| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
was disabled
Reported-by: Thomas Deutschmann <whissi@gentoo.org>
Tested-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Unfortunately no nft translation available so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Major Hayden <major@mhtx.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
no translation yet, might be doable with raw payload expressions though.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
No translation. The kernel match will alter packet type
(meta set pkttype), but also replace dst mac with the bridges' mac address,
however nft currently doesn't allow to retrieve this at runtime.
So just add this without the xlate part for now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
adds snat and dnat.
Translation for snat isn't complete, the --snat-arp switch isn't supported so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
This uncovered broken translation of ethernet + mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
ip6tables-save didn't include the masks.
Furhermore, mask decoding used the ipv4 struct which caused it to write
into parts of ipv6 saddr.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
kernel would reject ip, ip6 etc. without -p ip, -p ip6.
So add it. On reverse, search the match list to decide if -p
has to be translated or not.
Also, icmp and icmpv6 also imply l3 protocol, so no need to translate
that either.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This patch add some testcases for psid, nsid, and lsid matches
into libip6t_srh.t
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
src: iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0
exp: nft add rule ip mangle PREROUTING counter ct mark set 0x0
res: nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x0
Fixes: db7b4e0de960 ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new feature to iptables that allow bitshifting for
--restore,set and save-mark operations. This allows existing logic
operators (and, or and xor) and mask to co-operate with new bitshift
operations.
The intention is to provide uses with more fexible uses of skb->mark
and ct->mark. For example, users can save extra bits in skb->mark:
skb->mark = ct->mark << 8;
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
I added and verified these tests after applying Florian's fixed wrt.
nf_nat_range2 size for rev2.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
DNAT tests fail on nf-next.git, kernel complains about target size
mismatch (40 vs 48), this fixes this for me.
Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a proposal patch for iptables DNAT extension to support shifted portmap
ranges. It is related to the kernel patch proposed in earlier message '[PATCH
v5] netfilter : add NAT support for shifted portmap ranges'.
A new struct nf_nat_range2 was added as extension for existing struct
nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT
revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with
older kernels is not impacted.
The syntax for shifted portmaps uses an extra value in '--to-destination' for
setting the base port which determines the offset in the redirect port range
for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp
-m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000'
The base port value is totally optional, so current behavior is not impacted in
any way. The use of slash '/' as separator is an arbitrary choice, all other
suggestions are valid of course (original proposal used semicolon but this was
not practical for commandline use) Another approach using an additional option
seems also possible (i.e. '--base-port 5000'). However, that would mean more
parsing logic with extra lines of code and thus increased risk for regression.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are number of places where argument is in val[/mask] format
printed in extensions and some of them may print corresponding symbolic
name.
By introducing common function for this task we eliminate custom code
parts in extensions to perform printing of arguments in required
formats.
Use xtables_print_mark_mask() helper for extensions without
symbolic name for val[/mask].
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a couple of places in both core and extensions where arguments
in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32).
In some cases symbolic name might be used which is mapped in code to
numeric value.
Introduce common function to handle both cases where value given is
either val[/mask] or symbolic name.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxt_devgroup and libipt_realm currently unable to display symbolic
names in save/print commands because linear mapping is not initialized.
It looks bit confusing as linear mapping initialization is done in init()
of extension, which is expected to be called before any other function of
extension.
However init is called only when '-m' option specified on command line,
that is true only for insert, append, replace and destroy iptables
commands.
Move initialization to extension _init() function before calling
any function in extension.
Before:
-------
... src-group 0x1 dst-group 0x2
... src-group 0x2 dst-group 0x1
After:
------
... src-group grp1 dst-group grp2
... src-group grp2 dst-group grp1
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
ULOG target was removed in 3.17, so this always fails now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
tos translation to dscp yielded incorrect value.
icmp inserted extra "ip" keyword, remove it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Was added to ebtables recently, so backport this to ebt-compat.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
it its good practice as interface names can be virtually any
identifier and could clash with nft keywords.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
libebt_ip will get icmp support soon, unify icmp name
mapping a bit so we can re-use this code from libebt_ip.c.
It doesn't seem to be too useful to move to libxtables
(as its icmp specific), so add a hedaer file for this to reduce
copy & paste needs.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
nft xlate needs the full name, for ebtables it makes no difference,
'minute' would work too.
Also fixup ' ' placement in xlate.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
add translations for ip, limit, log, mark, mark_m, nflog.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field and
is not modified anywhere.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
gcc warned here:
libxt_comment.c:62 output may be truncated before the last format character [-Wformat-truncation=]
snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"" ...
It tells us that the '"' might not fit anymore, so increase output
buffer size to make room for "" escapes too.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Makes no sense, fail in such a case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add a few tests to catch regressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kernel 3.18 the union bpf_attr does not have a pathname attribute and
BPF_OBJ_GET is also not defined in these versions.
This was added in Linux commit b2197755b263 ("bpf: add support for
persistent maps/progs"). Check for the BPF_FS_MAGIC define which was
also added in this Linux commit and only activate this code in case we
find that define.
This fixes a build problem with Linux 3.18.
Netfilter bug: #1231
Fixes: f17f9ace8a8 ("extensions: libxt_bpf: support ebpf pinned objects")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
nft can match tcp flags, so add ece/cwr translation.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This patch adds test for ipcomp flow match specified by its SPI value
and move tests for ipcomp protocol to libxt_policy.t
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... and return 0 so output reflects that no translation was performed.
iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
nft # -A I -j CONNMARK --save-mark --mask 0xff
The translation that was performed:
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
will clear (zero) most bits:
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
[ ct set mark with reg 1 ]
The xtables module however does this:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
I.e., for ctmark mask defines what to clear,
for nfmark what to keep, i.e. we're supposed to only alter the lower
bits of the ctmark.
nftables can't do this at the moment because bitwise operator RHS
requires immediate values.
same is true for 'restore'.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
adding a test case for MARK --set-mark 0 fails with
exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0
This translation isn't wrong, but unneccessarily complex, so
change order to first check if mask bits are all ones.
In that case we can simply use an immediate value without
need for logical operators.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following test:
# python xlate-test.py extensions/libxt_hashlimit.txlate
extensions/libxt_hashlimit.txlate: Fail
src: iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP
exp: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
res: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
1 test file, 2 tests, 1 tests passed, 1 tests failed, 0 errors
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After nft v0.8.1 "flow table" is renamed as meter.
This should reflect in iptables to nftables translation.
Before this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
After this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3
--hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and
255.255.255.0 limit rate 200/second } counter drop
Signed-off-by: shyam saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds test cases for iptables to nft translation of cluster match
This adds all test cases including corner cases.
Run these test cases like:
$ ./xlate-test.py extensions/libxt_cluster.txlate
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for cluster to nft
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set
0xffff
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-nodemask 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta
mark set 0xffff
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a new exetension to iptables to supprt 'srh' match
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
shows:
nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
which prints burst twice, this is not correct.
Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
