| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field inside
the xtables_globals struct and is not modified anywhere.
Done using following coccinelle semantic patch
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct option i[] = { ... };
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
xtables-eb.c:305:1: warning: empty declaration
} __attribute__((noreturn, format(printf,2,3)));
^
xtables-eb.c:311:2: warning: initialization makes '__attribute__((noreturn))' qualified function pointer from unqualified
.exit_err = ebt_print_error,
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, error reporting in ebtables-compat was like:
% ebtables-compat xxx
(null) v1.4.21: Bad argument : 'xxx'
Try `(null) -h' or '(null) --help' for more information.
While the original ebtables was:
% ebtables xxx
Bad argument : 'xxx'.
With this patch, we switch to:
% ebtables-compat xxx
Bad argument : 'xxx'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add support for the ebtables limit extension (match),
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
| |
Let's give support for the nflog extension (a watcher).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
ebtables watchers are targets which always return EBT_CONTINUE.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's call extensions final checks.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Translate mark_m match extension to the xtables-compat environment.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the 'ip' match extension to ebtables-compat.
It involves adapting old ebtables extension code to the xtables-compat
environment.
For testing:
% sudo ebtables-compat -p 0x0800 --ip-src 1.1.1.1 -j ACCEPT
The patch includes a cached copy of the extension kernel header.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using two matches options results in two copies of the match being included
in the nft rule.
Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
% -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
[Note: the br_ip extension comes in a follow-up patch]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Parsing options will be overwritten if every time we load a match
the extension options are merged to the original options.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch:
% sudo ebtables-compat -L --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
-j ACCEPT , pcnt = 123 -- bcnt = 123
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Renaming of chains is not working. and ebtables-compat gets:
libnftnl: attribute 0 assertion failed in chain.c:159
This patch brings back the parser code of the original ebtables tool:
http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652
I adapted the original parser code to fit in the new environment. Also tried to
keep original error messages as much as possible.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command: Result:
-L Always RETURN for user-defined chains
-P builtin RETURN Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP ok
-P userdefined RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
-N userdefined ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This message doesn't exist in the original ebtables tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
And introduce fake ebt_entry.
This gets the code in sync in other existing compat tools. This
will likely allow to consolidate common infrastructure.
This code is still quite experimental.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.
[ Original patches:
http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/
I have also forward port them on top of the current git HEAD, otherwise
compilation breaks.
This bootstrap is experimental, this still needs more work. --Pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
