| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Change the scope of the weird character check loop so that
it checks for invalid characters when the interface name
contains a wildcard.
Fixes Bugzilla #1085.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
|
|
|
| |
ares->ai_canonname is never used, so there is no point in requesting
that piece of information with AI_CANONNAME.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The error path already terminally returns from the function, so there
is no point in having an explicit else block.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Replace gethostbyaddr() with getnameinfo() as getnameinfo()
deprecates the former and allows programs to
eliminate IPv4-versus-IPv6 dependencies
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Remove unnecessary debug code
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Make the function host_to_ipaddr() similar to host_to_ip6addr(),
using getaddrinfo() instead of the obsoleted gethostbyname().
Signed-off-by: Arpan Kapoor <rpnkpr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Initialize comment buffer when allocation the xt translation structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.
Example:
$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new function allows us to add comments to the nft rule. This
can be used to provide a translation for the comment match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release data area that is allocated by xt_buf_alloc().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:
1) iptables-restore-translate which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, eg.
% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...
The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.
2) iptables-translate which suggests a translation for an iptables
command:
$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
While at it, update comment format for the respective blocks.
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the xtables_find_{match,target}
functions need to compare the family too.
We want to avoid this situation:
1) user first sets afinfo to IPv6
2) xtables_find_target() finds & load ip6t_REJECT and uses it
3) afinfo change to IPv4
4) user then tries to use ipt_REJECT
5) xtables_find_target() finds ip6t_REJECT instead (same target name)
6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
These two families only work under nft compat, so leave unset the fields
that we don't use. Basically, we need neither the module autoload code
nor the native get/setsockopt() revision infrastructure since we use the
one that nft_compat provides through nfnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support to use the mangle target extensions, along with
the required changes in the surrounding code.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
There are some extension which may name-clash, for example:
* libxt_mark.so
* liebt_mark.so
Let's search first for AF-specific extension and then for the generic libxt_**.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame:
357 switch (vfork()) {
358 case 0:
359 argv[0] = (char *)modprobe;
360 argv[1] = (char *)modname;
361 if (quiet) {
362 argv[2] = "-q";
363 argv[3] = NULL;
364 } else {
365 argv[2] = NULL;
366 argv[3] = NULL;
367 }
368 execv(argv[0], argv);
369
370 /* not usually reached */
371 exit(1);
modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!
Relevant caution in man 2 vfork:
"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."
Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The LSB of xtables_pending_matches was overwritten with zero
that lead to segmentation fault. But simply adding an additional variable
in the code or changing compilation options modified the behaviour so that no
segmentation fault happens so it is rather subtle.
(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p
(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p
Closes bug 943.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
getaddrinfo return value on error can also be positive.
On Android they're positive, e.g.:
android-ndk-r9d/platforms/android-19/arch-arm/usr/include/netdb.h
147 #define EAI_NONAME 8 /* hostname nor servname provided, or not known */
And as a plus, it's not bad to conform to specs.
Signed-off-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
http://www.gnu.org/licenses/gpl-2.0.html
http://www.fsf.org/about/contact/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\
| |
| |
| |
| | |
This merges the branch that contains the iptables over nftables
compatibility layer into master.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds the following utilities:
* xtables
* xtables-restore
* xtables-save
* xtables-config
They all use Patrick's nf_tables infrastructure plus my compatibility
layer.
xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.
Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.
However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |/
|
|
|
|
|
|
| |
If an invalid MAC address is used on the commmand line, the error message
`ether' was not really describing the problem.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
... to get 76e230e ('iptables: link against libnetfilter_conntrack'),
else static build doesn't work.
Conflicts:
extensions/GNUmakefile.in
[ CPPFLAGS was added in master, so keep it ]
Reported-By: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Linking currently fails in --enable-static case:
../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
[..]
It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
therefore producing no harm to include unconditionally.
Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In commit 927385017047d (iptables: improve error reporting with extension
loading troubles), a new error message was added in an attempt to handle
the case where a match does not support a particular protocol family.
For instance, attempting to use the osf match on IPv6.
Unfortunately, this error message now triggers when creating a new chain
which has the same name as a match extension, because iptables calls
xtables_find_target with the name of the new chain to verify it does not
clash with an existing target. For example:
# iptables -N tcp
/usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol
I attempted to resolve this by adding a new XTF flag, but that required changes
in many different places (including -j handling). It seems easiest just to
remove this warning and stick with the original error message of ENOENT, even
if less than precise.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
As pointed out by Peter Hoelsken, rules created with non-standard
masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output
with iptables -L in CIDR notation as -1. This is because the cidr
variable in xtables_ipmask_to_numeric is unsigned, and the return
value of -1 from xtables_ipmask_to_cidr is therefore converted to
UINT_MAX. Add a cast to workaround the issue.
This closes netfilter bugzilla #854.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Similar to how iptables does not print /32 on IPv4 addresses, ip6tables
should not print out /128 on IPv6 addresses.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| |
|
|
|
|
|
|
|
|
|
| |
In bug #455, Dmitry V. Levin proposed a more robust get_modprobe
implementation. The patch below is a version of his patch,
updated to apply to current git.
This closes bug #455.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken:
-A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN
With iptables 1.4.18:
iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32)
This was probably broken by the augmented parser.
Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This function is used both by iptables and ip6tables, and
refactorize to avoid longer than 80-chars per column lines
of code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This function is shared by iptables and ip6tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL
which was always false (true). real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.
# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.
To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.
[ I have mangled this patch to remove a comment unnecessarily large.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch allows for match names listed on the command line to be
rewritten to new names and revisions, like we did for targets before.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch allows for target names listed on the command line to be
rewritten to new names and revisions.
As before, we will pick a revision that is supported by the kernel - now
including real_name in the search. This gives us the possibility to test
for many action names.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
|
|
|
|
| |
Alias support will require testing for more conditions, so move the
revision comparison code into a separate function where it can be
shared between matches and targets.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds generic functions to return the mask in CIDR
notation whenever is possible.
This patch also simplifies xtables_ip[6]mask_to_numeric, that
now use these new two functions.
This patch also bumps libxtables_vcurrent and libxtables_vage
since we added a couple new interfaces (thanks to Jan Engelhardt
for his little reminder on this).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
iptables(exe) requires libext.a, but extensions/ require libxtables.la
(in iptables/). This circular dependency does not work out, so
separate libxtables into its own directory and put it in front.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
