diff options
33 files changed, 1227 insertions, 1794 deletions
diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t index 83699337..206d9293 100644 --- a/extensions/libxt_hashlimit.t +++ b/extensions/libxt_hashlimit.t @@ -3,12 +3,12 @@ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK --m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK +-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK --m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK +-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK diff --git a/include/xtables.h b/include/xtables.h index e51f4bfd..ca674c26 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -420,10 +420,12 @@ struct xtables_globals { unsigned int option_offset; const char *program_name, *program_version; + const char *optstring; struct option *orig_opts; struct option *opts; void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); int (*compat_rev)(const char *name, uint8_t rev, int opt); + void (*print_help)(const struct xtables_rule_match *m); }; #define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} diff --git a/iptables/Makefile.am b/iptables/Makefile.am index f7895210..0258264c 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -37,7 +37,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \ xtables-standalone.c xtables.c nft.c \ nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \ xtables-monitor.c nft-cache.c \ - xtables-arp-standalone.c xtables-arp.c \ + xtables-arp.c \ nft-bridge.c nft-cmd.c nft-chain.c \ xtables-eb-standalone.c xtables-eb.c \ xtables-eb-translate.c \ diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index e967c040..5a64566e 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -233,82 +233,6 @@ static int is_exthdr(uint16_t proto) proto == IPPROTO_DSTOPTS); } -static void -parse_chain(const char *chainname) -{ - const char *ptr; - - if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - chainname, XT_EXTENSION_MAXNAMELEN); - - if (*chainname == '-' || *chainname == '!') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *chainname); - - if (xtables_find_target(chainname, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - - for (ptr = chainname; *ptr; ptr++) - if (isspace(*ptr)) - xtables_error(PARAMETER_PROBLEM, - "Invalid chain name `%s'", chainname); -} - -static void -print_header(unsigned int format, const char *chain, struct xtc_handle *handle) -{ - struct xt_counters counters; - const char *pol = ip6tc_get_policy(chain, &counters, handle); - printf("Chain %s", chain); - if (pol) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters.pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters.bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - unsigned int refs; - if (!ip6tc_get_references(&refs, chain, handle)) - printf(" (ERROR obtaining refs)\n"); - else - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - - static int print_match(const struct xt_entry_match *m, const struct ip6t_ip6 *ip, @@ -355,33 +279,10 @@ print_firewall(const struct ip6t_entry *fw, t = ip6t_get_target((struct ip6t_entry *)fw); - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); - - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(fw->counters.pcnt, format); - xtables_print_num(fw->counters.bcnt, format); - } - - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname); - - fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), fw->ipv6.proto); - } + print_rule_details(num, &fw->counters, targname, fw->ipv6.proto, + fw->ipv6.flags, fw->ipv6.invflags, format); - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(' ', stdout); /* Invert flag of FRAG */ - fputc(' ', stdout); /* -f */ - fputc(' ', stdout); - } + print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true); print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface, fw->ipv6.invflags, format); @@ -711,8 +612,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, if (found) printf("\n"); - if (!rulenum) - print_header(format, this, handle); + if (!rulenum) { + struct xt_counters counters; + unsigned int urefs; + const char *pol; + int refs = - 1; + + pol = ip6tc_get_policy(this, &counters, handle); + if (!pol && ip6tc_get_references(&urefs, this, handle)) + refs = urefs; + + print_header(format, this, pol, &counters, refs, 0); + } i = ip6tc_first_rule(this, handle); num = 0; @@ -733,45 +644,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, return found; } -/* This assumes that mask is contiguous, and byte-bounded. */ -static void -print_iface(char letter, const char *iface, const unsigned char *mask, - int invert) -{ - unsigned int i; - - if (mask[0] == 0) - return; - - printf("%s -%c ", invert ? " !" : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (mask[i] != 0) { - if (iface[i] != '\0') - printf("%c", iface[i]); - } else { - /* we can access iface[i-1] here, because - * a few lines above we make sure that mask[0] != 0 */ - if (iface[i-1] != '\0') - printf("+"); - break; - } - } -} - -static void print_proto(uint16_t proto, int invert) -{ - if (proto) { - const char *pname = proto_to_name(proto, 0); - const char *invertstr = invert ? " !" : ""; - - if (pname) - printf("%s -p %s", invertstr, pname); - else - printf("%s -p %u", invertstr, proto); - } -} - static int print_match_save(const struct xt_entry_match *e, const struct ip6t_ip6 *ip) { @@ -803,27 +675,6 @@ static int print_match_save(const struct xt_entry_match *e, return 0; } -/* Print a given ip including mask if necessary. */ -static void print_ip(const char *prefix, const struct in6_addr *ip, - const struct in6_addr *mask, int invert) -{ - char buf[51]; - int l = xtables_ip6mask_to_cidr(mask); - - if (l == 0 && !invert) - return; - - printf("%s %s %s", - invert ? " !" : "", - prefix, - inet_ntop(AF_INET6, ip, buf, sizeof buf)); - - if (l == -1) - printf("/%s", inet_ntop(AF_INET6, mask, buf, sizeof buf)); - else - printf("/%d", l); -} - /* We want this to be readable, so only print out necessary fields. * Because that's the kind of world I want to live in. */ @@ -841,19 +692,15 @@ void print_rule6(const struct ip6t_entry *e, printf("-A %s", chain); /* Print IP part. */ - print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk), - e->ipv6.invflags & IP6T_INV_SRCIP); - - print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk), - e->ipv6.invflags & IP6T_INV_DSTIP); - - print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask, - e->ipv6.invflags & IP6T_INV_VIA_IN); + save_ipv6_addr('s', &e->ipv6.src, &e->ipv6.smsk, + e->ipv6.invflags & IP6T_INV_SRCIP); - print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask, - e->ipv6.invflags & IP6T_INV_VIA_OUT); + save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk, + e->ipv6.invflags & IP6T_INV_DSTIP); - print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO); + save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask, + e->ipv6.outiface, e->ipv6.outiface_mask, + e->ipv6.proto, 0, e->ipv6.invflags); #if 0 /* not definied in ipv6 diff --git a/iptables/iptables.c b/iptables/iptables.c index b925f089..ac51c612 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -223,81 +223,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...) /* Christophe Burki wants `-p 6' to imply `-m tcp'. */ -static void -parse_chain(const char *chainname) -{ - const char *ptr; - - if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - chainname, XT_EXTENSION_MAXNAMELEN); - - if (*chainname == '-' || *chainname == '!') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *chainname); - - if (xtables_find_target(chainname, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - - for (ptr = chainname; *ptr; ptr++) - if (isspace(*ptr)) - xtables_error(PARAMETER_PROBLEM, - "Invalid chain name `%s'", chainname); -} - -static void -print_header(unsigned int format, const char *chain, struct xtc_handle *handle) -{ - struct xt_counters counters; - const char *pol = iptc_get_policy(chain, &counters, handle); - printf("Chain %s", chain); - if (pol) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters.pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters.bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - unsigned int refs; - if (!iptc_get_references(&refs, chain, handle)) - printf(" (ERROR obtaining refs)\n"); - else - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - static int print_match(const struct xt_entry_match *m, @@ -336,7 +261,6 @@ print_firewall(const struct ipt_entry *fw, { struct xtables_target *target, *tg; const struct xt_entry_target *t; - uint8_t flags; if (!iptc_is_chain(targname, handle)) target = xtables_find_target(targname, XTF_TRY_LOAD); @@ -345,35 +269,11 @@ print_firewall(const struct ipt_entry *fw, XTF_LOAD_MUST_SUCCEED); t = ipt_get_target((struct ipt_entry *)fw); - flags = fw->ip.flags; - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); - - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(fw->counters.pcnt, format); - xtables_print_num(fw->counters.bcnt, format); - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname); + print_rule_details(num, &fw->counters, targname, fw->ip.proto, + fw->ip.flags, fw->ip.invflags, format); - fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), fw->ip.proto); - } - - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout); - fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); - fputc(' ', stdout); - } + print_fragment(fw->ip.flags, fw->ip.invflags, format, false); print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format); @@ -702,8 +602,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, if (found) printf("\n"); - if (!rulenum) - print_header(format, this, handle); + if (!rulenum) { + struct xt_counters counters; + unsigned int urefs; + const char *pol; + int refs = -1; + + pol = iptc_get_policy(this, &counters, handle); + if (!pol && iptc_get_references(&urefs, this, handle)) + refs = urefs; + + print_header(format, this, pol, &counters, refs, 0); + } i = iptc_first_rule(this, handle); num = 0; @@ -724,19 +634,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, return found; } -static void print_proto(uint16_t proto, int invert) -{ - if (proto) { - const char *pname = proto_to_name(proto, 0); - const char *invertstr = invert ? " !" : ""; - - if (pname) - printf("%s -p %s", invertstr, pname); - else - printf("%s -p %u", invertstr, proto); - } -} - #define IP_PARTS_NATIVE(n) \ (unsigned int)((n)>>24)&0xFF, \ (unsigned int)((n)>>16)&0xFF, \ @@ -745,32 +642,6 @@ static void print_proto(uint16_t proto, int invert) #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) -/* This assumes that mask is contiguous, and byte-bounded. */ -static void -print_iface(char letter, const char *iface, const unsigned char *mask, - int invert) -{ - unsigned int i; - - if (mask[0] == 0) - return; - - printf("%s -%c ", invert ? " !" : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (mask[i] != 0) { - if (iface[i] != '\0') - printf("%c", iface[i]); - } else { - /* we can access iface[i-1] here, because - * a few lines above we make sure that mask[0] != 0 */ - if (iface[i-1] != '\0') - printf("+"); - break; - } - } -} - static int print_match_save(const struct xt_entry_match *e, const struct ipt_ip *ip) { @@ -802,36 +673,6 @@ static int print_match_save(const struct xt_entry_match *e, return 0; } -/* Print a given ip including mask if necessary. */ -static void print_ip(const char *prefix, uint32_t ip, - uint32_t mask, int invert) -{ - uint32_t bits, hmask = ntohl(mask); - int i; - - if (!mask && !ip && !invert) - return; - - printf("%s %s %u.%u.%u.%u", - invert ? " !" : "", - prefix, - IP_PARTS(ip)); - - if (mask == 0xFFFFFFFFU) { - printf("/32"); - return; - } - - i = 32; - bits = 0xFFFFFFFEU; - while (--i >= 0 && hmask != bits) - bits <<= 1; - if (i >= 0) - printf("/%u", i); - else - printf("/%u.%u.%u.%u", IP_PARTS(mask)); -} - /* We want this to be readable, so only print out necessary fields. * Because that's the kind of world I want to live in. */ @@ -849,23 +690,16 @@ void print_rule4(const struct ipt_entry *e, printf("-A %s", chain); /* Print IP part. */ - print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr, - e->ip.invflags & IPT_INV_SRCIP); + save_ipv4_addr('s', &e->ip.src, &e->ip.smsk, + e->ip.invflags & IPT_INV_SRCIP); - print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, + save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk, e->ip.invflags & IPT_INV_DSTIP); - print_iface('i', e->ip.iniface, e->ip.iniface_mask, - e->ip.invflags & IPT_INV_VIA_IN); - - print_iface('o', e->ip.outiface, e->ip.outiface_mask, - e->ip.invflags & IPT_INV_VIA_OUT); - - print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO); - - if (e->ip.flags & IPT_F_FRAG) - printf("%s -f", - e->ip.invflags & IPT_INV_FRAG ? " !" : ""); + save_rule_details(e->ip.iniface, e->ip.iniface_mask, + e->ip.outiface, e->ip.outiface_mask, + e->ip.proto, e->ip.flags & IPT_F_FRAG, + e->ip.invflags); /* Print matchinfo part */ if (e->target_offset) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 2a9387a1..b211a309 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -308,11 +308,10 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, static void nft_arp_print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, - bool basechain, uint32_t refs, - uint32_t entries) + int refs, uint32_t entries) { printf("Chain %s", chain); - if (basechain && pol) { + if (pol) { printf(" (policy %s", pol); if (!(format & FMT_NOCOUNTS)) { fputc(' ', stdout); @@ -323,7 +322,7 @@ static void nft_arp_print_header(unsigned int format, const char *chain, } printf(")\n"); } else { - printf(" (%u references)\n", refs); + printf(" (%d references)\n", refs); } } @@ -479,6 +478,7 @@ nft_arp_save_rule(const void *data, unsigned int format) format |= FMT_NUMERIC; + printf(" "); nft_arp_print_rule_details(cs, format); if (cs->target && cs->target->save) cs->target->save(&cs->fw, cs->target->t); @@ -546,6 +546,251 @@ static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy) printf(":%s %s\n", chain, policy ?: "-"); } +static int getlength_and_mask(const char *from, uint8_t *to, uint8_t *mask) +{ + char *dup = strdup(from); + char *p, *buffer; + int i, ret = -1; + + if (!dup) + return -1; + + if ( (p = strrchr(dup, '/')) != NULL) { + *p = '\0'; + i = strtol(p+1, &buffer, 10); + if (*buffer != '\0' || i < 0 || i > 255) + goto out_err; + *mask = (uint8_t)i; + } else + *mask = 255; + i = strtol(dup, &buffer, 10); + if (*buffer != '\0' || i < 0 || i > 255) + goto out_err; + *to = (uint8_t)i; + ret = 0; +out_err: + free(dup); + return ret; + +} + +static int get16_and_mask(const char *from, uint16_t *to, + uint16_t *mask, int base) +{ + char *dup = strdup(from); + char *p, *buffer; + int i, ret = -1; + + if (!dup) + return -1; + + if ( (p = strrchr(dup, '/')) != NULL) { + *p = '\0'; + i = strtol(p+1, &buffer, base); + if (*buffer != '\0' || i < 0 || i > 65535) + goto out_err; + *mask = htons((uint16_t)i); + } else + *mask = 65535; + i = strtol(dup, &buffer, base); + if (*buffer != '\0' || i < 0 || i > 65535) + goto out_err; + *to = htons((uint16_t)i); + ret = 0; +out_err: + free(dup); + return ret; +} + +static void nft_arp_post_parse(int command, + struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->arp.arp.invflags = args->invflags; + + memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ); + memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ); + + memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ); + memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ); + + cs->arp.counters.pcnt = args->pcnt_cnt; + cs->arp.counters.bcnt = args->bcnt_cnt; + + if (command & (CMD_REPLACE | CMD_INSERT | + CMD_DELETE | CMD_APPEND | CMD_CHECK)) { + if (!(cs->options & OPT_DESTINATION)) + args->dhostnetworkmask = "0.0.0.0/0"; + if (!(cs->options & OPT_SOURCE)) + args->shostnetworkmask = "0.0.0.0/0"; + } + + if (args->shostnetworkmask) + xtables_ipparse_multiple(args->shostnetworkmask, + &args->s.addr.v4, &args->s.mask.v4, + &args->s.naddrs); + if (args->dhostnetworkmask) + xtables_ipparse_multiple(args->dhostnetworkmask, + &args->d.addr.v4, &args->d.mask.v4, + &args->d.naddrs); + + if ((args->s.naddrs > 1 || args->d.naddrs > 1) && + (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) + xtables_error(PARAMETER_PROBLEM, + "! not allowed with multiple" + " source or destination IP addresses"); + + if (args->src_mac && + xtables_parse_mac_and_mask(args->src_mac, + cs->arp.arp.src_devaddr.addr, + cs->arp.arp.src_devaddr.mask)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified source mac"); + if (args->dst_mac && + xtables_parse_mac_and_mask(args->dst_mac, + cs->arp.arp.tgt_devaddr.addr, + cs->arp.arp.tgt_devaddr.mask)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified destination mac"); + if (args->arp_hlen) { + getlength_and_mask(args->arp_hlen, &cs->arp.arp.arhln, + &cs->arp.arp.arhln_mask); + + if (cs->arp.arp.arhln != 6) + xtables_error(PARAMETER_PROBLEM, + "Only harware address length of 6 is supported currently."); + } + if (args->arp_opcode) { + if (get16_and_mask(args->arp_opcode, &cs->arp.arp.arpop, + &cs->arp.arp.arpop_mask, 10)) { + int i; + + for (i = 0; i < NUMOPCODES; i++) + if (!strcasecmp(arp_opcodes[i], + args->arp_opcode)) + break; + if (i == NUMOPCODES) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified opcode"); + cs->arp.arp.arpop = htons(i+1); + } + } + if (args->arp_htype) { + if (get16_and_mask(args->arp_htype, &cs->arp.arp.arhrd, + &cs->arp.arp.arhrd_mask, 16)) { + if (strcasecmp(args->arp_htype, "Ethernet")) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified hardware type"); + cs->arp.arp.arhrd = htons(1); + } + } + if (args->arp_ptype) { + if (get16_and_mask(args->arp_ptype, &cs->arp.arp.arpro, + &cs->arp.arp.arpro_mask, 0)) { + if (strcasecmp(args->arp_ptype, "ipv4")) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified protocol type"); + cs->arp.arp.arpro = htons(0x800); + } + } +} + +static void nft_arp_init_cs(struct iptables_command_state *cs) +{ + cs->arp.arp.arhln = 6; + cs->arp.arp.arhln_mask = 255; + cs->arp.arp.arhrd = htons(ARPHRD_ETHER); + cs->arp.arp.arhrd_mask = 65535; +} + +static int +nft_arp_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr; + if (append) { + ret = nft_cmd_rule_append(h, chain, table, cs, NULL, + verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, cs, + rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_arp_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr; + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_arp_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr; + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_arp_replace_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + cs->arp.arp.src.s_addr = args->s.addr.v4->s_addr; + cs->arp.arp.tgt.s_addr = args->d.addr.v4->s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4->s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4->s_addr; + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_arp = { .add = nft_arp_add, .is_same = nft_arp_is_same, @@ -557,8 +802,13 @@ struct nft_family_ops nft_family_ops_arp = { .print_rule = nft_arp_print_rule, .save_rule = nft_arp_save_rule, .save_chain = nft_arp_save_chain, - .post_parse = NULL, + .post_parse = nft_arp_post_parse, .rule_to_cs = nft_rule_to_iptables_command_state, + .init_cs = nft_arp_init_cs, .clear_cs = nft_clear_iptables_command_state, .parse_target = nft_ipv46_parse_target, + .add_entry = nft_arp_add_entry, + .delete_entry = nft_arp_delete_entry, + .check_entry = nft_arp_check_entry, + .replace_entry = nft_arp_replace_entry, }; diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 11f3df35..5cde302c 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -534,7 +534,7 @@ static void nft_bridge_print_table_header(const char *tablename) static void nft_bridge_print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, - bool basechain, uint32_t refs, uint32_t entries) + int refs, uint32_t entries) { printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, entries, pol ?: "RETURN"); @@ -601,7 +601,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask) printf("%s ", ent->e_name); } -static void nft_bridge_save_rule(const void *data, unsigned int format) +static void __nft_bridge_save_rule(const void *data, unsigned int format) { const struct iptables_command_state *cs = data; @@ -652,6 +652,12 @@ static void nft_bridge_save_rule(const void *data, unsigned int format) fputc('\n', stdout); } +static void nft_bridge_save_rule(const void *data, unsigned int format) +{ + printf(" "); + __nft_bridge_save_rule(data, format); +} + static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format) { @@ -661,7 +667,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, printf("%d ", num); nft_rule_to_ebtables_command_state(h, r, &cs); - nft_bridge_save_rule(&cs, format); + __nft_bridge_save_rule(&cs, format); ebt_cs_clean(&cs); } diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c index 2c88301c..43ac291e 100644 --- a/iptables/nft-cache.c +++ b/iptables/nft-cache.c @@ -202,26 +202,52 @@ nft_chain_find(struct nft_handle *h, const char *table, const char *chain) return NULL; } +static int +nft_cache_add_base_chain(struct nft_handle *h, const struct builtin_table *t, + struct nft_chain *nc) +{ + uint32_t hooknum = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_HOOKNUM); + const char *name = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_NAME); + const char *type = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_TYPE); + uint32_t prio = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_PRIO); + const struct builtin_chain *bc = NULL; + int i; + + for (i = 0; i < NF_IP_NUMHOOKS && t->chains[i].name != NULL; i++) { + if (hooknum == t->chains[i].hook) { + bc = &t->chains[i]; + break; + } + } + + if (!bc || + prio != bc->prio || + strcmp(name, bc->name) || + strcmp(type, bc->type)) + return -EINVAL; + + nc->base_slot = &h->cache->table[t->type].base_chains[hooknum]; + if (*nc->base_slot) + return -EEXIST; + + *nc->base_slot = nc; + return 0; +} + int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, struct nftnl_chain *c) { const char *cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); struct nft_chain *nc = nft_chain_alloc(c); + int ret; if (nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) { - uint32_t hooknum = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM); - - if (hooknum >= NF_INET_NUMHOOKS) { + ret = nft_cache_add_base_chain(h, t, nc); + if (ret) { + h->cache->table[t->type].tainted = true; nft_chain_free(nc); - return -EINVAL; + return ret; } - - if (h->cache->table[t->type].base_chains[hooknum]) { - nft_chain_free(nc); - return -EEXIST; - } - - h->cache->table[t->type].base_chains[hooknum] = nc; } else { list_add_tail(&nc->head, &h->cache->table[t->type].chains->list); @@ -314,9 +340,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data) goto out; } - if (nft_cache_add_chain(h, t, c)) - goto out; - + nft_cache_add_chain(h, t, c); return MNL_CB_OK; out: nftnl_chain_free(c); diff --git a/iptables/nft-chain.h b/iptables/nft-chain.h index 137f4b7f..9adf1738 100644 --- a/iptables/nft-chain.h +++ b/iptables/nft-chain.h @@ -9,6 +9,7 @@ struct nft_handle; struct nft_chain { struct list_head head; struct hlist_node hnode; + struct nft_chain **base_slot; struct nftnl_chain *nftnl; }; diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c index 2d874bd4..fcd01bd0 100644 --- a/iptables/nft-cmd.c +++ b/iptables/nft-cmd.c @@ -220,7 +220,7 @@ int nft_cmd_chain_del(struct nft_handle *h, const char *chain, /* This triggers nft_bridge_chain_postprocess() when fetching the * rule cache. */ - if (h->family == NFPROTO_BRIDGE) + if (h->family == NFPROTO_BRIDGE || !chain) nft_cache_level_set(h, NFT_CL_RULES, cmd); else nft_cache_level_set(h, NFT_CL_CHAINS, cmd); diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 34f94bd8..f3626098 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -134,32 +134,6 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv) ctx->flags &= ~NFT_XT_CTX_BITWISE; } -static const char *mask_to_str(uint32_t mask) -{ - static char mask_str[INET_ADDRSTRLEN]; - uint32_t bits, hmask = ntohl(mask); - struct in_addr mask_addr = { - .s_addr = mask, - }; - int i; - - if (mask == 0xFFFFFFFFU) { - sprintf(mask_str, "32"); - return mask_str; - } - - i = 32; - bits = 0xFFFFFFFEU; - while (--i >= 0 && hmask != bits) - bits <<= 1; - if (i >= 0) - sprintf(mask_str, "%u", i); - else - inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str)); - - return mask_str; -} - static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data) { @@ -252,19 +226,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto, cs->fw.ip.flags |= IPT_F_GOTO; } -static void print_fragment(unsigned int flags, unsigned int invflags, - unsigned int format) -{ - if (!(format & FMT_OPTIONS)) - return; - - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout); - fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); - fputc(' ', stdout); -} - static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format) { @@ -272,9 +233,9 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, nft_rule_to_iptables_command_state(h, r, &cs); - print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags, - cs.fw.ip.invflags, cs.fw.ip.proto, num, format); - print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format); + print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto, + cs.fw.ip.flags, cs.fw.ip.invflags, format); + print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format, false); print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags, format); print_ipv4_addresses(&cs.fw, format); @@ -295,37 +256,19 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, nft_clear_iptables_command_state(&cs); } -static void save_ipv4_addr(char letter, const struct in_addr *addr, - uint32_t mask, int invert) -{ - char addrbuf[INET_ADDRSTRLEN]; - - if (!mask && !invert && !addr->s_addr) - return; - - printf("%s-%c %s/%s ", invert ? "! " : "", letter, - inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), - mask_to_str(mask)); -} - static void nft_ipv4_save_rule(const void *data, unsigned int format) { const struct iptables_command_state *cs = data; - save_ipv4_addr('s', &cs->fw.ip.src, cs->fw.ip.smsk.s_addr, + save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk, cs->fw.ip.invflags & IPT_INV_SRCIP); - save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr, + save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk, cs->fw.ip.invflags & IPT_INV_DSTIP); - save_rule_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto, - cs->fw.ip.iniface, cs->fw.ip.iniface_mask, - cs->fw.ip.outiface, cs->fw.ip.outiface_mask); - - if (cs->fw.ip.flags & IPT_F_FRAG) { - if (cs->fw.ip.invflags & IPT_INV_FRAG) - printf("! "); - printf("-f "); - } + save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask, + cs->fw.ip.outiface, cs->fw.ip.outiface_mask, + cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG, + cs->fw.ip.invflags); save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO, &cs->fw, format); @@ -468,6 +411,95 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) return ret; } +static int +nft_ipv4_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr; + + if (append) { + ret = nft_cmd_rule_append(h, chain, table, + cs, NULL, verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, + cs, rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_ipv4_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr; + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv4_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr; + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv4_replace_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + cs->fw.ip.src.s_addr = args->s.addr.v4->s_addr; + cs->fw.ip.dst.s_addr = args->d.addr.v4->s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4->s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4->s_addr; + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_ipv4 = { .add = nft_ipv4_add, .is_same = nft_ipv4_is_same, @@ -484,4 +516,8 @@ struct nft_family_ops nft_family_ops_ipv4 = { .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = nft_clear_iptables_command_state, .xlate = nft_ipv4_xlate, + .add_entry = nft_ipv4_add_entry, + .delete_entry = nft_ipv4_delete_entry, + .check_entry = nft_ipv4_check_entry, + .replace_entry = nft_ipv4_replace_entry, }; diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index d9c9400a..13213088 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -198,14 +198,9 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r, nft_rule_to_iptables_command_state(h, r, &cs); - print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags, - cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto, - num, format); - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputs(" ", stdout); - } + print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto, + cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format); + print_fragment(cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format, true); print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface, cs.fw6.ipv6.invflags, format); print_ipv6_addresses(&cs.fw6, format); @@ -224,26 +219,6 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r, nft_clear_iptables_command_state(&cs); } -static void save_ipv6_addr(char letter, const struct in6_addr *addr, - const struct in6_addr *mask, - int invert) -{ - char addr_str[INET6_ADDRSTRLEN]; - int l = xtables_ip6mask_to_cidr(mask); - - if (!invert && l == 0) - return; - - printf("%s-%c %s", - invert ? "! " : "", letter, - inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str))); - - if (l == -1) - printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str))); - else - printf("/%d ", l); -} - static void nft_ipv6_save_rule(const void *data, unsigned int format) { const struct iptables_command_state *cs = data; @@ -253,9 +228,9 @@ static void nft_ipv6_save_rule(const void *data, unsigned int format) save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, cs->fw6.ipv6.invflags & IP6T_INV_DSTIP); - save_rule_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto, - cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, - cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask); + save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, + cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask, + cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags); save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO, &cs->fw6, format); @@ -410,6 +385,106 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) return ret; } +static int +nft_ipv6_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6[i], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6[i], sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) { + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6[j], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6[j], sizeof(struct in6_addr)); + if (append) { + ret = nft_cmd_rule_append(h, chain, table, + cs, NULL, verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, + cs, rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_ipv6_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6[i], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6[i], sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) { + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6[j], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6[j], sizeof(struct in6_addr)); + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv6_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6[i], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6[i], sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) { + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6[j], sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6[j], sizeof(struct in6_addr)); + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv6_replace_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + memcpy(&cs->fw6.ipv6.src, args->s.addr.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dst, args->d.addr.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, args->s.mask.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, args->d.mask.v6, sizeof(struct in6_addr)); + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_ipv6 = { .add = nft_ipv6_add, .is_same = nft_ipv6_is_same, @@ -426,4 +501,8 @@ struct nft_family_ops nft_family_ops_ipv6 = { .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = nft_clear_iptables_command_state, .xlate = nft_ipv6_xlate, + .add_entry = nft_ipv6_add_entry, + .delete_entry = nft_ipv6_delete_entry, + .check_entry = nft_ipv6_check_entry, + .replace_entry = nft_ipv6_replace_entry, }; diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 4253b081..b281ba29 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -373,21 +373,6 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e) ctx->h->ops->parse_match(match, ctx->cs); } -void print_proto(uint16_t proto, int invert) -{ - const struct protoent *pent = getprotobynumber(proto); - - if (invert) - printf("! "); - - if (pent) { - printf("-p %s ", pent->p_name); - return; - } - - printf("-p %u ", proto); -} - void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv) { uint32_t len; @@ -714,130 +699,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs) } } -void print_header(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries) -{ - printf("Chain %s", chain); - if (basechain) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters->pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters->bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - -void print_rule_details(const struct iptables_command_state *cs, - const char *targname, uint8_t flags, - uint8_t invflags, uint8_t proto, - unsigned int num, unsigned int format) -{ - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); - - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(cs->counters.pcnt, format); - xtables_print_num(cs->counters.bcnt, format); - } - - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname ? targname : ""); - - fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = - proto_to_name(proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), proto); - } -} - -static void -print_iface(char letter, const char *iface, const unsigned char *mask, int inv) -{ - unsigned int i; - - if (mask[0] == 0) - return; - - printf("%s-%c ", inv ? "! " : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (mask[i] != 0) { - if (iface[i] != '\0') - printf("%c", iface[i]); - } else { - if (iface[i-1] != '\0') - printf("+"); - break; - } - } - - printf(" "); -} - -void save_rule_details(const struct iptables_command_state *cs, - uint8_t invflags, uint16_t proto, - const char *iniface, - unsigned const char *iniface_mask, - const char *outiface, - unsigned const char *outiface_mask) -{ - if (iniface != NULL) { - print_iface('i', iniface, iniface_mask, - invflags & IPT_INV_VIA_IN); - } - if (outiface != NULL) { - print_iface('o', outiface, outiface_mask, - invflags & IPT_INV_VIA_OUT); - } - - if (proto > 0) { - const char *pname = proto_to_name(proto, 0); - - if (invflags & XT_INV_PROTO) - printf("! "); - - if (pname) - printf("-p %s ", pname); - else - printf("-p %u ", proto); - } -} - void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy) { const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); @@ -856,33 +717,33 @@ void save_matches_and_target(const struct iptables_command_state *cs, for (matchp = cs->matches; matchp; matchp = matchp->next) { if (matchp->match->alias) { - printf("-m %s", + printf(" -m %s", matchp->match->alias(matchp->match->m)); } else - printf("-m %s", matchp->match->name); + printf(" -m %s", matchp->match->name); if (matchp->match->save != NULL) { /* cs->fw union makes the trick */ matchp->match->save(fw, matchp->match->m); } - printf(" "); } if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS) - printf("-c %llu %llu ", + printf(" -c %llu %llu", (unsigned long long)cs->counters.pcnt, (unsigned long long)cs->counters.bcnt); if (cs->target != NULL) { if (cs->target->alias) { - printf("-j %s", cs->target->alias(cs->target->t)); + printf(" -j %s", cs->target->alias(cs->target->t)); } else - printf("-j %s", cs->jumpto); + printf(" -j %s", cs->jumpto); - if (cs->target->save != NULL) + if (cs->target->save != NULL) { cs->target->save(fw, cs->target->t); + } } else if (strlen(cs->jumpto) > 0) { - printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto); + printf(" -%c %s", goto_flag ? 'g' : 'j', cs->jumpto); } printf("\n"); @@ -992,6 +853,7 @@ void nft_check_xt_legacy(int family, bool is_ipt_save) { static const char tables6[] = "/proc/net/ip6_tables_names"; static const char tables4[] = "/proc/net/ip_tables_names"; + static const char tablesa[] = "/proc/net/arp_tables_names"; const char *prefix = "ip"; FILE *fp = NULL; char buf[1024]; @@ -1004,6 +866,10 @@ void nft_check_xt_legacy(int family, bool is_ipt_save) fp = fopen(tables6, "r"); prefix = "ip6"; break; + case NFPROTO_ARP: + fp = fopen(tablesa, "r"); + prefix = "arp"; + break; default: break; } diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index cc8f3a79..bcf8486e 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -94,8 +94,8 @@ struct nft_family_ops { void (*print_table_header)(const char *tablename); void (*print_header)(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); + const struct xt_counters *counters, + int refs, uint32_t entries); void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format); void (*save_rule)(const void *data, unsigned int format); @@ -106,10 +106,29 @@ struct nft_family_ops { struct xtables_args *args); void (*parse_match)(struct xtables_match *m, void *data); void (*parse_target)(struct xtables_target *t, void *data); + void (*init_cs)(struct iptables_command_state *cs); void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); void (*clear_cs)(struct iptables_command_state *cs); int (*xlate)(const void *data, struct xt_xlate *xl); + int (*add_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum); + int (*delete_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*check_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*replace_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum); }; void add_meta(struct nftnl_rule *r, uint32_t key); @@ -139,27 +158,13 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface, int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, unsigned char *iniface_mask, char *outiface, unsigned char *outiface_mask, uint8_t *invflags); -void print_proto(uint16_t proto, int invert); void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv); void nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); void nft_clear_iptables_command_state(struct iptables_command_state *cs); -void print_header(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); -void print_rule_details(const struct iptables_command_state *cs, - const char *targname, uint8_t flags, - uint8_t invflags, uint8_t proto, - unsigned int num, unsigned int format); void print_matches_and_target(struct iptables_command_state *cs, unsigned int format); -void save_rule_details(const struct iptables_command_state *cs, - uint8_t invflags, uint16_t proto, - const char *iniface, - unsigned const char *iniface_mask, - const char *outiface, - unsigned const char *outiface_mask); void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy); void save_matches_and_target(const struct iptables_command_state *cs, bool goto_flag, const void *fw, @@ -176,6 +181,7 @@ struct addr_mask { union { struct in_addr *v4; struct in6_addr *v6; + void *ptr; } addr; unsigned int naddrs; @@ -183,6 +189,7 @@ struct addr_mask { union { struct in_addr *v4; struct in6_addr *v6; + void *ptr; } mask; }; @@ -197,6 +204,9 @@ struct xtables_args { const char *shostnetworkmask, *dhostnetworkmask; const char *pcnt, *bcnt; struct addr_mask s, d; + const char *src_mac, *dst_mac; + const char *arp_hlen, *arp_opcode; + const char *arp_htype, *arp_ptype; unsigned long long pcnt_cnt, bcnt_cnt; }; diff --git a/iptables/nft.c b/iptables/nft.c index 89dde9ec..887c735b 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -863,7 +863,22 @@ int nft_restart(struct nft_handle *h) return 0; } -int nft_init(struct nft_handle *h, int family, const struct builtin_table *t) +static const struct builtin_table *builtin_tables_lookup(int family) +{ + switch (family) { + case AF_INET: + case AF_INET6: + return xtables_ipv4; + case NFPROTO_ARP: + return xtables_arp; + case NFPROTO_BRIDGE: + return xtables_bridge; + default: + return NULL; + } +} + +int nft_init(struct nft_handle *h, int family) { memset(h, 0, sizeof(*h)); @@ -881,7 +896,7 @@ int nft_init(struct nft_handle *h, int family, const struct builtin_table *t) xtables_error(PARAMETER_PROBLEM, "Unknown family"); h->portid = mnl_socket_get_portid(h->nl); - h->tables = t; + h->tables = builtin_tables_lookup(family); h->cache = &h->__cache[0]; h->family = family; @@ -1498,10 +1513,10 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r, /* print chain name */ switch(type) { case NFT_RULE_APPEND: - printf("-A %s ", chain); + printf("-A %s", chain); break; case NFT_RULE_DEL: - printf("-D %s ", chain); + printf("-D %s", chain); break; } @@ -1838,32 +1853,47 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table struct chain_del_data { struct nft_handle *handle; - struct nft_cache *cache; - enum nft_table_type type; + const char *chain; bool verbose; }; +static bool nft_may_delete_chain(struct nftnl_chain *c) +{ + if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY) && + nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY) != NF_ACCEPT) + return false; + + return nftnl_rule_lookup_byindex(c, 0) == NULL; +} + static int __nft_chain_del(struct nft_chain *nc, void *data) { struct chain_del_data *d = data; struct nftnl_chain *c = nc->nftnl; struct nft_handle *h = d->handle; + bool builtin = nft_chain_builtin(c); + struct obj_update *obj; + int ret = 0; - if (d->verbose) + if (d->verbose && !builtin) fprintf(stdout, "Deleting chain `%s'\n", nftnl_chain_get_str(c, NFTNL_CHAIN_NAME)); /* XXX This triggers a fast lookup from the kernel. */ nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); - if (!batch_chain_add(h, NFT_COMPAT_CHAIN_DEL, c)) + obj = batch_chain_add(h, NFT_COMPAT_CHAIN_DEL, c); + if (!obj) return -1; - if (nft_chain_builtin(c)) { - uint32_t num = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM); - - if (nc == d->cache->table[d->type].base_chains[num]) - d->cache->table[d->type].base_chains[num] = NULL; + if (builtin) { + obj->skip = !nft_may_delete_chain(c); + if (obj->skip && d->chain) { + /* complain if explicitly requested */ + errno = EBUSY; + ret = -1; + } + *nc->base_slot = NULL; } /* nftnl_chain is freed when deleting the batch object */ @@ -1871,15 +1901,15 @@ static int __nft_chain_del(struct nft_chain *nc, void *data) nft_chain_list_del(nc); nft_chain_free(nc); - return 0; + return ret; } int nft_chain_del(struct nft_handle *h, const char *chain, - const char *table, bool verbose) + const char *table, bool verbose) { - const struct builtin_table *t; struct chain_del_data d = { .handle = h, + .chain = chain, .verbose = verbose, }; struct nft_chain *c; @@ -1894,32 +1924,10 @@ int nft_chain_del(struct nft_handle *h, const char *chain, return 0; } - if (nft_chain_builtin(c->nftnl)) { - t = nft_table_builtin_find(h, table); - if (!t) { - errno = EINVAL; - return 0; - } - - d.type = t->type; - d.cache = h->cache; - } - ret = __nft_chain_del(c, &d); - if (ret == -2) - errno = EINVAL; goto out; } - t = nft_table_builtin_find(h, table); - if (!t) { - errno = EINVAL; - return 0; - } - - d.type = t->type; - d.cache = h->cache; - if (verbose) nft_cache_sort_chains(h, table); @@ -2390,7 +2398,6 @@ static void __nft_print_header(struct nft_handle *h, { struct nftnl_chain *c = nc->nftnl; const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); - bool basechain = !!nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM); uint32_t refs = nftnl_chain_get_u32(c, NFTNL_CHAIN_USE); uint32_t entries = nft_rule_count(h, c); struct xt_counters ctrs = { @@ -2399,11 +2406,12 @@ static void __nft_print_header(struct nft_handle *h, }; const char *pname = NULL; - if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY)) + if (nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) && + nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY)) pname = policy_name[nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)]; h->ops->print_header(format, chain_name, pname, - &ctrs, basechain, refs - entries, entries); + &ctrs, refs - entries, entries); } struct nft_rule_list_cb_data { @@ -2770,10 +2778,14 @@ static void nft_refresh_transaction(struct nft_handle *h) n->skip = !nft_chain_find(h, tablename, chainname); break; + case NFT_COMPAT_CHAIN_DEL: + if (!nftnl_chain_get(n->chain, NFTNL_CHAIN_HOOKNUM)) + break; + n->skip = !nft_may_delete_chain(n->chain); + break; case NFT_COMPAT_TABLE_ADD: case NFT_COMPAT_CHAIN_ADD: case NFT_COMPAT_CHAIN_ZERO: - case NFT_COMPAT_CHAIN_DEL: case NFT_COMPAT_CHAIN_USER_FLUSH: case NFT_COMPAT_CHAIN_UPDATE: case NFT_COMPAT_CHAIN_RENAME: @@ -3513,38 +3525,8 @@ static int nft_is_rule_compatible(struct nftnl_rule *rule, void *data) static int nft_is_chain_compatible(struct nft_chain *nc, void *data) { struct nftnl_chain *c = nc->nftnl; - const struct builtin_table *table; - const struct builtin_chain *chain; - const char *tname, *cname, *type; - struct nft_handle *h = data; - enum nf_inet_hooks hook; - int prio; - - if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL)) - return -1; - if (!nft_chain_builtin(c)) - return 0; - - tname = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE); - table = nft_table_builtin_find(h, tname); - if (!table) - return -1; - - cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); - chain = nft_chain_builtin_find(table, cname); - if (!chain) - return -1; - - type = nftnl_chain_get_str(c, NFTNL_CHAIN_TYPE); - prio = nftnl_chain_get_u32(c, NFTNL_CHAIN_PRIO); - hook = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM); - if (strcmp(type, chain->type) || - prio != chain->prio || - hook != chain->hook) - return -1; - - return 0; + return nftnl_rule_foreach(c, nft_is_rule_compatible, NULL); } bool nft_is_table_compatible(struct nft_handle *h, @@ -3559,13 +3541,24 @@ bool nft_is_table_compatible(struct nft_handle *h, return !nft_chain_foreach(h, table, nft_is_chain_compatible, h); } +bool nft_is_table_tainted(struct nft_handle *h, const char *table) +{ + const struct builtin_table *t = nft_table_builtin_find(h, table); + + return t ? h->cache->table[t->type].tainted : false; +} + void nft_assert_table_compatible(struct nft_handle *h, const char *table, const char *chain) { const char *pfx = "", *sfx = ""; - if (nft_is_table_compatible(h, table, chain)) + if (nft_is_table_compatible(h, table, chain)) { + if (nft_is_table_tainted(h, table)) + printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n", + table); return; + } if (chain) { pfx = "chain `"; diff --git a/iptables/nft.h b/iptables/nft.h index a7b652ff..f189b03f 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -45,6 +45,7 @@ struct nft_cache { struct nftnl_set_list *sets; bool exists; bool sorted; + bool tainted; } table[NFT_TABLE_MAX]; }; @@ -122,7 +123,7 @@ extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX]; int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, int (*cb)(const struct nlmsghdr *nlh, void *data), void *data); -int nft_init(struct nft_handle *h, int family, const struct builtin_table *t); +int nft_init(struct nft_handle *h, int family); void nft_fini(struct nft_handle *h); int nft_restart(struct nft_handle *h); @@ -262,6 +263,7 @@ void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw); bool nft_is_table_compatible(struct nft_handle *h, const char *table, const char *chain); +bool nft_is_table_tainted(struct nft_handle *h, const char *table); void nft_assert_table_compatible(struct nft_handle *h, const char *table, const char *chain); diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 new file mode 100755 index 00000000..cc07e4be --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +case $XT_MULTI in +*xtables-nft-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +set -e + +nft -f - <<EOF +table ip filter { + chain a { + type filter hook input priority filter + } + + chain INPUT { + type filter hook input priority filter + counter packets 218 bytes 91375 accept + } + + chain x { + type filter hook input priority filter + } +} +EOF + +EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them. +-P INPUT ACCEPT +-P FORWARD ACCEPT +-P OUTPUT ACCEPT +-A INPUT -j ACCEPT" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S) diff --git a/iptables/tests/shell/testcases/chain/0005base-delete_0 b/iptables/tests/shell/testcases/chain/0005base-delete_0 new file mode 100755 index 00000000..033a2819 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0005base-delete_0 @@ -0,0 +1,34 @@ +#!/bin/bash -x + +$XT_MULTI iptables -N foo || exit 1 +$XT_MULTI iptables -P FORWARD DROP || exit 1 +$XT_MULTI iptables -X || exit 1 +$XT_MULTI iptables -X foo && exit 1 + +# indefinite -X fails if a non-empty user-defined chain exists +$XT_MULTI iptables -N foo +$XT_MULTI iptables -N bar +$XT_MULTI iptables -A bar -j ACCEPT +$XT_MULTI iptables -X && exit 1 +$XT_MULTI iptables -D bar -j ACCEPT +$XT_MULTI iptables -X || exit 1 + +# make sure OUTPUT chain is created by iptables-nft +$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1 +$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1 + +case $XT_MULTI in +*xtables-nft-multi) + # must not delete chain FORWARD, its policy is not ACCEPT + $XT_MULTI iptables -X FORWARD && exit 1 + nft list chain ip filter FORWARD || exit 1 + # this should evict chain OUTPUT + $XT_MULTI iptables -X OUTPUT || exit 1 + nft list chain ip filter OUTPUT && exit 1 + ;; +*) + $XT_MULTI iptables -X FORWARD && exit 1 + $XT_MULTI iptables -X OUTPUT && exit 1 + ;; +esac +exit 0 diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 index faf37d02..d79f91b1 100755 --- a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 +++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash case "$XT_MULTI" in *xtables-nft-multi) diff --git a/iptables/xshared.c b/iptables/xshared.c index 2d3ef679..a1ca2b0f 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -9,6 +9,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <arpa/inet.h> #include <sys/file.h> #include <sys/socket.h> #include <sys/un.h> @@ -47,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t, } } -const char * +static const char * proto_to_name(uint16_t proto, int nolookup) { unsigned int i; @@ -106,7 +107,7 @@ static bool should_load_proto(struct iptables_command_state *cs) return !cs->proto_used; } -struct xtables_match *load_proto(struct iptables_command_state *cs) +static struct xtables_match *load_proto(struct iptables_command_state *cs) { if (!should_load_proto(cs)) return NULL; @@ -546,6 +547,52 @@ void debug_print_argv(struct argv_store *store) } #endif +void print_header(unsigned int format, const char *chain, const char *pol, + const struct xt_counters *counters, + int refs, uint32_t entries) +{ + printf("Chain %s", chain); + if (pol) { + printf(" (policy %s", pol); + if (!(format & FMT_NOCOUNTS)) { + fputc(' ', stdout); + xtables_print_num(counters->pcnt, (format|FMT_NOTABLE)); + fputs("packets, ", stdout); + xtables_print_num(counters->bcnt, (format|FMT_NOTABLE)); + fputs("bytes", stdout); + } + printf(")\n"); + } else if (refs < 0) { + printf(" (ERROR obtaining refs)\n"); + } else { + printf(" (%d references)\n", refs); + } + + if (format & FMT_LINENUMBERS) + printf(FMT("%-4s ", "%s "), "num"); + if (!(format & FMT_NOCOUNTS)) { + if (format & FMT_KILOMEGAGIGA) { + printf(FMT("%5s ","%s "), "pkts"); + printf(FMT("%5s ","%s "), "bytes"); + } else { + printf(FMT("%8s ","%s "), "pkts"); + printf(FMT("%10s ","%s "), "bytes"); + } + } + if (!(format & FMT_NOTARGET)) + printf(FMT("%-9s ","%s "), "target"); + fputs(" prot ", stdout); + if (format & FMT_OPTIONS) + fputs("opt", stdout); + if (format & FMT_VIA) { + printf(FMT(" %-6s ","%s "), "in"); + printf(FMT("%-6s ","%s "), "out"); + } + printf(FMT(" %-19s ","%s "), "source"); + printf(FMT(" %-19s "," %s "), "destination"); + printf("\n"); +} + const char *ipv4_addr_to_string(const struct in_addr *addr, const struct in_addr *mask, unsigned int format) @@ -578,6 +625,42 @@ void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format) ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format)); } +static const char *mask_to_str(const struct in_addr *mask) +{ + uint32_t bits, hmask = ntohl(mask->s_addr); + static char mask_str[INET_ADDRSTRLEN]; + int i; + + if (mask->s_addr == 0xFFFFFFFFU) { + sprintf(mask_str, "32"); + return mask_str; + } + + i = 32; + bits = 0xFFFFFFFEU; + while (--i >= 0 && hmask != bits) + bits <<= 1; + if (i >= 0) + sprintf(mask_str, "%u", i); + else + inet_ntop(AF_INET, mask, mask_str, sizeof(mask_str)); + + return mask_str; +} + +void save_ipv4_addr(char letter, const struct in_addr *addr, + const struct in_addr *mask, int invert) +{ + char addrbuf[INET_ADDRSTRLEN]; + + if (!mask->s_addr && !invert && !addr->s_addr) + return; + + printf("%s -%c %s/%s", invert ? " !" : "", letter, + inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), + mask_to_str(mask)); +} + static const char *ipv6_addr_to_string(const struct in6_addr *addr, const struct in6_addr *mask, unsigned int format) @@ -612,6 +695,44 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) &fw6->ipv6.dmsk, format)); } +void save_ipv6_addr(char letter, const struct in6_addr *addr, + const struct in6_addr *mask, int invert) +{ + int l = xtables_ip6mask_to_cidr(mask); + char addr_str[INET6_ADDRSTRLEN]; + + if (!invert && l == 0) + return; + + printf("%s -%c %s", + invert ? " !" : "", letter, + inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str))); + + if (l == -1) + printf("/%s", inet_ntop(AF_INET6, mask, + addr_str, sizeof(addr_str))); + else + printf("/%d", l); +} + +void print_fragment(unsigned int flags, unsigned int invflags, + unsigned int format, bool fake) +{ + if (!(format & FMT_OPTIONS)) + return; + + if (format & FMT_NOTABLE) + fputs("opt ", stdout); + + if (fake) { + fputs(" ", stdout); + } else { + fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout); + fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); + } + fputc(' ', stdout); +} + /* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT * have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT * so this function serves for both iptables and ip6tables */ @@ -637,6 +758,31 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags, printf(FMT("%-6s ", "out %s "), iface); } +/* This assumes that mask is contiguous, and byte-bounded. */ +void save_iface(char letter, const char *iface, + const unsigned char *mask, int invert) +{ + unsigned int i; + + if (mask[0] == 0) + return; + + printf("%s -%c ", invert ? " !" : "", letter); + + for (i = 0; i < IFNAMSIZ; i++) { + if (mask[i] != 0) { + if (iface[i] != '\0') + printf("%c", iface[i]); + } else { + /* we can access iface[i-1] here, because + * a few lines above we make sure that mask[0] != 0 */ + if (iface[i-1] != '\0') + printf("+"); + break; + } + } +} + void command_match(struct iptables_command_state *cs, bool invert) { struct option *opts = xt_params->opts; @@ -892,3 +1038,84 @@ set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, *invflg |= inverse_for_options[i]; } } + +void parse_chain(const char *chainname) +{ + const char *ptr; + + if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) + xtables_error(PARAMETER_PROBLEM, + "chain name `%s' too long (must be under %u chars)", + chainname, XT_EXTENSION_MAXNAMELEN); + + if (*chainname == '-' || *chainname == '!') + xtables_error(PARAMETER_PROBLEM, + "chain name not allowed to start with `%c'\n", + *chainname); + + if (xtables_find_target(chainname, XTF_TRY_LOAD)) + xtables_error(PARAMETER_PROBLEM, + "chain name may not clash with target name\n"); + + for (ptr = chainname; *ptr; ptr++) + if (isspace(*ptr)) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s'", chainname); +} + +void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, + const char *targname, uint8_t proto, uint8_t flags, + uint8_t invflags, unsigned int format) +{ + const char *pname = proto_to_name(proto, format&FMT_NUMERIC); + + if (format & FMT_LINENUMBERS) + printf(FMT("%-4u ", "%u "), linenum); + + if (!(format & FMT_NOCOUNTS)) { + xtables_print_num(ctrs->pcnt, format); + xtables_print_num(ctrs->bcnt, format); + } + + if (!(format & FMT_NOTARGET)) + printf(FMT("%-9s ", "%s "), targname ? targname : ""); + + fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout); + + if (pname) + printf(FMT("%-5s", "%s "), pname); + else + printf(FMT("%-5hu", "%hu "), proto); +} + +void save_rule_details(const char *iniface, unsigned const char *iniface_mask, + const char *outiface, unsigned const char *outiface_mask, + uint16_t proto, int frag, uint8_t invflags) +{ + if (iniface != NULL) { + save_iface('i', iniface, iniface_mask, + invflags & IPT_INV_VIA_IN); + } + if (outiface != NULL) { + save_iface('o', outiface, outiface_mask, + invflags & IPT_INV_VIA_OUT); + } + + if (proto > 0) { + const char *pname = proto_to_name(proto, 0); + + if (invflags & XT_INV_PROTO) + printf(" !"); + + if (pname) + printf(" -p %s", pname); + else + printf(" -p %u", proto); + } + + if (frag) { + if (invflags & IPT_INV_FRAG) + printf(" !"); + printf(" -f"); + } +} diff --git a/iptables/xshared.h b/iptables/xshared.h index 823894f9..060c62ef 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -68,6 +68,8 @@ struct xtables_globals; struct xtables_rule_match; struct xtables_target; +#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" + /* define invflags which won't collide with IPT ones */ #define IPT_INV_SRCDEVADDR 0x0080 #define IPT_INV_TGTDEVADDR 0x0100 @@ -162,10 +164,8 @@ enum { extern void print_extension_helps(const struct xtables_target *, const struct xtables_rule_match *); -extern const char *proto_to_name(uint16_t, int); extern int command_default(struct iptables_command_state *, struct xtables_globals *, bool invert); -extern struct xtables_match *load_proto(struct iptables_command_state *); extern int subcmd_main(int, char **, const struct subcommand *); extern void xs_init_target(struct xtables_target *); extern void xs_init_match(struct xtables_match *); @@ -219,11 +219,23 @@ void debug_print_argv(struct argv_store *store); const char *ipv4_addr_to_string(const struct in_addr *addr, const struct in_addr *mask, unsigned int format); +void print_header(unsigned int format, const char *chain, const char *pol, + const struct xt_counters *counters, + int refs, uint32_t entries); void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); +void save_ipv4_addr(char letter, const struct in_addr *addr, + const struct in_addr *mask, int invert); void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); +void save_ipv6_addr(char letter, const struct in6_addr *addr, + const struct in6_addr *mask, int invert); void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags, unsigned int format); +void save_iface(char letter, const char *iface, + const unsigned char *mask, int invert); + +void print_fragment(unsigned int flags, unsigned int invflags, + unsigned int format, bool fake); void command_match(struct iptables_command_state *cs, bool invert); const char *xt_parse_target(const char *targetname); @@ -233,8 +245,16 @@ char cmd2char(int option); void add_command(unsigned int *cmd, const int newcmd, const int othercmds, int invert); int parse_rulenumber(const char *rule); +void parse_chain(const char *chainname); void generic_opt_check(int command, int options); char opt2char(int option); +void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, + const char *targname, uint8_t proto, uint8_t flags, + uint8_t invflags, unsigned int format); +void save_rule_details(const char *iniface, unsigned const char *iniface_mask, + const char *outiface, unsigned const char *outiface_mask, + uint16_t proto, int frag, uint8_t invflags); + #endif /* IPTABLES_XSHARED_H */ diff --git a/iptables/xtables-arp-standalone.c b/iptables/xtables-arp-standalone.c deleted file mode 100644 index 04cf7dcc..00000000 --- a/iptables/xtables-arp-standalone.c +++ /dev/null @@ -1,65 +0,0 @@ -/* - * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au - * - * Based on the ipchains code by Paul Russell and Michael Neuling - * - * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>: - * Paul 'Rusty' Russell <rusty@rustcorp.com.au> - * Marc Boucher <marc+nf@mbsi.ca> - * James Morris <jmorris@intercode.com.au> - * Harald Welte <laforge@gnumonks.org> - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - * - * arptables -- IP firewall administration for kernels with - * firewall table (aimed for the 2.3 kernels) - * - * See the accompanying manual page arptables(8) for information - * about proper usage of this program. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> -#include <string.h> -#include <xtables.h> -#include "nft.h" -#include <linux/netfilter_arp/arp_tables.h> - -#include "xtables-multi.h" - -extern struct xtables_globals arptables_globals; - -int xtables_arp_main(int argc, char *argv[]) -{ - int ret; - char *table = "filter"; - struct nft_handle h; - - nft_init_arp(&h, "arptables"); - - ret = do_commandarp(&h, argc, argv, &table, false); - if (ret) - ret = nft_commit(&h); - - nft_fini(&h); - xtables_fini(); - - if (!ret) - fprintf(stderr, "arptables: %s\n", nft_strerror(errno)); - - exit(!ret); -} diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index 9a079f06..cca19438 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -30,35 +30,23 @@ #include "config.h" #include <getopt.h> #include <string.h> -#include <netdb.h> -#include <errno.h> #include <stdio.h> #include <stdlib.h> -#include <inttypes.h> -#include <dlfcn.h> -#include <ctype.h> -#include <stdarg.h> -#include <limits.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/wait.h> -#include <net/if.h> -#include <netinet/ether.h> -#include <iptables.h> #include <xtables.h> #include "xshared.h" #include "nft.h" #include "nft-arp.h" -#include <linux/netfilter_arp/arp_tables.h> static struct option original_opts[] = { { "append", 1, 0, 'A' }, { "delete", 1, 0, 'D' }, + { "check", 1, 0, 'C'}, { "insert", 1, 0, 'I' }, { "replace", 1, 0, 'R' }, { "list", 2, 0, 'L' }, + { "list-rules", 2, 0, 'S'}, { "flush", 2, 0, 'F' }, { "zero", 2, 0, 'Z' }, { "new-chain", 1, 0, 'N' }, @@ -97,82 +85,30 @@ static struct option original_opts[] = { #define opts xt_params->opts extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); +static void printhelp(const struct xtables_rule_match *m); struct xtables_globals arptables_globals = { .option_offset = 0, .program_version = PACKAGE_VERSION, + .optstring = OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */, .orig_opts = original_opts, .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, + .print_help = printhelp, }; -/***********************************************/ -/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */ -/***********************************************/ - -static int getlength_and_mask(char *from, uint8_t *to, uint8_t *mask) -{ - char *p, *buffer; - int i; - - if ( (p = strrchr(from, '/')) != NULL) { - *p = '\0'; - i = strtol(p+1, &buffer, 10); - if (*buffer != '\0' || i < 0 || i > 255) - return -1; - *mask = (uint8_t)i; - } else - *mask = 255; - i = strtol(from, &buffer, 10); - if (*buffer != '\0' || i < 0 || i > 255) - return -1; - *to = (uint8_t)i; - return 0; -} - -static int get16_and_mask(char *from, uint16_t *to, uint16_t *mask, int base) -{ - char *p, *buffer; - int i; - - if ( (p = strrchr(from, '/')) != NULL) { - *p = '\0'; - i = strtol(p+1, &buffer, base); - if (*buffer != '\0' || i < 0 || i > 65535) - return -1; - *mask = htons((uint16_t)i); - } else - *mask = 65535; - i = strtol(from, &buffer, base); - if (*buffer != '\0' || i < 0 || i > 65535) - return -1; - *to = htons((uint16_t)i); - return 0; -} - -/*********************************************/ -/* ARPTABLES SPECIFIC NEW FUNCTIONS END HERE */ -/*********************************************/ - -static void -exit_tryhelp(int status) -{ - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(status); -} - static void -printhelp(void) +printhelp(const struct xtables_rule_match *m) { struct xtables_target *t = NULL; int i; printf("%s v%s\n\n" -"Usage: %s -[AD] chain rule-specification [options]\n" -" %s -[RI] chain rulenum rule-specification [options]\n" +"Usage: %s -[ACD] chain rule-specification [options]\n" +" %s -I chain [rulenum] rule-specification [options]\n" +" %s -R chain rulenum rule-specification [options]\n" " %s -D chain rulenum [options]\n" -" %s -[LFZ] [chain] [options]\n" +" %s -[LS] [chain [rulenum]] [options]\n" +" %s -[FZ] [chain] [options]\n" " %s -[NX] chain\n" " %s -E old-chain-name new-chain-name\n" " %s -P chain target [options]\n" @@ -186,11 +122,14 @@ printhelp(void) arptables_globals.program_name, arptables_globals.program_name, arptables_globals.program_name, + arptables_globals.program_name, + arptables_globals.program_name, arptables_globals.program_name); printf( "Commands:\n" "Either long or short options are allowed.\n" " --append -A chain Append to chain\n" +" --check -C chain Check for the existence of a rule\n" " --delete -D chain Delete matching rule from chain\n" " --delete -D chain rulenum\n" " Delete rule rulenum (1 = first) from chain\n" @@ -198,9 +137,13 @@ printhelp(void) " Insert in chain as rulenum (default 1=first)\n" " --replace -R chain rulenum\n" " Replace rule rulenum (1 = first) in chain\n" -" --list -L [chain] List the rules in a chain or all chains\n" +" --list -L [chain [rulenum]]\n" +" List the rules in a chain or all chains\n" +" --list-rules -S [chain [rulenum]]\n" +" Print the rules in a chain or all chains\n" " --flush -F [chain] Delete all rules in chain or all chains\n" -" --zero -Z [chain] Zero counters in chain or all chains\n" +" --zero -Z [chain [rulenum]]\n" +" Zero counters in chain or all chains\n" " --new -N chain Create a new user-defined chain\n" " --delete-chain\n" " -X [chain] Delete a user-defined chain\n" @@ -255,134 +198,6 @@ printhelp(void) } } -static int -check_inverse(const char option[], int *invert, int *optidx, int argc) -{ - if (option && strcmp(option, "!") == 0) { - if (*invert) - xtables_error(PARAMETER_PROBLEM, - "Multiple `!' flags not allowed"); - *invert = true; - if (optidx) { - *optidx = *optidx+1; - if (argc && *optidx > argc) - xtables_error(PARAMETER_PROBLEM, - "no argument following `!'"); - } - - return true; - } - return false; -} - -static int -list_entries(struct nft_handle *h, const char *chain, const char *table, - int rulenum, int verbose, int numeric, int expanded, - int linenumbers) -{ - unsigned int format; - - format = FMT_OPTIONS; - if (!verbose) - format |= FMT_NOCOUNTS; - else - format |= FMT_VIA; - - if (numeric) - format |= FMT_NUMERIC; - - if (!expanded) - format |= FMT_KILOMEGAGIGA; - - if (linenumbers) - format |= FMT_LINENUMBERS; - - return nft_cmd_rule_list(h, chain, table, rulenum, format); -} - -static int -append_entry(struct nft_handle *h, - const char *chain, - const char *table, - struct iptables_command_state *cs, - int rulenum, - unsigned int nsaddrs, - const struct in_addr saddrs[], - const struct in_addr smasks[], - unsigned int ndaddrs, - const struct in_addr daddrs[], - const struct in_addr dmasks[], - bool verbose, bool append) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrs[i].s_addr; - cs->arp.arp.smsk.s_addr = smasks[i].s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; - cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr; - if (append) { - ret = nft_cmd_rule_append(h, chain, table, cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, cs, - rulenum, verbose); - } - } - } - - return ret; -} - -static int -replace_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int rulenum, - const struct in_addr *saddr, - const struct in_addr *smask, - const struct in_addr *daddr, - const struct in_addr *dmask, - bool verbose, struct nft_handle *h) -{ - cs->arp.arp.src.s_addr = saddr->s_addr; - cs->arp.arp.tgt.s_addr = daddr->s_addr; - cs->arp.arp.smsk.s_addr = smask->s_addr; - cs->arp.arp.tmsk.s_addr = dmask->s_addr; - - return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); -} - -static int -delete_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int nsaddrs, - const struct in_addr saddrs[], - const struct in_addr smasks[], - unsigned int ndaddrs, - const struct in_addr daddrs[], - const struct in_addr dmasks[], - bool verbose, struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrs[i].s_addr; - cs->arp.arp.smsk.s_addr = smasks[i].s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; - cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr; - ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); - } - } - - return ret; -} - int nft_init_arp(struct nft_handle *h, const char *pname) { arptables_globals.program_name = pname; @@ -397,531 +212,9 @@ int nft_init_arp(struct nft_handle *h, const char *pname) init_extensionsa(); #endif - if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0) + if (nft_init(h, NFPROTO_ARP) < 0) xtables_error(OTHER_PROBLEM, "Could not initialize nftables layer."); return 0; } - -int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, - bool restore) -{ - struct iptables_command_state cs = { - .jumpto = "", - .arp.arp = { - .arhln = 6, - .arhln_mask = 255, - .arhrd = htons(ARPHRD_ETHER), - .arhrd_mask = 65535, - }, - }; - int invert = 0; - unsigned int nsaddrs = 0, ndaddrs = 0; - struct in_addr *saddrs = NULL, *smasks = NULL; - struct in_addr *daddrs = NULL, *dmasks = NULL; - - int c, verbose = 0; - const char *chain = NULL; - const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; - const char *policy = NULL, *newname = NULL; - unsigned int rulenum = 0, options = 0, command = 0; - const char *pcnt = NULL, *bcnt = NULL; - int ret = 1; - struct xtables_target *t; - - /* re-set optind to 0 in case do_command gets called - * a second time */ - optind = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. */ - opterr = 0; - - opts = xt_params->orig_opts; - while ((c = getopt_long(argc, argv, - "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:l:i:vnt:m:c:", - opts, NULL)) != -1) { - switch (c) { - /* - * Command selection - */ - case 'A': - add_command(&command, CMD_APPEND, CMD_NONE, - invert); - chain = optarg; - break; - - case 'D': - add_command(&command, CMD_DELETE, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argv[optind++]); - command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&command, CMD_REPLACE, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argv[optind++]); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&command, CMD_INSERT, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argv[optind++]); - else rulenum = 1; - break; - - case 'L': - add_command(&command, CMD_LIST, CMD_ZERO, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argv[optind++]; - break; - - case 'F': - add_command(&command, CMD_FLUSH, CMD_NONE, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argv[optind++]; - break; - - case 'Z': - add_command(&command, CMD_ZERO, CMD_LIST, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argv[optind++]; - break; - - case 'N': - if (optarg && *optarg == '-') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `-'\n"); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - invert); - chain = optarg; - break; - - case 'X': - add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argv[optind++]; - break; - - case 'E': - add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - newname = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&command, CMD_SET_POLICY, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - policy = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = argv[optind]; - - printhelp(); - command = CMD_NONE; - break; - case 's': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_SOURCE, &cs.arp.arp.invflags, - invert); - shostnetworkmask = argv[optind-1]; - break; - - case 'd': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_DESTINATION, &cs.arp.arp.invflags, - invert); - dhostnetworkmask = argv[optind-1]; - break; - - case 2:/* src-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_S_MAC, &cs.arp.arp.invflags, - invert); - if (xtables_parse_mac_and_mask(argv[optind - 1], - cs.arp.arp.src_devaddr.addr, cs.arp.arp.src_devaddr.mask)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified " - "source mac"); - break; - - case 3:/* dst-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_D_MAC, &cs.arp.arp.invflags, - invert); - - if (xtables_parse_mac_and_mask(argv[optind - 1], - cs.arp.arp.tgt_devaddr.addr, cs.arp.arp.tgt_devaddr.mask)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified " - "destination mac"); - break; - - case 'l':/* hardware length */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_LENGTH, &cs.arp.arp.invflags, - invert); - getlength_and_mask(argv[optind - 1], &cs.arp.arp.arhln, - &cs.arp.arp.arhln_mask); - - if (cs.arp.arp.arhln != 6) { - xtables_error(PARAMETER_PROBLEM, - "Only harware address length of" - " 6 is supported currently."); - } - - break; - - case 8: /* was never supported, not even in arptables-legacy */ - xtables_error(PARAMETER_PROBLEM, "not supported"); - case 4:/* opcode */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_OPCODE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpop, - &cs.arp.arp.arpop_mask, 10)) { - int i; - - for (i = 0; i < NUMOPCODES; i++) - if (!strcasecmp(arp_opcodes[i], optarg)) - break; - if (i == NUMOPCODES) - xtables_error(PARAMETER_PROBLEM, "Problem with specified opcode"); - cs.arp.arp.arpop = htons(i+1); - } - break; - - case 5:/* h-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_TYPE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arhrd, - &cs.arp.arp.arhrd_mask, 16)) { - if (strcasecmp(argv[optind-1], "Ethernet")) - xtables_error(PARAMETER_PROBLEM, "Problem with specified hardware type"); - cs.arp.arp.arhrd = htons(1); - } - break; - - case 6:/* proto-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_P_TYPE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpro, - &cs.arp.arp.arpro_mask, 0)) { - if (strcasecmp(argv[optind-1], "ipv4")) - xtables_error(PARAMETER_PROBLEM, "Problem with specified protocol type"); - cs.arp.arp.arpro = htons(0x800); - } - break; - - case 'j': - set_option(&options, OPT_JUMP, &cs.arp.arp.invflags, - invert); - command_jump(&cs, optarg); - break; - - case 'i': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEIN, &cs.arp.arp.invflags, - invert); - xtables_parse_interface(argv[optind-1], - cs.arp.arp.iniface, - cs.arp.arp.iniface_mask); - break; - - case 'o': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEOUT, &cs.arp.arp.invflags, - invert); - xtables_parse_interface(argv[optind-1], - cs.arp.arp.outiface, - cs.arp.arp.outiface_mask); - break; - - case 'v': - if (!verbose) - set_option(&options, OPT_VERBOSE, - &cs.arp.arp.invflags, invert); - verbose++; - break; - - case 'm': /* ignored by arptables-legacy */ - break; - case 'n': - set_option(&options, OPT_NUMERIC, &cs.arp.arp.invflags, - invert); - break; - - case 't': - if (invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! flag before --table"); - /* ignore this option. - * arptables-legacy parses it, but libarptc doesn't use it. - * arptables only has a 'filter' table anyway. - */ - break; - - case 'V': - if (invert) - printf("Not %s ;-)\n", arptables_globals.program_version); - else - printf("%s v%s (nf_tables)\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(0); - - case '0': - set_option(&options, OPT_LINENUMBERS, &cs.arp.arp.invflags, - invert); - break; - - case 'M': - //modprobe = optarg; - break; - - case 'c': - - set_option(&options, OPT_COUNTERS, &cs.arp.arp.invflags, - invert); - pcnt = optarg; - if (xs_has_arg(argc, argv)) - bcnt = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(pcnt, "%llu", &cs.arp.counters.pcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - - if (sscanf(bcnt, "%llu", &cs.arp.counters.bcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - - break; - - - case 1: /* non option */ - if (optarg[0] == '!' && optarg[1] == '\0') { - if (invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! not" - " allowed"); - invert = true; - optarg[0] = '\0'; - continue; - } - printf("Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (cs.target) { - xtables_option_tpcall(c, argv, - invert, cs.target, &cs.arp); - } - break; - } - invert = false; - } - - if (cs.target) - xtables_option_tfcall(cs.target); - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND)) { - if (!(options & OPT_DESTINATION)) - dhostnetworkmask = "0.0.0.0/0"; - if (!(options & OPT_SOURCE)) - shostnetworkmask = "0.0.0.0/0"; - } - - if (shostnetworkmask) - xtables_ipparse_multiple(shostnetworkmask, &saddrs, - &smasks, &nsaddrs); - - if (dhostnetworkmask) - xtables_ipparse_multiple(dhostnetworkmask, &daddrs, - &dmasks, &ndaddrs); - - if ((nsaddrs > 1 || ndaddrs > 1) && - (cs.arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple" - " source or destination IP addresses"); - - if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - if (chain && strlen(chain) > ARPT_FUNCTION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %i chars)", - chain, ARPT_FUNCTION_MAXNAMELEN); - - if (command == CMD_APPEND - || command == CMD_DELETE - || command == CMD_INSERT - || command == CMD_REPLACE) { - if (strcmp(chain, "PREROUTING") == 0 - || strcmp(chain, "INPUT") == 0) { - /* -o not valid with incoming packets. */ - if (options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - chain); - } - - if (strcmp(chain, "POSTROUTING") == 0 - || strcmp(chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - chain); - } - } - - switch (command) { - case CMD_APPEND: - ret = append_entry(h, chain, *table, &cs, 0, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, true); - break; - case CMD_DELETE: - ret = delete_entry(chain, *table, &cs, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, h); - break; - case CMD_DELETE_NUM: - ret = nft_cmd_rule_delete_num(h, chain, *table, rulenum - 1, verbose); - break; - case CMD_REPLACE: - ret = replace_entry(chain, *table, &cs, rulenum - 1, - saddrs, smasks, daddrs, dmasks, - options&OPT_VERBOSE, h); - break; - case CMD_INSERT: - ret = append_entry(h, chain, *table, &cs, rulenum - 1, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, false); - break; - case CMD_LIST: - ret = list_entries(h, chain, *table, - rulenum, - options&OPT_VERBOSE, - options&OPT_NUMERIC, - /*options&OPT_EXPANDED*/0, - options&OPT_LINENUMBERS); - break; - case CMD_FLUSH: - ret = nft_cmd_rule_flush(h, chain, *table, options & OPT_VERBOSE); - break; - case CMD_ZERO: - ret = nft_cmd_chain_zero_counters(h, chain, *table, - options & OPT_VERBOSE); - break; - case CMD_LIST|CMD_ZERO: - ret = list_entries(h, chain, *table, rulenum, - options&OPT_VERBOSE, - options&OPT_NUMERIC, - /*options&OPT_EXPANDED*/0, - options&OPT_LINENUMBERS); - if (ret) - ret = nft_cmd_chain_zero_counters(h, chain, *table, - options & OPT_VERBOSE); - break; - case CMD_NEW_CHAIN: - ret = nft_cmd_chain_user_add(h, chain, *table); - break; - case CMD_DELETE_CHAIN: - ret = nft_cmd_chain_del(h, chain, *table, - options & OPT_VERBOSE); - break; - case CMD_RENAME_CHAIN: - ret = nft_cmd_chain_user_rename(h, chain, *table, newname); - break; - case CMD_SET_POLICY: - ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", - policy); - break; - case CMD_NONE: - break; - default: - /* We should never reach this... */ - exit_tryhelp(2); - } - - free(saddrs); - free(smasks); - free(daddrs); - free(dmasks); - - nft_clear_iptables_command_state(&cs); - xtables_free_opts(1); - -/* if (verbose > 1) - dump_entries(*handle);*/ - - return ret; -} diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c index 0539a829..a6c86b65 100644 --- a/iptables/xtables-eb-translate.c +++ b/iptables/xtables-eb-translate.c @@ -87,7 +87,6 @@ static int parse_rule_number(const char *rule) /* Default command line options. Do not mess around with the already * assigned numbers unless you know what you are doing */ extern struct option ebt_original_options[]; -extern struct xtables_globals ebtables_globals; #define opts ebtables_globals.opts #define prog_name ebtables_globals.program_name #define prog_vers ebtables_globals.program_version diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 23023ce1..3f58754d 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -220,6 +220,7 @@ extern void xtables_exit_error(enum xtables_exittype status, const char *msg, .. struct xtables_globals ebtables_globals = { .option_offset = 0, .program_version = PACKAGE_VERSION, + .optstring = OPTSTRING_COMMON "h", .orig_opts = ebt_original_options, .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, @@ -672,7 +673,7 @@ int nft_init_eb(struct nft_handle *h, const char *pname) init_extensionsb(); #endif - if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0) + if (nft_init(h, NFPROTO_BRIDGE) < 0) xtables_error(OTHER_PROBLEM, "Could not initialize nftables layer."); @@ -732,8 +733,8 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, opterr = false; /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, - "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { + while ((c = getopt_long(argc, argv, xt_params->optstring, + opts, NULL)) != -1) { cs.c = c; switch (c) { diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 21d4bec0..73dc80c2 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -631,7 +631,7 @@ int xtables_monitor_main(int argc, char *argv[]) init_extensions6(); #endif - if (nft_init(&h, AF_INET, xtables_ipv4)) { + if (nft_init(&h, AF_INET)) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version, diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h index 0fedb430..94c24d5a 100644 --- a/iptables/xtables-multi.h +++ b/iptables/xtables-multi.h @@ -22,6 +22,9 @@ extern int xtables_eb_restore_main(int, char **); extern int xtables_eb_save_main(int, char **); extern int xtables_config_main(int, char **); extern int xtables_monitor_main(int, char **); + +extern struct xtables_globals arptables_globals; +extern struct xtables_globals ebtables_globals; #endif #endif /* _XTABLES_MULTI_H */ diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index 72832103..aa8b397f 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -281,7 +281,6 @@ void xtables_restore_parse(struct nft_handle *h, static int xtables_restore_main(int family, const char *progname, int argc, char *argv[]) { - const struct builtin_table *tables; struct nft_xt_restore_parse p = { .commit = true, .cb = &restore_cb, @@ -360,7 +359,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) switch (family) { case NFPROTO_IPV4: case NFPROTO_IPV6: /* fallthough, same table */ - tables = xtables_ipv4; #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions4(); @@ -368,17 +366,14 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) #endif break; case NFPROTO_ARP: - tables = xtables_arp; - break; case NFPROTO_BRIDGE: - tables = xtables_bridge; break; default: fprintf(stderr, "Unknown family %d\n", family); return 1; } - if (nft_init(&h, family, tables) < 0) { + if (nft_init(&h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version, @@ -456,7 +451,7 @@ int xtables_eb_restore_main(int argc, char *argv[]) static const struct nft_xt_restore_cb arp_restore_cb = { .commit = nft_commit, .table_flush = nft_cmd_table_flush, - .do_command = do_commandarp, + .do_command = do_commandx, .chain_set = nft_cmd_chain_set, .chain_restore = nft_cmd_chain_restore, }; diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c index 98cd0ed3..c6ebb0ec 100644 --- a/iptables/xtables-save.c +++ b/iptables/xtables-save.c @@ -78,6 +78,9 @@ __do_output(struct nft_handle *h, const char *tablename, void *data) printf("# Table `%s' is incompatible, use 'nft' tool.\n", tablename); return 0; + } else if (nft_is_table_tainted(h, tablename)) { + printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n", + tablename); } now = time(NULL); @@ -128,7 +131,6 @@ static int xtables_save_main(int family, int argc, char *argv[], const char *optstring, const struct option *longopts) { - const struct builtin_table *tables; const char *tablename = NULL; struct do_output_data d = { .format = FMT_NOCOUNTS, @@ -205,11 +207,9 @@ xtables_save_main(int family, int argc, char *argv[], init_extensions4(); init_extensions6(); #endif - tables = xtables_ipv4; d.commit = true; break; case NFPROTO_ARP: - tables = xtables_arp; break; case NFPROTO_BRIDGE: { const char *ctr = getenv("EBTABLES_SAVE_COUNTER"); @@ -220,7 +220,6 @@ xtables_save_main(int family, int argc, char *argv[], d.format &= ~FMT_NOCOUNTS; d.format |= FMT_C_COUNTS | FMT_EBT_SAVE; } - tables = xtables_bridge; break; } default: @@ -228,7 +227,7 @@ xtables_save_main(int family, int argc, char *argv[], return 1; } - if (nft_init(&h, family, tables) < 0) { + if (nft_init(&h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version, diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c index 1a6b7cf7..5482a856 100644 --- a/iptables/xtables-standalone.c +++ b/iptables/xtables-standalone.c @@ -39,32 +39,51 @@ #include "xtables-multi.h" #include "nft.h" +static struct xtables_globals *xtables_globals_lookup(int family) +{ + switch (family) { + case AF_INET: + case AF_INET6: + return &xtables_globals; + case NFPROTO_ARP: + return &arptables_globals; + case NFPROTO_BRIDGE: + return &ebtables_globals; + default: + xtables_error(OTHER_PROBLEM, "Unknown family value %d", family); + } +} + static int xtables_main(int family, const char *progname, int argc, char *argv[]) { - int ret; char *table = "filter"; struct nft_handle h; + int ret; - xtables_globals.program_name = progname; - ret = xtables_init_all(&xtables_globals, family); + ret = xtables_init_all(xtables_globals_lookup(family), family); if (ret < 0) { - fprintf(stderr, "%s/%s Failed to initialize xtables\n", - xtables_globals.program_name, - xtables_globals.program_version); - exit(1); + fprintf(stderr, "%s: Failed to initialize xtables\n", progname); + exit(1); } + xt_params->program_name = progname; #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) - init_extensions(); - init_extensions4(); - init_extensions6(); + switch (family) { + case NFPROTO_IPV4: + case NFPROTO_IPV6: + init_extensions(); + init_extensions4(); + init_extensions6(); + break; + case NFPROTO_ARP: + init_extensionsa(); + break; + } #endif - if (nft_init(&h, family, xtables_ipv4) < 0) { - fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", - xtables_globals.program_name, - xtables_globals.program_version, - strerror(errno)); + if (nft_init(&h, family) < 0) { + fprintf(stderr, "%s: Failed to initialize nft: %s\n", + xt_params->program_name, strerror(errno)); exit(EXIT_FAILURE); } @@ -96,3 +115,8 @@ int xtables_ip6_main(int argc, char *argv[]) { return xtables_main(NFPROTO_IPV6, "ip6tables", argc, argv); } + +int xtables_arp_main(int argc, char *argv[]) +{ + return xtables_main(NFPROTO_ARP, "arptables", argc, argv); +} diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 49f44b6f..e2948c50 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -253,11 +253,18 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], .restore = restore, .xlate = true, }; - struct iptables_command_state cs; + struct iptables_command_state cs = { + .jumpto = "", + .argv = argv, + }; + struct xtables_args args = { .family = h->family, }; + if (h->ops->init_cs) + h->ops->init_cs(&cs); + do_parse(h, argc, argv, &p, &cs, &args); cs.restore = restore; @@ -354,9 +361,10 @@ static void print_usage(const char *name, const char *version) { fprintf(stderr, "%s %s " "(c) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>\n" - "Usage: %s [-h] [-f]\n" + "Usage: %s [-h] [-f <FILE>] [-V]\n" " [ --help ]\n" - " [ --file=<FILE> ]\n", name, version, name); + " [ --file=<FILE> ]\n" + " [ --version ]\n", name, version, name); exit(1); } @@ -464,7 +472,6 @@ static int xtables_xlate_main_common(struct nft_handle *h, int family, const char *progname) { - const struct builtin_table *tables; int ret; xtables_globals.program_name = progname; @@ -484,20 +491,16 @@ static int xtables_xlate_main_common(struct nft_handle *h, init_extensions4(); init_extensions6(); #endif - tables = xtables_ipv4; break; case NFPROTO_ARP: - tables = xtables_arp; - break; case NFPROTO_BRIDGE: - tables = xtables_bridge; break; default: fprintf(stderr, "Unknown family %d\n", family); return 1; } - if (nft_init(h, family, tables) < 0) { + if (nft_init(h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version, diff --git a/iptables/xtables.c b/iptables/xtables.c index 0a700e08..32b93d2b 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -36,11 +36,13 @@ #include <stdarg.h> #include <limits.h> #include <unistd.h> +#include <netinet/ether.h> #include <iptables.h> #include <xtables.h> #include <fcntl.h> #include "xshared.h" #include "nft-shared.h" +#include "nft-arp.h" #include "nft.h" static struct option original_opts[] = { @@ -85,13 +87,16 @@ static struct option original_opts[] = { }; void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); +static void printhelp(const struct xtables_rule_match *m); struct xtables_globals xtables_globals = { .option_offset = 0, .program_version = PACKAGE_VERSION, + .optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x", .orig_opts = original_opts, .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, + .print_help = printhelp, }; #define opts xt_params->opts @@ -223,168 +228,6 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...) /* Christophe Burki wants `-p 6' to imply `-m tcp'. */ static int -add_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - int rulenum, int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, struct nft_handle *h, bool append) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; - - if (append) { - ret = nft_cmd_rule_append(h, chain, table, - cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, - cs, rulenum, - verbose); - } - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6[i], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6[i], sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6[j], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6[j], sizeof(struct in6_addr)); - if (append) { - ret = nft_cmd_rule_append(h, chain, table, - cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, - cs, rulenum, - verbose); - } - } - } - } - - return ret; -} - -static int -replace_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - unsigned int rulenum, - int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, struct nft_handle *h) -{ - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4->s_addr; - cs->fw.ip.dst.s_addr = d.addr.v4->s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr; - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr)); - } else - return 1; - - return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); -} - -static int -delete_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, - struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; - ret = nft_cmd_rule_delete(h, chain, - table, cs, verbose); - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6[i], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6[i], sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6[j], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6[j], sizeof(struct in6_addr)); - ret = nft_cmd_rule_delete(h, chain, - table, cs, verbose); - } - } - } - - return ret; -} - -static int -check_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; - ret = nft_cmd_rule_check(h, chain, - table, cs, verbose); - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6[i], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6[i], sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6[j], sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6[j], sizeof(struct in6_addr)); - ret = nft_cmd_rule_check(h, chain, - table, cs, verbose); - } - } - } - - return ret; -} - -static int list_entries(struct nft_handle *h, const char *chain, const char *table, int rulenum, int verbose, int numeric, int expanded, int linenumbers) @@ -419,6 +262,47 @@ list_rules(struct nft_handle *h, const char *chain, const char *table, return nft_cmd_rule_list_save(h, chain, table, rulenum, counters); } +static void check_empty_interface(struct nft_handle *h, const char *arg) +{ + const char *msg = "Empty interface is likely to be undesired"; + + if (*arg != '\0') + return; + + if (h->family != NFPROTO_ARP) + xtables_error(PARAMETER_PROBLEM, msg); + + fprintf(stderr, "%s", msg); +} + +static void check_inverse(struct nft_handle *h, const char option[], + bool *invert, int *optidx, int argc) +{ + switch (h->family) { + case NFPROTO_ARP: + break; + default: + return; + } + + if (!option || strcmp(option, "!")) + return; + + fprintf(stderr, "Using intrapositioned negation (`--option ! this`) " + "is deprecated in favor of extrapositioned (`! --option this`).\n"); + + if (*invert) + xtables_error(PARAMETER_PROBLEM, + "Multiple `!' flags not allowed"); + *invert = true; + if (optidx) { + *optidx = *optidx + 1; + if (argc && *optidx > argc) + xtables_error(PARAMETER_PROBLEM, + "no argument following `!'"); + } +} + void do_parse(struct nft_handle *h, int argc, char *argv[], struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, struct xtables_args *args) @@ -432,10 +316,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], bool invert = false; int wait = 0; - memset(cs, 0, sizeof(*cs)); - cs->jumpto = ""; - cs->argv = argv; - /* re-set optind to 0 in case do_command4 gets called * a second time */ optind = 0; @@ -455,8 +335,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], opterr = 0; opts = xt_params->orig_opts; - while ((cs->c = getopt_long(argc, argv, - "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46", + while ((cs->c = getopt_long(argc, argv, xt_params->optstring, opts, NULL)) != -1) { switch (cs->c) { /* @@ -545,14 +424,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], break; case 'N': - if (optarg && (*optarg == '-' || *optarg == '!')) - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *optarg); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); + parse_chain(optarg); add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, invert); p->chain = optarg; @@ -601,7 +473,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], xtables_find_match(cs->protocol, XTF_TRY_LOAD, &cs->matches); - printhelp(cs->matches); + xt_params->print_help(cs->matches); p->command = CMD_NONE; return; @@ -609,14 +481,16 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], * Option selection */ case 'p': + check_inverse(h, optarg, &invert, &optind, argc); set_option(&cs->options, OPT_PROTOCOL, &args->invflags, invert); /* Canonicalize into lower case */ - for (cs->protocol = optarg; *cs->protocol; cs->protocol++) + for (cs->protocol = argv[optind - 1]; + *cs->protocol; cs->protocol++) *cs->protocol = tolower(*cs->protocol); - cs->protocol = optarg; + cs->protocol = argv[optind - 1]; args->proto = xtables_parse_protocol(cs->protocol); if (args->proto == 0 && @@ -625,19 +499,22 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], "rule would never match protocol"); /* This needs to happen here to parse extensions */ - h->ops->proto_parse(cs, args); + if (h->ops->proto_parse) + h->ops->proto_parse(cs, args); break; case 's': + check_inverse(h, optarg, &invert, &optind, argc); set_option(&cs->options, OPT_SOURCE, &args->invflags, invert); - args->shostnetworkmask = optarg; + args->shostnetworkmask = argv[optind - 1]; break; case 'd': + check_inverse(h, optarg, &invert, &optind, argc); set_option(&cs->options, OPT_DESTINATION, &args->invflags, invert); - args->dhostnetworkmask = optarg; + args->dhostnetworkmask = argv[optind - 1]; break; #ifdef IPT_F_GOTO @@ -649,33 +526,72 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], break; #endif + case 2:/* src-mac */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_S_MAC, &args->invflags, + invert); + args->src_mac = argv[optind - 1]; + break; + + case 3:/* dst-mac */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_D_MAC, &args->invflags, + invert); + args->dst_mac = argv[optind - 1]; + break; + + case 'l':/* hardware length */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_H_LENGTH, &args->invflags, + invert); + args->arp_hlen = argv[optind - 1]; + break; + + case 8: /* was never supported, not even in arptables-legacy */ + xtables_error(PARAMETER_PROBLEM, "not supported"); + case 4:/* opcode */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_OPCODE, &args->invflags, + invert); + args->arp_opcode = argv[optind - 1]; + break; + + case 5:/* h-type */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_H_TYPE, &args->invflags, + invert); + args->arp_htype = argv[optind - 1]; + break; + + case 6:/* proto-type */ + check_inverse(h, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_P_TYPE, &args->invflags, + invert); + args->arp_ptype = argv[optind - 1]; + break; + case 'j': set_option(&cs->options, OPT_JUMP, &args->invflags, invert); - command_jump(cs, optarg); + command_jump(cs, argv[optind - 1]); break; - case 'i': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); + check_empty_interface(h, optarg); + check_inverse(h, optarg, &invert, &optind, argc); set_option(&cs->options, OPT_VIANAMEIN, &args->invflags, invert); - xtables_parse_interface(optarg, + xtables_parse_interface(argv[optind - 1], args->iniface, args->iniface_mask); break; case 'o': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); + check_empty_interface(h, optarg); + check_inverse(h, optarg, &invert, &optind, argc); set_option(&cs->options, OPT_VIANAMEOUT, &args->invflags, invert); - xtables_parse_interface(optarg, + xtables_parse_interface(argv[optind - 1], args->outiface, args->outiface_mask); break; @@ -823,7 +739,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], exit_tryhelp(2); default: - if (command_default(cs, &xtables_globals, invert)) + if (command_default(cs, xt_params, invert)) /* cf. ip6tables.c */ continue; break; @@ -912,42 +828,46 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, .table = *table, .restore = restore, }; - struct iptables_command_state cs; + struct iptables_command_state cs = { + .jumpto = "", + .argv = argv, + }; struct xtables_args args = { .family = h->family, }; + if (h->ops->init_cs) + h->ops->init_cs(&cs); + do_parse(h, argc, argv, &p, &cs, &args); switch (p.command) { case CMD_APPEND: - ret = add_entry(p.chain, p.table, &cs, 0, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h, true); + ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, true, + p.rulenum - 1); break; case CMD_DELETE: - ret = delete_entry(p.chain, p.table, &cs, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->delete_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE); break; case CMD_DELETE_NUM: ret = nft_cmd_rule_delete_num(h, p.chain, p.table, p.rulenum - 1, p.verbose); break; case CMD_CHECK: - ret = check_entry(p.chain, p.table, &cs, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->check_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE); break; case CMD_REPLACE: - ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1, - h->family, args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->replace_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, + p.rulenum - 1); break; case CMD_INSERT: - ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1, - h->family, args.s, args.d, - cs.options&OPT_VERBOSE, h, false); + ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, false, + p.rulenum - 1); break; case CMD_FLUSH: ret = nft_cmd_rule_flush(h, p.chain, p.table, @@ -1019,17 +939,10 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, nft_clear_iptables_command_state(&cs); - if (h->family == AF_INET) { - free(args.s.addr.v4); - free(args.s.mask.v4); - free(args.d.addr.v4); - free(args.d.mask.v4); - } else if (h->family == AF_INET6) { - free(args.s.addr.v6); - free(args.s.mask.v6); - free(args.d.addr.v6); - free(args.d.mask.v6); - } + free(args.s.addr.ptr); + free(args.s.mask.ptr); + free(args.d.addr.ptr); + free(args.d.mask.ptr); xtables_free_opts(1); return ret; diff --git a/xlate-test.py b/xlate-test.py index 4a56e798..d78e8648 100755 --- a/xlate-test.py +++ b/xlate-test.py @@ -80,15 +80,15 @@ def run_test(name, payload): def load_test_files(): test_files = total_tests = total_passed = total_error = total_failed = 0 - for test in sorted(os.listdir("extensions")): - if test.endswith(".txlate"): - with open("extensions/" + test, "r") as payload: - tests, passed, failed, errors = run_test(test, payload) - test_files += 1 - total_tests += tests - total_passed += passed - total_failed += failed - total_error += errors + tests = sorted(os.listdir("extensions")) + for test in ['extensions/' + f for f in tests if f.endswith(".txlate")]: + with open(test, "r") as payload: + tests, passed, failed, errors = run_test(test, payload) + test_files += 1 + total_tests += tests + total_passed += passed + total_failed += failed + total_error += errors return (test_files, total_tests, total_passed, total_failed, total_error) |