr() a bit | Phil Sutter | 2021-03-09 | 1 | -10/+5
    Reduce the whole mask matching into a single for-loop. No need for a shortcut; /32 masks will match in the first iteration.
    Signed-off-by: Phil Sutter <>
* xtables-translate: Fix translation of odd netmasks | Phil Sutter | 2021-03-09 | 4 | -15/+106
    Iptables supports netmasks which are not prefixes to match on (or ignore) arbitrary bits in an address. Yet nftables' prefix notation is available for real prefixes only, so translation is not as trivial: print bitmask syntax for those cases.
    Signed-off-by: Phil Sutter <>
* nft: Fix bitwise expression avoidance detection | Phil Sutter | 2021-03-09 | 2 | -1/+27
    Byte-boundary prefix detection was too sloppy: Any data following the first zero-byte was ignored. Add a follow-up loop making sure there are no stray bits in the designated host part.
    Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
    Signed-off-by: Phil Sutter <>
* iptables-nft: fix -Z option | Florian Westphal | 2021-02-24 | 2 | -1/+65
    It zeroes the rule counters, so it needs a fully populated cache. Add a test case to cover this.
    Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
    Signed-off-by: Florian Westphal <>
    Acked-by: Phil Sutter <>
* include: Drop libipulog.h | Phil Sutter | 2021-02-17 | 1 | -39/+0
    The file is not included anywhere; also it seems outdated compared to the one in libnetfilter_log (which also holds the implementation).
    Signed-off-by: Phil Sutter <>
    Acked-by: Pablo Neira Ayuso <>
* ebtables: Exit gracefully on invalid table names | Phil Sutter | 2021-01-28 | 1 | -4/+4
    Users are able to cause program abort by passing a table name that doesn't exist:
    | # ebtables-nft -t dummy -P INPUT ACCEPT
    | ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
    | Aborted
    Avoid this by checking table existence just like iptables-nft does upon parsing '-t' optarg. Since the list of tables is known and fixed, checking the given name's length is pointless. So just drop that check in return.
    With this patch in place, output looks much better:
    | # ebtables-nft -t dummy -P INPUT ACCEPT
    | ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
    | Perhaps iptables or your kernel needs to be upgraded.
    Signed-off-by: Phil Sutter <>
* configure: bump version for 1.8.7 release (v1.8.7) | Pablo Neira Ayuso | 2021-01-15 | 1 | -3/+3
    Update libtool version for libxtables since two new interfaces have been added:
    - xtables_parse_mac_and_mask()
    - xtables_print_well_known_mac_and_mask()
    Signed-off-by: Pablo Neira Ayuso <>
* tests/shell: Fix nft-only/0009-needless-bitwise_0 | Phil Sutter | 2021-01-15 | 1 | -1/+8
    For whatever reason, stored expected output contains false handles. To overcome this, filter the rule data lines from both expected and stored output before comparing.
    Fixes: 81a2e12851283 ("tests/shell: Add test for bitwise avoidance fixes")
    Signed-off-by: Phil Sutter <>
* nft: Avoid pointless table/chain creation | Phil Sutter | 2020-12-21 | 3 | -18/+82
    Accept a chain name in nft_xt_builtin_init() to limit the base chain creation to that specific chain only.
    Introduce nft_xt_builtin_table_init() to create just the table for situations where no builtin chains are needed but the command may still succeed in an empty ruleset, particularly when creating a custom chain, restoring base chains or adding a set for ebtables among match.
    Introduce nft_xt_fake_builtin_chains(), a function to call after the cache has been populated to fill empty base chain slots. This keeps ruleset listing output intact if some base chains do not exist (or even the whole ruleset is completely empty).
    Signed-off-by: Phil Sutter <>
* tests: shell: Drop any dump sorting in place | Phil Sutter | 2020-12-21 | 3 | -18/+5
    With iptables-nft-save output now sorted just like the legacy one, no sorting to unify them is needed anymore.
    Signed-off-by: Phil Sutter <>
* nft: cache: Sort custom chains by name | Phil Sutter | 2020-12-21 | 2 | -3/+14
    With base chains no longer residing in the tables' chain lists, they can easily be sorted upon insertion. This on one hand aligns custom chain ordering with legacy iptables and on the other makes it predictable, which is very helpful when manually comparing ruleset dumps for instance.
    Adjust the one ebtables-nft test case this change breaks (as wrong ordering is expected in there). The manual output sorting done for tests which apply to legacy as well as nft is removed in a separate patch.
    Signed-off-by: Phil Sutter <>
* nft: Introduce a dedicated base chain array | Phil Sutter | 2020-12-21 | 3 | -2/+45
    Preparing for sorted chain output, introduce a per-table array holding base chains indexed by nf_inet_hooks value. Since the latter is ordered correctly, iterating over the array will return base chains in expected order.
    Signed-off-by: Phil Sutter <>
* nft: Introduce struct nft_chain | Phil Sutter | 2020-12-21 | 7 | -66/+212
    Preparing for ordered output of user-defined chains, introduce a local datatype wrapping nftnl_chain. In order to maintain the chain name hash table, introduce nft_chain_list as well and use it instead of nftnl_chain_list.
    Signed-off-by: Phil Sutter <>
* nft: cache: Move nft_chain_find() over | Phil Sutter | 2020-12-21 | 3 | -17/+17
    It is basically just a cache lookup, hence fits better in here.
    Signed-off-by: Phil Sutter <>
* nft: Implement nft_chain_foreach() | Phil Sutter | 2020-12-21 | 5 | -96/+46
    This is just a fancy wrapper around nftnl_chain_list_foreach() with the added benefit of detecting invalid table names or uninitialized chain lists. This in turn allows dropping the checks in flush_rule_cache() and ignoring the return code of nft_chain_foreach(), as it fails only if the dropped checks had failed, too.
    Since this wrapper does the chain list lookup by itself, use of nft_chain_list_get() shrinks down to a single place, namely inside nft_chain_find(). Therefore fold it into the latter.
    Signed-off-by: Phil Sutter <>
* nft: cache: Introduce nft_cache_add_chain() | Phil Sutter | 2020-12-21 | 3 | -12/+19
    This is a convenience function for adding a chain to the cache, for now just a simple wrapper around nftnl_chain_list_add_tail().
    Signed-off-by: Phil Sutter <>
* nft: Fix selective chain compatibility checks | Phil Sutter | 2020-12-21 | 1 | -0/+6
    Since commit 80251bc2a56ed ("nft: remove cache build calls"), the 'chain' parameter passed to nft_chain_list_get() is no longer effective. Before, it was used to fetch only that single chain from the kernel when populating the cache. So the returned list of chains for which compatibility checks are done would contain only that single chain.
    Re-establish the single chain compat checking by introducing a dedicated code path to nft_is_chain_compatible() doing so.
    Fixes: 80251bc2a56ed ("nft: remove cache build calls")
    Signed-off-by: Phil Sutter <>
* xtables-monitor: | Florian Westphal | 2020-12-14 | 1 | -0/+3
    'LL=0x304' is not very convenient, print LOOPBACK instead.
    Signed-off-by: Florian Westphal <>
* xtables-monitor: print packet first | Florian Westphal | 2020-12-14 | 1 | -11/+23
    The trace mode should first print the packet that was received and then the rule/verdict.
    Furthermore, the monitor did sometimes print an extra newline.
    After this patch, output is more consistent with nft monitor.
    Signed-off-by: Florian Westphal <>
* xtables-monitor: fix packet family protocol | Florian Westphal | 2020-12-14 | 1 | -2/+2
    This prints the family passed on the command line (which might be 0). Print the table family instead.
    Signed-off-by: Florian Westphal <>
* xtables-monitor: fix rule printing | Florian Westphal | 2020-12-14 | 1 | -17/+15
    trace_print_rule does a rule dump. This prints unrelated rules in the same chain. Instead the function should only request the specific handle.
    Furthermore, flush the output buffer afterwards so this plays nice when output isn't a terminal.
    Signed-off-by: Florian Westphal <>
* extensions: dccp: Fix for DCCP type 'INVALID' | Phil Sutter | 2020-12-09 | 2 | -25/+45
    Support for matching on invalid DCCP type field values was pretty broken: While RFC4340 declares any type value from 10 to 15 invalid, the extension's type name 'INVALID' mapped to type value 10 only. Fix this by introduction of INVALID_OTHER_TYPE_MASK which has the remaining invalid type's bits set and apply it if bit 10 is set after parsing the type list.
    When printing, stop searching type names after printing 'INVALID' - unless numeric output was requested. The latter prints all actual type values. Since parsing types in numeric form is not supported, changing the output should not break existing scripts.
    When translating into nftables syntax, the code returned prematurely if 'INVALID' was among the list of types - thereby emitting invalid syntax. Instead print a real match for invalid types by use of a range expression.
    While being at it, fix syntax of translator output: If only '--dccp-types' was translated, the output contained an extra 'dccp'. On the other hand, if '--sport' and '--dport' was present, a required 'dccp' between the translations of both was missing.
    Fixes: e40b11d7ef827 ("add support for new 'dccp' protocol match")
    Fixes: c94a998724143 ("extensions: libxt_dccp: Add translation to nft")
    Signed-off-by: Phil Sutter <>
* tests/shell: Test for fixed extension registration | Phil Sutter | 2020-12-07 | 1 | -0/+25
    Use strace to look at iptables-restore behaviour with typically problematic input (conntrack revision 0 is no longer supported by current kernels) to make sure the fix in commit a1eaaceb0460b ("libxtables: Simplify pending extension registration") is still effective.
    Signed-off-by: Phil Sutter <>
* xshared: Merge some command option-related code | Phil Sutter | 2020-12-03 | 6 | -258/+89
    Add OPT_FRAGMENT define into the enum of other OPT_* defines at the right position and adjust the arptables-specific ones that follow accordingly. Appropriately adjust inverse_for_options array in xtables-arp.c.
    Extend optflags from iptables.c by the arptables values for the sake of completeness, then move it to xshared.h along with NUMBER_OF_OPT definition. As a side-effect, this fixes the wrong ordering of entries in arptables' 'optflags' copy.
    Add arptables-specific bits to commands_v_options table (the specific options are matches on ARP header fields; just treat them like the '-s' option). This is also just a cosmetic change, arptables doesn't have a generic_opt_check() implementation and hence doesn't use such a table.
    With things potentially ready for common use, move commands_v_options table along with generic_opt_check() and opt2char() into xshared.c and drop the local (identical) implementations from iptables.c, ip6tables.c, xtables.c and xtables-arp.c. While doing so, fix ordering of entries in that table: the row for CMD_ZERO_NUM was in the wrong position. Since all moved rows though are identical, this had no effect in practice.
    Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h")
    Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
    Signed-off-by: Phil Sutter <>
* xtables-arp: Don't use ARPT_INV_* | Phil Sutter | 2020-12-03 | 3 | -68/+53
    Arptables invflags are partly identical to IPT_INV_* ones but the bits are differently assigned. Eliminate this incompatibility by definition of the unique invflags in nft-arp.h on bits that don't collide with IPT_INV_* ones, then use those in combination with IPT_INV_* ones in arptables-specific code.
    Note that ARPT_INV_ARPPRO is replaced by IPT_INV_PROTO although these are in fact different options - yet since '-p' option is not supported by arptables, this does not lead to a collision.
    Signed-off-by: Phil Sutter <>
* libxtables: Extend MAC address printing/parsing support | Phil Sutter | 2020-12-03 | 11 | -266/+106
    Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows consolidating all the various duplicated implementations.
    The side-effects of this change are manageable:
    * arptables now accepts "BGA" as alias for the bridge group address
    * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least
    Signed-off-by: Phil Sutter <>
* Try to unshare netns by default | Phil Sutter | 2020-11-17 | 1 | -0/+7
    If the user did not explicitly request to "test netnamespace path", try an import of the 'unshare' module and call unshare() to avoid killing the local host's network by accident.
    Signed-off-by: Phil Sutter <>
* Accept multiple test files on commandline | Phil Sutter | 2020-11-17 | 1 | -2/+2
    This allows calling the script like so:
    | # ./ -n extensions/libebt_*.t
    Signed-off-by: Phil Sutter <>
* ebtables: Fix for broken chain renaming | Phil Sutter | 2020-11-17 | 3 | -3/+5
    Loading extensions pollutes 'errno' value, hence before using it to indicate failure it should be sanitized. This was done by the called function before the parsing/netlink split and not migrated by accident. Move it into calling code to clarify the connection.
    Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
    Signed-off-by: Phil Sutter <>
* tests: shell: update format of registers in bitwise payloads. | Pablo Neira Ayuso | 2020-11-16 | 1 | -5/+5
    libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases.
    Signed-off-by: Pablo Neira Ayuso <>
* tests/shell: Add test for bitwise avoidance fixes | Phil Sutter | 2020-11-10 | 1 | -0/+339
    Masked address matching was recently improved to avoid the bitwise expression if the given mask covers full bytes. Make use of nft netlink debug output to assert iptables-nft generates the right bytecode for each situation.
    Signed-off-by: Phil Sutter <>
* ebtables: Optimize masked MAC address matches | Phil Sutter | 2020-11-04 | 6 | -24/+30
    Just like with class-based prefix matches in iptables-nft, optimize masked MAC address matches if the mask is on a byte-boundary. To reuse the logic in add_addr(), extend it to accept the payload base value via parameter.
    Signed-off-by: Phil Sutter <>
* nft: Optimize class-based IP prefix matches | Phil Sutter | 2020-11-04 | 5 | -11/+30
    The payload expression works on byte-boundaries; leverage this with suitable prefix lengths.
    Signed-off-by: Phil Sutter <>
* configure: bump version for 1.8.6 release (v1.8.6) | Pablo Neira Ayuso | 2020-10-31 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <>
* tests: shell: Improve concurrent noflush restore test a bit | Phil Sutter | 2020-10-27 | 1 | -0/+14
    The described issue happens only if chain FOO does not exist at program start, so flush the ruleset after each iteration to make sure this is the case. Sadly the bug is still not 100% reproducible on my testing VM.
    While being at it, add a paragraph describing what exact situation the test is trying to provoke.
    Fixes: dac904bdcd9a1 ("nft: Fix for concurrent noflush restore calls")
    Signed-off-by: Phil Sutter <>
* nft: Fix for concurrent noflush restore calls | Phil Sutter | 2020-10-13 | 2 | -28/+83
    Transaction refresh was broken with regards to nft_chain_restore(): It created a rule flush batch object only if the chain was found in cache and a chain add object only if the chain was not found. Yet with concurrent ruleset updates, one has to expect both situations:
    * If a chain vanishes, the rule flush job must be skipped and instead the chain add job become active.
    * If a chain appears, the chain add job must be skipped and instead rules flushed.
    Change the code accordingly: Create both batch objects and set their 'skip' field depending on the situation in cache and adjust both in nft_refresh_transaction().
    As a side-effect, the implicit rule flush becomes explicit and all handling of implicit batch jobs is dropped along with the related field indicating such. Reuse the 'implicit' parameter of __nft_rule_flush() to control the initial 'skip' field value instead.
    A subtle caveat is vanishing of existing chains: Creating the chain add job based on the chain in cache causes a netlink message containing that chain's handle which the kernel dislikes. Therefore unset the chain's handle in that case.
    Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications")
    Signed-off-by: Phil Sutter <>
* libiptc: Avoid gcc-10 zero-length array warning | Phil Sutter | 2020-10-12 | 1 | -1/+1
    Gcc-10 doesn't like the use of zero-length arrays as last struct member to denote variable sized objects. The suggested alternative, namely to use a flexible array member as defined by C99, is problematic as that doesn't allow for said struct to be embedded into others. With the relevant structs being part of kernel UAPI, this can't be precluded though.
    The call to memcpy() which triggers the warning copies data from one struct xt_counters to another. Since this struct is flat and merely contains two u64 fields, one can use direct assignment instead which avoids the warning.
    Signed-off-by: Phil Sutter <>
* iptables-nft: fix basechain policy configuration | Pablo Neira Ayuso | 2020-10-08 | 2 | -1/+34
    Previous to this patch, the basechain policy could not be properly configured if it wasn't explicitly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore) trying to send an invalid ruleset to the kernel.
    Signed-off-by: Arturo Borrero Gonzalez <>
    Signed-off-by: Pablo Neira Ayuso <>
* nft: Fix error reporting for refreshed transactions | Phil Sutter | 2020-10-07 | 1 | -2/+3
    When preparing a batch from the list of batch objects in nft_action(), the sequence number used for each object is stored within that object for later matching against returned error messages. Though if the transaction has to be refreshed, some of those objects may be skipped, other objects take over their sequence number and errors are matched to skipped objects. Avoid this by resetting the skipped object's sequence number to zero.
    Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications")
    Signed-off-by: Phil Sutter <>
    Reviewed-by: Florian Westphal <>
* nft: Make batch_add_chain() return the added batch object | Phil Sutter | 2020-10-07 | 1 | -18/+17
    Do this so in a later patch the 'skip' field can be adjusted. While being at it, simplify a few callers and eliminate the need for a 'ret' variable.
    Signed-off-by: Phil Sutter <>
    Reviewed-by: Florian Westphal <>
* libxtables: Register multiple extensions in ascending order | Phil Sutter | 2020-10-07 | 1 | -6/+8
    The newly introduced ordered insert algorithm in xtables_register_{match,target}() works best if extensions of same name are passed in ascending revisions. Since this is the case in about all extensions' arrays, iterate over them from beginning to end.
    Signed-off-by: Phil Sutter <>