summaryrefslogtreecommitdiffstats
path: root/iptables/xtables-eb.c
Commit message (Collapse)AuthorAgeFilesLines
* ebtables: Exit gracefully on invalid table namesPhil Sutter2021-01-281-4/+4
| | | | | | | | | | | | | | | | | | | | | | Users are able to cause program abort by passing a table name that doesn't exist: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. | Aborted Avoid this by checking table existence just like iptables-nft does upon parsing '-t' optarg. Since the list of tables is known and fixed, checking the given name's length is pointless. So just drop that check in return. With this patch in place, output looks much better: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables v1.8.7 (nf_tables): table 'dummy' does not exist | Perhaps iptables or your kernel needs to be upgraded. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-031-53/+6
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Fix for broken chain renamingPhil Sutter2020-11-171-0/+1
| | | | | | | | | | Loading extensions pollutes 'errno' value, hence before using it to indicate failure it should be sanitized. This was done by the called function before the parsing/netlink split and not migrated by accident. Move it into calling code to clarify the connection. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-restore: Fix verbose mode table flushingPhil Sutter2020-06-091-1/+1
| | | | | | | | | | When called with --verbose mode, iptables-nft-restore did not print anything when flushing the table. Fix this by adding a "manual" mode to nft_cmd_table_flush(), turning it into a wrapper around '-F' and '-X' commands, which is exactly what iptables-legacy-restore does to flush a table. This though requires a real cache, so don't set NFT_CL_FAKE then. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Don't exit early after printing help textsPhil Sutter2020-05-111-1/+1
| | | | | | | Follow regular code path after handling --help option to gracefully deinit and free stuff. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_fini()Phil Sutter2020-05-111-0/+1
| | | | | | | | | | | | Record handles of loaded shared objects in a linked list and dlclose() them from the newly introduced function. While functionally not necessary, this clears up valgrind's memcheck output when also displaying reachable memory. Since this is an extra function that doesn't change the existing API, increment both current and age. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Free statically loaded extensions againPhil Sutter2020-05-111-0/+17
| | | | | | | | | All ebtables extensions are loaded upon program start as due to the lack of '-m' parameters, loading on demand is not possible. Introduce nft_fini_eb() to counteract nft_init_eb() and free dynamic memory in matches and targets from there. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: split parsing from netlink commandsPablo Neira Ayuso2020-05-111-13/+13
| | | | | | | | | | | | | | This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Review nft_init()Phil Sutter2020-02-241-8/+1
| | | | | | | | | | | | | | | | | Move common code into nft_init(), such as: * initial zeroing nft_handle fields * family ops lookup and assignment to 'ops' field * setting of 'family' field This requires minor adjustments in xtables_restore_main() so extra field initialization doesn't happen before nft_init() call. As a side-effect, this fixes segfaulting xtables-monitor binary when printing rules for trace event as in that code-path 'ops' field wasn't initialized. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: bridge: Rudimental among extension supportPhil Sutter2019-11-251-0/+1
| | | | | | | | | Support among match as far as possible given the limitations of nftables sets, namely limited to homogeneous MAC address only or MAC and IP address only matches. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: Unbreak *tables-restorePhil Sutter2019-10-231-1/+3
| | | | | | | | | | | | | | | | | Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") installed an error check which evaluated true in all cases as all callers of do_command callbacks pass a pointer to a table name already. Attached test case passed as it tested error condition only. Fix the whole mess by introducing a boolean to indicate whether a table parameter was seen already. Extend the test case to cover positive as well as negative behaviour and to test ebtables-restore and ip6tables-restore as well. Also add the required checking code to the latter since the original commit missed it. Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: Fix --table parameter checkPhil Sutter2019-10-211-0/+4
| | | | | | | | | | | | | | | | | | | | | Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* ebtables: fix over-eager -o checks on custom chainsFlorian Westphal2019-09-121-2/+3
| | | | | | | | | | | | | | | | Arturo reports ebtables-nft reports an error when -o is used in custom chains: -A MYCHAIN -o someif makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains." Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active. Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347 Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-save: Fix counter formattingPhil Sutter2019-07-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial problem was 'ebtables-save -c' printing iptables-style counters but at the same time not disabling ebtables-style counter output (which was even printed in wrong format for ebtables-save). The code around counter output was complicated enough to motivate a larger rework: * Make FMT_C_COUNTS indicate the appended counter style for ebtables. * Use FMT_EBT_SAVE to distinguish between '-c' style counters and the legacy pcnt/bcnt ones. Consequently, ebtables-save sets format to: FMT_NOCOUNTS - for no counters FMT_EBT_SAVE - for iptables-style counters FMT_EBT_SAVE | FMT_C_COUNTS - for '-c' style counters For regular ebtables, list_rules() always sets FMT_C_COUNTS (iptables-style counters are never used there) and FMT_NOCOUNTS if no counters are requested. The big plus is if neither FMT_NOCOUNTS nor FMT_C_COUNTS is set, iptables-style counters are to be printed - both in iptables and ebtables. This allows to drop the ebtables-specific 'save_counters' callback. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Fix error message for invalid parametersPhil Sutter2019-07-231-1/+1
| | | | | | | | | | | | | | | | | | With empty ruleset, ebtables-nft would report the wrong argv: | % sudo ./install/sbin/ebtables-nft -vnL | ebtables v1.8.3 (nf_tables): Unknown argument: './install/sbin/ebtables-nft' | Try `ebtables -h' or 'ebtables --help' for more information. After a (successful) call to 'ebtables-nft -L', this would even segfault: | % sudo ./install/sbin/ebtables-nft -vnL | zsh: segmentation fault sudo ./install/sbin/ebtables-nft -vnL Fixes: acde6be32036f ("ebtables-translate: Fix segfault while parsing extension options") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace IPTABLES_VERSION by PACKAGE_VERSIONJan Engelhardt2019-05-301-2/+2
| | | | | | | | | | | | | The IPTABLES_VERSION C macro replicates the PACKAGE_VERSION C macro (both have the same definition, "@PACKAGE_VERSION@"). Since IPTABLES_VERSION, being located in internal.h, is not exposed to downstream users in any way, it can just be replaced by PACKAGE_VERSION, which saves a configure-time file substitution. This goes towards eliminating unnecessary rebuilds after rerunning ./configure. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: Support user-defined chain policiesPhil Sutter2019-02-081-11/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Legacy ebtables supports policies for user-defined chains - and what's worse, they default to ACCEPT unlike anywhere else. So lack of support for this braindead feature in ebtables-nft is actually a change of behaviour which very likely affects all ebtables users out there. The solution implemented here uses an implicit (and transparent) last rule in all user-defined ebtables-nft chains with policy other than RETURN. This rule is identified by an nft comment "XTABLES_EB_INTERNAL_POLICY_RULE" (since commit ccf154d7420c0 ("xtables: Don't use native nftables comments") nft comments are not used otherwise). To minimize interference with existing code, this policy rule is removed from chains during cache population and the policy is saved in NFTNL_CHAIN_POLICY attribute. When committing changes to the kernel, nft_commit() traverses through the list of chains and (re-)creates policy rules if required. In ebtables-nft-restore, table flushes are problematic. To avoid weird kernel error responses, introduce a custom 'table_flush' callback which removes any pending policy rule add/remove jobs prior to creating the NFT_COMPAT_TABLE_FLUSH one. I've hidden all this mess behind checks for h->family, so hopefully impact on {ip,ip6,arp}tables-nft should be negligible. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* xshared: Explicitly pass target to command_jump()Phil Sutter2019-02-071-1/+1
| | | | | | | | | The use of global 'optarg' variable inside that function is a mess, but most importantly it limits its applicability to input parsers. Fix this by having it take the option argument as a parameter. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for false-positive rule matchingPhil Sutter2019-02-051-46/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | When comparing two rules with non-standard targets, differences in targets' payloads wasn't respected. The cause is a rather hideous one: Unlike xtables_find_match(), xtables_find_target() did not care whether the found target was already in use or not, so the same target instance was assigned to both rules and therefore payload comparison happened over the same memory location. With legacy iptables it is not possible to reuse a target: The only case where two rules (i.e., iptables_command_state instances) could exist at the same time is when comparing rules, but that's handled using libiptc. The above change clashes with ebtables-nft's reuse of target objects: While input parsing still just assigns the object from xtables_targets list, rule conversion from nftnl to iptables_command_state allocates new data. To fix this, make ebtables-nft input parsing use the common command_jump() routine instead of its own simplified copy. In turn, this also eliminates the ebtables-nft-specific variants of parse_target(), though with a slight change of behaviour: Names of user-defined chains are no longer allowed to contain up to 31 but merely 28 characters. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix position of replaced rules in cachePhil Sutter2019-01-181-1/+1
| | | | | | | | | | | When replacing a rule, the replacement was simply appended to the chain's rule list. Instead, insert it where the rule it replaces was. This also fixes for zero counters command to remove the old rule from cache. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Use xtables_exit_err()Phil Sutter2018-11-231-13/+2
| | | | | | | | | | | | | | | | | When e.g. ebtables-nft detects an incompatible table, a stray '.' was printed as last line of output: | # ebtables-nft -L | table `filter' is incompatible, use 'nft' tool. | . This comes from ebtables' own exit_err callback. Instead use the common one which also provides useful version information. While being at it, align the final error message in xtables_eb_main() with how the others print it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-nft: add arpreply targetFlorian Westphal2018-11-031-0/+1
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: relax -t table restriction, add snat/dnat test casesFlorian Westphal2018-11-031-3/+0
| | | | | | | | | | | | | | Its artificial and prevents test cases that need to add rules to a different table from working. The test script generates: -A PREROUTING -t nat ... which works fine for iptables and ip6tables. Just accept it for ebtables too and add test cases for snat and dnat. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: fix -j CONTINUE handling for add/deleteFlorian Westphal2018-11-031-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables, you can do either ebtables -A INPUT or ebtables -A INPUT -j CONTINUE both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side). However, the temprary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target(). When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules. So when doing -I INPUT -j CONTINUE -D INPUT -j CONTINUE the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary represenation doesn't. Fix it by ignoring 'CONTINUE' on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-201-2/+1
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-201-3/+3
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Fix a few cases of pointless assignmentsPhil Sutter2018-09-241-3/+0
| | | | | | | | This gets rid of a number of assignments which are either redundant or not used afterwards. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Review match/target lookup once morePhil Sutter2018-08-241-32/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a partial revert of my previous commit with similar subject - it missed to apply the needed changes to ebtables-translate as well and on top of that still left some leaks and use-after-frees in place. The new strategy is to make ebtables extension loading compatible with that of xtables, because otherwise the heavy code sharing between ebtables-translate and iptables-translate will cause trouble. Basically, ebt_add_match() and ebt_add_watcher() copy what xtables' command_match() does, but after the actual extension argument parsing has already happened. Therefore they duplicate the loaded match along with its data and reset the original one to default state for being reused (e.g., by ebtables-restore). Since mflags/tflags are cleared while doing so, clearing them for all loaded extensions in do_commandeb() is not necessary anymore. In ebt_command_default() (where extension parameter parsing happens), the list of added extensions to the current rule are consolidated first so no duplicate extension loading happens. With the above in place, ebt_cs_clean() can be reverted to its old state. Apart from sharing command_jump() function with ebtables-translate, make use of nft_init_eb() there, as well. Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-translate: Fix segfault while parsing extension optionsPhil Sutter2018-08-241-46/+40
| | | | | | | | | | | | | | | Previous review of match/target lookup did not consider xtables-eb-translate.c which contains the same code. Fix parsing of target/match arguments there as well by introducing ebt_command_default() which consolidates the previously duplicated code. One notable quirk in comparison to the similar xtables code: Since ebtables allows for negations in ugly places (e.g. '--arp-opcode ! 1'), ebt_check_inverse2() has to be called first. Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: trivial: Leverage C99-style initializers a bit morePhil Sutter2018-08-241-1/+1
| | | | | | | | | | This nit was discovered when comparing do_commandeb() with do_commandeb_xlate(): Since 'cs' is initialized upon declaration already, initialization of field '.eb.bitmask' may be moved there as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Fix for listing of non-existent chainsPhil Sutter2018-08-161-2/+0
| | | | | | | | | | | | | | | | | When trying to list a non-existent chain, ebtables-nft would just print the table header and then exit with a code of zero. In order to be more consistent with legacy ebtables, change the code to: * Print table header only if chosen chain is found and * propagate the error condition if chain was not found to print an error message. Note that this does not establish full parity with legacy ebtables due to the error code being 1 instead of 255 and the error message differing from the legacy one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Merge libebt_limit.c into libxt_limit.cPhil Sutter2018-08-161-1/+4
| | | | | | | | | | | | | | | | | Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically also loads the NFPROTO_UNSPEC limit match. This is not a problem per se since match lookup will prefer the family-specific one, but when parsing unknown options, a match without 'parse' callback is encountered. Therefore do_commandeb() has to check existence of that callback prior to dereferencing it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Remove flags misinterpretationsPhil Sutter2018-08-101-9/+7
| | | | | | | | | | | | | | | This is actually quite a mess: xtables-eb.c defines names for bits in 'flags' variable of do_commandeb(), though these tend to clash with bit names defined in xshared.h due to the same 'OPT_' prefix. Therefore checking for bits OPT_NUMERIC and OPT_VERBOSE is syntactically correct, but semantically wrong as they actually refer to bits OPT_COMMAND and OPT_PROTOCOL. Since ebtables doesn't support numeric nor verbose modes, just replace the checks with zero values. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Review match/target lookupPhil Sutter2018-08-061-39/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since ebtables does not indicate extension use on commandline via '-m' flag as in iptables, loading of matches has to happen prior to commandline parsing. While parsing, the right extension is searched for unknown parameters by passing it to its 'parse' callback and checking if it succeeds. As an unavoidable side-effect, custom data in xtables_targets objects is being altered if the extension parser succeeds. If called multiple times, do_commandeb() leaks memory and fixing this requires to properly treat the above quirk: * Load extensions just once at program startup, thereby reusing the existing ones for several calls of do_commandeb(). * In ebt_cs_clean(), don't free memory which is being reused. Instead reinit custom extension data if it was used in current do_commandeb() call (i.e., it is contained in cs->match_list). On the other hand, target lookup in command_jump() can be simplified a lot: The only target it may have loaded is 'standard', so just load that at as well at program startup and reduce command_jump() to a simple linked list search. Since 'standard' target does not prove a 'parse' callback, a check is necessary when parsing target options. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-restore: Use xtables_restore_parse()Phil Sutter2018-08-061-1/+3
| | | | | | | | | This drops the dedicated input parser (which was broken in many ways anyway) and replaces it by the common one now that all required knobs are in place. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Match verbose ip{,6}tables output with legacyPhil Sutter2018-08-041-3/+4
| | | | | | | | | | | | | | Legacy ip{,6}tables prints feedback for various commands if in verbose mode, make sure nft variants do the same. There is one difference, namely when checking a rule (-C command): Legacy ip{,6}tables print the rule in any case, nft variants don't in case the rule wasn't found. Changing this though would require to populate the nftnl_rule object just for printing, which is probably not feasible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Support --init-table commandPhil Sutter2018-08-041-1/+3
| | | | | | | | | This effectively flushes all built-in chains and removes user-defined ones. Since compat layer takes care of built-in table/chain creation, it is sufficient to just drop the relevant table. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Fix match_list insertionPhil Sutter2018-08-041-10/+8
| | | | | | | | Find the end of the match_list before inserting in case the list contains more than one element. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: Fix for wrong program name in error messagesPhil Sutter2018-08-041-2/+2
| | | | | | | | Since nft_init_eb() is shared among standalone ebtables and ebtables-restore, allow for callers to pass the program name. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: implement ebtables-{save,restore}Phil Sutter2018-07-191-2/+2
| | | | | | | | | | | | | | | The code for ebtables-restore was derived from legacy code, ebtables-save is actually a new implementation using the existing infrastructure and trying to adhere to legacy perl script output formatting as much as possible. This introduces a new format flag (FMT_EBT_SAVE) to allow nft_bridge_save_rule() to distinguish between ruleset listing (i.e., ebtables -L) and saving via ebtables-save - the two differ in how counters are being formatted. Odd, but that's how it is. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: introduce nft_init_eb()Phil Sutter2018-07-191-0/+34
| | | | | | | This wraps nft_init(), adding required things needed for ebtables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: replace memset by c99-style initializersPhil Sutter2018-07-191-4/+3
| | | | | | | | This cleans up a few obvious cases identified by grepping the source code for 'memset'. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: add stp matchFlorian Westphal2018-07-021-0/+1
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: make -L, -X CHAINNAME workFlorian Westphal2018-06-291-11/+6
| | | | | | | In both cases the argument is optional, in both cases the argument wasn't evaluated. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: remove exec_styleFlorian Westphal2018-06-291-80/+7
| | | | | | no plans to support daemon mode, so remove this. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: don't crash on ebtables -XFlorian Westphal2018-06-291-4/+6
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: add nf_tables vs. legacy postfix to version stringsFlorian Westphal2018-06-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | -V now yields: arptables vlibxtables.so.12 (nf_tables) ebtables 1.6.2 (nf_tables) ip6tables v1.6.2 (legacy) ip6tables v1.6.2 (nf_tables) ip6tables-restore v1.6.2 (nf_tables) ip6tables-save v1.6.2 (nf_tables) ip6tables-restore v1.6.2 (legacy) ip6tables-restore-translate v1.6.2 ip6tables-save v1.6.2 (legacy) ip6tables-translate v1.6.2 (nf_tables) iptables v1.6.2 (legacy) iptables v1.6.2 (nf_tables) iptables-restore v1.6.2 (nf_tables) iptables-save v1.6.2 (nf_tables) iptables-restore v1.6.2 (legacy) iptables-restore-translate v1.6.2 iptables-save v1.6.2 (legacy) iptables-translate v1.6.2 (nf_tables) This allows to see wheter "iptables" is using old set/getsockopt or new nf_tables infrastructure. Suggested-by: Harald Welte <laforge@gnumonks.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: remove dead code inherited from ebtablesFlorian Westphal2018-06-151-2/+1
| | | | | | | | | | | | | | previous patch shows this problem: xtables-eb.c: In function ‘parse_change_counters_rule’: xtables-eb.c:534:65: warning: logical ‘and’ of mutually exclusive tests is always false [-Wlogical-op] (argv[optind + 1][0] == '-' && (argv[optind + 1][1] < '0' && argv[optind + 1][1] > '9'))) ... so this never worked. Just remove it, the arg will be fed to strtol() -- No need to do this check. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1149 Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add arp match extensionFlorian Westphal2018-05-211-0/+1
| | | | | | no translation yet, might be doable with raw payload expressions though. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add redirect match extensionFlorian Westphal2018-05-211-0/+1
| | | | | | | | | | No translation. The kernel match will alter packet type (meta set pkttype), but also replace dst mac with the bridges' mac address, however nft currently doesn't allow to retrieve this at runtime. So just add this without the xlate part for now. Signed-off-by: Florian Westphal <fw@strlen.de>