iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
outputs:
nft add rule ip filter INPUT ct status expected,assured counter
and
iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
produces nft list output:
chain INPUT {
ct status expected,assured counter packets 0 bytes 0 accept
}
which are correct.
However,
iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED
outputs:
nft # -A INPUT -m conntrack --ctstatus EXPECTED
and
iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED
produces nft list output:
chain INPUT {
counter packets 0 bytes 0 accept
}
neither of which is what is desired.
Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft"
included the following code in _conntrack3_mt_xlate():
    if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
        if (sinfo->status_mask == 1)
            return 0;
    ...
If the intention had been not to produce output when status_mask == 1,
it would have been written as:
        if (sinfo->status_mask == IPS_EXPECTED)
            return 0;
so it looks as though this is debugging code accidentally left in the
original patch.
Removing the lines:
        if (sinfo->status_mask == 1)
            return 0;
resolves the problems, and
iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED
outputs:
nft add rule ip filter INPUT ct status expected counter
and
iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED
produces nft list output:
chain INPUT {
ct status expected counter packets 0 bytes 0 accept
}
This commit also includes an additional txlate test to check when
only the status EXPECTED is specified.
Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft")
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
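The translation the commit above repairs, written out as a stand-alone example (added here; not iptables' own _conntrack3_mt_xlate() code). The IPS_* bit values are copied from the kernel's nf_conntrack_common.h; the rendering helper and its "before_fix" switch are this example's own, and the switch reproduces the stray "status_mask == 1" guard so the EXPECTED-only regression can be compared against the corrected output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel conntrack status bits (linux/netfilter/nf_conntrack_common.h), copied here */
#define IPS_EXPECTED   (1 << 0)   /* == 1: the bit the stray check matched */
#define IPS_SEEN_REPLY (1 << 1)
#define IPS_ASSURED    (1 << 2)
#define IPS_CONFIRMED  (1 << 3)

static const struct { uint8_t bit; const char *name; } status_names[] = {
    { IPS_EXPECTED, "expected" }, { IPS_SEEN_REPLY, "seen-reply" },
    { IPS_ASSURED, "assured" },   { IPS_CONFIRMED, "confirmed" },
};

/* Render "ct status [!=] a,b" for a --ctstatus mask. Returns characters written,
 * or 0 for "cannot translate" (which is what makes iptables-translate print
 * the rule as a "nft # ..." comment, as seen in the commit message above). */
static int ct_status_xlate(uint8_t mask, int invert, char *buf, size_t len)
{
    size_t off, i;
    int first = 1, n;
    if (mask == 0 || len == 0)
        return 0;
    n = snprintf(buf, len, "ct status %s", invert ? "!= " : "");
    if (n < 0 || (size_t)n >= len)
        return 0;
    off = (size_t)n;
    for (i = 0; i < sizeof(status_names) / sizeof(status_names[0]); i++) {
        if (!(mask & status_names[i].bit))
            continue;
        n = snprintf(buf + off, len - off, "%s%s", first ? "" : ",", status_names[i].name);
        if (n < 0 || (size_t)n >= len - off)
            return 0;               /* too small: refuse rather than truncate */
        off += (size_t)n;
        first = 0;
    }
    return (int)off;
}

/* Before the fix, a leftover "status_mask == 1" guard rejected exactly the
 * EXPECTED-only case; reproduced here so the regression can be compared. */
static const char *ct_status_str(uint8_t mask, int invert, int before_fix)
{
    static char buf[64];
    if (before_fix && mask == 1)    /* 1 == IPS_EXPECTED */
        return "";
    return ct_status_xlate(mask, invert, buf, sizeof buf) > 0 ? buf : "";
}
```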
This allows gcc to check format string vs. passed arguments.
Fix the fallout from this as well, typical warning produced is:
libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=]
xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ...
~^ ~~~~~~~~~~
so add the required casts or fixup format strings as needed.
libxt_conntrack also passed an unneeded argument (port), so remove that.
Signed-off-by: Florian Westphal <fw@strlen.de>
In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Since sinfo->flags is only 8 bytes large, checking for
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return
false, so drop this dead code.
Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
This structure is an extensible container of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft.
Before this commit, two spaces were printed after every match
translation:
$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
COMMIT
$ sudo iptables-compat-restore iptables-save
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ct state related,established counter packets 0 bytes 0 accept
^^
ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept
^^ ^^
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add translation of conntrack to nftables.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT
nft add rule ip filter INPUT ct state new,related counter accept
$ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
nft add rule ip6 filter INPUT ct state != new,related counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto 17 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto != 17 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT
nft add rule ip filter INPUT ct direction original counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The multiport match needs it; this basically leaves the ->xlate() indirection
with almost the same interface as ->print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).
Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The conntrack match uses a different value for the UNTRACKED state than
the state match. Translate states to conntrack states to make sure they
all match.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Tom Eastep noted:
$ iptables -A foo -m conntrack --ctorigdstport 22
iptables v1.4.12: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.
Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
but let's include Tom's patch nevertheless for the better error
message in case one actually does specify a range with rev 2.
References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.
Bug goes back to v1.4.12~1^2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
References: http://bugs.debian.org/632804
References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
When ":n" or "n:" is specified, it will now be interpreted as "0:n"
and "n:<max>", respectively. nvals will always reflect the number of
(expanded) components. This restores the functionality of options that
take such partially-unspecified ranges.
This makes it possible to nuke the per-matchdata init functions of
some extensions and simplify the extensions' postparsing to the point
where it only needs to check for nvals==1 or ==2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
--ctorigdstport 13
ip6tables-restore v1.4.10: conntrack rev 2 does not support port ranges
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Of course the range end ought to be set, not doing the start value
twice.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Add support for revision 3 of the conntrack match, which allows
specifying port ranges for origsrc/origdst/replsrc/repldst.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Match and target parse functions now only get option characters they
have defined themselves.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
"u_int" was a non-standardized extension predating C99 on some platforms.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
$ iptables-save | iptables-restore
iptables-restore v1.4.6: conntrack: Bad value for "--ctdir" option: "ORIGINAL-j"
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
References: http://bugzilla.netfilter.org/show_bug.cgi?id=659
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.
Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Using ranges in --ctexpire results in a parsing error:
conntrack: Bad value for "--expires" option: "1:1000"
The first value is parsed twice, after which the end pointer doesn't
point to the expected '\0' but to the colon.
Signed-off-by: Patrick McHardy <kaber@trash.net>
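A range parser covering both the ":n" / "n:" expansion described in the range commit further up and the --ctexpire "1:1000" failure described just above, as an added example (not the iptables option parser itself). The function names, the returned struct and the "missing start means 0, missing end means max" rule are this example's own; each component is parsed exactly once and the end pointer is checked after every call, which is the condition the --ctexpire fix restores.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

struct range { int nvals; uint32_t lo, hi; };   /* nvals: 1, 2, or 0 on error */

/* Parse one decimal component <= max and advance *sp past it; 0 on failure. */
static int parse_component(const char **sp, uint32_t max, uint32_t *out)
{
    char *end;
    unsigned long v;
    if (**sp < '0' || **sp > '9')   /* rejects signs, spaces and empty input */
        return 0;
    errno = 0;
    v = strtoul(*sp, &end, 10);
    if (errno != 0 || v > max)
        return 0;
    *out = (uint32_t)v;
    *sp = end;                      /* caller decides whether '\0' or ':' may follow */
    return 1;
}

/* Parse "n", "n:m", ":m" or "n:" as the range commit describes:
 * a missing start means 0 and a missing end means max. */
static struct range parse_range(const char *s, uint32_t max)
{
    struct range r = { 0, 0, 0 };
    if (s == NULL || *s == '\0')
        return r;
    if (*s != ':') {
        if (!parse_component(&s, max, &r.lo))
            return r;
        if (*s == '\0') {           /* single value: nvals == 1 */
            r.hi = r.lo;
            r.nvals = 1;
            return r;
        }
        if (*s != ':')              /* trailing junk such as "22abc" */
            return r;
    }
    s++;                            /* step over the ':' */
    if (*s == '\0') {
        r.hi = max;                 /* "n:" -> n:max */
    } else if (!parse_component(&s, max, &r.hi) || *s != '\0') {
        return r;   /* second value parsed once; end pointer must land on '\0' */
    }
    r.nvals = r.lo <= r.hi ? 2 : 0; /* reversed ranges are rejected */
    return r;
}
```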
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which is properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Conflicts:
extensions/libxt_conntrack.c
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This complements the xt_conntrack revision 2 code added to the kernel.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Because the wrong flag was checked, the "!" was either wrongly
printed, or not printed at all.
This was broken since v1.4.0-29-ga8ad34c.
Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This also adds a warning that intrapositional negation support
is deprecated.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Changes:
exittype -> xtables_exittype
P_* -> XTF_* flags
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This commit also throws out the redundant string_to_number_*.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
~0 depends on the sizeof(int), so it is better to use UINT32_MAX.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
iptables.h and ip6tables.h only include declarations internal to
iptables (specifically iptables.c and ip6tables.c), as most of the
public API has been moved to xtables.h a few months ago.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This patch adds better error reporting when the user inserts a space
between two states with the --state option.
iptables -I INPUT -m state ESTABLISHED, RELATED
^
mind the space
results in:
iptables v1.4.2-rc1: Bad state `'
Try `iptables -h' or 'iptables --help' for more information.
Now this returns:
iptables v1.4.2-rc1: `--state' requires a list of states with no
spaces, e.g. ESTABLISHED,RELATED
This patch also applies to libxt_conntrack which has a copy of the
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>