| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ebtables-nft has always supported both intra- and extrapositioned
negations but defaulted to intrapositioned when printing/saving rules.
With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
though, it started to warn about intrapositioned negations. So change
the default to avoid mandatory warnings when e.g. loading previously
dumped rulesets.
Also adjust test cases, help texts and ebtables-nft.8 accordingly.
Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
* With XTOPT_NBO support in UINT types, the manual byteorder conversion
calls are no longer needed
* Setting bits in cb->xflags is done by xtables_option_parse() already
* Since O_HMARK_* values match XT_HMARK_* ones, all but the O_HMARK_TYPE
case fold together into a single default one
|
|
|
|
|
|
|
| |
Can't use XTTYPE_MARKMASK32 here because in 'val/mask', 'val' is
optional. Would have to extend xtopt_parse_markmask() to accept this,
maybe guarded by a new XTOPT_ flag to avoid unexpected changes in
behaviour?
|
|
|
|
|
| |
Not much to gain here. Maybe implement number parsing with fallback to
get rid of that part from extension parsers?
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Extension data is zero by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`echo -e` is not portable and we can end up with:
GEN matches.man
-e + ./libxt_addrtype.man
-e + ./libip6t_ah.man
-e + ./libipt_ah.man
-e + ./libxt_bpf.man
-e + ./libxt_cgroup.man
-e + ./libxt_cluster.man
-e + ./libxt_comment.man
-e + ./libxt_connbytes.man
-e + ./libxt_connlabel.man
-e + ./libxt_connlimit.man
-e + ./libxt_connmark.man
-e + ./libxt_conntrack.man
[...]
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
The previous implementation ignored the default verbosity defined by
configure, and controlled by --{enable,disable}-silent-rules, and
treated V="" as V=0. Instead, follow the guide-lines given in the
automake manual.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
There is no C++, so these variables are not required.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
It doesn't do anything, so get rid of it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Corrections for several spelling mistakes, typo's and non-native usages in
man-pages and error-messages.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
This appears to be not necessary, also mandoc complains about it:
| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Fixes: v1.8.10-28-g4b0c168a
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
It expects mark values in hex which is possible by setting the base
field.
The only adjustment needed to use the revision 2 parser is to fill the
mask for --set-mark: With XTTYPE_MARKMASK32, an omitted mask sets all
mask bits, XTTYPE_UINT32 leaves it uninitialized, though.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sadly not the best conversion, struct arpt_mangle is not ideal for use
as storage backend: With MAC addresses, xtopt_parse_ethermac() refuses
to write into *_devaddr fields as they are larger than expected. With
XTTYPE_HOSTMASK OTOH, XTOPT_PUT is not supported in the first place.
As a side-effect, network names (from /etc/networks) are no longer
accepted. But earlier migrations to guided option parser had this
side-effect as well, so probably not a frequently used feature.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
"-" is the dash, "\-" is minus as we know, but groff lists some more
characters: "^" is "modifier circumflex" and "~" is "modifier tilde",
which, too, need to be escaped for our use.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
| |
Just some random values in hope this starts failing if masks support
changes or breaks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arptables accepts numeric --proto-type values and masks in any numeral
system identified by (absence of) prefix. Yet it prints the mask value
in hex without '0x'-prefix, breaking save and restore the same way
numeric --h-type output did.
In theory, this could be fixed either by adding the missing prefix or
printing the mask in decimal (like most other builtin matches do), but
since the value is printed in hex with prefix already, align mask output
with that.
Also a day 1 bug and consistent with legacy, so no Fixes: tag here as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arptables expects numeric arguments to --h-type option in hexadecimal
form, even if no '0x'-prefix is present. In contrast, it prints such
values in decimal. This is not just inconsistent, but makes it
impossible to save and later restore a ruleset without fixing up the
values in between.
Assuming that the parser side can't be changed for compatibility
reasons, fix the output side instead.
This is a day 1 bug and present in legacy arptables as well, so treat
this as a "feature" of arptables-nft and omit a Fixes: tag.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
arptables "--set-mark" is really just "--or-mark".
This bug is also in arptables-legacy.
Fix this and add test cases.
Note that the test for "16" vs. "0x16" is intentional,
arptables parser is buggy and always uses "%x".
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add test cases for libarpt_mangle and extend the generic
tests to cover basic arptables matches.
Note that there are several historic artefacts that could be revised.
For example, arptables-legacy and arptables-nft both ignore "-p"
instead of returning an error about an unsupported option.
The ptype could be hard-wired to 0x800 and set unconditionally.
OTOH, this should always match for ethernet arp packets anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
define IPT_INV_SRCDEVADDR 0x0080
define ARPT_INV_SRCDEVADDR 0x0010
as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.
Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.
Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionaliy implemented by "extensions" in the
arptables-legacy git tree are built-in, so this doesn't break
arptables-legacy binaries.
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
The .\" prefix made these paragraphs invisible in at least regular
man page output. Turn them into tags instead.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Value and description are more clearly set apart. Using .RS/.RE
pairs also adds proper indenting.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Replace some "fake" bullet point by the official syntax/markup
for bulleted lists.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
English generally uses open compounds rather than closed ones;
fix the excess hyphens in words. Fix a missing dash for the
portnr option as well.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Edit a few spots where indeed a hyphens (U+2010) rather than U+002D is desired.
("set-name" is not something you input, it is a placeholder in the context of
documentation. "out-of-flow" is part of the regular flowed text, so should not
use anything but hyphens.)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Unlike LaTeX, two/three U+002D in the source do not translate to an
en and em-dash in man. Using \(en and \(em, respectively, addresses
this.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sparked by a recent LWN article[1], sweeps over the iptables manpages
for incorrectly encoded dashes was made by Phil Sutter and myself.
An ASCII minushyphen in the source manpage translates to a hyphen in
output, so one has to use the sequence "\-" to get a minushyphen in
the output, as groff_char(7) explains.
[1] https://lwn.net/Articles/947941/ (paywalled until about 2023-11-06)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
For ranges, en dashes should be used; cf. e.g.
https://en.wikipedia.org/wiki/Dash#En_dash .
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 920ece2b392fb83bd26416e0e6f8f6a847aacbaa.
Since kernel commit c4eee56e14fe ("net: skb_find_text: Ignore patterns
extending past 'to'"), pattern scanning no longer happens past --to
offset even if skb_seq_read() returned a larger block. Point this out in
the description and also drop the '-1' offset which is not true as
kernel's selftest in tools/testing/selftests/netfilter/xt_string.sh
shows.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1707
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
String match indeed returns a match as long as the given pattern starts
in the range of --from and --to, update the text accordingly.
Also add a note regarding fragment boundaries.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1707
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A relict of legacy iptables' mandatory matching on interfaces and IP
addresses is support for the '-i +' notation, basically a "match any
input interface". Trying to make things better than its predecessor,
iptables-nft boldly optimizes that nop away - not entirely though, the
meta expression loading the interface name was left in place. While not
a problem (apart from pointless overhead) in current HEAD, v1.8.7 would
trip over this as a following cmp expression (for another match) was
incorrectly linked to that stale meta expression, loading strange values
into the respective interface name field.
While being at it, merge and generalize the functions into a common one
for use with ebtables' NFT_META_BRI_(I|O)IFNAME matches, too.
Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1702
Signed-off-by: Phil Sutter <phil@nwl.cc>
|