summaryrefslogtreecommitdiffstats
path: root/iptables
Commit message (Collapse)AuthorAgeFilesLines
* nft: save: fix the printing of the countersGiuseppe Longo2014-06-116-24/+44
| | | | | | | | This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: add tables and chains to the batchPablo Neira Ayuso2014-06-102-123/+249
| | | | | | | | | | | | | | | | Since kernel changes: 55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain"). it is possible to put tables and chains in the same batch (which was already including rules). This patch probes the kernel to check if if the new transaction is available, otherwise it falls back to the previous non-transactional approach to handle these two objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: remove unused codePablo Neira Ayuso2014-06-102-55/+4
| | | | | | | Remove code to set table in dormant state, this is not required from the iptables over nft compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: generalize batch infrastructurePablo Neira Ayuso2014-06-092-43/+43
| | | | | | Prepare inclusion of tables and chain objects in the batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables.8: --policy is either ACCEPT or DROPFlorian Westphal2014-04-171-4/+2
| | | | | | its enforced by both by libiptc and kernel. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: replace nft_rule_attr_get_u8Giuseppe Longo2014-03-244-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | Since the family declaration has been modified in libnftnl, from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion is failed for {ip,ip6,arp}tables-compat when printing rules. iptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 ip6tables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 arptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-save: actually parse -M/--modprobe optionJiri Popelka2014-03-174-4/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-{save,restore}: warn that -b/--binary isn't implementedJiri Popelka2014-03-176-15/+18
| | | | | | see also 296dca39be Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore.8: file to read from can be specified as argumentJiri Popelka2014-03-141-4/+5
| | | | | | | original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1022228 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore.8: missing -T in synopsisJiri Popelka2014-03-141-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing bracket in iptables-save(8)Jiri Popelka2014-03-131-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables.8: update coreteam members from manpagePablo Neira Ayuso2014-03-071-3/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: fix version in iptables(8)Jiri Popelka2014-03-071-1/+1
| | | | | Signed-off-by: Jiri Popelka <jpopelka@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-arp: wrong condition in parse_payloadGiuseppe Longo2014-03-071-1/+1
| | | | | | | | | | | | | | | the current condition doesn't permit to parse ip addresses when they should be. Obviously they are not printed. arptables-compat -A INPUT -s 1.1.1.1 -i eth0 -j ACCEPT arptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination -j ACCEPT -i eth0 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-arp: fix is_same_interfaces argumentsGiuseppe Longo2014-03-071-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Wrong arguments are passed to is_same_interfaces that causes sometimes to delete a wrong rule. See the example below: arptables-compat -A INPUT -i eth0 -j ACCEPT arptables-compat -A INPUT -i eth1 -j ACCEPT arptables-compat -A INPUT -i eth2 -j ACCEPT arptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination -j ACCEPT -i eth0 -j ACCEPT -i eth1 -j ACCEPT -i eth2 arptables-compat -D INPUT -i eth2 -j ACCEPT arptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination -j ACCEPT -i eth1 -j ACCEPT -i eth2 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-events: prints arp rulesGiuseppe Longo2014-02-251-8/+15
| | | | | | | | This patch permits to print arp rules, avoiding the segfault that you got currently. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-arp: adds nft_arp_save_firewallGiuseppe Longo2014-02-251-63/+109
| | | | | | | | Adds nft_arp_save_firewall to arp family. (Avoids the segfault in xtables-events) Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'nft-compat'Pablo Neira Ayuso2014-02-1325-2/+9370
|\ | | | | | | | | This merges the branch that contains the iptables over nftables compatibility layer into master.
| * nft: Pass a line after printing out a debug messageTomasz Bursztyka2014-02-121-3/+3
| | | | | | | | | | | | | | | | In this specific places, libnftnl gives back a string on which iptables should not assume any line break, thus it's up to iptables to add it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: Remove useless error messageTomasz Bursztyka2014-02-121-40/+5
| | | | | | | | | | | | | | These are not helpful. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: Initialize a table only onceTomasz Bursztyka2014-02-122-0/+11
| | | | | | | | | | | | | | | | This helps to remove some runtime overhead, especially when running xtables-restore. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: A builtin chain might be created when restoringTomasz Bursztyka2014-02-123-0/+3
| | | | | | | | | | | | | | | | | | nft_chain_set() is directly used in xtables-restore.c, however at that point no builtin chains have been created yet thus the need to request to build it relevantly. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: Add useful debug output when a builtin table is createdTomasz Bursztyka2014-02-121-0/+8
| | | | | | | | | | | | | | This is useful to know if a builtin table is requested to be created. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft-compat: fix wrong protocol context in initializationPablo Neira Ayuso2014-02-112-5/+3
| | | | | | | | | | | | | | | | | | | | | | | | This fixes matches/targets that are dependent on that IPv4/Ipv6 context, eg. # ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable # ip6tables-compat-save ... -A INPUT -j REJECT --reject-with icmp6-port-unreachable Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft-compat: fix IP6T_F_GOTO flag handlingPablo Neira Ayuso2014-02-115-13/+20
| | | | | | | | | | | | | | IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling to avoid misinterpretations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: adds save_matches_and_targetGiuseppe Longo2014-02-116-39/+53
| | | | | | | | | | | | | | | | | | | | | | This patch permits to save matches and target for ip/ip6/arp/eb family, required for xtables-events. Also, generalizes nft_rule_print_save to be reused for all protocol families. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: Add backward compatibility with -w optionTomasz Bursztyka2014-02-114-4/+14
| | | | | | | | | | | | | | Just to keep aligned with iptables legacy tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: add xtables-compat-multi for the nftables compatibility layerPablo Neira Ayuso2014-02-048-38/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch should allow distributors to switch to the iptables over nftables compatibility layer in a transparent way by updating symbolic links from: lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi to: lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save, ip6tables-restore and arptables. Note that, after this patch, the following new symlinks are installed: * iptables-compat * iptables-compat-save * iptables-compat-restore * ip6tables-compat * ip6tables-compat-save * ip6tables-compat-restore * arptables-compat which point to the new binary xtables-compat-multi. The idea is to keep both native and compatibility tools installed in the system, which should also make it easier for testing purposes. The iptables over nftables compatibility layer is enabled by default and it requires the libmnl and libnftnl libraries. If you don't want to compile the compatibility layer, you can still disable it through --disable-nftables. This patch also includes changes to adapt the existing code to this approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables-restore: remove dependency with libip4tcPablo Neira Ayuso2014-02-041-1/+5
| | | | | | | | | | | | | | Add a new operation structure, we don't actually need the libip4tc definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: Use new libnftnl library name against former libnftablesTomasz Bursztyka2014-01-208-18/+18
| | | | | | | | | | | | | | Adapt the current code to use the new library name libnftnl. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEYPablo Neira Ayuso2014-01-102-9/+9
| | | | | | | | | | | | | | We have to use uint32_t instead uint8_t to adapt this to the libnftables changes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix wrong function to release iteratorPablo Neira Ayuso2013-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | nft.c: In function ‘nft_xtables_config_load’: nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default] In file included from nft.c:41:0: /usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’ Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load) but that was my fault indeed since Ana sent a v2 patch that I have overlook. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: nft: fix memory leaks in nft_finiAna Rey2013-12-301-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Those errors are shown with valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) ==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) These objects are allocated from nft_init but they were not released appropriately in the exit path. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix memory leaks in nft_xtables_config_loadAna Rey2013-12-301-10/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Those errors are shown with the valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5955B02: nft_table_list_alloc (table.c:425) ==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888) ==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) Fix these leaks and consolidate error handling in the exit path of nft_xtables_config_load Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables-standalone: call nft_fini in the error pathAna Rey2013-12-301-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This error is shown with valgrind tools: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT ==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x574CC76: mnl_socket_open (socket.c:117) ==7377== by 0x417495: nft_init (nft.c:598) ==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64) ==7377== by 0x5B87994: (below main) (libc-start.c:260) This patch calls nft_fini to release the objects that have been allocated in nft_init. This function was not used so far. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix out of bound memory copyPablo Neira Ayuso2013-12-301-9/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Valgrind reports an invalid read after a memory block: ==11114== Invalid read of size 8 ==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877) ==11114== by 0x41788E: add_match (nft.c:781) ==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72) ==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945) ==11114== by 0x418ACE: nft_rule_append (nft.c:1000) ==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424) ==11114== by 0x4152DE: do_commandx (xtables.c:1184) ==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72) ==11114== by 0x5B87994: (below main) (libc-start.c:260) ==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd ==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==11114== by 0x52448C8: xtables_calloc (xtables.c:272) ==11114== by 0x410AC2: command_default (xshared.c:150) ==11114== by 0x4149A2: do_commandx (xtables.c:1075) ==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72) ==11114== by 0x5B87994: (below main) (libc-start.c:260) m->u.match_size also contains the size of the xt_entry_match structure. Fix also the target path which is very similar. Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix inversion of built-in selectorsPablo Neira Ayuso2013-12-302-0/+8
| | | | | | | | | | | | | | | | | | | | (0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke inversion of built-in selectors, such as -s, -d, etc. We need to refresh the invflags if -p is used or set it for first time if -p is not used, otherwise inversion is ignored. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables-events: fix compilation due change in libnftablesPablo Neira Ayuso2013-12-301-2/+2
| | | | | | | | | | | | | | | | The patch (989b793 src: unify parse and output types) changed the table and chain type definitions, adapt this code to use the new ones. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be usedTomasz Bursztyka2013-12-301-0/+7
| | | | | | | | | | | | | | | | | | | | | | This is a temporary workaround mechanism until variable interface hardware address length can be handled through nftables. This defaults on the length of EUI-64 mac address, which should be the most common usage until this is appropriately fixed for all type of layer 2 addresses. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: arp: Fix a compilation warningTomasz Bursztyka2013-12-301-4/+4
| | | | | | | | | | | | | | | | | | | | This fixes such warning: xtables-arp.c: In function ‘check_inverse’: xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a global declaration [-Wshadow] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: arp: fix possible string overflowGiuseppe Longo2013-12-302-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch replaces strcat with strncat and strcpy with strncpy fixing possible string overflow. Based on the original patch: http://patchwork.ozlabs.org/patch/279672/ from Jaromír Končický via Jiri Popelka. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix interface wildcard matchingPablo Neira Ayuso2013-12-301-22/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In (73ea1cc nft: convert rule into a command state structure), the interface wildcard matching got broken. The previous handling was flawed by the use of ifnametoindex in scenario where the interface may vanished after a rule was added. This approach relies on the trailing '\0' to identify if this is an exact or wildcard matching, based on discussion with Florian. Based on initial patch from Anand Raj Manickam. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix bad length when comparing extension data areaPablo Neira Ayuso2013-12-301-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use ->userspacesize to compare the extension data area, otherwise we also compare the internal private pointers which are only meaningful to the kernelspace. This fixes: xtables -4 -D INPUT -m connlimit \ --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr But it also fixes many other matches/targets which use internal private data. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: pass ipt_entry to ->save_firewall hookPablo Neira Ayuso2013-12-302-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | The extension needs the ipt_entry not to crash. Since cs->fw actually points to an union that also contains cs->fw6, just pass cs->fw to make it work. This fixes: -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: fix missing ipt_entry for MASQUERADE targetPablo Neira Ayuso2013-12-304-12/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus: xtables -4 -A POSTROUTING -t nat -p tcp \ -j MASQUERADE --to-ports 1024 works again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: arp: add parse_target to nft_family_ops_arpGiuseppe Longo2013-12-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | This patch adds parse_target for arp family, fixing segfaults for xtables-arp -L after rules like: xtables-arp -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7 xtables-arp -A OUTPUT -o eth1 --h-length 6 \ -j mangle --mangle-mac-s 01:00:5e:00:01:01 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: arp: initialize flags in nft_arp_parse_metaGiuseppe Longo2013-12-301-1/+1
| | | | | | | | | | | | | | | | This small patch initialize the flags in nft_arp_parse_meta, now the nft_arp_rule_find is working properly. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: fix wrong target sizeTomasz Bursztyka2013-12-301-2/+5
| | | | | | | | | | | | | | The allocated area was not aligned. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: arp: Parse properly target optionsTomasz Bursztyka2013-12-301-2/+4
| | | | | | | | | | | | | | Target never gets its options parsed. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nft: Header inclusion missingTomasz Bursztyka2013-12-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | Fixes compilation issues. nft-shared.c: In function ‘nft_ipv46_rule_find’: nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration] nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function) nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>