| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant
used '[PCNT BCNT]' prefix like with iptables-save.
In order to pass the counter format preference along, FMT_C_COUNTS is
introduced and related 'format' checks adjusted.
Since legacy iptables prints the counters between matches and target,
this change affects save_matches_and_target() function. In order to get
access to the rule counters, it's declaration is adjusted to receive
iptables_command_state pointer instead of match, target and jumpto
pointers from the same object.
While being at it, integrate jump to user-defined chain into it as well
since the related code in both callers was almost identical. Though
since different rule flags are used between iptables and ip6tables, pass
a 'goto_flag' boolean instead of the actual 'flags' bitfield.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
If batch_rule_add() failed (ENOMEM), nft_rule_append() frees the
rule and then tries to add it to the rule cache. Better return 0
(failure) instead of continuing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ebtables-save does not use a policy string of '-' to denote
user-defined chains but instead lists them with a policy of ACCEPT.
In order to use ebtables_restore_parse() for ebtables-save
implementation, make use of builtin table definitions to decide whether
a given chain is a builtin one or not.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ip{,6}tables prints feedback for various commands if in verbose
mode, make sure nft variants do the same.
There is one difference, namely when checking a rule (-C command):
Legacy ip{,6}tables print the rule in any case, nft variants don't in
case the rule wasn't found. Changing this though would require to
populate the nftnl_rule object just for printing, which is probably not
feasible.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Just like legacy iptables, iptables-nft should not treat the attempt to
list a non-existing chain as OK.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the same issue commit a4e78370af849 ("iptables-compat: fix empty
chains after first invocation of iptables-compat -L") fixed back in
2014. Seems like some changes since then broke it again.
This time, existing cache not containing the added table/chains gets
into the way, so clear it if nft_commit() was called.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Unlike iptables, nftables counts rules in a chain as references to that
chain. Align output of 'iptables-nft -L' with that of legacy iptables by
counting the number of rules in a chain and subtracting that value from
reference count before printing the chain header.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
In nft_chain_builtin_init(), The wrong macro was used for iterating over
the built-in chains of a given table. That array's length is defined
using NF_INET_NUMHOOKS, not NF_IP_NUMHOOKS. Though this change is rather
cosmetic since both macros resolve into the same value.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
In libnftnl-1.0.5, symbol name prefix changed from 'nft_' to 'nftnl_'.
This patch fixes for two places forgotten by the relevant commit.
Fixes: 742baabd185c3 ("iptables-compat: use new symbols in libnftnl")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
not added to the cache.
There is one exception though, namely when zeroing counters:
nft_chain_zero_counters() adds a chain object it took from chain cache.
To distinguish this situation from the others, introduce
NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
These always have to be freed because nft_chain_user_del() removes them
from the cache so they are not freed when the chain cache is flushed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to variable 'ret' not being initialized in all situations, return
code of the function depends on garbage in stack. Fix this by
initializing 'ret' to zero upon declaration.
While being at it, make nftnl_chain_list_get() failure as well as
nftnl_chain_list_iter_create() failure an error condition since both
functions should succeed even if the current ruleset does not contain
any chains at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
For each parsed table, xtables-restore calls nft_table_flush() which
each time allocates a new rule cache, possibly overwriting the pointer
to the previously allocated one. Fix this by checking the pointer value
and only allocate if it's NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Currently rule counters are always printed, but that's not the desired
behavior. We should only print them with the verbose flag. This broke
when the arguments of nft_rule_print_save() were changed to accept the
format instead of a counters flag.
Fixes: cdc78b1d6bd7 ("nft: convert rule into a command state structure")
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when using custom nft tables + iptables-nft, iptables-nft -L
may fail with
iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool.
even if filter table is compatible.
Problem is that the chain cache tracks ALL chains.
The "old" compat-check only walked chains in the table to checked
(filter in this case), now we will see all other
chains including base chains of another table.
It seems better to extend the chain cache long-term to track chains
per table instead, but for now skip the foreign ones.
Reported-by: Eric Garver <e@erig.me>
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Preparing ebtables-save implementation, allow for callers to pass format
bits to nft_rule_save() instead of just the 'counters' boolean.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
In preparation for ebtables-save implementation, introduce a callback
for convenient per-family formatting of chains in save output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
The name is quite misleading, since these functions/callbacks are not
about the whole ruleset but just a single rule. So rename them to
reflect this.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This relieves callers from having to prepare iptables_command_state,
which often happens just for the sake of passing it to this function.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Without this, trying to add a rule using ebtables without proper
permissions crashes the program.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also, in nf_tables backend case, only show more than one error
if we're iptables-restore, else we get very long concatenated errorline.
old:
iptables v1.6.2: can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2: iptables: CHAIN_ADD failed (Device or resource busy): chain PREROUTINGCHAIN_ADD failed (Device or resource busy): chain INPUTCHAIN_ADD failed (Device or resource busy): chain POSTROUTINGCHAIN_ADD failed (Device or resource busy): chain OUTPUT
iptables-restore v1.6.2: iptables-restore:
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING
now:
iptables v1.6.2 (legacy): can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2 (nf_tables): CHAIN_ADD failed (Device or resource busy): chain PREROUTING
iptables-restore v1.6.2 (nf_tables):
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*filter
:INPUT DROP [32:4052]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT
COMMIT
will be restored with ACCEPT policies. When
-A OUTPUT is processed, the OUTPUT chain isn't found in the chain cache,
so the table is re-created with ACCEPT policies, which overrides the
earlier DROP policies.
A better fix would be to add the policy setting to the chain cache
but it seems we'll need a chain abstraction with refcounting first.
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
nft meta expr enables the nfnetlink based trace infrastruvture, so
prefer to use that rather than xt_TRACE.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
in bridge and arp families, some tables such as security do not exist,
so name is NULL. skip them, else we segfault in strcmp.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Check for nft_insert_rule, since nft_add_rule is never set via nft_fn.
Moreover, generalize ELOOP error since there is only one single location
in the kernel code where we can hit this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a difference between error messages in iptables and
iptables-compat:
# iptables-compat -D INPUT 4
iptables: No chain/target/match by that name.
# iptables -D INPUT 4
iptables: Index of deletion too big.
Now, will show same error message.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Otherwise, flush commands on not-yet-initialized basechains hit ENOENT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Perform incremental tracking on rule cache updates, instead of flushing
and resynchronizing with the kernel over and over again.
Note that there is no need to call flush_rule_cache() from
nft_rule_delete() and nft_rule_delete_num(), since __nft_rule_del()
already deletes the rule from the list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
So we don't have to dump the chain cache content over and over again.
Moreover, perform incremental updates on the chain cache to add and to
delete non-base chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We cannot assume iptables-restore files always come with explicit
basechain definition, eg.
:PREROUTING ACCEPT
incremental ruleset updates may deliberately skip this.
But loading basechains over and over again can take time, so do it just
once per batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-restore < /tmp/bogus
iptables-restore v1.6.2: iptables-restore:
line 49: RULE_APPEND failed (No such file or directory): rule in chain FOOBAR
line 2023: RULE_APPEND failed (Invalid argument): rule in chain TESTSNAT
This is a followup commit to 437746c7b528f ("xtables: extended error reporting").
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use existing batching API from library, the existing code relies on an
earlier implementation of it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Use nft_is_table_compatible instead as only helper to a 'skip' decision.
Custom tables, tables that have extra base chains that iptables
syntax doesn't allow or rules that have special constructs line nftables
set lookups or verdict maps are not listed, but a message is provided
to show that such table exists.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
This is used by a followup patch to avoid continuing the 'dump everything
and then ignore what we don't need' model.
Places that know they only need a particular table
'iptables-save -t filter' can ask the kernel to limit this for us.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# iptables-compat -N coffee
# iptables-compat -I coffee
# iptables-compat -X coffee
iptables: Device or resource busy.
While it should say:
iptables: Directory not empty.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
With no -n, semantics for *filter are to delete filter table and all its
content.
This restores the similar behaviour introduced in ca165845f7ec
("xtables-compat-restore: flush rules and delete user-defined chains").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
# iptables-compat -X
iptables: No chain/target/match by that name.
While it should display no error message at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-n still flushes user-defined chains and its content, the following snippet:
iptables-compat -N FOO
iptables-compat -I INPUT
iptables-compat -I FOO
iptables-compat -I FOO
iptables-compat-save > A
iptables-compat-restore < A
iptables-compat -N BAR
iptables-compat -A BAR
iptables-compat-restore -n < A
results in:
iptables-compat-save
# Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BAR - [0:0]
:FOO - [0:0]
-A INPUT
-A INPUT
-A BAR
-A FOO
-A FOO
COMMIT
# Completed on Mon May 7 17:18:44 2018
Still, user-defined chains that are not re-defined, such as BAR, are
left in place.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Instead of deleting the table and base chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
needed to display rules that exceed 4k (MNL buffer size).
This can happen with many matches in a rule or when using
-m cgroup (4k per match).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
noticed that iptables-compat-save exits with 1 on success,
whereas iptables-compat-save -t filter returns 0 (as expected).
Caused by double-invert of return value, so ge rid of those.
do_output now returns a value suitable to pass to exit() or return from main.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Remove dead code that uses the ancient non-batch netlink API. Chains
are already purged out from table flush.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following snippet fails if user chain FOO exists, but it should not fail:
iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is only needed by 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced featureset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
... or when using multiple --comment lines.
This is more of a 'cosmetic' fix to handle the test suite case.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Kernel clamps udata size at 256 bytes, udata size however also includes
internal bookkeeping which brings us over this limit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Only ip and ip6tables have revision retrieval support; pretend
ebtables and arptables are always ok.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Its not supported anymore as of 4.13, and it did not work
before this either (arp packets cannot be routed).
This unbreaks arptables-compat -- without this fix kernel rejects the
incoming ruleset skeleton.
filtering forwarded arp packets on a bridge can be done either via
'netdev' or 'bridge' families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
This function is only used from iptables/nft.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|