summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_conntrack.c
Commit message (Collapse)AuthorAgeFilesLines
* extensions: fix iptables-{nft,translate} with conntrack EXPECTEDQuentin Armitage2019-09-201-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED outputs: nft add rule ip filter INPUT ct status expected,assured counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED produces nft list output: chain INPUT { ct status expected,assured counter packets 0 bytes 0 accept } which are correct. However, iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft # -A INPUT -m conntrack --ctstatus EXPECTED and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { counter packets 0 bytes 0 accept } neither of which is what is desired. Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft" included the following code in _conntrack3_mt_xlate(): if (sinfo->match_flags & XT_CONNTRACK_STATUS) { if (sinfo->status_mask == 1) return 0; ... If the intention had been not to produce output when status_mask == 1, it would have been written as: if (sinfo->status_mask == IPS_EXPECTED) return 0; so it looks as though this is debugging code accidently left in the original patch. Removing the lines: if (sinfo->status_mask == 1) return 0; resolves the problems, and iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft add rule ip filter INPUT ct status expected counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { ct status expected counter packets 0 bytes 0 accept } This commit also includes an additional txlate test to check when only the status EXPECTED is specified. Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft") Signed-off-by: Quentin Armitage <quentin@armitage.org.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add 'printf' attribute to xlate_addFlorian Westphal2018-11-121-3/+3
| | | | | | | | | | | | | | This allows gcc to check format string vs. passed arguments. Fix the fallout from this as well, typical warning produced is: libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=] xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ... ~^ ~~~~~~~~~~ so add the required casts or fixup format strings as needed. libxt_conntrack also passed an unneeded argument (port), so remove that. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Avoid potential buffer overrunPhil Sutter2018-09-241-7/+7
| | | | | | | | | | In print_addr(), a resolved hostname is written into a buffer without size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an issue, though covscan complained about it. Fix the code by using conntrack_dump_addr() as an example. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTIONPhil Sutter2018-09-241-8/+0
| | | | | | | | | | Since sinfo->flags is only 8 bytes large, checking for XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return false, so drop this dead code. Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-15/+14
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issuePablo M. Bermudo Garay2016-07-091-30/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_conntrack: Add translation to nftLaura Garcia Liebana2016-06-221-0/+197
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add translation of conntrack to nftables. Examples: $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT nft add rule ip filter INPUT ct state new,related counter accept $ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT nft add rule ip6 filter INPUT ct state != new,related counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT nft add rule ip filter INPUT ct proto 17 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT nft add rule ip filter INPUT ct proto != 17 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT nft add rule ip filter INPUT ct status != confirmed counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT nft add rule ip filter INPUT ct expiration 3 counter accept $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT nft add rule ip filter INPUT ct direction original counter accept Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-2/+2
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-10/+10
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_state: add translation to nftPablo Neira Ayuso2016-02-161-0/+39
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: state match incompatibilty across versionsPhil Oester2013-08-081-0/+6
| | | | | | | | | | | | | | | As reported in Debian bug #718810 [1], state match rules added in < 1.4.16 iptables versions are incorrectly displayed by >= 1.4.16 iptables versions. Issue bisected to commit 0d701631 (libxt_state: replace as an alias to xt_conntrack). Fix this by adding the missing .print and .save functions for state match aliases in the conntrack match. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810 Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_conntrack: fix state match alias state parsingPatrick McHardy2013-04-261-10/+10
| | | | | | | | The conntrack match uses a different value for the UNTRACKED state than the state match. Translate states to conntrack states to make sure they all match. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add the "state" alias to the "conntrack" matchJozsef Kadlecsik2013-01-281-3/+24
|
* libxt_state: replace as an alias to xt_conntrackJan Engelhardt2012-09-301-0/+191
| | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_conntrack: improve error message on parsing violationTom Eastep2011-08-271-4/+11
| | | | | | | | | | | | | | | Tom Eastep noted: $ iptables -A foo -m conntrack --ctorigdstport 22 iptables v1.4.12: conntrack rev 2 does not support port ranges Try `iptables -h' or 'iptables --help' for more information. Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug, but let's include Tom's patch nevertheless for the better error message in case one actually does specify a range with rev 2. References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix --ctproto 0 outputJan Engelhardt2011-08-211-4/+5
| | | | | | | | | | | First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER. (Next commit will flag this.) Furthermore, l4proto is of type uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not work => revert v1.4.12~1^2. Bug goes back to v1.4.12~1^2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: remove one misleading commentJan Engelhardt2011-08-211-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: move more data into the xt_option_entryJan Engelhardt2011-07-101-8/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: restore network-byte order for v1,v2Jan Engelhardt2011-07-101-7/+39
| | | | | | References: http://bugs.debian.org/632804 References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: have xtopt_parse_mint interpret partially-spec'd rangesJan Engelhardt2011-05-251-65/+8
| | | | | | | | | | | | | When ":n" or "n:" is specified, it will now be interpreted as "0:n" and "n:<max>", respecitvely. nvals will always reflect the number of (expanded) components. This restores the functionality of options that take such partially-unspecified ranges. This makes it possible to nuke the per-matchdata init functions of some extensions and simply the extensions postparsing to the point where it only needs to check for nvals==1 or ==2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: resolve erroneous rev-2 port range messageJan Engelhardt2011-05-131-0/+8
| | | | | | | --ctorigdstport 13 ip6tables-restore v1.4.10: conntrack rev 2 does not support port ranges Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix assignment to wrong memberJan Engelhardt2011-05-131-8/+4
| | | | | | | Of course the range end ought to be set, not doing the start value twice. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: correct printed module nameJan Engelhardt2011-05-131-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: use guided option parserJan Engelhardt2011-05-091-451/+219
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespacesJan Engelhardt2011-01-311-60/+58
| | | | | | | | | | | | | | | | | Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :) Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: libxt_conntrack: add support for specifying port rangesPatrick McHardy2011-01-201-65/+187
| | | | | | | Add support for revision 3 of the conntrack match, which allows to specify port ranges for origsrc/origdst/replsrc/repldst. Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-081-6/+0
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-081-2/+2
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: fix --ctdir save/dump output formatFlorian Westphal2010-11-171-4/+4
| | | | | | | | $ iptables-save | iptables-restore iptables-restore v1.4.6: conntrack: Bad value for "--ctdir" option: "ORIGINAL-j" Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-1/+1
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: do print netmaskJan Engelhardt2010-06-241-4/+12
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=659 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* includes: header updatesJan Engelhardt2010-02-011-0/+33
| | | | | | | | | | | | Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's ipt_ECN.h for example references ipt_DSCP.h, which no longer exists. Since a number of old code pieces have been removed in the kernel in that fashion, the structs for older versions are moved into the .c file, to keep header updating simple. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrack: fix --expires parsingPatrick McHardy2009-11-201-1/+1
| | | | | | | | | | | Using ranges in --ctexpire results in a parsing error: conntrack: Bad value for "--expires" option: "1:1000" The first value is parsed twice, after which the end pointer doesn't point to the expected '\0' but to the colon. Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables/extensions: make bundled options work againJan Engelhardt2009-11-031-9/+9
| | | | | | | | | | | | | When using a bundled option like "-ptcp", 'argv[optind-1]' would logically point to "-ptcp", but this is obviously not right. 'optarg' is needed instead, which if properly offset to "tcp". Not all places change optind-based access to optarg; where look-ahead is needed, such as for tcp's --tcp-flags option for example, optind is ok. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-8/+8
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'stable'Jan Engelhardt2009-08-051-21/+138
|\ | | | | | | | | | | | | Conflicts: extensions/libxt_conntrack.c Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * xt_conntrack: revision 2 for enlarged state_mask memberJan Engelhardt2009-06-251-27/+148
| | | | | | | | | | | | This complements the xt_conntrack revision 2 code added to the kenrel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: collapse data variables to use multi-reg callsJan Engelhardt2009-06-261-46/+44
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-261-2/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_conntrack: properly output negation symbolJan Engelhardt2009-04-051-4/+4
| | | | | | | | | Because the wrong flag was checked, the "!" was either wrongly printed, or not printed at all. This was broken since v1.4.0-29-ga8ad34c. Reported-by: Steven Jan Springl <steven@springl.ukfsn.org> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-27/+27
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move parse_protocol to xtables.cJan Engelhardt2009-01-301-2/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-8/+8
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix - parse and escaped output funcJan Engelhardt2009-01-301-12/+12
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - ipaddr/ipmask to ascii outputJan Engelhardt2009-01-301-7/+7
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - param_actJan Engelhardt2009-01-301-9/+9
| | | | | | | | Changes: exittype -> xtables_exittype P_* -> XTF_* flags Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - strtouiJan Engelhardt2009-01-271-7/+7
| | | | | | This commit also throws out the redundant string_to_number_*. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use UINT_MAX constants over open-coded bits (1/2)Jan Engelhardt2009-01-271-5/+5
| | | | | | ~0 depends on the sizeof(int), so it is better to use UINT32_MAX. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove inclusion of iptables.hJan Engelhardt2008-11-201-1/+0
| | | | | | | | | iptables.h and ip6tables.h only include declarations internal to iptables (specifically iptables.c and ip6tables.c), as most of the public API has been moved to xtables.h a few months ago. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* state: report spaces in the state list parsingPablo Neira Ayuso2008-11-191-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | This patch adds better error reporting when the user inserts a space between two states with the --state option. iptables -I INPUT -m state ESTABLISHED, RELATED ^ mind the space results in: iptables v1.4.2-rc1: Bad state `' Try `iptables -h' or 'iptables --help' for more information. Now this returns: iptables v1.4.2-rc1: `--state' requires a list of states with no spaces, e.g. ESTABLISHED,RELATED This patch also applies to libxt_conntrack which has a copy of the function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>