summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.gitignore4
-rw-r--r--configure.ac10
-rw-r--r--extensions/GNUmakefile.in2
-rw-r--r--extensions/libebt_standard.t5
-rw-r--r--extensions/libxt_conntrack.c12
-rw-r--r--extensions/libxt_sctp.c4
-rw-r--r--extensions/libxt_sctp.man4
-rw-r--r--extensions/libxt_sctp.t4
-rw-r--r--extensions/libxt_sctp.txlate2
-rw-r--r--extensions/libxt_set.c6
-rw-r--r--extensions/libxt_set.h1
-rw-r--r--extensions/libxt_string.c17
-rw-r--r--extensions/libxt_string.t21
-rw-r--r--include/linux/netfilter/nf_log.h15
-rw-r--r--include/xtables.h69
-rw-r--r--iptables/Makefile.am1
-rw-r--r--iptables/iptables.8.in5
-rw-r--r--iptables/nft-shared.c31
-rw-r--r--iptables/nft.c4
-rwxr-xr-xiptables/tests/shell/testcases/ebtables/0008-ebtables-among_098
-rwxr-xr-xiptables/tests/shell/testcases/ip6tables/0002-verbose-output_023
-rwxr-xr-xiptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_02
-rwxr-xr-xiptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_02
-rwxr-xr-xiptables/tests/shell/testcases/ipt-save/0006iptables-xml_010
-rwxr-xr-xiptables/tests/shell/testcases/ipt-save/0007-overhead_037
-rwxr-xr-xiptables/tests/shell/testcases/iptables/0002-verbose-output_04
-rwxr-xr-xiptables/tests/shell/testcases/iptables/0007-zero-counters_015
-rw-r--r--iptables/xshared.c38
-rw-r--r--iptables/xshared.h49
-rw-r--r--iptables/xtables-eb.c3
-rw-r--r--iptables/xtables-legacy-multi.c4
-rw-r--r--iptables/xtables-monitor.c4
-rw-r--r--libipq/Makefile.am1
-rw-r--r--libiptc/Makefile.am1
-rw-r--r--libxtables/Makefile.am3
-rw-r--r--libxtables/xtables.c15
-rw-r--r--libxtables/xtoptions.c1
-rw-r--r--utils/Makefile.am1
38 files changed, 359 insertions, 169 deletions
diff --git a/.gitignore b/.gitignore
index e5595264..a206fb48 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,8 @@
*.a
+*.gcda
+*.gcno
+*.gcno.gcov.json.gz
+*.gcov
*.la
*.lo
*.so
diff --git a/configure.ac b/configure.ac
index 071afaf1..ea5d2d49 100644
--- a/configure.ac
+++ b/configure.ac
@@ -71,6 +71,9 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH],
[Path to the xtables lock [[/run/xtables.lock]]]),
[xt_lock_name="$withval"],
[xt_lock_name="/run/xtables.lock"])
+AC_ARG_ENABLE([profiling],
+ AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]),
+ [enable_profiling="$enableval"], [enable_profiling="no"])
AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined])
saved_LDFLAGS="$LDFLAGS";
@@ -188,6 +191,11 @@ if [[ -n "$ksourcedir" ]]; then
fi;
pkgdatadir='${datadir}/xtables';
+if test "x$enable_profiling" = "xyes"; then
+ regular_CFLAGS+=" -fprofile-arcs -ftest-coverage"
+ regular_LDFLAGS+=" -lgcov --coverage"
+fi
+
define([EXPAND_VARIABLE],
[$2=[$]$1
if test $prefix = 'NONE'; then
@@ -205,6 +213,7 @@ eval "$2=[$]$2"
AC_SUBST([regular_CFLAGS])
AC_SUBST([regular_CPPFLAGS])
AC_SUBST([noundef_LDFLAGS])
+AC_SUBST([regular_LDFLAGS])
AC_SUBST([kinclude_CPPFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
@@ -250,6 +259,7 @@ Iptables Configuration:
nfsynproxy util support: ${enable_nfsynproxy}
nftables support: ${enable_nftables}
connlabel support: ${enable_connlabel}
+ profiling support: ${enable_profiling}
Build parameters:
Put plugins into executable (static): ${enable_static}
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 6dad4e02..3c68f8de 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -24,7 +24,7 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ @libnftnl_CFLAGS@
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-AM_LDFLAGS = @noundef_LDFLAGS@
+AM_LDFLAGS = @noundef_LDFLAGS@ @regular_LDFLAGS@
ifeq (${V},)
AM_LIBTOOL_SILENT = --silent
diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t
index c6c31727..97cb3baa 100644
--- a/extensions/libebt_standard.t
+++ b/extensions/libebt_standard.t
@@ -12,12 +12,17 @@
:INPUT
-i foobar;=;OK
-o foobar;=;FAIL
+--logical-in br0;=;OK
+--logical-out br1;=;FAIL
:FORWARD
-i foobar;=;OK
-o foobar;=;OK
+--logical-in br0 --logical-out br1;=;OK
:OUTPUT
-i foobar;=;FAIL
-o foobar;=;OK
+--logical-in br0;=;FAIL
+--logical-out br1;=;OK
:PREROUTING
*nat
-i foobar;=;OK
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 234085c5..08dba42d 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1289,9 +1289,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC) {
- if (&sinfo->origsrc_addr == 0L)
- return 0;
-
xt_xlate_add(xl, "%sct original saddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGSRC ?
"!= " : "");
@@ -1301,9 +1298,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGDST) {
- if (&sinfo->origdst_addr == 0L)
- return 0;
-
xt_xlate_add(xl, "%sct original daddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGDST ?
"!= " : "");
@@ -1313,9 +1307,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_REPLSRC) {
- if (&sinfo->replsrc_addr == 0L)
- return 0;
-
xt_xlate_add(xl, "%sct reply saddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLSRC ?
"!= " : "");
@@ -1325,9 +1316,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_REPLDST) {
- if (&sinfo->repldst_addr == 0L)
- return 0;
-
xt_xlate_add(xl, "%sct reply daddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLDST ?
"!= " : "");
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index a4c5415f..3fb6cf1a 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -112,9 +112,13 @@ static const struct sctp_chunk_names sctp_chunk_names[]
{ .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" },
{ .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" },
{ .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" },
+ { .name = "I_DATA", .chunk_type = 64, .valid_flags = "----IUBE", .nftname = "i-data"},
+ { .name = "RE_CONFIG", .chunk_type = 130, .valid_flags = "--------", .nftname = "re-config"},
+ { .name = "PAD", .chunk_type = 132, .valid_flags = "--------", .nftname = "pad"},
{ .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" },
{ .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" },
{ .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" },
+ { .name = "I_FORWARD_TSN", .chunk_type = 194, .valid_flags = "--------", .nftname = "i-forward-tsn" },
};
static void
diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
index 3e5ffa09..06da04f8 100644
--- a/extensions/libxt_sctp.man
+++ b/extensions/libxt_sctp.man
@@ -19,12 +19,14 @@ Match if any of the given chunk types is present with given flags.
only
Match if only the given chunk types are present with given flags and none are missing.
-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN
chunk type available flags
.br
DATA I U B E i u b e
.br
+I_DATA I U B E i u b e
+.br
ABORT T t
.br
SHUTDOWN_COMPLETE T t
diff --git a/extensions/libxt_sctp.t b/extensions/libxt_sctp.t
index 4016e4fb..4d3b113d 100644
--- a/extensions/libxt_sctp.t
+++ b/extensions/libxt_sctp.t
@@ -27,3 +27,7 @@
-p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK
-p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK
-p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK
+-p sctp -m sctp --chunk-types all I_DATA;=;OK
+-p sctp -m sctp --chunk-types all RE_CONFIG;=;OK
+-p sctp -m sctp --chunk-types all PAD;=;OK
+-p sctp -m sctp --chunk-types all I_FORWARD_TSN;=;OK
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index bb817525..6443abf9 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -41,4 +41,4 @@ iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:
nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept
iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT
-nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept
+nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk i-data missing sctp chunk re-config missing sctp chunk pad missing sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing sctp chunk i-forward-tsn missing counter accept
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 16921023..a2137ab1 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -22,6 +22,12 @@
#include <linux/netfilter/xt_set.h>
#include "libxt_set.h"
+#ifdef DEBUG
+#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
+#else
+#define DEBUGP(x, args...)
+#endif
+
/* Revision 0 */
static void
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index ad895a75..597bf7eb 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -6,7 +6,6 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
-#include "../iptables/xshared.h"
static int
get_version(unsigned *version)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 739a8e7f..5d72a5cd 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -78,14 +78,13 @@ static void string_init(struct xt_entry_match *m)
static void
parse_string(const char *s, struct xt_string_info *info)
-{
+{
/* xt_string does not need \0 at the end of the pattern */
- if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
- return;
- }
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+ if (strlen(s) > sizeof(info->pattern))
+ xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+
+ info->patlen = strnlen(s, sizeof(info->pattern));
+ memcpy(info->pattern, s, info->patlen);
}
static void
@@ -269,7 +268,7 @@ string_print(const void *ip, const struct xt_entry_match *match, int numeric)
printf(" ALGO name %s", info->algo);
if (info->from_offset != 0)
printf(" FROM %u", info->from_offset);
- if (info->to_offset != 0)
+ if (info->to_offset != UINT16_MAX)
printf(" TO %u", info->to_offset);
if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
printf(" ICASE");
@@ -293,7 +292,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
printf(" --algo %s", info->algo);
if (info->from_offset != 0)
printf(" --from %u", info->from_offset);
- if (info->to_offset != 0)
+ if (info->to_offset != UINT16_MAX)
printf(" --to %u", info->to_offset);
if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
printf(" --icase");
diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t
index d68f099d..2f4b30cb 100644
--- a/extensions/libxt_string.t
+++ b/extensions/libxt_string.t
@@ -1,18 +1,11 @@
:INPUT,FORWARD,OUTPUT
-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test"
-# -m string --algo bm --string "test";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test")
-# -m string --algo kmp --string "test";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test"
-# -m string --algo kmp ! --string "test";=;OK
-# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....]
-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx"
-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|"
-# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test"
-# -m string --algo bm --from 0 --to 65535 --string "test";=;OK
+-m string --algo bm --string "test";-m string --string "test" --algo bm;OK
+-m string --string "test" --algo kmp;=;OK
+-m string ! --string "test" --algo kmp;=;OK
+-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK
+-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL
+-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK
+-m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK
-m string --algo wrong;;FAIL
-m string --algo bm;;FAIL
-m string;;FAIL
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644
index 00000000..2ae00932
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT 0x02 /* Log TCP options */
+#define NF_LOG_IPOPT 0x04 /* Log IP options */
+#define NF_LOG_UID 0x08 /* Log UID owning local socket */
+#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define NF_LOG_MASK 0x2f
+
+#define NF_LOG_PREFIXLEN 128
+
+#endif /* _NETFILTER_NF_LOG_H */
diff --git a/include/xtables.h b/include/xtables.h
index c2694b7b..9eba4f61 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -585,27 +585,6 @@ static inline void xtables_print_mark_mask(unsigned int mark,
xtables_print_val_mask(mark, mask, NULL);
}
-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-# ifdef _INIT
-# undef _init
-# define _init _INIT
-# endif
- extern void init_extensions(void);
- extern void init_extensions4(void);
- extern void init_extensions6(void);
- extern void init_extensionsa(void);
- extern void init_extensionsb(void);
-#else
-# define _init __attribute__((constructor)) _INIT
-# define EMPTY_FUNC_DEF(x) static inline void x(void) {}
- EMPTY_FUNC_DEF(init_extensions)
- EMPTY_FUNC_DEF(init_extensions4)
- EMPTY_FUNC_DEF(init_extensions6)
- EMPTY_FUNC_DEF(init_extensionsa)
- EMPTY_FUNC_DEF(init_extensionsb)
-# undef EMPTY_FUNC_DEF
-#endif
-
extern const struct xtables_pprot xtables_chain_protos[];
extern uint16_t xtables_parse_protocol(const char *s);
@@ -663,9 +642,55 @@ void xtables_announce_chain(const char *name);
# define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
# endif
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+# ifdef _INIT
+# undef _init
+# define _init _INIT
+# endif
+ extern void init_extensions(void);
+ extern void init_extensions4(void);
+ extern void init_extensions6(void);
+ extern void init_extensionsa(void);
+ extern void init_extensionsb(void);
+#else
+# define _init __attribute__((constructor)) _INIT
+# define EMPTY_FUNC_DEF(x) static inline void x(void) {}
+ EMPTY_FUNC_DEF(init_extensions)
+ EMPTY_FUNC_DEF(init_extensions4)
+ EMPTY_FUNC_DEF(init_extensions6)
+ EMPTY_FUNC_DEF(init_extensionsa)
+ EMPTY_FUNC_DEF(init_extensionsb)
+# undef EMPTY_FUNC_DEF
+#endif
+
extern void _init(void);
-#endif
+/**
+ * xtables_afinfo - protocol family dependent information
+ * @kmod: kernel module basename (e.g. "ip_tables")
+ * @proc_exists: file which exists in procfs when module already loaded
+ * @libprefix: prefix of .so library name (e.g. "libipt_")
+ * @family: nfproto family
+ * @ipproto: used by setsockopt (e.g. IPPROTO_IP)
+ * @so_rev_match: optname to check revision support of match
+ * @so_rev_target: optname to check revision support of target
+ */
+struct xtables_afinfo {
+ const char *kmod;
+ const char *proc_exists;
+ const char *libprefix;
+ uint8_t family;
+ uint8_t ipproto;
+ int so_rev_match;
+ int so_rev_target;
+};
+
+extern const struct xtables_afinfo *afinfo;
+
+/* base offset of merged extensions' consecutive options */
+#define XT_OPTION_OFFSET_SCALE 256
+
+#endif /* XTABLES_INTERNAL */
#ifdef __cplusplus
} /* extern "C" */
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 0258264c..23f8352d 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
BUILT_SOURCES =
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 627ff0e4..f81c632f 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -417,6 +417,11 @@ other errors cause an exit code of 1.
.SH BUGS
Bugs? What's this? ;-)
Well, you might want to have a look at http://bugzilla.netfilter.org/
+\fBiptables\fP will exit immediately with an error code of 111 if it finds
+that it was called as a setuid-to-root program.
+iptables cannot be used safely in this manner because it trusts
+the shared libraries (matches, targets) loaded at run time, the search
+path can be set using environment variables.
.SH COMPATIBILITY WITH IPCHAINS
This \fBiptables\fP
is very similar to ipchains by Rusty Russell. The main difference is
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 27e95c1a..74e19cca 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -40,15 +40,24 @@ extern struct nft_family_ops nft_family_ops_ipv6;
extern struct nft_family_ops nft_family_ops_arp;
extern struct nft_family_ops nft_family_ops_bridge;
+static struct nftnl_expr *xt_nftnl_expr_alloc(const char *name)
+{
+ struct nftnl_expr *expr = nftnl_expr_alloc(name);
+
+ if (expr)
+ return expr;
+
+ xtables_error(RESOURCE_PROBLEM,
+ "Failed to allocate nftnl expression '%s'", name);
+}
+
void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key,
uint8_t *dreg)
{
struct nftnl_expr *expr;
uint8_t reg;
- expr = nftnl_expr_alloc("meta");
- if (expr == NULL)
- return;
+ expr = xt_nftnl_expr_alloc("meta");
reg = NFT_REG_1;
nftnl_expr_set_u32(expr, NFTNL_EXPR_META_KEY, key);
@@ -64,9 +73,7 @@ void add_payload(struct nft_handle *h, struct nftnl_rule *r,
struct nftnl_expr *expr;
uint8_t reg;
- expr = nftnl_expr_alloc("payload");
- if (expr == NULL)
- return;
+ expr = xt_nftnl_expr_alloc("payload");
reg = NFT_REG_1;
nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_BASE, base);
@@ -85,9 +92,7 @@ void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r,
struct nftnl_expr *expr;
uint8_t reg;
- expr = nftnl_expr_alloc("bitwise");
- if (expr == NULL)
- return;
+ expr = xt_nftnl_expr_alloc("bitwise");
reg = NFT_REG_1;
nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg);
@@ -107,9 +112,7 @@ void add_bitwise(struct nft_handle *h, struct nftnl_rule *r,
uint32_t xor[4] = { 0 };
uint8_t reg = *dreg;
- expr = nftnl_expr_alloc("bitwise");
- if (expr == NULL)
- return;
+ expr = xt_nftnl_expr_alloc("bitwise");
nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg);
nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, reg);
@@ -126,9 +129,7 @@ void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len,
{
struct nftnl_expr *expr;
- expr = nftnl_expr_alloc("cmp");
- if (expr == NULL)
- return;
+ expr = xt_nftnl_expr_alloc("cmp");
nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_SREG, sreg);
nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_OP, op);
diff --git a/iptables/nft.c b/iptables/nft.c
index ec79f2bc..ee003511 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
nftnl_rule_add_expr(r, e);
if (ip) {
- e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
- sizeof(struct in_addr), &reg);
+ e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
+ sizeof(struct in_addr), NFT_REG32_02);
if (!e)
return -ENOMEM;
nftnl_rule_add_expr(r, e);
diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
new file mode 100755
index 00000000..b5df9725
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+sfx=$(mktemp -u "XXXXXXXX")
+nsa="nsa-$sfx"
+nsb="nsb-$sfx"
+nsc="nsc-$sfx"
+
+cleanup()
+{
+ ip netns del "$nsa"
+ ip netns del "$nsb"
+ ip netns del "$nsc"
+}
+
+trap cleanup EXIT
+
+assert_fail()
+{
+ if [ $1 -eq 0 ]; then
+ echo "FAILED: $2"
+ exit 1
+ fi
+}
+
+assert_pass()
+{
+ if [ $1 -ne 0 ]; then
+ echo "FAILED: $2"
+ exit 2
+ fi
+}
+
+ip netns add "$nsa"
+ip netns add "$nsb"
+ip netns add "$nsc"
+
+ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb"
+ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb"
+ip netns exec "$nsb" ip link add name br0 type bridge
+
+ip -net "$nsb" link set b_c up
+ip netns exec "$nsb" ip link set b_s up
+ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0
+ip netns exec "$nsb" ip link set br0 up
+ip netns exec "$nsb" ip link set b_c master br0
+ip netns exec "$nsb" ip link set b_s master br0
+ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b
+ip netns exec "$nsc" ip link set c_b up
+ip -net "$nsa" addr add 10.167.11.1/24 dev s_b
+ip -net "$nsa" link set s_b up
+
+ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1
+
+bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address`
+bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address`
+bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address`
+bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address`
+
+bf_server_ip1="10.167.11.1"
+bf_bridge_ip0="10.167.11.254"
+bf_client_ip1="10.167.11.2"
+pktsize=64
+
+# --among-src [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_fail $? "--among-src [match]"
+
+# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc
+
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_pass $? "--among-src [not match]"
+
+# --among-dst [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_fail $? "--among-dst [match]"
+
+# --among-dst ! [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_pass $? "--among-dst [not match]"
+
+exit 0
diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
index 7b0e6468..2a1518d6 100755
--- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
+++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
@@ -6,23 +6,38 @@ set -e
# ensure verbose output is identical between legacy and nft tools
RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT'
-VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2'
+VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2'
RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT'
-VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5'
+VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5'
+RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route'
+VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0'
+RULE4='-m dst --dst-len 42 -m rt --rt-type 23'
+VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23'
+RULE5='-m frag --fragid 1337 -j LOG'
+VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4'
diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1)
diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2)
+diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3)
+diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4)
+diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5)
diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1)
diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2)
+diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3)
+diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4)
+diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5)
EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2
- 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5
+ 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::1 feed:babe::2
+ 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::4 feed:babe::5
+ 0 0 58 -- * * ::/0 ::/0 ipv6-icmptype 1 code 0
+ 0 0 0 -- * * ::/0 ::/0 dst length:42 rt type:23
+ 0 0 LOG 0 -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination'
diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
index bea1a690..1a3af46f 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
@@ -12,5 +12,5 @@ EOF
EXPECT='Chain FORWARD (policy ACCEPT)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 '
+ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 '
diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
index 5daf7a78..087156b1 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
@@ -60,7 +60,7 @@ Flushing chain \`OUTPUT'
Flushing chain \`secfoo'
Deleting chain \`secfoo'"
-EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' -e 's/opt --/opt /' <<< "$EXPECT")
+EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' <<< "$EXPECT")
diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP")
diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP")
diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
index 50c0cae8..bcfaad36 100755
--- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
+++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
@@ -1,13 +1,5 @@
#!/bin/bash
-case "$(basename $XT_MULTI)" in
- xtables-legacy-multi)
- ;;
- *)
- echo "skip $XT_MULTI"
- exit 0
- ;;
-esac
-
dump=$(dirname $0)/dumps/fedora27-iptables
diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump)
+diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump)
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
new file mode 100755
index 00000000..b86d71f2
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Test recent performance improvements in iptables-save due to reduced
+# overhead.
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET=$(
+ echo "*filter"
+ for ((i = 0; i < 100; i++)); do
+ echo ":mychain$i -"
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
+ done
+ echo "COMMIT"
+)
+
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
+
+do_grep() { # (name, threshold, pattern)
+ local cnt=$(grep -c "$3")
+ [[ $cnt -le $2 ]] && return 0
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
+ exit 1
+}
+
+# iptables prefers hard-coded protocol names instead of looking them up first
+
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
+
+# iptables-nft-save pointlessly checked whether chain jumps are targets
+
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
+
+exit 0
diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
index 5d2af4c8..15c72af3 100755
--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
@@ -21,8 +21,8 @@ EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2
- 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5
+ 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.1 10.0.0.2
+ 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.4 10.0.0.5
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination'
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
index 36da1907..21793472 100755
--- a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
@@ -10,6 +10,7 @@ $XT_MULTI iptables-restore -c <<EOF
[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
[22:123] -A FOO -m comment --comment one
[44:123] -A FOO -m comment --comment two
+[66:123] -A FOO -m comment --comment three
COMMIT
EOF
EXPECT="*filter
@@ -20,6 +21,7 @@ EXPECT="*filter
[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
[0:0] -A FOO -m comment --comment one
[0:0] -A FOO -m comment --comment two
+[0:0] -A FOO -m comment --comment three
COMMIT"
COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
@@ -28,6 +30,18 @@ if [ $COUNTER != "[12:345]" ]; then
RC=1
fi
+$XT_MULTI iptables -Z FOO 2
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ")
+if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should have been zeroed"
+ RC=1
+fi
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ")
+if [ $COUNTER != "[66:123]" ]; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
$XT_MULTI iptables -Z FOO
COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
if [ $COUNTER = "[0:0]" ]; then
@@ -60,5 +74,6 @@ fi
$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
$XT_MULTI iptables -D FOO -m comment --comment one
$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -D FOO -m comment --comment three
$XT_MULTI iptables -X FOO
exit $RC
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9b5e5b5b..69515789 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -39,8 +39,8 @@ char *arp_opcodes[] =
* to the commandline, and see expected results. So we call help for all
* specified matches and targets.
*/
-void print_extension_helps(const struct xtables_target *t,
- const struct xtables_rule_match *m)
+static void print_extension_helps(const struct xtables_target *t,
+ const struct xtables_rule_match *m)
{
for (; t != NULL; t = t->next) {
if (t->used) {
@@ -129,8 +129,8 @@ static struct xtables_match *load_proto(struct iptables_command_state *cs)
cs->options & OPT_NUMERIC, &cs->matches);
}
-int command_default(struct iptables_command_state *cs,
- struct xtables_globals *gl, bool invert)
+static int command_default(struct iptables_command_state *cs,
+ struct xtables_globals *gl, bool invert)
{
struct xtables_rule_match *matchp;
struct xtables_match *m;
@@ -731,7 +731,7 @@ void print_fragment(unsigned int flags, unsigned int invflags,
fputs("opt ", stdout);
if (fake) {
- fputs(" ", stdout);
+ fputs("--", stdout);
} else {
fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
@@ -789,7 +789,7 @@ void save_iface(char letter, const char *iface,
}
}
-void command_match(struct iptables_command_state *cs, bool invert)
+static void command_match(struct iptables_command_state *cs, bool invert)
{
struct option *opts = xt_params->opts;
struct xtables_match *m;
@@ -827,7 +827,7 @@ void command_match(struct iptables_command_state *cs, bool invert)
xt_params->opts = opts;
}
-const char *xt_parse_target(const char *targetname)
+static const char *xt_parse_target(const char *targetname)
{
const char *ptr;
@@ -889,7 +889,7 @@ void command_jump(struct iptables_command_state *cs, const char *jumpto)
xt_params->opts = opts;
}
-char cmd2char(int option)
+static char cmd2char(int option)
{
/* cmdflags index corresponds with position of bit in CMD_* values */
static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
@@ -905,8 +905,8 @@ char cmd2char(int option)
return cmdflags[i];
}
-void add_command(unsigned int *cmd, const int newcmd,
- const int othercmds, int invert)
+static void add_command(unsigned int *cmd, const int newcmd,
+ const int othercmds, int invert)
{
if (invert)
xtables_error(PARAMETER_PROBLEM, "unexpected '!' flag");
@@ -917,7 +917,7 @@ void add_command(unsigned int *cmd, const int newcmd,
}
/* Can't be zero. */
-int parse_rulenumber(const char *rule)
+static int parse_rulenumber(const char *rule)
{
unsigned int rulenum;
@@ -928,6 +928,10 @@ int parse_rulenumber(const char *rule)
return rulenum;
}
+#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
+static const char optflags[]
+= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };
+
/* Table of legal combinations of commands and options. If any of the
* given commands make an option legal, that option is legal (applies to
* CMD_LIST and CMD_ZERO only).
@@ -957,7 +961,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' ',' ',' ',' ',' ',' ',' '},
};
-void generic_opt_check(int command, int options)
+static void generic_opt_check(int command, int options)
{
int i, j, legal = 0;
@@ -992,7 +996,7 @@ void generic_opt_check(int command, int options)
}
}
-char opt2char(int option)
+static char opt2char(int option)
{
const char *ptr;
@@ -1024,7 +1028,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
/* 6 */ IPT_INV_PROTO,
};
-void
+static void
set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
bool invert)
{
@@ -1088,10 +1092,10 @@ void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
+ if (((format & (FMT_NUMERIC | FMT_NOTABLE)) == FMT_NUMERIC) || !pname)
+ printf(FMT("%-4hu ", "%hu "), proto);
else
- printf(FMT("%-5hu", "%hu "), proto);
+ printf(FMT("%-4s ", "%s "), pname);
}
void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
diff --git a/iptables/xshared.h b/iptables/xshared.h
index f8212988..1a019a7c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -39,10 +39,6 @@ enum {
OPT_P_TYPE = 1 << 17,
};
-#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
-static const char optflags[]
-= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };
-
enum {
CMD_NONE = 0,
CMD_INSERT = 1 << 0,
@@ -69,7 +65,7 @@ struct xtables_target;
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
/* define invflags which won't collide with IPT ones */
@@ -79,30 +75,6 @@ struct xtables_target;
#define IPT_INV_ARPOP 0x0400
#define IPT_INV_ARPHRD 0x0800
-void
-set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
- bool invert);
-
-/**
- * xtables_afinfo - protocol family dependent information
- * @kmod: kernel module basename (e.g. "ip_tables")
- * @proc_exists: file which exists in procfs when module already loaded
- * @libprefix: prefix of .so library name (e.g. "libipt_")
- * @family: nfproto family
- * @ipproto: used by setsockopt (e.g. IPPROTO_IP)
- * @so_rev_match: optname to check revision support of match
- * @so_rev_target: optname to check revision support of target
- */
-struct xtables_afinfo {
- const char *kmod;
- const char *proc_exists;
- const char *libprefix;
- uint8_t family;
- uint8_t ipproto;
- int so_rev_match;
- int so_rev_target;
-};
-
/* trick for ebtables-compat, since watchers are targets */
struct ebt_match {
struct ebt_match *next;
@@ -160,14 +132,6 @@ struct subcommand {
mainfunc_t main;
};
-enum {
- XT_OPTION_OFFSET_SCALE = 256,
-};
-
-extern void print_extension_helps(const struct xtables_target *,
- const struct xtables_rule_match *);
-extern int command_default(struct iptables_command_state *,
- struct xtables_globals *, bool invert);
extern int subcmd_main(int, char **, const struct subcommand *);
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
@@ -199,8 +163,6 @@ int parse_counters(const char *string, struct xt_counters *ctr);
bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line);
bool xs_has_arg(int argc, char *argv[]);
-extern const struct xtables_afinfo *afinfo;
-
#define MAX_ARGC 255
struct argv_store {
int argc;
@@ -239,19 +201,10 @@ void save_iface(char letter, const char *iface,
void print_fragment(unsigned int flags, unsigned int invflags,
unsigned int format, bool fake);
-void command_match(struct iptables_command_state *cs, bool invert);
-const char *xt_parse_target(const char *targetname);
void command_jump(struct iptables_command_state *cs, const char *jumpto);
-char cmd2char(int option);
-void add_command(unsigned int *cmd, const int newcmd,
- const int othercmds, int invert);
-int parse_rulenumber(const char *rule);
void assert_valid_chain_name(const char *chainname);
-void generic_opt_check(int command, int options);
-char opt2char(int option);
-
void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
const char *targname, uint8_t proto, uint8_t flags,
uint8_t invflags, unsigned int format);
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3d15063e..b986fd9e 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -1077,6 +1077,9 @@ print_zero:
flags |= LIST_MAC2;
break;
case 11: /* init-table */
+ if (restore)
+ xtables_error(PARAMETER_PROBLEM,
+ "--init-table is not supported in daemon mode");
nft_cmd_table_flush(h, *table, false);
return 1;
case 13 :
diff --git a/iptables/xtables-legacy-multi.c b/iptables/xtables-legacy-multi.c
index 3b7905ff..2c719315 100644
--- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c
@@ -14,10 +14,6 @@
#include "ip6tables-multi.h"
#endif
-#ifdef ENABLE_NFTABLES
-#include "xtables-multi.h"
-#endif
-
static const struct subcommand multi_subcommands[] = {
#ifdef ENABLE_IPV4
{"iptables", iptables_main},
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 905bb7fe..a1eba2f4 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -339,7 +339,7 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
inet_ntop(AF_INET, &iph->daddr, addrbuf, sizeof(addrbuf));
printf("DST=%s ", addrbuf);
- printf("LEN=%d TOS=0x%x TTL=%d ID=%d", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id));
+ printf("LEN=%d TOS=0x%x TTL=%d ID=%d ", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id));
if (iph->frag_off & htons(0x8000))
printf("CE ");
if (iph->frag_off & htons(IP_DF))
@@ -362,7 +362,7 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
printf("OPT (");
for (i = 0; i < optsize; i++)
printf("%02X", op[i]);
- printf(")");
+ printf(") ");
}
break;
}
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 9e3a2ca6..2cdaf32e 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
+AM_LDFLAGS = ${regular_LDFLAGS}
libipq_la_SOURCES = libipq.c
lib_LTLIBRARIES = libipq.la
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am
index 464a0696..097842f2 100644
--- a/libiptc/Makefile.am
+++ b/libiptc/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc
diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am
index 8ff6b0ca..2f4a12e5 100644
--- a/libxtables/Makefile.am
+++ b/libxtables/Makefile.am
@@ -1,7 +1,8 @@
# -*- Makefile -*-
AM_CFLAGS = ${regular_CFLAGS}
-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
lib_LTLIBRARIES = libxtables.la
libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 0638f927..479dbae0 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -64,7 +64,6 @@
#endif
#include <getopt.h>
#include "iptables/internal.h"
-#include "xshared.h"
#define NPROTO 255
@@ -777,6 +776,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
bool found = false;
+ bool seen = false;
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
@@ -795,6 +795,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_match(ptr, prev)) {
found = true;
@@ -808,6 +809,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_match *clone;
@@ -900,6 +906,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
struct xtables_target **dptr;
struct xtables_target *ptr;
bool found = false;
+ bool seen = false;
/* Standard target? */
if (strcmp(name, "") == 0
@@ -918,6 +925,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_target(ptr, prev)) {
found = true;
@@ -931,6 +939,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_target *clone;
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 9d3ac5c8..8174a560 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -21,7 +21,6 @@
#include <arpa/inet.h>
#include <netinet/ip.h>
#include "xtables.h"
-#include "xshared.h"
#ifndef IPTOS_NORMALSVC
# define IPTOS_NORMALSVC 0
#endif
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 42bd9737..327a29e0 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -3,6 +3,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
-I${top_srcdir}/include ${libnfnetlink_CFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
sbin_PROGRAMS =
pkgdata_DATA =