| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts the following commits:
b14c971db6db0 ("tests: Test compat mode")
11c464ed015b5 ("Add --compat option to *tables-nft and *-nft-restore commands")
ca709b5784c98 ("nft: Introduce and use bool nft_handle::compat")
402b9b3c07c81 ("nft: Pass nft_handle to add_{target,action}()")
This implementation of a compatibility mode implements rules using
xtables extensions if possible and thus relies upon existence of those
in kernel space. Assuming no viable replacement for the internal
mechanics of this mode will be found in foreseeable future, it will
effectively block attempts at deprecating and removing of these xtables
extensions in favor of nftables expressions and thus hinder upstream's
future plans for iptables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flag sets nft_handle::compat boolean, indicating a compatible rule
implementation is wanted. Users expecting their created rules to be
fetched from kernel by an older version of *tables-nft may use this to
avoid potential compatibility issues.
Changes since v1:
- Expect short option '-C' in {ip,ip6,eb}tables-nft-restore command line
parser
- Support -C/--compat in arptables-nft-restore, too
- Update man pages with the new flag
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Define the different optstrings in xshared.h instead, they are not
relevant for other libxtables users.
This is a partial revert of commit 65b150ae382a8 ("xshared: Store
optstring in xtables_globals") to avoid breaking libxtables' ABI
compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function checks afinfo->family already to cover ip6tables specifics,
doing the same for arptables does not make things much worse.
This changes arptables-nft help output slightly:
* List possible negations extrapositioned, which is preferred anyway
(arptables-nft supports both)
* List --out-interface option at lexically sorted position
* Print --wait option, it's ignored just like with iptables
* Restore default target option printing as with legacy arptables (not
sure if arptables-nft ever did this) by explicitly loading them.
While being at it, add --set-counters short option '-c' to help output
for ip(6)tables.
This effectively removes the need for (and all users of)
xtables_global's 'print_help' callback, thus effectively reverts commit
fe83b12fc910e ("libxtables: Introduce xtables_globals print_help
callback") which broke libxtables' ABI compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
It will be referenced by xtables_printhelp() if printing for arptables
and therefore must be present in legacy as well even if unused.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Add calls to arp- and ebtables-specific extension loaders where missing.
Also consistently call init_extensions() for them, as some extensions
(ebtables 'limit' and arptables 'CLASSIFY' and 'MARK') live in libxt_*
files.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Instead of guarding all calls to init_extensions*(), define stubs if not
used.
While at it, also add the missing prototypes for arp- and ebtables
extension initializers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Basically merge the function with xtables_exit_error,
printing a status-specific footer for parameter or version problems.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Both are constant strings, so precompiler may concat them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By declaring the relevant family_ops callbacks for arptables, the code
becomes ready to just use do_commandx() instead of a dedicated parser.
As a side-effect, this enables a bunch of new features in arptables-nft:
* Support '-C' command
* Support '-S' command
* Support rule indexes just like xtables, e.g. in '-I' or '-R' commands
* Reject chain names starting with '!'
* Support '-c N,M' counter syntax
Since arptables still accepts intrapositioned negations, add code to
cover that but print a warning like iptables did 12 years ago prior to
removing the functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
This accomplishes the same tasks as e.g. nft_ipv4_post_parse() plus some
arptables-specific bits.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Use the compound data structures introduced for dedicated parsing
routines in other families instead of the many local variables. This
allows to standardize code a bit for sharing a common parser later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
With optstring being stored in struct xtables_globals as well, it is a
natural choice to store a pointer to a help printer also which matches
the supported options.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Preparing for a common option parser, store the string of options for
each family inside the respective xtables_globals object. The
array of long option definitions sitting in there already indicates it's
the right place.
While being at it, drop '-m' support from arptables-nft.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The set of builtin tables to use is fully determined by the given family
so just look it up instead of having callers pass it explicitly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The only reason why this is prohibited is that you cannot do it
in iptables-legacy.
This removes the artifical limitation.
"iptables-nft -X" will leave the builtin chains alone;
Also, deletion is only permitted if the chain is empty.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Join invflags handling between iptables, ip6tables, xtables and
arptables. Ebtables still has its own code which differs quite a bit.
In order to use a shared set_option() routine, iptables and ip6tables
need to provide a local 'invflags' variable which is 16bits wide.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add OPT_FRAGMENT define into the enum of other OPT_* defines at the
right position and adjust the arptables-specific ones that follow
accordingly. Appropriately adjust inverse_for_options array in
xtables-arp.c.
Extend optflags from iptables.c by the arptables values for the sake of
completeness, then move it to xshared.h along with NUMBER_OF_OPT
definition. As a side-effect, this fixes for wrong ordering of entries
in arptables' 'optflags' copy.
Add arptables-specific bits to commands_v_options table (the speicific
options are matches on ARP header fields, just treat them like '-s'
option. This is also just a cosmetic change, arptables doesn't have a
generic_opt_check() implementation and hence doesn't use such a table.
With things potentially ready for common use, move commands_v_options
table along with generic_opt_check() and opt2char() into xshared.c and
drop the local (identical) implementations from iptables.c, ip6tables.c
xtables.c and xtables-arp.c. While doing so, fix ordering of entries in
that table: the row for CMD_ZERO_NUM was in the wrong position. Since
all moved rows though are identical, this had no effect in practice.
Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h")
Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arptables invflags are partly identical to IPT_INV_* ones but the bits
are differently assigned. Eliminate this incompatibility by definition
of the unique invflags in nft-arp.h on bits that don't collide with
IPT_INV_* ones, then use those in combination with IPT_INV_* ones in
arptables-specific code.
Note that ARPT_INV_ARPPRO is replaced by IPT_INV_PROTO although these
are in fact different options - yet since '-p' option is not supported
by arptables, this does not lead to a collision.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding a parser which supports common names for special MAC/mask
combinations and a print routine detecting those special addresses and
printing the respective name allows to consolidate all the various
duplicated implementations.
The side-effects of this change are manageable:
* arptables now accepts "BGA" as alias for the bridge group address
* "mac" match now prints MAC addresses in lower-case which is consistent
with the remaining code at least
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Follow regular code path after handling --help option to gracefully
deinit and free stuff.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
In a few places, initialized struct iptables_command_state was not fully
deinitialized. Change them to call nft_clear_iptables_command_state()
which does it properly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch updates the parser to generate a list of command objects.
This list of commands is then transformed to a list of netlink jobs.
This new command object stores the rule using the nftnl representation
via nft_rule_new().
To reduce the number of updates in this patch, the nft_*_rule_find()
functions have been updated to restore the native representation to
skip the update of the rule comparison code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move common code into nft_init(), such as:
* initial zeroing nft_handle fields
* family ops lookup and assignment to 'ops' field
* setting of 'family' field
This requires minor adjustments in xtables_restore_main() so extra field
initialization doesn't happen before nft_init() call.
As a side-effect, this fixes segfaulting xtables-monitor binary when
printing rules for trace event as in that code-path 'ops' field wasn't
initialized.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
The local implementation differs just slightly but libxtables version
seems more correct (no needless memsetting of mask, more relevant
illegal character checking) so use that one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These defines are internal use only, so their actual value doesn't
matter as long as they're unique and inverse_for_options array items
match:
When negating a given option, the corresponding OPT_* value's bit is
used as an index into inverse_for_options to retrieve the corresponding
invflag. If zero, either negating or the option itself is not supported.
(In practice, a lookup for unsupported option won't happen as those are
caught by getopt_long()).
Since xtables-arp's OPT_* values change, adjust the local
inverse_for_options array accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
And drop the conditional defines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With all fields in commands_v_options[][] being whitespace, the function
is effectively a noop.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
They are mostly identical, just xtables-arp ones differ slightly. Though
since they are internal use only and their actual value doesn't matter
(as long as it's a distinct bit), they can be merged anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The function is really small, but still copied four times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The shared definition of cmdflags is a super set of the previous one in
xtables-arp.c so while not being identical, they're compatible.
Avoid accidental array overstep in cmd2char() by incrementing an index
variable and checking its final value before using it as such.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
These seem like leftovers when changing code to use xtables_chain_protos
as struct xtables_pprot is identical to struct pprot removed here.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the same code for parsing source and destination IP addresses as
iptables and drop all the local functions dealing with that.
While being at it, call free() for 'saddrs' and 'daddrs' unconditionally
(like iptables does), they are NULL if not used.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The IPTABLES_VERSION C macro replicates the PACKAGE_VERSION C macro
(both have the same definition, "@PACKAGE_VERSION@"). Since
IPTABLES_VERSION, being located in internal.h, is not exposed to
downstream users in any way, it can just be replaced by
PACKAGE_VERSION, which saves a configure-time file substitution.
This goes towards eliminating unnecessary rebuilds after rerunning
./configure.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
The use of global 'optarg' variable inside that function is a mess, but
most importantly it limits its applicability to input parsers. Fix this
by having it take the option argument as a parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
These masks are not used in nftables backend, but mangle extension
checks arhln_mask value to make sure --h-length was given (which is
implicitly the case).
Fixes: 5aecb2d8bfdda ("arptables: pre-init hlen and ethertype")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
When replacing a rule, the replacement was simply appended to the
chain's rule list. Instead, insert it where the rule it replaces was.
This also fixes for zero counters command to remove the old rule from
cache.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Relevant code for this was already present (short option '-c'), just the
long option definition was missing.
While being at it, add '-c' to help text.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
way too generic name.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
old: arptables vlibxtables.so.12 (nf_tables)
now: arptables 1.8.1 (nf_tables)
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
You can run 'arptables-legacy -t foobar' and commands work fine,
as it still operates on filter table (the only table that exists).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:
base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)
In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the correct location, but we cannot
do this in nf_tables, at least not at this time (we need a fixed offset
value).
code does:
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...
but if user did not provide "--h-length 6" argument, then this won't
work even for ethernet, as the payload expression will be told to load
the first 4 bytes of arp header source mac address (sender hw address).
Fix this by pre-initialising arhlen to 6.
We also need to set up arhrd. Otherwise, src/dst mac can't be used:
arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT
This means that matching won't work for AX25, NETROM etc, however,
arptables "classic" can't parse non-ethernet addresses, and makes
ETH_ALEN assumptions in several spots, so this should be fine from
compatibility point of view.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This isn't a missing feature in the -nft version,
neither plen and -m were ever implemented in arptables-legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of commit 9f075031a1973 ("Combine
parse_target() and command_jump() implementations"): Upstream prefers to
reduce max chain name length of arptables by two characters instead of
the introduced struct xtables_globals field which requires to bump
library API version.
Fixes: 9f075031a1973 ("Combine parse_target() and command_jump() implementations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merge these two functions from xtables, iptables, ip6tables and
arptables. Both functions were basically identical in the first three,
only the last one required a bit more attention.
To eliminate access to 'invflags' in variant-specific location, move the
call to set_option() into callers. This is actually consistent with
parsing of other options in them.
As with command_match(), use xt_params instead of the different
*_globals objects to refer to 'opts' and 'orig_opts'.
It was necessary to rename parse_target() as it otherwise clashes with a
static function of same name in libxt_SET.
In arptables, the maximum allowed target name is a bit larger, so
introduce xtables_globals.target_maxnamelen defining the value. It is
used in the shared xt_parse_target() implementation.
Implementation of command_jump() in arptables diverted from the others
for no obvious reason. The call to parse_target() was done outside of it
and a pointer to cs->arp was passed but not used inside.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds C implementations for arptables-save and -restore in compat
layer based on the two perl scripts in legacy arptables repository.
To share common code, introduce nft_init_arp() analogous to
nft_init_eb() introduced earlier.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ip{,6}tables prints feedback for various commands if in verbose
mode, make sure nft variants do the same.
There is one difference, namely when checking a rule (-C command):
Legacy ip{,6}tables print the rule in any case, nft variants don't in
case the rule wasn't found. Changing this though would require to
populate the nftnl_rule object just for printing, which is probably not
feasible.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trying to jump into a user-defined chain was not possible:
| arptables-nft -N foo
| arptables-nft -A INPUT -j foo
| (null) v1.8.0 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain INPUT
Since nft_arp_add() already does the right thing if cs->target is NULL
and cs->jumpto contains a non-empty string, simply drop the block of
code trying to deal with the situation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
