Add translation for masquerade to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip6 nat POSTROUTING counter masquerade
$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10
$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for masquerade to nftables.
Examples:
$ sudo iptables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip nat POSTROUTING counter masquerade
$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10
$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add missing constants for libxt_TCPOPTSTRIP.c, in case they are not defined.
(Original patch from VoidLinux)
Signed-off-by: Loganaden Velvindron <logan@hackers.mu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.
Example:
$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for NF queue to nftables.
Examples:
$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass
$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for REDIRECT target to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080
$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target REDIRECT to nftables.
Examples:
$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080
$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for hop limit to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A postrouting -m hl --hl-gt 3
nft add rule ip6 nat postrouting ip6 hoplimit gt 3 counter
$ sudo ip6tables-translate -t nat -A postrouting -m hl ! --hl-eq 3
nft add rule ip6 nat postrouting ip6 hoplimit != 3 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables.
Examples:
$ sudo ip6tables-translate -A FORWARD -p tcp -j LOG --log-level debug
nft add rule ip6 filter FORWARD ip6 nexthdr tcp counter log level debug
$ sudo ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log"
nft add rule ip6 filter FORWARD ip6 nexthdr tcp counter log prefix \"Checking log\" level warn
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-level error
nft add rule ip filter FORWARD ip protocol tcp counter log level err
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" level warn
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target REJECT to nftables.
Examples:
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for module ttl to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m ttl --ttl-eq 3 -j ACCEPT
nft add rule ip filter INPUT ip ttl 3 counter accept
$ sudo iptables-translate -A INPUT -m ttl --ttl-gt 5 -j ACCEPT
nft add rule ip filter INPUT ip ttl gt 5 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for AH to nftables.
Examples:
$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP
nft add rule ip6 filter INPUT ah spi 500 counter drop
$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP
nft add rule ip6 filter INPUT ah spi 500-550 counter drop
$ sudo ip6tables-translate -A INPUT -m ah ! --ahlen 120
nft add rule ip6 filter INPUT ah hdrlength != 120 counter
$ sudo ip6tables-translate -A INPUT -m ah --ahres
nft add rule ip6 filter INPUT ah reserved 1 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for module length to nftables.
Examples:
$ sudo iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP
nft add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop
$ sudo iptables-translate -A INPUT -p udp -m length --length :400
nft add rule ip filter INPUT ip protocol udp meta length 0-400 counter
$ sudo iptables-translate -A INPUT -p udp -m length --length 40
nft add rule ip filter INPUT ip protocol udp meta length 40 counter
$ sudo iptables-translate -A INPUT -p udp -m length ! --length 40
nft add rule ip filter INPUT ip protocol udp meta length != 40 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for SNAT target to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :80
$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :1-20
$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 random
$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random-fully --persistent
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 fully-random,persistent
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target DNAT to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
nft add rule ip6 nat prerouting iifname eth1 tcp dport 8080 counter dnat fec0::1234 :80
$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:1-20
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :1-20
$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 persistent
$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 random,persistent
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target DNAT to nftables.
Examples:
$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4
$ sudo iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat 192.168.1.1-192.168.1.10
$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4:1-1023
$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random
$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random,persistent
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target SNAT to nftables.
Examples:
$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4
$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6
$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023
$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random
$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random,persistent
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for routing realm to nftables.
Examples:
$ sudo iptables-translate -A PREROUTING -m realm --realm 4
nft add rule ip filter PREROUTING rtclassid 0x4 counter
$ sudo iptables-translate -A PREROUTING -m realm --realm 5/5
nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter
$ sudo iptables-translate -A PREROUTING -m realm ! --realm 50
nft add rule ip filter PREROUTING rtclassid != 0x32 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for target REJECT to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for packet type to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m pkttype --pkt-type broadcast -j DROP
nft add rule ip filter INPUT pkttype broadcast counter drop
$ sudo iptables-translate -A INPUT -m pkttype ! --pkt-type unicast -j DROP
nft add rule ip filter INPUT pkttype != unicast counter drop
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for connmark to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark 0x2 counter accept
$ sudo iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark != 0x2 counter accept
$ sudo iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept
$ sudo iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept
$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for Authentication Header to nftables.
Examples:
$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500 -j DROP
nft add rule ip filter INPUT ah spi 500 counter drop
$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500:600 -j DROP
nft add rule ip filter INPUT ah spi 500-600 counter drop
$ sudo iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
nft add rule ip filter INPUT ah spi != 50 counter drop
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for module cpu to nftables.
Examples:
$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for device group to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup 0x2 counter accept
$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
$ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept
$ sudo iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup != 0x2 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fix the code associated with invert flag.
Examples:
$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa
nft insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter
$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1
nft insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for module limit to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter
$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add group_info with every rule as it is mandatory to consider logging to
be the same type as NFLOG.
Remove multiple log keywords to avoid loading multiple log expressions
at a time.
Examples:
$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 2
nft insert rule ip filter INPUT counter log queue-threshold 2 group 0
$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" group 32
Reported-by: Arturo Borrero <arturoborreroglez@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for helper module to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -m helper --helper sip
nft add rule ip filter FORWARD ct helper \"sip\" counter
$ sudo iptables-translate -A FORWARD -m helper ! --helper ftp
nft add rule ip filter FORWARD ct helper != \"ftp\" counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for module mac to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP
nft add rule ip filter INPUT ether saddr 0A:12:3E:4F:B2:C6 counter drop
$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 ether saddr 0A:12:3E:4F:B2:C6 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for iprange to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT ip saddr 192.168.25.149-192.168.25.151 counter accept
$ sudo iptables-translate -A INPUT -m iprange --dst-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT ip daddr 192.168.25.149-192.168.25.151 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for NF Logging to nftables.
Examples:
$ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
nft add rule ip filter OUTPUT counter log group 30
$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32
$ sudo iptables-translate -I INPUT -j NFLOG --nflog-range 256
nft insert rule ip filter INPUT counter log snaplen 256
$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
nft insert rule ip filter INPUT counter log queue-threshold 25
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for ESP Protocol to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p esp -j ACCEPT
nft add rule ip filter FORWARD ip protocol esp counter accept
$ sudo iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT
nft add rule ip filter INPUT iifname wan ip protocol esp counter accept
$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
nft add rule ip filter INPUT esp spi 500 counter drop
$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
nft add rule ip filter INPUT esp spi 500-600 counter drop
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add translation for metainformation mark to nftables.
Examples:
$ sudo iptables-translate -I INPUT -m mark --mark 12
nft insert rule ip filter INPUT mark 0xc counter
$ sudo iptables-translate -A FORWARD -m mark --mark 22 -j ACCEPT
nft add rule ip filter FORWARD mark 0x16 counter accept
$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 4600 -m mark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 4600 mark 0x40 counter
$ sudo iptables-translate -A FORWARD -m mark --mark 0x400/0x400 -j ACCEPT
nft add rule ip filter FORWARD mark and 0x400 == 0x400 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Some examples:
$ sudo iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
add rule ip filter INPUT iifname eth0 udp sport 53 counter accept
$ sudo ./iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP
add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop
$ sudo ./iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Translation for the TCP option matching is not yet implemented as we
don't have a way to match this yet.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a typo in the cgroup2 cgroup_help_v1() method in extensions/libxt_cgroup.c.
Signed-off-by: Rami Rosen <rami.rosen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add basic tests which depend only on the root cgroup.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch updates xt_cgroup so that it supports revision 1 interface
which includes cgroup2 path based matching.
v3: Folded into xt_cgroup as a new revision interface as suggested by
Pablo.
v2: cgroup2_match->userspacesize and ->save and man page updated as
per Jan.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

libxt_cgroup will grow cgroup2 path based match. Postfix existing
symbols with _v0 and prepare for multi revision registration. While
at it, rename O_CGROUP to O_CLASSID and fwid to classid.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This adds the user space front-end and man-page bits for the additional
zone features (direction, mark) of the CT target.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

RFC 4443 added two new code values for ICMPv6 type 1:
  5 - Source address failed ingress/egress policy
  6 - Reject route to destination
And RFC 7084 states in L-14 that an IPv6 Router MUST send ICMPv6 Destination
Unreachable with code 5 for packets forwarded to it that use an address
from a prefix that has been invalidated.
Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions/libxt_esp.t: ERROR: line 7 (should fail: iptables -A INPUT -p esp -m esp)
extensions/libip6t_rt.t: ERROR: line 5 (should fail: ip6tables -A INPUT -m rt)
extensions/libip6t_ah.t: ERROR: line 15 (should fail: ip6tables -A INPUT -m ah)
extensions/libipt_ah.t: ERROR: line 13 (should fail: iptables -A INPUT -p ah -m ah)
Fixes: 4264de1f270a ("extensions: restore matching any SPI id by default")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

https://tools.ietf.org/html/rfc4443 says:
  ICMPv6 Fields:
    Type 1
    Code 0 - No route to destination
         1 - Communication with destination administratively prohibited
         2 - Beyond scope of source address
         3 - Address unreachable
         4 - Port unreachable
         5 - Source address failed ingress/egress policy
         6 - Reject route to destination
Add missing codes 2, 5 and 6.
Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Newer extensions require libnftnl in order to build, but there are no
configure or build checks for it, which leads to a bunch of modules
failing when libnftnl isn't installed. Add finer-grained blacklisting
so we can disable modules for specific parts rather than all of them,
e.g. we want to blacklist libebt_limit, but not libxt_limit.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This is the same as commit v1.4.15-12-g8a988f6.
If no id option is given, the extensions only match packets with a
zero-valued identification field. This behavior deviates from what it
used to do back in v1.4.10-273-g6944f2c^.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In the --help output and manpage for ipv6header the name for upper layer
protocol headers was "proto", while in the code itself it's "prot" for
the short form. Fixed by changing manpage and help output.
Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Update the man pages for libxt_socket with a description and example
usage of the --restore-skmark option.
Also added tests for libxt_socket with various combinations of
--restore-skmark and the existing options.
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>