| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags
no-op code.
CC libiptc/libip4tc.lo
In file included from libiptc/libip4tc.c:118:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:113:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC xtables_multi-iptables-xml.o
iptables-xml.c: In function "do_rule_part":
iptables-xml.c:376:8: warning: variable "thisChain" set but not used
CC xtables_multi-ip6tables.o
ip6tables.c: In function "print_firewall":
ip6tables.c:552:10: warning: variable "flags" set but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.
Example:
iptables-restore config
ip6tables-restore config
Where the file 'config' contains:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -6 -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
-A ssh -j ACCEPT
COMMIT
Signed-off-by: Maciej Zenczykowski <maze@google.com>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.
As a secondary goal, this reduces the number of static storage duration
variables in flight.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| | |
(actually only applies to two comments, since the
function has long been called do_command6)
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.
Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.
This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
For aesthetic consistency, put a space after -o.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
With v1.4.10-58-g94e247b, target option parsing started to happen in the
wrong case.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
-From: iptables v1.4.10: option "-q" requires an argument
+To: iptables v1.4.10: unknown option "-q"
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(Essentially, 5 levels of indentation have been stripped compared to the
original layout, and this is surely a result that looks a lot better
than it did before.)
Things to note:
1. If the m->parse call succeeded, we can return from the function and
do not need to go through the other code. As such, "m" is guaranteed to
be useless at the end of the match loop, and so, conditions can be
removed.
2. Since the per-extension parse function only ever get their own option
codes (since v1.4.10-26-gd09b6d5), their return value no longer has a
meaning and can be ignored.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This will be needed for the find_proto function.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
struct iptables_command_state and quite a bit of the code looks worthy
of deduplication.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
This will make it easier to put the code for the cases into separate
functions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Same as previous commit. Doing this actually allows to remove code
that is no longer needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Normally, extensions use a "default:" case in switch(c) to just return
if they do not handle c. Apparently, libip6t_hl does that too late and
checks for hl-specific parsing state before it has established that c
refers to one of its own options.
Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.
One way to fix this is to move the flags checks into case '2', '3',
'4'. Doing this replication feels bad, so as an alternative, let's
just free extensions from having to deal with other extension's
options passing thru.
References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
| |
Fiedler Roman brings to attention that if, in a faulty script,
"$some_variable" expands to an empty string, iptables should probably
catch this most likely undesired invocation. If no/all interfaces were
really desired, one can either omit -i completely, or use -i +.
References: http://marc.info/?l=netfilter&m=129439862903487&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
"u_int" was a non-standardized extension predating C99 on some platforms.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Also one int -> uint here on the way through.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
| |
For each new command, iptables is supposed to start afresh with a
blank option set (opts) that only contains the program-specific
options (orig_opts), without any extension options. We failed to
restore this pointer (in function do_command) after the previous free
call in xtables_free_opts.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* On the first call to getopt, opts was NULL, so long options would
not be recognized until a match/target was loaded.
Whacky getopt behavior:
* If the longopts parameter is NULL, getopt fails to recognize unknown
options, such that `iptables-multi main --append` will print a garbage
help message ("main needs an argument").
* If the longopts parameter is NULL on the first call, but not on
subsequent calls, it completely screws up option parsing, taking
the --dport in `iptables-multi main -A INPUT -p tcp --dport 1000`
as --destination instead, but not accepting "--destination 1.2.3.4"
either.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using `-m mark --mark 2 -m connmark --mark 2`, the user currently
gets an error about the (libxt_mark) --mark option being used twice.
This is because libxt_connmark's option table does not override any
previous options. This patch changes this behavior, since the current
behavior does not allow connmark's option to be used at all, which is
illogical.
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Creationg of chain names longer than the ones being able to jump to
should be inhibited for consistency.
References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2
Cc: Stig Thormodsrud <stig@vyatta.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Since iptables uses its own copies of the header files anyway where the
revision field is exposed, there is no reach to access name[] beyond its
size.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Since XT_EXTENSION_MAXNAMELEN is now available, make use of it
and clear the confusion.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Found by gcc -Wmissing-noreturn.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The two commands:
-A OUPUT -d 10.11.12.13/32 -j LOG
-R OUTPUT 1 -j LOG -d 10.11.12.13
will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
(No regression, this problem was there forever.)
Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which if properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.
This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)
*nat
-F
-X
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
-A POSTROUTING -p udp -j CONNMARK --set-mark 0
-D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
COMMIT
References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
This is for extensions that do not take any options, and which
subsequently do not offer any help text either.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This means we can do some code removal in extensions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libiptc already supports adding and deleting multiple rules with
different addresses, so it only needs to be wired up to the options.
# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
Adjustments made: syntax, removal of unneeded variables, manpage
adjustment, soversion bump.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes options-merging that was broken somewhere
during the libxtables rework. Before this patch, two pointers
were used to keep the current options, however, the options field
in xt_params was not appropritely updated. Thus, xtables_free_opts()
was not restoring the original options.
This patch fixes iptables-restore and ip6tables-restore that
stopped working in my personal firewall.
% iptables-restore
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|