path: root/extensions
Commit log. Each entry lists the commit message (author, date; files changed, lines -removed/+added), followed by the commit body.
* libxt_CT: add support for recently introduced zone options (Daniel Borkmann, 2015-09-29; 2 files, -16/+87)

    This adds the user space front-end and man-page bits for the additional zone features (direction, mark) of the CT target.

    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* added missing icmpv6 codes in REJECT (Andreas Herz, 2015-09-29; 2 files, -1/+7)

    RFC 4443 added two new code values for ICMPv6 type 1:

        5 - Source address failed ingress/egress policy
        6 - Reject route to destination

    And RFC 7084 states in L-14 that an IPv6 Router MUST send ICMPv6 Destination Unreachable with code 5 for packets forwarded to it that use an address from a prefix that has been invalidated.

    Signed-off-by: Andreas Herz <andi@geekosphere.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix several test errors (Pablo Neira Ayuso, 2015-09-16; 4 files, -5/+3)

    extensions/libxt_esp.t: ERROR: line 7 (should fail: iptables -A INPUT -p esp -m esp)
    extensions/libip6t_rt.t: ERROR: line 5 (should fail: ip6tables -A INPUT -m rt)
    extensions/libip6t_ah.t: ERROR: line 15 (should fail: ip6tables -A INPUT -m ah)
    extensions/libipt_ah.t: ERROR: line 13 (should fail: iptables -A INPUT -p ah -m ah)

    Fixes: 4264de1f270a ("extensions: restore matching any SPI id by default")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: icmp6: added missing icmpv6 dest-unreach codes (Andreas Herz, 2015-09-14; 1 file, -0/+3)

    https://tools.ietf.org/html/rfc4443 says:

        ICMPv6 Fields:
        Type  1
        Code
            0 - No route to destination
            1 - Communication with destination administratively prohibited
            2 - Beyond scope of source address
            3 - Address unreachable
            4 - Port unreachable
            5 - Source address failed ingress/egress policy
            6 - Reject route to destination

    Add missing codes 2, 5 and 6.

    Signed-off-by: Andreas Herz <andi@geekosphere.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add finer module blacklisting (Mike Frysinger, 2015-08-26; 1 file, -5/+5)

    Newer extensions require libnftnl in order to build, but there are no configure or build checks for it, which leads to a bunch of modules failing when libnftnl isn't installed. Add finer grained blacklisting so we can disable modules for specific parts rather than all of them. E.g. we want to blacklist libebt_limit, but not libxt_limit.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: restore matching any SPI id by default (Jan Engelhardt, 2015-08-12; 8 files, -0/+37)

    This is the same as commit v1.4.15-12-g8a988f6. If no id option is given, the extensions only match packets with a zero-valued identification field. This behavior deviates from what it used to do back in v1.4.10-273-g6944f2c^.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols (Andreas Herz, 2015-07-20; 2 files, -3/+3)

    In the --help output and manpage for ipv6header the name for upper layer protocol headers was "proto", while in the code itself it's "prot" for the short form. Fixed by changing manpage and help output.

    Signed-off-by: Andreas Herz <andi@geekosphere.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_socket: update man pages and tests for --restore-skmark (Harout Hedeshian, 2015-07-15; 2 files, -0/+18)

    Update the man pages for libxt_socket with a description and example usage of the --restore-skmark option. Also added tests for libxt_socket with various combinations of --restore-skmark and the existing options.

    Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve build error involving libnftnl (Jan Engelhardt, 2015-07-15; 1 file, -1/+1)

    make[2]: Entering directory '/home/jengelh/code/iptables/extensions'
      CC       libebt_limit.oo
    In file included from ../iptables/nft.h:5:0,
                     from libebt_limit.c:21:
    ../iptables/nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
     #include <libnftnl/rule.h>
                               ^
    compilation terminated.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_socket: add --restore-skmark option (Harout Hedeshian, 2015-06-30; 1 file, -0/+71)

    xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets.

    Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else.

    Add the ability to restore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied.

    Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK.

        iptables -t mangle -I PREROUTING -m socket --transparent \
            --restore-skmark -j action
        iptables -t mangle -A action -m mark --mark 10 -j action2
        iptables -t mangle -A action -m mark --mark 11 -j action3

    Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'ipset-next' (Pablo Neira Ayuso, 2015-04-28; 1 file, -9/+191)

    Get this patch into master: "Alignment problem between 64bit kernel 32bit userspace"

    As Jozsef requests.
  * Alignment problem between 64bit kernel 32bit userspace (Jozsef Kadlecsik, 2014-11-06; 1 file, -9/+191)

      Sven-Haegar Koch reported the issue:

          sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
          iptables: Invalid argument. Run `dmesg' for more information.

      In syslog:

          x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

      which was introduced by the counter extension in ipset. The patch fixes the alignment issue by introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* cgroup, man: improve man-page bits (Daniel Borkmann, 2015-04-08; 1 file, -5/+13)

    Document limitations when in use with INPUT until we find a better solution. Also fix up indent in the example section.

    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_tcp: manpage correction (Jiri Popelka, 2015-03-16; 1 file, -1/+0)

        $ iptables -A INPUT -m tcp --sport 6500:6400 -j ACCEPT
        iptables v1.4.21: invalid portrange (min > max)

    Error message added with d15fb34c

    Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add support for limit extension (Arturo Borrero, 2015-03-13; 1 file, -0/+179)

    Add support for the ebtables limit extension (match).

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* man: using physdev match in OUTPUT is not supported anymore (Florian Westphal, 2015-03-06; 1 file, -11/+3)

    Kernels 2.6.20 and later reject -m physdev in OUTPUT with "using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore" error in dmesg.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables-compat: add support for the CLASSIFY target (Arturo Borrero, 2015-03-05; 1 file, -12/+32)

    This patch adds support to arptables-compat for the CLASSIFY target.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: support nflog extension (Arturo Borrero, 2015-03-04; 1 file, -0/+144)

    Let's give support for the nflog extension (a watcher).

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_quota: fix _save() invert syntax (Arturo Borrero, 2015-02-23; 2 files, -6/+3)

    Space is misplaced.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_dst: make inversion work (Florian Westphal, 2015-02-19; 2 files, -0/+3)

    The inversion flag wasn't set in the match struct.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions/libxt_recent.t: add test case for 3.19 regression (Florian Westphal, 2015-02-19; 1 file, -2/+6)

    Fails with vanilla 3.19.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: SNPT,DNPT: fix save/print output (Florian Westphal, 2015-02-19; 4 files, -8/+10)

    Wrong placement of ' ', i.e. we get

        -j SNPT--src-pfx dead::/64 --dst-pfx 1c3::/64

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add more test cases for iptables-test.py (Florian Westphal, 2015-02-19; 42 files, -0/+231)

    Instead of using iptables-save-formatted files in the tests/ dir, let's use the iptables-test.py framework for all matches/targets. This obsoletes tests/ completely; it will be removed in a followup patch.

    Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: remove 'unclean' match (Florian Westphal, 2015-02-19; 2 files, -17/+0)

    Removed from the kernel in 2003.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: remove SAME target (Florian Westphal, 2015-02-19; 2 files, -203/+0)

    Removed from the kernel in December 2007.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: remove MIRROR (Florian Westphal, 2015-02-19; 2 files, -27/+0)

    Removed from the kernel back in 2003.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables-compat: add mangle target extension (Arturo Borrero, 2015-02-18; 2 files, -8/+242)

    This patch adds support to use the mangle target extensions, along with the required changes in the surrounding code.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'ebtables-compat' (Pablo Neira Ayuso, 2015-02-11; 6 files, -7/+988)

    The ebtables-compat branch provides the compatibility layer to run ebtables extensions. Currently, only the following matches / targets / watchers are supported:

        * 802_3
        * ip
        * mark_m and mark
        * log

    The remaining ones should be easy to port on top of libxtables; they will follow up later.
  * ebtables-compat: add log watcher extension (Arturo Borrero, 2015-02-11; 1 file, -0/+197)

      This patch adds the log 'watcher' extension. The work was started by Giuseppe Longo <giuseppelng@gmail.com> and finished by me.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * ebtables-compat: add mark target extension (Arturo Borrero, 2015-02-03; 1 file, -0/+191)

      Translate the mark target extension to the xtables-compat environment.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * ebtables-compat: call extensions final checks (Arturo Borrero, 2015-02-03; 3 files, -0/+6)

      Let's call extensions final checks.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * extensions: cleanup commented code in ebtables-compat extensions (Arturo Borrero, 2015-01-30; 2 files, -45/+0)

      This code can be cleaned up. No need for validation from userspace, the kernel will reject incorrect options.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * ebtables-compat: add mark_m match extension (Arturo Borrero, 2015-01-30; 1 file, -0/+116)

      Translate mark_m match extension to the xtables-compat environment.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * ebtables-compat: add 'ip' match extension (Arturo Borrero, 2015-01-28; 1 file, -0/+326)

      This patch adds the 'ip' match extension to ebtables-compat. It involves adapting old ebtables extension code to the xtables-compat environment.

      For testing:

          % sudo ebtables-compat -p 0x0800 --ip-src 1.1.1.1 -j ACCEPT

      The patch includes a cached copy of the extension kernel header.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * extensions: add ebt 802_3 extension (Arturo Borrero, 2014-12-23; 2 files, -6/+166)

      This patch adds the first ebtables extension to ebtables-compat. The original 802_3 code is adapted to the xtables environment. I tried to mimic as much as possible the original ebtables code paths.

      With this patch, ebtables-compat is able to send the 802_3 match to the kernel, but the kernel-to-userspace path is not tested and should be adjusted in follow-up patches.

      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * ebtables-compat: build ebtables extensions (Giuseppe Longo, 2014-11-24; 1 file, -5/+35)

      This permits building extensions for the ebtables-compat layer.

      Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: string: document icase (Florian Westphal, 2015-01-05; 1 file, -0/+3)

    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_TEE: Trim kernel struct to allow deletion (Loganaden Velvindron, 2014-11-09; 1 file, -2/+2)

    Correct trimming of userspacesize to fix deletions.

    Fixes: Bugzilla #884. A rule having the TEE target with the '--oif' option cannot be deleted by the iptables command.

        $ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
        $ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
        iptables: No chain/target/match by that name.

    Signed-off-by: Loganaden Velvindron <logan@elandsys.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'ipset' (Pablo Neira Ayuso, 2014-11-05; 2 files, -5/+209)

    This provides the ipset skbinfo extension.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  * xtables: SET target: Add mapping of meta information (skbinfo ipset extension) (Anton Danilov, 2014-09-14; 2 files, -5/+209)

      This feature adds support for mapping meta information to packets, like nftables maps or ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue. Usage of this functionality is allowed only from the mangle table. We can map tc priority only in the OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the route decision. If the entry doesn't exist in the set, none of the fields are changed.

      Example of classify by destination address:

          iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

      Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* extensions: devgroup: fix showing and saving of dst-group (Ana Rey, 2014-11-04; 1 file, -1/+1)

    Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=985

    The --dst-group parameter in the devgroup extension lists and saves its value incorrectly. --dst-group always shows "0x0/0x0". This is an example:

        # iptables -I FORWARD -m devgroup --dst-group 200 -j ACCEPT
        # iptables -L FORWARD
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             anywhere             src-group 0x64 dst-group 0x0/0x0
        # iptables -S FORWARD
        -P FORWARD ACCEPT
        -A FORWARD -m devgroup --dst-group 0x0/0x0 -j ACCEPT

    Reported-by: Axinchan <axinchan@cnrouter.com>
    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'tests' (Pablo Neira Ayuso, 2014-10-01; 59 files, -0/+725)

    This merges the iptables-test.py script and the corresponding test files.
  * extensions: libxt_MARK: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+7)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libxt_owner: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+12)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libip6t_DNAT: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+8)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libipt_SNAT: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+8)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libxt_TEE: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+4)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libxt_physdev: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+14)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libxt_iprange: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+11)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: libxt_quota: add unit test (Pablo Neira Ayuso, 2013-10-07; 1 file, -0/+10)

      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>