summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_mark.c
Commit message (Collapse)AuthorAgeFilesLines
* xtables: Introduce and use common function to print val[/mask] argumentsSerhey Popovych2018-04-271-12/+5
| | | | | | | | | | | | | | | | There are number of places where argument is in val[/mask] format printed in extensions and some of them may print corresponding symbolic name. By introducing common function for this task we eliminate custom code parts in extensions to perform printing of arguments in required formats. Use xtables_print_mark_mask() helper for extensions without symbolic name for val[/mask]. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-8/+6
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issuePablo M. Bermudo Garay2016-07-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_mark: fix a wrong translation to nft when mask is specifiedLiping Zhang2016-06-011-2/+2
| | | | | | | | | | | | | | | The mask and mark's order is reversed, so when we specify the mask, we will get the wrong translation result: # iptables-translate -A INPUT -m mark --mark 0x1/0xff nft add rule ip filter INPUT mark and 0x1 == 0xff counter Apply this patch, translation will become: # iptables-translate -A INPUT -m mark --mark 0x1/0xff nft add rule ip filter INPUT mark and 0xff == 0x1 counter Cc: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-2/+2
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-9/+9
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_mark: Fix inversion codeShivani Bhardwaj2016-02-161-8/+18
| | | | | | | | | | | | | | | Fix the code associated with invert flag. Examples: $ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa nft insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter $ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1 nft insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_mark: Add translation to nftShivani Bhardwaj2016-02-161-2/+38
| | | | | | | | | | | | | | | | | | | | | Add translation for metainformation mark to nftables. Examples: $ sudo iptables-translate -I INPUT -m mark --mark 12 nft insert rule ip filter INPUT mark 0xc counter $ sudo iptables-translate -A FORWARD -m mark --mark 22 -j ACCEPT nft add rule ip filter FORWARD mark 0x16 counter accept $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 4600 -m mark --mark 0x40 nft add rule ip mangle PREROUTING tcp dport 4600 mark 0x40 counter $ sudo iptables-translate -A FORWARD -m mark --mark 0x400/0x400 -j ACCEPT nft add rule ip filter FORWARD mark and 0x400 == 0x400 counter accept Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_MARK: use guided option parserJan Engelhardt2011-04-131-70/+25
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespacesJan Engelhardt2011-01-311-10/+10
| | | | | | | | | | | | | | | | | Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :) Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-081-3/+0
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-081-1/+1
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-1/+1
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* includes: header updatesJan Engelhardt2010-02-011-0/+5
| | | | | | | | | | | | Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's ipt_ECN.h for example references ipt_DSCP.h, which no longer exists. Since a number of old code pieces have been removed in the kernel in that fashion, the structs for older versions are moved into the .c file, to keep header updating simple. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-1/+1
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: collapse data variables to use multi-reg callsJan Engelhardt2009-06-261-30/+30
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use NFPROTO_UNSPEC for .family fieldJan Engelhardt2009-06-011-2/+2
| | | | | | | | This constant would be the designated one for the .family field; it also, given recent changes, makes grep for NFPROTO_UNSPEC work to finally recollect all manpages. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-261-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-1/+1
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - param_actJan Engelhardt2009-01-301-4/+4
| | | | | | | | Changes: exittype -> xtables_exittype P_* -> XTF_* flags Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - strtouiJan Engelhardt2009-01-271-2/+2
| | | | | | This commit also throws out the redundant string_to_number_*. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use UINT_MAX constants over open-coded bits (1/2)Jan Engelhardt2009-01-271-3/+3
| | | | | | ~0 depends on the sizeof(int), so it is better to use UINT32_MAX. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* mark: fix invalid iptables-save outputPablo Sebastian Greco2008-09-291-1/+1
| | | | | | | | | | When a neg mark is saved via iptables-save it is saved as !--mark, but this is not recognized by iptables-restore, just adding a space to the saved file to make it look like "! --mark" makes iptables-restore accept the file. Signed-off-by: Pablo Sebastian Greco <pablo@fliagreco.com.ar> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Update commentsJan Engelhardt2008-09-011-4/+0
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Remove old functions, constantsJan Engelhardt2008-04-151-4/+3
|
* Implement AF_UNSPEC as a wildcard for extensionsJan Engelhardt2008-04-141-34/+2
|
* Correct the family member value of libxt_mark revision 1Jan Engelhardt2008-04-061-1/+1
| | | | | libxt_mark rev1 used AF_INET6 in the class structure where it should have used AF_INET.
* fix gcc warningsMax Kellermann2008-01-291-1/+1
| | | | Max Kellermann <max@duempel.org>
* libxt_mark r1Jan Engelhardt2008-01-201-28/+112
| | | | | | Introduce libxt_mark match revision 1 support. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Unique symbols 1/6Jan Engelhardt2007-10-041-28/+23
| | | | | | | | | | | Give symbols of libxt matches unique names (1/3). Adds unique prefixes to all functions (most of them - especially the hook functions) so that debugging programs can unambiguously map a symbol to an address. Also unifies the names of the xtables_match/xtables_target structs, (based upon libxt_connmark.c/libip6t_*.c). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix sparse warnings: non-ANSI function declarations, 0 used as pointerPatrick McHardy2007-09-081-2/+2
|
* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)Peter Riley2007-09-021-1/+0
|
* Make the option structures const.Jan Engelhardt2007-07-301-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Remove the .next=NULL field. This is automatically initialized to zero.Jan Engelhardt2007-07-301-2/+0
| | | | | | | I've kept .print=NULL and .save=NULL so it stands out (since iptables will do the print/save then). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Unifies libip[6]_mark.c into libxt_mark.cYasuyuki KOZAKAI2007-07-241-0/+141