From 384958620abab397062b67fb2763e813b63f74f0 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 27 Sep 2012 19:12:53 +0200 Subject: use nf_tables and nf_tables compatibility interface This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 etc/xtables.conf (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf new file mode 100644 index 00000000..00b5df4f --- /dev/null +++ b/etc/xtables.conf @@ -0,0 +1,24 @@ +table raw prio -300 { + chain PREROUTING hook NF_INET_PRE_ROUTING + chain OUTPUT hook NF_INET_LOCAL_OUT +} + +table mangle prio -150 { + chain PREROUTING hook NF_INET_PRE_ROUTING + chain INPUT hook NF_INET_LOCAL_IN + chain FORWARD hook NF_INET_FORWARD + chain OUTPUT hook NF_INET_LOCAL_OUT + chain POSTROUTING hook NF_INET_POST_ROUTING +} + +table filter prio 0 { + chain INPUT hook NF_INET_LOCAL_IN + chain FORWARD hook NF_INET_FORWARD + chain OUTPUT hook NF_INET_LOCAL_OUT +} + +table security prio 150 { + chain INPUT hook NF_INET_LOCAL_IN + chain FORWARD hook NF_INET_FORWARD + chain OUTPUT hook NF_INET_LOCAL_OUT +} -- cgit v1.2.3 From c924c0cd07440aa9ce7465e2ba68fb266f07d7c3 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 10 Mar 2013 11:43:32 +0100 Subject: xtables-config: priority has to be per-chain to support To support NAT table chain configuration appropriately. Modify example configuration file as well. Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf index 00b5df4f..6d26ffe4 100644 --- a/etc/xtables.conf +++ b/etc/xtables.conf @@ -1,24 +1,31 @@ -table raw prio -300 { - chain PREROUTING hook NF_INET_PRE_ROUTING - chain OUTPUT hook NF_INET_LOCAL_OUT +table raw { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 } -table mangle prio -150 { - chain PREROUTING hook NF_INET_PRE_ROUTING - chain INPUT hook NF_INET_LOCAL_IN - chain FORWARD hook NF_INET_FORWARD - chain OUTPUT hook NF_INET_LOCAL_OUT - chain POSTROUTING hook NF_INET_POST_ROUTING +table mangle { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 + chain INPUT hook NF_INET_LOCAL_IN prio -150 + chain FORWARD hook NF_INET_FORWARD prio -150 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 + chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 } -table filter prio 0 { - chain INPUT hook NF_INET_LOCAL_IN - chain FORWARD hook NF_INET_FORWARD - chain OUTPUT hook NF_INET_LOCAL_OUT +table filter { + chain INPUT hook NF_INET_LOCAL_IN prio 0 + chain FORWARD hook NF_INET_FORWARD prio 0 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 } -table security prio 150 { - chain INPUT hook NF_INET_LOCAL_IN - chain FORWARD hook NF_INET_FORWARD - chain OUTPUT hook NF_INET_LOCAL_OUT +table nat { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 + chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 + chain INPUT hook NF_INET_LOCAL_IN prio -100 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 100 +} + +table security { + chain INPUT hook NF_INET_LOCAL_IN prio 150 + chain FORWARD hook NF_INET_FORWARD prio 150 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 150 } -- cgit v1.2.3 From 32c579fa6fa1155f316c202a95d3e946111891bd Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 10 Mar 2013 16:20:27 +0100 Subject: xtables: support family in /etc/xtables.conf file Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 54 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 28 insertions(+), 26 deletions(-) (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf index 6d26ffe4..1995b69f 100644 --- a/etc/xtables.conf +++ b/etc/xtables.conf @@ -1,31 +1,33 @@ -table raw { - chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 - chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 -} +family ipv4 { + table raw { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 + } -table mangle { - chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 - chain INPUT hook NF_INET_LOCAL_IN prio -150 - chain FORWARD hook NF_INET_FORWARD prio -150 - chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 - chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 -} + table mangle { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 + chain INPUT hook NF_INET_LOCAL_IN prio -150 + chain FORWARD hook NF_INET_FORWARD prio -150 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 + chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 + } -table filter { - chain INPUT hook NF_INET_LOCAL_IN prio 0 - chain FORWARD hook NF_INET_FORWARD prio 0 - chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 -} + table filter { + chain INPUT hook NF_INET_LOCAL_IN prio 0 + chain FORWARD hook NF_INET_FORWARD prio 0 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 + } -table nat { - chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 - chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 - chain INPUT hook NF_INET_LOCAL_IN prio -100 - chain OUTPUT hook NF_INET_LOCAL_OUT prio 100 -} + table nat { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 + chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 + chain INPUT hook NF_INET_LOCAL_IN prio -100 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 100 + } -table security { - chain INPUT hook NF_INET_LOCAL_IN prio 150 - chain FORWARD hook NF_INET_FORWARD prio 150 - chain OUTPUT hook NF_INET_LOCAL_OUT prio 150 + table security { + chain INPUT hook NF_INET_LOCAL_IN prio 150 + chain FORWARD hook NF_INET_FORWARD prio 150 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 150 + } } -- cgit v1.2.3 From 86eed10c9f2c42e0f50eb4e527a48ee9e63146f4 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 16 Jul 2013 22:18:47 +0200 Subject: nft: fix built-in chain ordering of the nat table Should be: % iptables -L -n -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination instead of: % xtables -L -n -t nat Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Reported-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf index 1995b69f..6aee8aa8 100644 --- a/etc/xtables.conf +++ b/etc/xtables.conf @@ -20,9 +20,9 @@ family ipv4 { table nat { chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 - chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 chain INPUT hook NF_INET_LOCAL_IN prio -100 chain OUTPUT hook NF_INET_LOCAL_OUT prio 100 + chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 } table security { -- cgit v1.2.3 From 2bf54fd4eca0ea19e8effeb487d87b2e5a2cdc10 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 30 Jul 2013 20:17:44 +0200 Subject: etc: add default IPv6 table and chain definitions Add definition of table and chains to the optional xtables.conf file. Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 40 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf index 6aee8aa8..7b2b8e5f 100644 --- a/etc/xtables.conf +++ b/etc/xtables.conf @@ -26,8 +26,42 @@ family ipv4 { } table security { - chain INPUT hook NF_INET_LOCAL_IN prio 150 - chain FORWARD hook NF_INET_FORWARD prio 150 - chain OUTPUT hook NF_INET_LOCAL_OUT prio 150 + chain INPUT hook NF_INET_LOCAL_IN prio 50 + chain FORWARD hook NF_INET_FORWARD prio 50 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 50 + } +} + +family ipv6 { + table raw { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 + } + + table mangle { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 + chain INPUT hook NF_INET_LOCAL_IN prio -150 + chain FORWARD hook NF_INET_FORWARD prio -150 + chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 + chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 + } + + table filter { + chain INPUT hook NF_INET_LOCAL_IN prio 0 + chain FORWARD hook NF_INET_FORWARD prio 0 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 + } + + table nat { + chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 + chain INPUT hook NF_INET_LOCAL_IN prio -100 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 100 + chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 + } + + table security { + chain INPUT hook NF_INET_LOCAL_IN prio 50 + chain FORWARD hook NF_INET_FORWARD prio 50 + chain OUTPUT hook NF_INET_LOCAL_OUT prio 50 } } -- cgit v1.2.3 From 84909d171585d77fe769f03e2b1b96eab0aa0213 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Mon, 9 Sep 2013 12:54:04 +0200 Subject: xtables: bootstrap ARP compatibility layer for nftables This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- etc/xtables.conf | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'etc') diff --git a/etc/xtables.conf b/etc/xtables.conf index 7b2b8e5f..d37b0d7c 100644 --- a/etc/xtables.conf +++ b/etc/xtables.conf @@ -65,3 +65,11 @@ family ipv6 { chain OUTPUT hook NF_INET_LOCAL_OUT prio 50 } } + +family arp { + table filter { + chain INPUT hook NF_ARP_IN prio 0 + chain FORWARD hook NF_ARP_FORWARD prio 0 + chain OUTPUT hook NF_ARP_OUT prio 0 + } +} \ No newline at end of file -- cgit v1.2.3