summaryrefslogtreecommitdiffstats
path: root/libxtables
Commit message (Collapse)AuthorAgeFilesLines
* use nf_tables and nf_tables compatibility interfacePablo Neira Ayuso2013-12-301-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable-1.4.20'Florian Westphal2013-11-231-1/+1
|\ | | | | | | | | | | | | | | | | | | | | | | ... to get 76e230e ('iptables: link against libnetfilter_conntrack'), else static build doesn't work. Conflicts: extensions/GNUmakefile.in [ CPPFLAGS was added in master, so keep it ] Reported-By: Gustavo Zacarias <gustavo@zacarias.com.ar>
| * iptables: link against libnetfilter_conntrackJan Engelhardt2013-08-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linking currently fails in --enable-static case: ../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name': iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name' [..] It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack. If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@ and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty, therefore producing no harm to include unconditionally. Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Florian Westphal <fw@strlen.de>
* | iptables: spurious error in load_extensionPhil Oester2013-11-031-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit 927385017047d (iptables: improve error reporting with extension loading troubles), a new error message was added in an attempt to handle the case where a match does not support a particular protocol family. For instance, attempting to use the osf match on IPv6. Unfortunately, this error message now triggers when creating a new chain which has the same name as a match extension, because iptables calls xtables_find_target with the name of the new chain to verify it does not clash with an existing target. For example: # iptables -N tcp /usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol I attempted to resolve this by adding a new XTF flag, but that required changes in many different places (including -j handling). It seems easiest just to remove this warning and stick with the original error message of ENOENT, even if less than precise. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masksPhil Oester2013-09-271-1/+1
|/ | | | | | | | | | | | | | As pointed out by Peter Hoelsken, rules created with non-standard masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output with iptables -L in CIDR notation as -1. This is because the cidr variable in xtables_ipmask_to_numeric is unsigned, and the return value of -1 from xtables_ipmask_to_cidr is therefore converted to UINT_MAX. Add a cast to workaround the issue. This closes netfilter bugzilla #854. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6tables: don't print out /128Phil Oester2013-07-081-1/+5
| | | | | | | | Similar to how iptables does not print /32 on IPv4 addresses, ip6tables should not print out /128 on IPv6 addresses. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* xtables: improve get_modprobe handlingPhil Oester2013-05-291-11/+11
| | | | | | | | | | | In bug #455, Dmitry V. Levin proposed a more robust get_modprobe implementation. The patch below is a version of his patch, updated to apply to current git. This closes bug #455. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* libxtables: fix parsing of dotted network mask formatPablo Neira Ayuso2013-05-091-3/+35
| | | | | | | | | | | | | | After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken: -A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN With iptables 1.4.18: iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32) This was probably broken by the augmented parser. Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_print_numPablo Neira Ayuso2013-01-041-0/+29
| | | | | | | | This function is used both by iptables and ip6tables, and refactorize to avoid longer than 80-chars per column lines of code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_rule_matches_freePablo Neira Ayuso2013-01-041-0/+22
| | | | | | This function is shared by iptables and ip6tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: restore NOTRACK functionality, target aliasingJan Engelhardt2012-10-081-12/+14
| | | | | | | | | | | | | | | | | | | | | | | | | Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL which was always false (true). real_name was never NULL, so cs->jumpto would always be used, which rendered -j NOTRACK unusable, since the chosen real name.revision is for example NOTRACK.1, which does not exist at the kernel side. # ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK dbg: Using NOTRACK.1 WARNING: The NOTRACK target is obsolete. Use CT instead. iptables: Protocol wrong type for socket. To reasonably support the extra-special verdict names, make it so that real_name remains NULL when an extension defined no alias, which we can then use to determine whether the user entered an alias name (which needs to be followed) or not. [ I have mangled this patch to remove a comment unnecessarily large. BTW, this patch gets this very close to the initial target aliasing proposal --pablo ] Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: support for match aliasesJan Engelhardt2012-09-291-4/+8
| | | | | | | This patch allows for match names listed on the command line to be rewritten to new names and revisions, like we did for targets before. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* iptables: support for target aliasesJan Engelhardt2012-09-271-7/+25
| | | | | | | | | | | This patch allows for target names listed on the command line to be rewritten to new names and revisions. As before, we will pick a revision that is supported by the kernel - now including real_name in the search. This gives us the possibility to test for many action names. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxtables: consolidate preference logicJan Engelhardt2012-09-271-16/+53
| | | | | | | | Alias support will require testing for more conditions, so move the revision comparison code into a separate function where it can be shared between matches and targets. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxtables: add xtables_ip[6]mask_to_cidrPablo Neira Ayuso2012-07-141-9/+24
| | | | | | | | | | | | | | This patch adds generic functions to return the mask in CIDR notation whenever is possible. This patch also simplifies xtables_ip[6]mask_to_numeric, that now use these new two functions. This patch also bumps libxtables_vcurrent and libxtables_vage since we added a couple new interfaces (thanks to Jan Engelhardt for his little reminder on this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Fix file descriptor leak in xtables_lmap_init on errorThomas Jarosch2011-09-281-0/+1
| | | | | Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: restore build order of modulesJan Engelhardt2011-09-193-0/+3023
iptables(exe) requires libext.a, but extensions/ require libxtables.la (in iptables/). This circular dependency does not work out, so separate libxtables into its own directory and put it in front. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>