summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--extensions/libxt_hashlimit.t4
-rw-r--r--include/xtables.h2
-rw-r--r--iptables/Makefile.am2
-rw-r--r--iptables/ip6tables.c197
-rw-r--r--iptables/iptables.c210
-rw-r--r--iptables/nft-arp.c260
-rw-r--r--iptables/nft-bridge.c12
-rw-r--r--iptables/nft-cache.c52
-rw-r--r--iptables/nft-chain.h1
-rw-r--r--iptables/nft-cmd.c2
-rw-r--r--iptables/nft-ipv4.c168
-rw-r--r--iptables/nft-ipv6.c141
-rw-r--r--iptables/nft-shared.c160
-rw-r--r--iptables/nft-shared.h42
-rw-r--r--iptables/nft.c141
-rw-r--r--iptables/nft.h4
-rwxr-xr-xiptables/tests/shell/testcases/chain/0004extra-base_037
-rwxr-xr-xiptables/tests/shell/testcases/chain/0005base-delete_034
-rwxr-xr-xiptables/tests/shell/testcases/ebtables/0007-chain-policies_02
-rw-r--r--iptables/xshared.c231
-rw-r--r--iptables/xshared.h24
-rw-r--r--iptables/xtables-arp-standalone.c65
-rw-r--r--iptables/xtables-arp.c749
-rw-r--r--iptables/xtables-eb-translate.c1
-rw-r--r--iptables/xtables-eb.c7
-rw-r--r--iptables/xtables-monitor.c2
-rw-r--r--iptables/xtables-multi.h3
-rw-r--r--iptables/xtables-restore.c9
-rw-r--r--iptables/xtables-save.c9
-rw-r--r--iptables/xtables-standalone.c54
-rw-r--r--iptables/xtables-translate.c21
-rw-r--r--iptables/xtables.c357
-rwxr-xr-xxlate-test.py18
33 files changed, 1227 insertions, 1794 deletions
diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
index 83699337..206d9293 100644
--- a/extensions/libxt_hashlimit.t
+++ b/extensions/libxt_hashlimit.t
@@ -3,12 +3,12 @@
-m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
diff --git a/include/xtables.h b/include/xtables.h
index e51f4bfd..ca674c26 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -420,10 +420,12 @@ struct xtables_globals
{
unsigned int option_offset;
const char *program_name, *program_version;
+ const char *optstring;
struct option *orig_opts;
struct option *opts;
void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
int (*compat_rev)(const char *name, uint8_t rev, int opt);
+ void (*print_help)(const struct xtables_rule_match *m);
};
#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false}
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index f7895210..0258264c 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -37,7 +37,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
xtables-standalone.c xtables.c nft.c \
nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c nft-cache.c \
- xtables-arp-standalone.c xtables-arp.c \
+ xtables-arp.c \
nft-bridge.c nft-cmd.c nft-chain.c \
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index e967c040..5a64566e 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -233,82 +233,6 @@ static int is_exthdr(uint16_t proto)
proto == IPPROTO_DSTOPTS);
}
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
-
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
- struct xt_counters counters;
- const char *pol = ip6tc_get_policy(chain, &counters, handle);
- printf("Chain %s", chain);
- if (pol) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- unsigned int refs;
- if (!ip6tc_get_references(&refs, chain, handle))
- printf(" (ERROR obtaining refs)\n");
- else
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
-
static int
print_match(const struct xt_entry_match *m,
const struct ip6t_ip6 *ip,
@@ -355,33 +279,10 @@ print_firewall(const struct ip6t_entry *fw,
t = ip6t_get_target((struct ip6t_entry *)fw);
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(fw->counters.pcnt, format);
- xtables_print_num(fw->counters.bcnt, format);
- }
-
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname);
-
- fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), fw->ipv6.proto);
- }
+ print_rule_details(num, &fw->counters, targname, fw->ipv6.proto,
+ fw->ipv6.flags, fw->ipv6.invflags, format);
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(' ', stdout); /* Invert flag of FRAG */
- fputc(' ', stdout); /* -f */
- fputc(' ', stdout);
- }
+ print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true);
print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface,
fw->ipv6.invflags, format);
@@ -711,8 +612,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
if (found) printf("\n");
- if (!rulenum)
- print_header(format, this, handle);
+ if (!rulenum) {
+ struct xt_counters counters;
+ unsigned int urefs;
+ const char *pol;
+ int refs = - 1;
+
+ pol = ip6tc_get_policy(this, &counters, handle);
+ if (!pol && ip6tc_get_references(&urefs, this, handle))
+ refs = urefs;
+
+ print_header(format, this, pol, &counters, refs, 0);
+ }
i = ip6tc_first_rule(this, handle);
num = 0;
@@ -733,45 +644,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
return found;
}
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
- int invert)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s -%c ", invert ? " !" : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- /* we can access iface[i-1] here, because
- * a few lines above we make sure that mask[0] != 0 */
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-}
-
-static void print_proto(uint16_t proto, int invert)
-{
- if (proto) {
- const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
- if (pname)
- printf("%s -p %s", invertstr, pname);
- else
- printf("%s -p %u", invertstr, proto);
- }
-}
-
static int print_match_save(const struct xt_entry_match *e,
const struct ip6t_ip6 *ip)
{
@@ -803,27 +675,6 @@ static int print_match_save(const struct xt_entry_match *e,
return 0;
}
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, const struct in6_addr *ip,
- const struct in6_addr *mask, int invert)
-{
- char buf[51];
- int l = xtables_ip6mask_to_cidr(mask);
-
- if (l == 0 && !invert)
- return;
-
- printf("%s %s %s",
- invert ? " !" : "",
- prefix,
- inet_ntop(AF_INET6, ip, buf, sizeof buf));
-
- if (l == -1)
- printf("/%s", inet_ntop(AF_INET6, mask, buf, sizeof buf));
- else
- printf("/%d", l);
-}
-
/* We want this to be readable, so only print out necessary fields.
* Because that's the kind of world I want to live in.
*/
@@ -841,19 +692,15 @@ void print_rule6(const struct ip6t_entry *e,
printf("-A %s", chain);
/* Print IP part. */
- print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk),
- e->ipv6.invflags & IP6T_INV_SRCIP);
-
- print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
- e->ipv6.invflags & IP6T_INV_DSTIP);
-
- print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
- e->ipv6.invflags & IP6T_INV_VIA_IN);
+ save_ipv6_addr('s', &e->ipv6.src, &e->ipv6.smsk,
+ e->ipv6.invflags & IP6T_INV_SRCIP);
- print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
- e->ipv6.invflags & IP6T_INV_VIA_OUT);
+ save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk,
+ e->ipv6.invflags & IP6T_INV_DSTIP);
- print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
+ save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
+ e->ipv6.outiface, e->ipv6.outiface_mask,
+ e->ipv6.proto, 0, e->ipv6.invflags);
#if 0
/* not definied in ipv6
diff --git a/iptables/iptables.c b/iptables/iptables.c
index b925f089..ac51c612 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -223,81 +223,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
-
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
- struct xt_counters counters;
- const char *pol = iptc_get_policy(chain, &counters, handle);
- printf("Chain %s", chain);
- if (pol) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- unsigned int refs;
- if (!iptc_get_references(&refs, chain, handle))
- printf(" (ERROR obtaining refs)\n");
- else
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
static int
print_match(const struct xt_entry_match *m,
@@ -336,7 +261,6 @@ print_firewall(const struct ipt_entry *fw,
{
struct xtables_target *target, *tg;
const struct xt_entry_target *t;
- uint8_t flags;
if (!iptc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -345,35 +269,11 @@ print_firewall(const struct ipt_entry *fw,
XTF_LOAD_MUST_SUCCEED);
t = ipt_get_target((struct ipt_entry *)fw);
- flags = fw->ip.flags;
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(fw->counters.pcnt, format);
- xtables_print_num(fw->counters.bcnt, format);
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname);
+ print_rule_details(num, &fw->counters, targname, fw->ip.proto,
+ fw->ip.flags, fw->ip.invflags, format);
- fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), fw->ip.proto);
- }
-
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout);
- fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
- fputc(' ', stdout);
- }
+ print_fragment(fw->ip.flags, fw->ip.invflags, format, false);
print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format);
@@ -702,8 +602,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
if (found) printf("\n");
- if (!rulenum)
- print_header(format, this, handle);
+ if (!rulenum) {
+ struct xt_counters counters;
+ unsigned int urefs;
+ const char *pol;
+ int refs = -1;
+
+ pol = iptc_get_policy(this, &counters, handle);
+ if (!pol && iptc_get_references(&urefs, this, handle))
+ refs = urefs;
+
+ print_header(format, this, pol, &counters, refs, 0);
+ }
i = iptc_first_rule(this, handle);
num = 0;
@@ -724,19 +634,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
return found;
}
-static void print_proto(uint16_t proto, int invert)
-{
- if (proto) {
- const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
- if (pname)
- printf("%s -p %s", invertstr, pname);
- else
- printf("%s -p %u", invertstr, proto);
- }
-}
-
#define IP_PARTS_NATIVE(n) \
(unsigned int)((n)>>24)&0xFF, \
(unsigned int)((n)>>16)&0xFF, \
@@ -745,32 +642,6 @@ static void print_proto(uint16_t proto, int invert)
#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
- int invert)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s -%c ", invert ? " !" : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- /* we can access iface[i-1] here, because
- * a few lines above we make sure that mask[0] != 0 */
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-}
-
static int print_match_save(const struct xt_entry_match *e,
const struct ipt_ip *ip)
{
@@ -802,36 +673,6 @@ static int print_match_save(const struct xt_entry_match *e,
return 0;
}
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, uint32_t ip,
- uint32_t mask, int invert)
-{
- uint32_t bits, hmask = ntohl(mask);
- int i;
-
- if (!mask && !ip && !invert)
- return;
-
- printf("%s %s %u.%u.%u.%u",
- invert ? " !" : "",
- prefix,
- IP_PARTS(ip));
-
- if (mask == 0xFFFFFFFFU) {
- printf("/32");
- return;
- }
-
- i = 32;
- bits = 0xFFFFFFFEU;
- while (--i >= 0 && hmask != bits)
- bits <<= 1;
- if (i >= 0)
- printf("/%u", i);
- else
- printf("/%u.%u.%u.%u", IP_PARTS(mask));
-}
-
/* We want this to be readable, so only print out necessary fields.
* Because that's the kind of world I want to live in.
*/
@@ -849,23 +690,16 @@ void print_rule4(const struct ipt_entry *e,
printf("-A %s", chain);
/* Print IP part. */
- print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
- e->ip.invflags & IPT_INV_SRCIP);
+ save_ipv4_addr('s', &e->ip.src, &e->ip.smsk,
+ e->ip.invflags & IPT_INV_SRCIP);
- print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
+ save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
e->ip.invflags & IPT_INV_DSTIP);
- print_iface('i', e->ip.iniface, e->ip.iniface_mask,
- e->ip.invflags & IPT_INV_VIA_IN);
-
- print_iface('o', e->ip.outiface, e->ip.outiface_mask,
- e->ip.invflags & IPT_INV_VIA_OUT);
-
- print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
-
- if (e->ip.flags & IPT_F_FRAG)
- printf("%s -f",
- e->ip.invflags & IPT_INV_FRAG ? " !" : "");
+ save_rule_details(e->ip.iniface, e->ip.iniface_mask,
+ e->ip.outiface, e->ip.outiface_mask,
+ e->ip.proto, e->ip.flags & IPT_F_FRAG,
+ e->ip.invflags);
/* Print matchinfo part */
if (e->target_offset)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2a9387a1..b211a309 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -308,11 +308,10 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
static void nft_arp_print_header(unsigned int format, const char *chain,
const char *pol,
const struct xt_counters *counters,
- bool basechain, uint32_t refs,
- uint32_t entries)
+ int refs, uint32_t entries)
{
printf("Chain %s", chain);
- if (basechain && pol) {
+ if (pol) {
printf(" (policy %s", pol);
if (!(format & FMT_NOCOUNTS)) {
fputc(' ', stdout);
@@ -323,7 +322,7 @@ static void nft_arp_print_header(unsigned int format, const char *chain,
}
printf(")\n");
} else {
- printf(" (%u references)\n", refs);
+ printf(" (%d references)\n", refs);
}
}
@@ -479,6 +478,7 @@ nft_arp_save_rule(const void *data, unsigned int format)
format |= FMT_NUMERIC;
+ printf(" ");
nft_arp_print_rule_details(cs, format);
if (cs->target && cs->target->save)
cs->target->save(&cs->fw, cs->target->t);
@@ -546,6 +546,251 @@ static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
printf(":%s %s\n", chain, policy ?: "-");
}
+static int getlength_and_mask(const char *from, uint8_t *to, uint8_t *mask)
+{
+ char *dup = strdup(from);
+ char *p, *buffer;
+ int i, ret = -1;
+
+ if (!dup)
+ return -1;
+
+ if ( (p = strrchr(dup, '/')) != NULL) {
+ *p = '\0';
+ i = strtol(p+1, &buffer, 10);
+ if (*buffer != '\0' || i < 0 || i > 255)
+ goto out_err;
+ *mask = (uint8_t)i;
+ } else
+ *mask = 255;
+ i = strtol(dup, &buffer, 10);
+ if (*buffer != '\0' || i < 0 || i > 255)
+ goto out_err;
+ *to = (uint8_t)i;
+ ret = 0;
+out_err:
+ free(dup);
+ return ret;
+
+}
+
+static int get16_and_mask(const char *from, uint16_t *to,
+ uint16_t *mask, int base)
+{
+ char *dup = strdup(from);
+ char *p, *buffer;
+ int i, ret = -1;
+
+ if (!dup)
+ return -1;
+
+ if ( (p = strrchr(dup, '/')) != NULL) {
+ *p = '\0';
+ i = strtol(p+1, &buffer, base);
+ if (*buffer != '\0' || i < 0 || i > 65535)
+ goto out_err;
+ *mask = htons((uint16_t)i);
+ } else
+ *mask = 65535;
+ i = strtol(dup, &buffer, base);
+ if (*buffer != '\0' || i < 0 || i > 65535)
+ goto out_err;
+ *to = htons((uint16_t)i);
+ ret = 0;
+out_err:
+ free(dup);
+ return ret;
+}
+
+static void nft_arp_post_parse(int command,
+ struct iptables_command_state *cs,
+ struct xtables_args *args)
+{
+ cs->arp.arp.invflags = args->invflags;
+
+ memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
+
+ memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
+
+ cs->arp.counters.pcnt = args->pcnt_cnt;
+ cs->arp.counters.bcnt = args->bcnt_cnt;
+
+ if (command & (CMD_REPLACE | CMD_INSERT |
+ CMD_DELETE | CMD_APPEND | CMD_CHECK)) {
+ if (!(cs->options & OPT_DESTINATION))
+ args->dhostnetworkmask = "0.0.0.0/0";
+ if (!(cs->options & OPT_SOURCE))
+ args->shostnetworkmask = "0.0.0.0/0";
+ }
+
+ if (args->shostnetworkmask)
+ xtables_ipparse_multiple(args->shostnetworkmask,
+ &args->s.addr.v4, &args->s.mask.v4,
+ &args->s.naddrs);
+ if (args->dhostnetworkmask)
+ xtables_ipparse_multiple(args->dhostnetworkmask,
+ &args->d.addr.v4, &args->d.mask.v4,
+ &args->d.naddrs);
+
+ if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
+ (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ xtables_error(PARAMETER_PROBLEM,
+ "! not allowed with multiple"
+ " source or destination IP addresses");
+
+ if (args->src_mac &&
+ xtables_parse_mac_and_mask(args->src_mac,
+ cs->arp.arp.src_devaddr.addr,
+ cs->arp.arp.src_devaddr.mask))
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified source mac");
+ if (args->dst_mac &&
+ xtables_parse_mac_and_mask(args->dst_mac,
+ cs->arp.arp.tgt_devaddr.addr,
+ cs->arp.arp.tgt_devaddr.mask))
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified destination mac");
+ if (args->arp_hlen) {
+ getlength_and_mask(args->arp_hlen, &cs->arp.arp.arhln,
+ &cs->arp.arp.arhln_mask);
+
+ if (cs->arp.arp.arhln != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only harware address length of 6 is supported currently.");
+ }
+ if (args->arp_opcode) {
+ if (get16_and_mask(args->arp_opcode, &cs->arp.arp.arpop,
+ &cs->arp.arp.arpop_mask, 10)) {
+ int i;
+
+ for (i = 0; i < NUMOPCODES; i++)
+ if (!strcasecmp(arp_opcodes[i],
+ args->arp_opcode))
+ break;
+ if (i == NUMOPCODES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified opcode");
+ cs->arp.arp.arpop = htons(i+1);
+ }
+ }
+ if (args->arp_htype) {
+ if (get16_and_mask(args->arp_htype, &cs->arp.arp.arhrd,
+ &cs->arp.arp.arhrd_mask, 16)) {
+ if (strcasecmp(args->arp_htype, "Ethernet"))
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified hardware type");
+ cs->arp.arp.arhrd = htons(1);
+ }
+ }
+ if (args->arp_ptype) {
+ if (get16_and_mask(args->arp_ptype, &cs->arp.arp.arpro,
+ &cs->arp.arp.arpro_mask, 0)) {
+ if (strcasecmp(args->arp_ptype, "ipv4"))
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified protocol type");
+ cs->arp.arp.arpro = htons(0x800);
+ }
+ }
+}
+
+static void nft_arp_init_cs(struct iptables_command_state *cs)
+{
+ cs->arp.arp.arhln = 6;
+ cs->arp.arp.arhln_mask = 255;
+ cs->arp.arp.arhrd = htons(ARPHRD_ETHER);
+ cs->arp.arp.arhrd_mask = 65535;
+}
+
+static int
+nft_arp_add_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ bool append, int rulenum)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr;
+ cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr;
+ if (append) {
+ ret = nft_cmd_rule_append(h, chain, table, cs, NULL,
+ verbose);
+ } else {
+ ret = nft_cmd_rule_insert(h, chain, table, cs,
+ rulenum, verbose);
+ }
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_arp_delete_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr;
+ cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr;
+ ret = nft_cmd_rule_delete(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_arp_check_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->arp.arp.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->arp.arp.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->arp.arp.tgt.s_addr = args->d.addr.v4[j].s_addr;
+ cs->arp.arp.tmsk.s_addr = args->d.mask.v4[j].s_addr;
+ ret = nft_cmd_rule_check(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_arp_replace_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ int rulenum)
+{
+ cs->arp.arp.src.s_addr = args->s.addr.v4->s_addr;
+ cs->arp.arp.tgt.s_addr = args->d.addr.v4->s_addr;
+ cs->arp.arp.smsk.s_addr = args->s.mask.v4->s_addr;
+ cs->arp.arp.tmsk.s_addr = args->d.mask.v4->s_addr;
+
+ return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose);
+}
+
struct nft_family_ops nft_family_ops_arp = {
.add = nft_arp_add,
.is_same = nft_arp_is_same,
@@ -557,8 +802,13 @@ struct nft_family_ops nft_family_ops_arp = {
.print_rule = nft_arp_print_rule,
.save_rule = nft_arp_save_rule,
.save_chain = nft_arp_save_chain,
- .post_parse = NULL,
+ .post_parse = nft_arp_post_parse,
.rule_to_cs = nft_rule_to_iptables_command_state,
+ .init_cs = nft_arp_init_cs,
.clear_cs = nft_clear_iptables_command_state,
.parse_target = nft_ipv46_parse_target,
+ .add_entry = nft_arp_add_entry,
+ .delete_entry = nft_arp_delete_entry,
+ .check_entry = nft_arp_check_entry,
+ .replace_entry = nft_arp_replace_entry,
};
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 11f3df35..5cde302c 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -534,7 +534,7 @@ static void nft_bridge_print_table_header(const char *tablename)
static void nft_bridge_print_header(unsigned int format, const char *chain,
const char *pol,
const struct xt_counters *counters,
- bool basechain, uint32_t refs, uint32_t entries)
+ int refs, uint32_t entries)
{
printf("Bridge chain: %s, entries: %u, policy: %s\n",
chain, entries, pol ?: "RETURN");
@@ -601,7 +601,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
printf("%s ", ent->e_name);
}
-static void nft_bridge_save_rule(const void *data, unsigned int format)
+static void __nft_bridge_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
@@ -652,6 +652,12 @@ static void nft_bridge_save_rule(const void *data, unsigned int format)
fputc('\n', stdout);
}
+static void nft_bridge_save_rule(const void *data, unsigned int format)
+{
+ printf(" ");
+ __nft_bridge_save_rule(data, format);
+}
+
static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
@@ -661,7 +667,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
printf("%d ", num);
nft_rule_to_ebtables_command_state(h, r, &cs);
- nft_bridge_save_rule(&cs, format);
+ __nft_bridge_save_rule(&cs, format);
ebt_cs_clean(&cs);
}
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 2c88301c..43ac291e 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -202,26 +202,52 @@ nft_chain_find(struct nft_handle *h, const char *table, const char *chain)
return NULL;
}
+static int
+nft_cache_add_base_chain(struct nft_handle *h, const struct builtin_table *t,
+ struct nft_chain *nc)
+{
+ uint32_t hooknum = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_HOOKNUM);
+ const char *name = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_NAME);
+ const char *type = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_TYPE);
+ uint32_t prio = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_PRIO);
+ const struct builtin_chain *bc = NULL;
+ int i;
+
+ for (i = 0; i < NF_IP_NUMHOOKS && t->chains[i].name != NULL; i++) {
+ if (hooknum == t->chains[i].hook) {
+ bc = &t->chains[i];
+ break;
+ }
+ }
+
+ if (!bc ||
+ prio != bc->prio ||
+ strcmp(name, bc->name) ||
+ strcmp(type, bc->type))
+ return -EINVAL;
+
+ nc->base_slot = &h->cache->table[t->type].base_chains[hooknum];
+ if (*nc->base_slot)
+ return -EEXIST;
+
+ *nc->base_slot = nc;
+ return 0;
+}
+
int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
struct nftnl_chain *c)
{
const char *cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
struct nft_chain *nc = nft_chain_alloc(c);
+ int ret;
if (nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) {
- uint32_t hooknum = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM);
-
- if (hooknum >= NF_INET_NUMHOOKS) {
+ ret = nft_cache_add_base_chain(h, t, nc);
+ if (ret) {
+ h->cache->table[t->type].tainted = true;
nft_chain_free(nc);
- return -EINVAL;
+ return ret;
}
-
- if (h->cache->table[t->type].base_chains[hooknum]) {
- nft_chain_free(nc);
- return -EEXIST;
- }
-
- h->cache->table[t->type].base_chains[hooknum] = nc;
} else {
list_add_tail(&nc->head,
&h->cache->table[t->type].chains->list);
@@ -314,9 +340,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
goto out;
}
- if (nft_cache_add_chain(h, t, c))
- goto out;
-
+ nft_cache_add_chain(h, t, c);
return MNL_CB_OK;
out:
nftnl_chain_free(c);
diff --git a/iptables/nft-chain.h b/iptables/nft-chain.h
index 137f4b7f..9adf1738 100644
--- a/iptables/nft-chain.h
+++ b/iptables/nft-chain.h
@@ -9,6 +9,7 @@ struct nft_handle;
struct nft_chain {
struct list_head head;
struct hlist_node hnode;
+ struct nft_chain **base_slot;
struct nftnl_chain *nftnl;
};
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 2d874bd4..fcd01bd0 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -220,7 +220,7 @@ int nft_cmd_chain_del(struct nft_handle *h, const char *chain,
/* This triggers nft_bridge_chain_postprocess() when fetching the
* rule cache.
*/
- if (h->family == NFPROTO_BRIDGE)
+ if (h->family == NFPROTO_BRIDGE || !chain)
nft_cache_level_set(h, NFT_CL_RULES, cmd);
else
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 34f94bd8..f3626098 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -134,32 +134,6 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
ctx->flags &= ~NFT_XT_CTX_BITWISE;
}
-static const char *mask_to_str(uint32_t mask)
-{
- static char mask_str[INET_ADDRSTRLEN];
- uint32_t bits, hmask = ntohl(mask);
- struct in_addr mask_addr = {
- .s_addr = mask,
- };
- int i;
-
- if (mask == 0xFFFFFFFFU) {
- sprintf(mask_str, "32");
- return mask_str;
- }
-
- i = 32;
- bits = 0xFFFFFFFEU;
- while (--i >= 0 && hmask != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(mask_str, "%u", i);
- else
- inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
-
- return mask_str;
-}
-
static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
void *data)
{
@@ -252,19 +226,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
cs->fw.ip.flags |= IPT_F_GOTO;
}
-static void print_fragment(unsigned int flags, unsigned int invflags,
- unsigned int format)
-{
- if (!(format & FMT_OPTIONS))
- return;
-
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
- fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
- fputc(' ', stdout);
-}
-
static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
@@ -272,9 +233,9 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_rule_to_iptables_command_state(h, r, &cs);
- print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags,
- cs.fw.ip.invflags, cs.fw.ip.proto, num, format);
- print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
+ print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto,
+ cs.fw.ip.flags, cs.fw.ip.invflags, format);
+ print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format, false);
print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
format);
print_ipv4_addresses(&cs.fw, format);
@@ -295,37 +256,19 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_clear_iptables_command_state(&cs);
}
-static void save_ipv4_addr(char letter, const struct in_addr *addr,
- uint32_t mask, int invert)
-{
- char addrbuf[INET_ADDRSTRLEN];
-
- if (!mask && !invert && !addr->s_addr)
- return;
-
- printf("%s-%c %s/%s ", invert ? "! " : "", letter,
- inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
- mask_to_str(mask));
-}
-
static void nft_ipv4_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
- save_ipv4_addr('s', &cs->fw.ip.src, cs->fw.ip.smsk.s_addr,
+ save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk,
cs->fw.ip.invflags & IPT_INV_SRCIP);
- save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
+ save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk,
cs->fw.ip.invflags & IPT_INV_DSTIP);
- save_rule_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
- cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
- cs->fw.ip.outiface, cs->fw.ip.outiface_mask);
-
- if (cs->fw.ip.flags & IPT_F_FRAG) {
- if (cs->fw.ip.invflags & IPT_INV_FRAG)
- printf("! ");
- printf("-f ");
- }
+ save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
+ cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
+ cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG,
+ cs->fw.ip.invflags);
save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO,
&cs->fw, format);
@@ -468,6 +411,95 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
return ret;
}
+static int
+nft_ipv4_add_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ bool append, int rulenum)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr;
+ cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr;
+
+ if (append) {
+ ret = nft_cmd_rule_append(h, chain, table,
+ cs, NULL, verbose);
+ } else {
+ ret = nft_cmd_rule_insert(h, chain, table,
+ cs, rulenum, verbose);
+ }
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv4_delete_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr;
+ cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr;
+ ret = nft_cmd_rule_delete(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv4_check_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ cs->fw.ip.src.s_addr = args->s.addr.v4[i].s_addr;
+ cs->fw.ip.smsk.s_addr = args->s.mask.v4[i].s_addr;
+ for (j = 0; j < args->d.naddrs; j++) {
+ cs->fw.ip.dst.s_addr = args->d.addr.v4[j].s_addr;
+ cs->fw.ip.dmsk.s_addr = args->d.mask.v4[j].s_addr;
+ ret = nft_cmd_rule_check(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv4_replace_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ int rulenum)
+{
+ cs->fw.ip.src.s_addr = args->s.addr.v4->s_addr;
+ cs->fw.ip.dst.s_addr = args->d.addr.v4->s_addr;
+ cs->fw.ip.smsk.s_addr = args->s.mask.v4->s_addr;
+ cs->fw.ip.dmsk.s_addr = args->d.mask.v4->s_addr;
+
+ return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose);
+}
+
struct nft_family_ops nft_family_ops_ipv4 = {
.add = nft_ipv4_add,
.is_same = nft_ipv4_is_same,
@@ -484,4 +516,8 @@ struct nft_family_ops nft_family_ops_ipv4 = {
.rule_to_cs = nft_rule_to_iptables_command_state,
.clear_cs = nft_clear_iptables_command_state,
.xlate = nft_ipv4_xlate,
+ .add_entry = nft_ipv4_add_entry,
+ .delete_entry = nft_ipv4_delete_entry,
+ .check_entry = nft_ipv4_check_entry,
+ .replace_entry = nft_ipv4_replace_entry,
};
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d9c9400a..13213088 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -198,14 +198,9 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_rule_to_iptables_command_state(h, r, &cs);
- print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags,
- cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
- num, format);
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputs(" ", stdout);
- }
+ print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto,
+ cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format);
+ print_fragment(cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format, true);
print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
cs.fw6.ipv6.invflags, format);
print_ipv6_addresses(&cs.fw6, format);
@@ -224,26 +219,6 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_clear_iptables_command_state(&cs);
}
-static void save_ipv6_addr(char letter, const struct in6_addr *addr,
- const struct in6_addr *mask,
- int invert)
-{
- char addr_str[INET6_ADDRSTRLEN];
- int l = xtables_ip6mask_to_cidr(mask);
-
- if (!invert && l == 0)
- return;
-
- printf("%s-%c %s",
- invert ? "! " : "", letter,
- inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
-
- if (l == -1)
- printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
- else
- printf("/%d ", l);
-}
-
static void nft_ipv6_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
@@ -253,9 +228,9 @@ static void nft_ipv6_save_rule(const void *data, unsigned int format)
save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
- save_rule_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
- cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
- cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask);
+ save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
+ cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
+ cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags);
save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO,
&cs->fw6, format);
@@ -410,6 +385,106 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
return ret;
}
+static int
+nft_ipv6_add_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ bool append, int rulenum)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ memcpy(&cs->fw6.ipv6.src,
+ &args->s.addr.v6[i], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.smsk,
+ &args->s.mask.v6[i], sizeof(struct in6_addr));
+ for (j = 0; j < args->d.naddrs; j++) {
+ memcpy(&cs->fw6.ipv6.dst,
+ &args->d.addr.v6[j], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.dmsk,
+ &args->d.mask.v6[j], sizeof(struct in6_addr));
+ if (append) {
+ ret = nft_cmd_rule_append(h, chain, table,
+ cs, NULL, verbose);
+ } else {
+ ret = nft_cmd_rule_insert(h, chain, table,
+ cs, rulenum, verbose);
+ }
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv6_delete_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ memcpy(&cs->fw6.ipv6.src,
+ &args->s.addr.v6[i], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.smsk,
+ &args->s.mask.v6[i], sizeof(struct in6_addr));
+ for (j = 0; j < args->d.naddrs; j++) {
+ memcpy(&cs->fw6.ipv6.dst,
+ &args->d.addr.v6[j], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.dmsk,
+ &args->d.mask.v6[j], sizeof(struct in6_addr));
+ ret = nft_cmd_rule_delete(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv6_check_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose)
+{
+ unsigned int i, j;
+ int ret = 1;
+
+ for (i = 0; i < args->s.naddrs; i++) {
+ memcpy(&cs->fw6.ipv6.src,
+ &args->s.addr.v6[i], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.smsk,
+ &args->s.mask.v6[i], sizeof(struct in6_addr));
+ for (j = 0; j < args->d.naddrs; j++) {
+ memcpy(&cs->fw6.ipv6.dst,
+ &args->d.addr.v6[j], sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.dmsk,
+ &args->d.mask.v6[j], sizeof(struct in6_addr));
+ ret = nft_cmd_rule_check(h, chain, table, cs, verbose);
+ }
+ }
+
+ return ret;
+}
+
+static int
+nft_ipv6_replace_entry(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ int rulenum)
+{
+ memcpy(&cs->fw6.ipv6.src, args->s.addr.v6, sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.dst, args->d.addr.v6, sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.smsk, args->s.mask.v6, sizeof(struct in6_addr));
+ memcpy(&cs->fw6.ipv6.dmsk, args->d.mask.v6, sizeof(struct in6_addr));
+
+ return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose);
+}
+
struct nft_family_ops nft_family_ops_ipv6 = {
.add = nft_ipv6_add,
.is_same = nft_ipv6_is_same,
@@ -426,4 +501,8 @@ struct nft_family_ops nft_family_ops_ipv6 = {
.rule_to_cs = nft_rule_to_iptables_command_state,
.clear_cs = nft_clear_iptables_command_state,
.xlate = nft_ipv6_xlate,
+ .add_entry = nft_ipv6_add_entry,
+ .delete_entry = nft_ipv6_delete_entry,
+ .check_entry = nft_ipv6_check_entry,
+ .replace_entry = nft_ipv6_replace_entry,
};
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 4253b081..b281ba29 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -373,21 +373,6 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
ctx->h->ops->parse_match(match, ctx->cs);
}
-void print_proto(uint16_t proto, int invert)
-{
- const struct protoent *pent = getprotobynumber(proto);
-
- if (invert)
- printf("! ");
-
- if (pent) {
- printf("-p %s ", pent->p_name);
- return;
- }
-
- printf("-p %u ", proto);
-}
-
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
{
uint32_t len;
@@ -714,130 +699,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs)
}
}
-void print_header(unsigned int format, const char *chain, const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries)
-{
- printf("Chain %s", chain);
- if (basechain) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
-void print_rule_details(const struct iptables_command_state *cs,
- const char *targname, uint8_t flags,
- uint8_t invflags, uint8_t proto,
- unsigned int num, unsigned int format)
-{
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(cs->counters.pcnt, format);
- xtables_print_num(cs->counters.bcnt, format);
- }
-
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname ? targname : "");
-
- fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname =
- proto_to_name(proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), proto);
- }
-}
-
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s-%c ", inv ? "! " : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-
- printf(" ");
-}
-
-void save_rule_details(const struct iptables_command_state *cs,
- uint8_t invflags, uint16_t proto,
- const char *iniface,
- unsigned const char *iniface_mask,
- const char *outiface,
- unsigned const char *outiface_mask)
-{
- if (iniface != NULL) {
- print_iface('i', iniface, iniface_mask,
- invflags & IPT_INV_VIA_IN);
- }
- if (outiface != NULL) {
- print_iface('o', outiface, outiface_mask,
- invflags & IPT_INV_VIA_OUT);
- }
-
- if (proto > 0) {
- const char *pname = proto_to_name(proto, 0);
-
- if (invflags & XT_INV_PROTO)
- printf("! ");
-
- if (pname)
- printf("-p %s ", pname);
- else
- printf("-p %u ", proto);
- }
-}
-
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
{
const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
@@ -856,33 +717,33 @@ void save_matches_and_target(const struct iptables_command_state *cs,
for (matchp = cs->matches; matchp; matchp = matchp->next) {
if (matchp->match->alias) {
- printf("-m %s",
+ printf(" -m %s",
matchp->match->alias(matchp->match->m));
} else
- printf("-m %s", matchp->match->name);
+ printf(" -m %s", matchp->match->name);
if (matchp->match->save != NULL) {
/* cs->fw union makes the trick */
matchp->match->save(fw, matchp->match->m);
}
- printf(" ");
}
if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS)
- printf("-c %llu %llu ",
+ printf(" -c %llu %llu",
(unsigned long long)cs->counters.pcnt,
(unsigned long long)cs->counters.bcnt);
if (cs->target != NULL) {
if (cs->target->alias) {
- printf("-j %s", cs->target->alias(cs->target->t));
+ printf(" -j %s", cs->target->alias(cs->target->t));
} else
- printf("-j %s", cs->jumpto);
+ printf(" -j %s", cs->jumpto);
- if (cs->target->save != NULL)
+ if (cs->target->save != NULL) {
cs->target->save(fw, cs->target->t);
+ }
} else if (strlen(cs->jumpto) > 0) {
- printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
+ printf(" -%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
}
printf("\n");
@@ -992,6 +853,7 @@ void nft_check_xt_legacy(int family, bool is_ipt_save)
{
static const char tables6[] = "/proc/net/ip6_tables_names";
static const char tables4[] = "/proc/net/ip_tables_names";
+ static const char tablesa[] = "/proc/net/arp_tables_names";
const char *prefix = "ip";
FILE *fp = NULL;
char buf[1024];
@@ -1004,6 +866,10 @@ void nft_check_xt_legacy(int family, bool is_ipt_save)
fp = fopen(tables6, "r");
prefix = "ip6";
break;
+ case NFPROTO_ARP:
+ fp = fopen(tablesa, "r");
+ prefix = "arp";
+ break;
default:
break;
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index cc8f3a79..bcf8486e 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -94,8 +94,8 @@ struct nft_family_ops {
void (*print_table_header)(const char *tablename);
void (*print_header)(unsigned int format, const char *chain,
const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries);
+ const struct xt_counters *counters,
+ int refs, uint32_t entries);
void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format);
void (*save_rule)(const void *data, unsigned int format);
@@ -106,10 +106,29 @@ struct nft_family_ops {
struct xtables_args *args);
void (*parse_match)(struct xtables_match *m, void *data);
void (*parse_target)(struct xtables_target *t, void *data);
+ void (*init_cs)(struct iptables_command_state *cs);
void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
struct iptables_command_state *cs);
void (*clear_cs)(struct iptables_command_state *cs);
int (*xlate)(const void *data, struct xt_xlate *xl);
+ int (*add_entry)(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ bool append, int rulenum);
+ int (*delete_entry)(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose);
+ int (*check_entry)(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose);
+ int (*replace_entry)(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ struct xtables_args *args, bool verbose,
+ int rulenum);
};
void add_meta(struct nftnl_rule *r, uint32_t key);
@@ -139,27 +158,13 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
unsigned char *iniface_mask, char *outiface,
unsigned char *outiface_mask, uint8_t *invflags);
-void print_proto(uint16_t proto, int invert);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
void nft_rule_to_iptables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
struct iptables_command_state *cs);
void nft_clear_iptables_command_state(struct iptables_command_state *cs);
-void print_header(unsigned int format, const char *chain, const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries);
-void print_rule_details(const struct iptables_command_state *cs,
- const char *targname, uint8_t flags,
- uint8_t invflags, uint8_t proto,
- unsigned int num, unsigned int format);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
-void save_rule_details(const struct iptables_command_state *cs,
- uint8_t invflags, uint16_t proto,
- const char *iniface,
- unsigned const char *iniface_mask,
- const char *outiface,
- unsigned const char *outiface_mask);
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
void save_matches_and_target(const struct iptables_command_state *cs,
bool goto_flag, const void *fw,
@@ -176,6 +181,7 @@ struct addr_mask {
union {
struct in_addr *v4;
struct in6_addr *v6;
+ void *ptr;
} addr;
unsigned int naddrs;
@@ -183,6 +189,7 @@ struct addr_mask {
union {
struct in_addr *v4;
struct in6_addr *v6;
+ void *ptr;
} mask;
};
@@ -197,6 +204,9 @@ struct xtables_args {
const char *shostnetworkmask, *dhostnetworkmask;
const char *pcnt, *bcnt;
struct addr_mask s, d;
+ const char *src_mac, *dst_mac;
+ const char *arp_hlen, *arp_opcode;
+ const char *arp_htype, *arp_ptype;
unsigned long long pcnt_cnt, bcnt_cnt;
};
diff --git a/iptables/nft.c b/iptables/nft.c
index 89dde9ec..887c735b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -863,7 +863,22 @@ int nft_restart(struct nft_handle *h)
return 0;
}
-int nft_init(struct nft_handle *h, int family, const struct builtin_table *t)
+static const struct builtin_table *builtin_tables_lookup(int family)
+{
+ switch (family) {
+ case AF_INET:
+ case AF_INET6:
+ return xtables_ipv4;
+ case NFPROTO_ARP:
+ return xtables_arp;
+ case NFPROTO_BRIDGE:
+ return xtables_bridge;
+ default:
+ return NULL;
+ }
+}
+
+int nft_init(struct nft_handle *h, int family)
{
memset(h, 0, sizeof(*h));
@@ -881,7 +896,7 @@ int nft_init(struct nft_handle *h, int family, const struct builtin_table *t)
xtables_error(PARAMETER_PROBLEM, "Unknown family");
h->portid = mnl_socket_get_portid(h->nl);
- h->tables = t;
+ h->tables = builtin_tables_lookup(family);
h->cache = &h->__cache[0];
h->family = family;
@@ -1498,10 +1513,10 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
/* print chain name */
switch(type) {
case NFT_RULE_APPEND:
- printf("-A %s ", chain);
+ printf("-A %s", chain);
break;
case NFT_RULE_DEL:
- printf("-D %s ", chain);
+ printf("-D %s", chain);
break;
}
@@ -1838,32 +1853,47 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
struct chain_del_data {
struct nft_handle *handle;
- struct nft_cache *cache;
- enum nft_table_type type;
+ const char *chain;
bool verbose;
};
+static bool nft_may_delete_chain(struct nftnl_chain *c)
+{
+ if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY) &&
+ nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY) != NF_ACCEPT)
+ return false;
+
+ return nftnl_rule_lookup_byindex(c, 0) == NULL;
+}
+
static int __nft_chain_del(struct nft_chain *nc, void *data)
{
struct chain_del_data *d = data;
struct nftnl_chain *c = nc->nftnl;
struct nft_handle *h = d->handle;
+ bool builtin = nft_chain_builtin(c);
+ struct obj_update *obj;
+ int ret = 0;
- if (d->verbose)
+ if (d->verbose && !builtin)
fprintf(stdout, "Deleting chain `%s'\n",
nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
/* XXX This triggers a fast lookup from the kernel. */
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
- if (!batch_chain_add(h, NFT_COMPAT_CHAIN_DEL, c))
+ obj = batch_chain_add(h, NFT_COMPAT_CHAIN_DEL, c);
+ if (!obj)
return -1;
- if (nft_chain_builtin(c)) {
- uint32_t num = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM);
-
- if (nc == d->cache->table[d->type].base_chains[num])
- d->cache->table[d->type].base_chains[num] = NULL;
+ if (builtin) {
+ obj->skip = !nft_may_delete_chain(c);
+ if (obj->skip && d->chain) {
+ /* complain if explicitly requested */
+ errno = EBUSY;
+ ret = -1;
+ }
+ *nc->base_slot = NULL;
}
/* nftnl_chain is freed when deleting the batch object */
@@ -1871,15 +1901,15 @@ static int __nft_chain_del(struct nft_chain *nc, void *data)
nft_chain_list_del(nc);
nft_chain_free(nc);
- return 0;
+ return ret;
}
int nft_chain_del(struct nft_handle *h, const char *chain,
- const char *table, bool verbose)
+ const char *table, bool verbose)
{
- const struct builtin_table *t;
struct chain_del_data d = {
.handle = h,
+ .chain = chain,
.verbose = verbose,
};
struct nft_chain *c;
@@ -1894,32 +1924,10 @@ int nft_chain_del(struct nft_handle *h, const char *chain,
return 0;
}
- if (nft_chain_builtin(c->nftnl)) {
- t = nft_table_builtin_find(h, table);
- if (!t) {
- errno = EINVAL;
- return 0;
- }
-
- d.type = t->type;
- d.cache = h->cache;
- }
-
ret = __nft_chain_del(c, &d);
- if (ret == -2)
- errno = EINVAL;
goto out;
}
- t = nft_table_builtin_find(h, table);
- if (!t) {
- errno = EINVAL;
- return 0;
- }
-
- d.type = t->type;
- d.cache = h->cache;
-
if (verbose)
nft_cache_sort_chains(h, table);
@@ -2390,7 +2398,6 @@ static void __nft_print_header(struct nft_handle *h,
{
struct nftnl_chain *c = nc->nftnl;
const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
- bool basechain = !!nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM);
uint32_t refs = nftnl_chain_get_u32(c, NFTNL_CHAIN_USE);
uint32_t entries = nft_rule_count(h, c);
struct xt_counters ctrs = {
@@ -2399,11 +2406,12 @@ static void __nft_print_header(struct nft_handle *h,
};
const char *pname = NULL;
- if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
+ if (nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) &&
+ nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
pname = policy_name[nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)];
h->ops->print_header(format, chain_name, pname,
- &ctrs, basechain, refs - entries, entries);
+ &ctrs, refs - entries, entries);
}
struct nft_rule_list_cb_data {
@@ -2770,10 +2778,14 @@ static void nft_refresh_transaction(struct nft_handle *h)
n->skip = !nft_chain_find(h, tablename, chainname);
break;
+ case NFT_COMPAT_CHAIN_DEL:
+ if (!nftnl_chain_get(n->chain, NFTNL_CHAIN_HOOKNUM))
+ break;
+ n->skip = !nft_may_delete_chain(n->chain);
+ break;
case NFT_COMPAT_TABLE_ADD:
case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_ZERO:
- case NFT_COMPAT_CHAIN_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE:
case NFT_COMPAT_CHAIN_RENAME:
@@ -3513,38 +3525,8 @@ static int nft_is_rule_compatible(struct nftnl_rule *rule, void *data)
static int nft_is_chain_compatible(struct nft_chain *nc, void *data)
{
struct nftnl_chain *c = nc->nftnl;
- const struct builtin_table *table;
- const struct builtin_chain *chain;
- const char *tname, *cname, *type;
- struct nft_handle *h = data;
- enum nf_inet_hooks hook;
- int prio;
-
- if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL))
- return -1;
- if (!nft_chain_builtin(c))
- return 0;
-
- tname = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE);
- table = nft_table_builtin_find(h, tname);
- if (!table)
- return -1;
-
- cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
- chain = nft_chain_builtin_find(table, cname);
- if (!chain)
- return -1;
-
- type = nftnl_chain_get_str(c, NFTNL_CHAIN_TYPE);
- prio = nftnl_chain_get_u32(c, NFTNL_CHAIN_PRIO);
- hook = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM);
- if (strcmp(type, chain->type) ||
- prio != chain->prio ||
- hook != chain->hook)
- return -1;
-
- return 0;
+ return nftnl_rule_foreach(c, nft_is_rule_compatible, NULL);
}
bool nft_is_table_compatible(struct nft_handle *h,
@@ -3559,13 +3541,24 @@ bool nft_is_table_compatible(struct nft_handle *h,
return !nft_chain_foreach(h, table, nft_is_chain_compatible, h);
}
+bool nft_is_table_tainted(struct nft_handle *h, const char *table)
+{
+ const struct builtin_table *t = nft_table_builtin_find(h, table);
+
+ return t ? h->cache->table[t->type].tainted : false;
+}
+
void nft_assert_table_compatible(struct nft_handle *h,
const char *table, const char *chain)
{
const char *pfx = "", *sfx = "";
- if (nft_is_table_compatible(h, table, chain))
+ if (nft_is_table_compatible(h, table, chain)) {
+ if (nft_is_table_tainted(h, table))
+ printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n",
+ table);
return;
+ }
if (chain) {
pfx = "chain `";
diff --git a/iptables/nft.h b/iptables/nft.h
index a7b652ff..f189b03f 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -45,6 +45,7 @@ struct nft_cache {
struct nftnl_set_list *sets;
bool exists;
bool sorted;
+ bool tainted;
} table[NFT_TABLE_MAX];
};
@@ -122,7 +123,7 @@ extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
int (*cb)(const struct nlmsghdr *nlh, void *data),
void *data);
-int nft_init(struct nft_handle *h, int family, const struct builtin_table *t);
+int nft_init(struct nft_handle *h, int family);
void nft_fini(struct nft_handle *h);
int nft_restart(struct nft_handle *h);
@@ -262,6 +263,7 @@ void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
bool nft_is_table_compatible(struct nft_handle *h,
const char *table, const char *chain);
+bool nft_is_table_tainted(struct nft_handle *h, const char *table);
void nft_assert_table_compatible(struct nft_handle *h,
const char *table, const char *chain);
diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
new file mode 100755
index 00000000..cc07e4be
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0004extra-base_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+case $XT_MULTI in
+*xtables-nft-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+set -e
+
+nft -f - <<EOF
+table ip filter {
+ chain a {
+ type filter hook input priority filter
+ }
+
+ chain INPUT {
+ type filter hook input priority filter
+ counter packets 218 bytes 91375 accept
+ }
+
+ chain x {
+ type filter hook input priority filter
+ }
+}
+EOF
+
+EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them.
+-P INPUT ACCEPT
+-P FORWARD ACCEPT
+-P OUTPUT ACCEPT
+-A INPUT -j ACCEPT"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S)
diff --git a/iptables/tests/shell/testcases/chain/0005base-delete_0 b/iptables/tests/shell/testcases/chain/0005base-delete_0
new file mode 100755
index 00000000..033a2819
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0005base-delete_0
@@ -0,0 +1,34 @@
+#!/bin/bash -x
+
+$XT_MULTI iptables -N foo || exit 1
+$XT_MULTI iptables -P FORWARD DROP || exit 1
+$XT_MULTI iptables -X || exit 1
+$XT_MULTI iptables -X foo && exit 1
+
+# indefinite -X fails if a non-empty user-defined chain exists
+$XT_MULTI iptables -N foo
+$XT_MULTI iptables -N bar
+$XT_MULTI iptables -A bar -j ACCEPT
+$XT_MULTI iptables -X && exit 1
+$XT_MULTI iptables -D bar -j ACCEPT
+$XT_MULTI iptables -X || exit 1
+
+# make sure OUTPUT chain is created by iptables-nft
+$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1
+$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1
+
+case $XT_MULTI in
+*xtables-nft-multi)
+ # must not delete chain FORWARD, its policy is not ACCEPT
+ $XT_MULTI iptables -X FORWARD && exit 1
+ nft list chain ip filter FORWARD || exit 1
+ # this should evict chain OUTPUT
+ $XT_MULTI iptables -X OUTPUT || exit 1
+ nft list chain ip filter OUTPUT && exit 1
+ ;;
+*)
+ $XT_MULTI iptables -X FORWARD && exit 1
+ $XT_MULTI iptables -X OUTPUT && exit 1
+ ;;
+esac
+exit 0
diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0
index faf37d02..d79f91b1 100755
--- a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0
+++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
case "$XT_MULTI" in
*xtables-nft-multi)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 2d3ef679..a1ca2b0f 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <arpa/inet.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
@@ -47,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
}
}
-const char *
+static const char *
proto_to_name(uint16_t proto, int nolookup)
{
unsigned int i;
@@ -106,7 +107,7 @@ static bool should_load_proto(struct iptables_command_state *cs)
return !cs->proto_used;
}
-struct xtables_match *load_proto(struct iptables_command_state *cs)
+static struct xtables_match *load_proto(struct iptables_command_state *cs)
{
if (!should_load_proto(cs))
return NULL;
@@ -546,6 +547,52 @@ void debug_print_argv(struct argv_store *store)
}
#endif
+void print_header(unsigned int format, const char *chain, const char *pol,
+ const struct xt_counters *counters,
+ int refs, uint32_t entries)
+{
+ printf("Chain %s", chain);
+ if (pol) {
+ printf(" (policy %s", pol);
+ if (!(format & FMT_NOCOUNTS)) {
+ fputc(' ', stdout);
+ xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
+ fputs("packets, ", stdout);
+ xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
+ fputs("bytes", stdout);
+ }
+ printf(")\n");
+ } else if (refs < 0) {
+ printf(" (ERROR obtaining refs)\n");
+ } else {
+ printf(" (%d references)\n", refs);
+ }
+
+ if (format & FMT_LINENUMBERS)
+ printf(FMT("%-4s ", "%s "), "num");
+ if (!(format & FMT_NOCOUNTS)) {
+ if (format & FMT_KILOMEGAGIGA) {
+ printf(FMT("%5s ","%s "), "pkts");
+ printf(FMT("%5s ","%s "), "bytes");
+ } else {
+ printf(FMT("%8s ","%s "), "pkts");
+ printf(FMT("%10s ","%s "), "bytes");
+ }
+ }
+ if (!(format & FMT_NOTARGET))
+ printf(FMT("%-9s ","%s "), "target");
+ fputs(" prot ", stdout);
+ if (format & FMT_OPTIONS)
+ fputs("opt", stdout);
+ if (format & FMT_VIA) {
+ printf(FMT(" %-6s ","%s "), "in");
+ printf(FMT("%-6s ","%s "), "out");
+ }
+ printf(FMT(" %-19s ","%s "), "source");
+ printf(FMT(" %-19s "," %s "), "destination");
+ printf("\n");
+}
+
const char *ipv4_addr_to_string(const struct in_addr *addr,
const struct in_addr *mask,
unsigned int format)
@@ -578,6 +625,42 @@ void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
}
+static const char *mask_to_str(const struct in_addr *mask)
+{
+ uint32_t bits, hmask = ntohl(mask->s_addr);
+ static char mask_str[INET_ADDRSTRLEN];
+ int i;
+
+ if (mask->s_addr == 0xFFFFFFFFU) {
+ sprintf(mask_str, "32");
+ return mask_str;
+ }
+
+ i = 32;
+ bits = 0xFFFFFFFEU;
+ while (--i >= 0 && hmask != bits)
+ bits <<= 1;
+ if (i >= 0)
+ sprintf(mask_str, "%u", i);
+ else
+ inet_ntop(AF_INET, mask, mask_str, sizeof(mask_str));
+
+ return mask_str;
+}
+
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+ const struct in_addr *mask, int invert)
+{
+ char addrbuf[INET_ADDRSTRLEN];
+
+ if (!mask->s_addr && !invert && !addr->s_addr)
+ return;
+
+ printf("%s -%c %s/%s", invert ? " !" : "", letter,
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
+ mask_to_str(mask));
+}
+
static const char *ipv6_addr_to_string(const struct in6_addr *addr,
const struct in6_addr *mask,
unsigned int format)
@@ -612,6 +695,44 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
&fw6->ipv6.dmsk, format));
}
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+ const struct in6_addr *mask, int invert)
+{
+ int l = xtables_ip6mask_to_cidr(mask);
+ char addr_str[INET6_ADDRSTRLEN];
+
+ if (!invert && l == 0)
+ return;
+
+ printf("%s -%c %s",
+ invert ? " !" : "", letter,
+ inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+ if (l == -1)
+ printf("/%s", inet_ntop(AF_INET6, mask,
+ addr_str, sizeof(addr_str)));
+ else
+ printf("/%d", l);
+}
+
+void print_fragment(unsigned int flags, unsigned int invflags,
+ unsigned int format, bool fake)
+{
+ if (!(format & FMT_OPTIONS))
+ return;
+
+ if (format & FMT_NOTABLE)
+ fputs("opt ", stdout);
+
+ if (fake) {
+ fputs(" ", stdout);
+ } else {
+ fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
+ fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
+ }
+ fputc(' ', stdout);
+}
+
/* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT
* have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT
* so this function serves for both iptables and ip6tables */
@@ -637,6 +758,31 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
printf(FMT("%-6s ", "out %s "), iface);
}
+/* This assumes that mask is contiguous, and byte-bounded. */
+void save_iface(char letter, const char *iface,
+ const unsigned char *mask, int invert)
+{
+ unsigned int i;
+
+ if (mask[0] == 0)
+ return;
+
+ printf("%s -%c ", invert ? " !" : "", letter);
+
+ for (i = 0; i < IFNAMSIZ; i++) {
+ if (mask[i] != 0) {
+ if (iface[i] != '\0')
+ printf("%c", iface[i]);
+ } else {
+ /* we can access iface[i-1] here, because
+ * a few lines above we make sure that mask[0] != 0 */
+ if (iface[i-1] != '\0')
+ printf("+");
+ break;
+ }
+ }
+}
+
void command_match(struct iptables_command_state *cs, bool invert)
{
struct option *opts = xt_params->opts;
@@ -892,3 +1038,84 @@ set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
*invflg |= inverse_for_options[i];
}
}
+
+void parse_chain(const char *chainname)
+{
+ const char *ptr;
+
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name `%s' too long (must be under %u chars)",
+ chainname, XT_EXTENSION_MAXNAMELEN);
+
+ if (*chainname == '-' || *chainname == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name not allowed to start with `%c'\n",
+ *chainname);
+
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name may not clash with target name\n");
+
+ for (ptr = chainname; *ptr; ptr++)
+ if (isspace(*ptr))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s'", chainname);
+}
+
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+ const char *targname, uint8_t proto, uint8_t flags,
+ uint8_t invflags, unsigned int format)
+{
+ const char *pname = proto_to_name(proto, format&FMT_NUMERIC);
+
+ if (format & FMT_LINENUMBERS)
+ printf(FMT("%-4u ", "%u "), linenum);
+
+ if (!(format & FMT_NOCOUNTS)) {
+ xtables_print_num(ctrs->pcnt, format);
+ xtables_print_num(ctrs->bcnt, format);
+ }
+
+ if (!(format & FMT_NOTARGET))
+ printf(FMT("%-9s ", "%s "), targname ? targname : "");
+
+ fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
+
+ if (pname)
+ printf(FMT("%-5s", "%s "), pname);
+ else
+ printf(FMT("%-5hu", "%hu "), proto);
+}
+
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+ const char *outiface, unsigned const char *outiface_mask,
+ uint16_t proto, int frag, uint8_t invflags)
+{
+ if (iniface != NULL) {
+ save_iface('i', iniface, iniface_mask,
+ invflags & IPT_INV_VIA_IN);
+ }
+ if (outiface != NULL) {
+ save_iface('o', outiface, outiface_mask,
+ invflags & IPT_INV_VIA_OUT);
+ }
+
+ if (proto > 0) {
+ const char *pname = proto_to_name(proto, 0);
+
+ if (invflags & XT_INV_PROTO)
+ printf(" !");
+
+ if (pname)
+ printf(" -p %s", pname);
+ else
+ printf(" -p %u", proto);
+ }
+
+ if (frag) {
+ if (invflags & IPT_INV_FRAG)
+ printf(" !");
+ printf(" -f");
+ }
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 823894f9..060c62ef 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -68,6 +68,8 @@ struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
+
/* define invflags which won't collide with IPT ones */
#define IPT_INV_SRCDEVADDR 0x0080
#define IPT_INV_TGTDEVADDR 0x0100
@@ -162,10 +164,8 @@ enum {
extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
-extern const char *proto_to_name(uint16_t, int);
extern int command_default(struct iptables_command_state *,
struct xtables_globals *, bool invert);
-extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
@@ -219,11 +219,23 @@ void debug_print_argv(struct argv_store *store);
const char *ipv4_addr_to_string(const struct in_addr *addr,
const struct in_addr *mask,
unsigned int format);
+void print_header(unsigned int format, const char *chain, const char *pol,
+ const struct xt_counters *counters,
+ int refs, uint32_t entries);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+ const struct in_addr *mask, int invert);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+ const struct in6_addr *mask, int invert);
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
unsigned int format);
+void save_iface(char letter, const char *iface,
+ const unsigned char *mask, int invert);
+
+void print_fragment(unsigned int flags, unsigned int invflags,
+ unsigned int format, bool fake);
void command_match(struct iptables_command_state *cs, bool invert);
const char *xt_parse_target(const char *targetname);
@@ -233,8 +245,16 @@ char cmd2char(int option);
void add_command(unsigned int *cmd, const int newcmd,
const int othercmds, int invert);
int parse_rulenumber(const char *rule);
+void parse_chain(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+ const char *targname, uint8_t proto, uint8_t flags,
+ uint8_t invflags, unsigned int format);
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+ const char *outiface, unsigned const char *outiface_mask,
+ uint16_t proto, int frag, uint8_t invflags);
+
#endif /* IPTABLES_XSHARED_H */
diff --git a/iptables/xtables-arp-standalone.c b/iptables/xtables-arp-standalone.c
deleted file mode 100644
index 04cf7dcc..00000000
--- a/iptables/xtables-arp-standalone.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
- *
- * Based on the ipchains code by Paul Russell and Michael Neuling
- *
- * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
- * Paul 'Rusty' Russell <rusty@rustcorp.com.au>
- * Marc Boucher <marc+nf@mbsi.ca>
- * James Morris <jmorris@intercode.com.au>
- * Harald Welte <laforge@gnumonks.org>
- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * arptables -- IP firewall administration for kernels with
- * firewall table (aimed for the 2.3 kernels)
- *
- * See the accompanying manual page arptables(8) for information
- * about proper usage of this program.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <xtables.h>
-#include "nft.h"
-#include <linux/netfilter_arp/arp_tables.h>
-
-#include "xtables-multi.h"
-
-extern struct xtables_globals arptables_globals;
-
-int xtables_arp_main(int argc, char *argv[])
-{
- int ret;
- char *table = "filter";
- struct nft_handle h;
-
- nft_init_arp(&h, "arptables");
-
- ret = do_commandarp(&h, argc, argv, &table, false);
- if (ret)
- ret = nft_commit(&h);
-
- nft_fini(&h);
- xtables_fini();
-
- if (!ret)
- fprintf(stderr, "arptables: %s\n", nft_strerror(errno));
-
- exit(!ret);
-}
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 9a079f06..cca19438 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -30,35 +30,23 @@
#include "config.h"
#include <getopt.h>
#include <string.h>
-#include <netdb.h>
-#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
-#include <inttypes.h>
-#include <dlfcn.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <limits.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/wait.h>
-#include <net/if.h>
-#include <netinet/ether.h>
-#include <iptables.h>
#include <xtables.h>
#include "xshared.h"
#include "nft.h"
#include "nft-arp.h"
-#include <linux/netfilter_arp/arp_tables.h>
static struct option original_opts[] = {
{ "append", 1, 0, 'A' },
{ "delete", 1, 0, 'D' },
+ { "check", 1, 0, 'C'},
{ "insert", 1, 0, 'I' },
{ "replace", 1, 0, 'R' },
{ "list", 2, 0, 'L' },
+ { "list-rules", 2, 0, 'S'},
{ "flush", 2, 0, 'F' },
{ "zero", 2, 0, 'Z' },
{ "new-chain", 1, 0, 'N' },
@@ -97,82 +85,30 @@ static struct option original_opts[] = {
#define opts xt_params->opts
extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
+static void printhelp(const struct xtables_rule_match *m);
struct xtables_globals arptables_globals = {
.option_offset = 0,
.program_version = PACKAGE_VERSION,
+ .optstring = OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */,
.orig_opts = original_opts,
.exit_err = xtables_exit_error,
.compat_rev = nft_compatible_revision,
+ .print_help = printhelp,
};
-/***********************************************/
-/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */
-/***********************************************/
-
-static int getlength_and_mask(char *from, uint8_t *to, uint8_t *mask)
-{
- char *p, *buffer;
- int i;
-
- if ( (p = strrchr(from, '/')) != NULL) {
- *p = '\0';
- i = strtol(p+1, &buffer, 10);
- if (*buffer != '\0' || i < 0 || i > 255)
- return -1;
- *mask = (uint8_t)i;
- } else
- *mask = 255;
- i = strtol(from, &buffer, 10);
- if (*buffer != '\0' || i < 0 || i > 255)
- return -1;
- *to = (uint8_t)i;
- return 0;
-}
-
-static int get16_and_mask(char *from, uint16_t *to, uint16_t *mask, int base)
-{
- char *p, *buffer;
- int i;
-
- if ( (p = strrchr(from, '/')) != NULL) {
- *p = '\0';
- i = strtol(p+1, &buffer, base);
- if (*buffer != '\0' || i < 0 || i > 65535)
- return -1;
- *mask = htons((uint16_t)i);
- } else
- *mask = 65535;
- i = strtol(from, &buffer, base);
- if (*buffer != '\0' || i < 0 || i > 65535)
- return -1;
- *to = htons((uint16_t)i);
- return 0;
-}
-
-/*********************************************/
-/* ARPTABLES SPECIFIC NEW FUNCTIONS END HERE */
-/*********************************************/
-
-static void
-exit_tryhelp(int status)
-{
- fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
- arptables_globals.program_name,
- arptables_globals.program_version);
- exit(status);
-}
-
static void
-printhelp(void)
+printhelp(const struct xtables_rule_match *m)
{
struct xtables_target *t = NULL;
int i;
printf("%s v%s\n\n"
-"Usage: %s -[AD] chain rule-specification [options]\n"
-" %s -[RI] chain rulenum rule-specification [options]\n"
+"Usage: %s -[ACD] chain rule-specification [options]\n"
+" %s -I chain [rulenum] rule-specification [options]\n"
+" %s -R chain rulenum rule-specification [options]\n"
" %s -D chain rulenum [options]\n"
-" %s -[LFZ] [chain] [options]\n"
+" %s -[LS] [chain [rulenum]] [options]\n"
+" %s -[FZ] [chain] [options]\n"
" %s -[NX] chain\n"
" %s -E old-chain-name new-chain-name\n"
" %s -P chain target [options]\n"
@@ -186,11 +122,14 @@ printhelp(void)
arptables_globals.program_name,
arptables_globals.program_name,
arptables_globals.program_name,
+ arptables_globals.program_name,
+ arptables_globals.program_name,
arptables_globals.program_name);
printf(
"Commands:\n"
"Either long or short options are allowed.\n"
" --append -A chain Append to chain\n"
+" --check -C chain Check for the existence of a rule\n"
" --delete -D chain Delete matching rule from chain\n"
" --delete -D chain rulenum\n"
" Delete rule rulenum (1 = first) from chain\n"
@@ -198,9 +137,13 @@ printhelp(void)
" Insert in chain as rulenum (default 1=first)\n"
" --replace -R chain rulenum\n"
" Replace rule rulenum (1 = first) in chain\n"
-" --list -L [chain] List the rules in a chain or all chains\n"
+" --list -L [chain [rulenum]]\n"
+" List the rules in a chain or all chains\n"
+" --list-rules -S [chain [rulenum]]\n"
+" Print the rules in a chain or all chains\n"
" --flush -F [chain] Delete all rules in chain or all chains\n"
-" --zero -Z [chain] Zero counters in chain or all chains\n"
+" --zero -Z [chain [rulenum]]\n"
+" Zero counters in chain or all chains\n"
" --new -N chain Create a new user-defined chain\n"
" --delete-chain\n"
" -X [chain] Delete a user-defined chain\n"
@@ -255,134 +198,6 @@ printhelp(void)
}
}
-static int
-check_inverse(const char option[], int *invert, int *optidx, int argc)
-{
- if (option && strcmp(option, "!") == 0) {
- if (*invert)
- xtables_error(PARAMETER_PROBLEM,
- "Multiple `!' flags not allowed");
- *invert = true;
- if (optidx) {
- *optidx = *optidx+1;
- if (argc && *optidx > argc)
- xtables_error(PARAMETER_PROBLEM,
- "no argument following `!'");
- }
-
- return true;
- }
- return false;
-}
-
-static int
-list_entries(struct nft_handle *h, const char *chain, const char *table,
- int rulenum, int verbose, int numeric, int expanded,
- int linenumbers)
-{
- unsigned int format;
-
- format = FMT_OPTIONS;
- if (!verbose)
- format |= FMT_NOCOUNTS;
- else
- format |= FMT_VIA;
-
- if (numeric)
- format |= FMT_NUMERIC;
-
- if (!expanded)
- format |= FMT_KILOMEGAGIGA;
-
- if (linenumbers)
- format |= FMT_LINENUMBERS;
-
- return nft_cmd_rule_list(h, chain, table, rulenum, format);
-}
-
-static int
-append_entry(struct nft_handle *h,
- const char *chain,
- const char *table,
- struct iptables_command_state *cs,
- int rulenum,
- unsigned int nsaddrs,
- const struct in_addr saddrs[],
- const struct in_addr smasks[],
- unsigned int ndaddrs,
- const struct in_addr daddrs[],
- const struct in_addr dmasks[],
- bool verbose, bool append)
-{
- unsigned int i, j;
- int ret = 1;
-
- for (i = 0; i < nsaddrs; i++) {
- cs->arp.arp.src.s_addr = saddrs[i].s_addr;
- cs->arp.arp.smsk.s_addr = smasks[i].s_addr;
- for (j = 0; j < ndaddrs; j++) {
- cs->arp.arp.tgt.s_addr = daddrs[j].s_addr;
- cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr;
- if (append) {
- ret = nft_cmd_rule_append(h, chain, table, cs, NULL,
- verbose);
- } else {
- ret = nft_cmd_rule_insert(h, chain, table, cs,
- rulenum, verbose);
- }
- }
- }
-
- return ret;
-}
-
-static int
-replace_entry(const char *chain,
- const char *table,
- struct iptables_command_state *cs,
- unsigned int rulenum,
- const struct in_addr *saddr,
- const struct in_addr *smask,
- const struct in_addr *daddr,
- const struct in_addr *dmask,
- bool verbose, struct nft_handle *h)
-{
- cs->arp.arp.src.s_addr = saddr->s_addr;
- cs->arp.arp.tgt.s_addr = daddr->s_addr;
- cs->arp.arp.smsk.s_addr = smask->s_addr;
- cs->arp.arp.tmsk.s_addr = dmask->s_addr;
-
- return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose);
-}
-
-static int
-delete_entry(const char *chain,
- const char *table,
- struct iptables_command_state *cs,
- unsigned int nsaddrs,
- const struct in_addr saddrs[],
- const struct in_addr smasks[],
- unsigned int ndaddrs,
- const struct in_addr daddrs[],
- const struct in_addr dmasks[],
- bool verbose, struct nft_handle *h)
-{
- unsigned int i, j;
- int ret = 1;
-
- for (i = 0; i < nsaddrs; i++) {
- cs->arp.arp.src.s_addr = saddrs[i].s_addr;
- cs->arp.arp.smsk.s_addr = smasks[i].s_addr;
- for (j = 0; j < ndaddrs; j++) {
- cs->arp.arp.tgt.s_addr = daddrs[j].s_addr;
- cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr;
- ret = nft_cmd_rule_delete(h, chain, table, cs, verbose);
- }
- }
-
- return ret;
-}
-
int nft_init_arp(struct nft_handle *h, const char *pname)
{
arptables_globals.program_name = pname;
@@ -397,531 +212,9 @@ int nft_init_arp(struct nft_handle *h, const char *pname)
init_extensionsa();
#endif
- if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0)
+ if (nft_init(h, NFPROTO_ARP) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
return 0;
}
-
-int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
- bool restore)
-{
- struct iptables_command_state cs = {
- .jumpto = "",
- .arp.arp = {
- .arhln = 6,
- .arhln_mask = 255,
- .arhrd = htons(ARPHRD_ETHER),
- .arhrd_mask = 65535,
- },
- };
- int invert = 0;
- unsigned int nsaddrs = 0, ndaddrs = 0;
- struct in_addr *saddrs = NULL, *smasks = NULL;
- struct in_addr *daddrs = NULL, *dmasks = NULL;
-
- int c, verbose = 0;
- const char *chain = NULL;
- const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
- const char *policy = NULL, *newname = NULL;
- unsigned int rulenum = 0, options = 0, command = 0;
- const char *pcnt = NULL, *bcnt = NULL;
- int ret = 1;
- struct xtables_target *t;
-
- /* re-set optind to 0 in case do_command gets called
- * a second time */
- optind = 0;
-
- for (t = xtables_targets; t; t = t->next) {
- t->tflags = 0;
- t->used = 0;
- }
-
- /* Suppress error messages: we may add new options if we
- demand-load a protocol. */
- opterr = 0;
-
- opts = xt_params->orig_opts;
- while ((c = getopt_long(argc, argv,
- "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:l:i:vnt:m:c:",
- opts, NULL)) != -1) {
- switch (c) {
- /*
- * Command selection
- */
- case 'A':
- add_command(&command, CMD_APPEND, CMD_NONE,
- invert);
- chain = optarg;
- break;
-
- case 'D':
- add_command(&command, CMD_DELETE, CMD_NONE,
- invert);
- chain = optarg;
- if (xs_has_arg(argc, argv)) {
- rulenum = parse_rulenumber(argv[optind++]);
- command = CMD_DELETE_NUM;
- }
- break;
-
- case 'R':
- add_command(&command, CMD_REPLACE, CMD_NONE,
- invert);
- chain = optarg;
- if (xs_has_arg(argc, argv))
- rulenum = parse_rulenumber(argv[optind++]);
- else
- xtables_error(PARAMETER_PROBLEM,
- "-%c requires a rule number",
- cmd2char(CMD_REPLACE));
- break;
-
- case 'I':
- add_command(&command, CMD_INSERT, CMD_NONE,
- invert);
- chain = optarg;
- if (xs_has_arg(argc, argv))
- rulenum = parse_rulenumber(argv[optind++]);
- else rulenum = 1;
- break;
-
- case 'L':
- add_command(&command, CMD_LIST, CMD_ZERO,
- invert);
- if (optarg) chain = optarg;
- else if (xs_has_arg(argc, argv))
- chain = argv[optind++];
- break;
-
- case 'F':
- add_command(&command, CMD_FLUSH, CMD_NONE,
- invert);
- if (optarg) chain = optarg;
- else if (xs_has_arg(argc, argv))
- chain = argv[optind++];
- break;
-
- case 'Z':
- add_command(&command, CMD_ZERO, CMD_LIST,
- invert);
- if (optarg) chain = optarg;
- else if (xs_has_arg(argc, argv))
- chain = argv[optind++];
- break;
-
- case 'N':
- if (optarg && *optarg == '-')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `-'\n");
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
- add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
- invert);
- chain = optarg;
- break;
-
- case 'X':
- add_command(&command, CMD_DELETE_CHAIN, CMD_NONE,
- invert);
- if (optarg) chain = optarg;
- else if (xs_has_arg(argc, argv))
- chain = argv[optind++];
- break;
-
- case 'E':
- add_command(&command, CMD_RENAME_CHAIN, CMD_NONE,
- invert);
- chain = optarg;
- if (xs_has_arg(argc, argv))
- newname = argv[optind++];
- else
- xtables_error(PARAMETER_PROBLEM,
- "-%c requires old-chain-name and "
- "new-chain-name",
- cmd2char(CMD_RENAME_CHAIN));
- break;
-
- case 'P':
- add_command(&command, CMD_SET_POLICY, CMD_NONE,
- invert);
- chain = optarg;
- if (xs_has_arg(argc, argv))
- policy = argv[optind++];
- else
- xtables_error(PARAMETER_PROBLEM,
- "-%c requires a chain and a policy",
- cmd2char(CMD_SET_POLICY));
- break;
-
- case 'h':
- if (!optarg)
- optarg = argv[optind];
-
- printhelp();
- command = CMD_NONE;
- break;
- case 's':
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_SOURCE, &cs.arp.arp.invflags,
- invert);
- shostnetworkmask = argv[optind-1];
- break;
-
- case 'd':
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_DESTINATION, &cs.arp.arp.invflags,
- invert);
- dhostnetworkmask = argv[optind-1];
- break;
-
- case 2:/* src-mac */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_S_MAC, &cs.arp.arp.invflags,
- invert);
- if (xtables_parse_mac_and_mask(argv[optind - 1],
- cs.arp.arp.src_devaddr.addr, cs.arp.arp.src_devaddr.mask))
- xtables_error(PARAMETER_PROBLEM, "Problem with specified "
- "source mac");
- break;
-
- case 3:/* dst-mac */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_D_MAC, &cs.arp.arp.invflags,
- invert);
-
- if (xtables_parse_mac_and_mask(argv[optind - 1],
- cs.arp.arp.tgt_devaddr.addr, cs.arp.arp.tgt_devaddr.mask))
- xtables_error(PARAMETER_PROBLEM, "Problem with specified "
- "destination mac");
- break;
-
- case 'l':/* hardware length */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_H_LENGTH, &cs.arp.arp.invflags,
- invert);
- getlength_and_mask(argv[optind - 1], &cs.arp.arp.arhln,
- &cs.arp.arp.arhln_mask);
-
- if (cs.arp.arp.arhln != 6) {
- xtables_error(PARAMETER_PROBLEM,
- "Only harware address length of"
- " 6 is supported currently.");
- }
-
- break;
-
- case 8: /* was never supported, not even in arptables-legacy */
- xtables_error(PARAMETER_PROBLEM, "not supported");
- case 4:/* opcode */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_OPCODE, &cs.arp.arp.invflags,
- invert);
- if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpop,
- &cs.arp.arp.arpop_mask, 10)) {
- int i;
-
- for (i = 0; i < NUMOPCODES; i++)
- if (!strcasecmp(arp_opcodes[i], optarg))
- break;
- if (i == NUMOPCODES)
- xtables_error(PARAMETER_PROBLEM, "Problem with specified opcode");
- cs.arp.arp.arpop = htons(i+1);
- }
- break;
-
- case 5:/* h-type */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_H_TYPE, &cs.arp.arp.invflags,
- invert);
- if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arhrd,
- &cs.arp.arp.arhrd_mask, 16)) {
- if (strcasecmp(argv[optind-1], "Ethernet"))
- xtables_error(PARAMETER_PROBLEM, "Problem with specified hardware type");
- cs.arp.arp.arhrd = htons(1);
- }
- break;
-
- case 6:/* proto-type */
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_P_TYPE, &cs.arp.arp.invflags,
- invert);
- if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpro,
- &cs.arp.arp.arpro_mask, 0)) {
- if (strcasecmp(argv[optind-1], "ipv4"))
- xtables_error(PARAMETER_PROBLEM, "Problem with specified protocol type");
- cs.arp.arp.arpro = htons(0x800);
- }
- break;
-
- case 'j':
- set_option(&options, OPT_JUMP, &cs.arp.arp.invflags,
- invert);
- command_jump(&cs, optarg);
- break;
-
- case 'i':
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_VIANAMEIN, &cs.arp.arp.invflags,
- invert);
- xtables_parse_interface(argv[optind-1],
- cs.arp.arp.iniface,
- cs.arp.arp.iniface_mask);
- break;
-
- case 'o':
- check_inverse(optarg, &invert, &optind, argc);
- set_option(&options, OPT_VIANAMEOUT, &cs.arp.arp.invflags,
- invert);
- xtables_parse_interface(argv[optind-1],
- cs.arp.arp.outiface,
- cs.arp.arp.outiface_mask);
- break;
-
- case 'v':
- if (!verbose)
- set_option(&options, OPT_VERBOSE,
- &cs.arp.arp.invflags, invert);
- verbose++;
- break;
-
- case 'm': /* ignored by arptables-legacy */
- break;
- case 'n':
- set_option(&options, OPT_NUMERIC, &cs.arp.arp.invflags,
- invert);
- break;
-
- case 't':
- if (invert)
- xtables_error(PARAMETER_PROBLEM,
- "unexpected ! flag before --table");
- /* ignore this option.
- * arptables-legacy parses it, but libarptc doesn't use it.
- * arptables only has a 'filter' table anyway.
- */
- break;
-
- case 'V':
- if (invert)
- printf("Not %s ;-)\n", arptables_globals.program_version);
- else
- printf("%s v%s (nf_tables)\n",
- arptables_globals.program_name,
- arptables_globals.program_version);
- exit(0);
-
- case '0':
- set_option(&options, OPT_LINENUMBERS, &cs.arp.arp.invflags,
- invert);
- break;
-
- case 'M':
- //modprobe = optarg;
- break;
-
- case 'c':
-
- set_option(&options, OPT_COUNTERS, &cs.arp.arp.invflags,
- invert);
- pcnt = optarg;
- if (xs_has_arg(argc, argv))
- bcnt = argv[optind++];
- else
- xtables_error(PARAMETER_PROBLEM,
- "-%c requires packet and byte counter",
- opt2char(OPT_COUNTERS));
-
- if (sscanf(pcnt, "%llu", &cs.arp.counters.pcnt) != 1)
- xtables_error(PARAMETER_PROBLEM,
- "-%c packet counter not numeric",
- opt2char(OPT_COUNTERS));
-
- if (sscanf(bcnt, "%llu", &cs.arp.counters.bcnt) != 1)
- xtables_error(PARAMETER_PROBLEM,
- "-%c byte counter not numeric",
- opt2char(OPT_COUNTERS));
-
- break;
-
-
- case 1: /* non option */
- if (optarg[0] == '!' && optarg[1] == '\0') {
- if (invert)
- xtables_error(PARAMETER_PROBLEM,
- "multiple consecutive ! not"
- " allowed");
- invert = true;
- optarg[0] = '\0';
- continue;
- }
- printf("Bad argument `%s'\n", optarg);
- exit_tryhelp(2);
-
- default:
- if (cs.target) {
- xtables_option_tpcall(c, argv,
- invert, cs.target, &cs.arp);
- }
- break;
- }
- invert = false;
- }
-
- if (cs.target)
- xtables_option_tfcall(cs.target);
-
- if (optind < argc)
- xtables_error(PARAMETER_PROBLEM,
- "unknown arguments found on commandline");
- if (invert)
- xtables_error(PARAMETER_PROBLEM,
- "nothing appropriate following !");
-
- if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND)) {
- if (!(options & OPT_DESTINATION))
- dhostnetworkmask = "0.0.0.0/0";
- if (!(options & OPT_SOURCE))
- shostnetworkmask = "0.0.0.0/0";
- }
-
- if (shostnetworkmask)
- xtables_ipparse_multiple(shostnetworkmask, &saddrs,
- &smasks, &nsaddrs);
-
- if (dhostnetworkmask)
- xtables_ipparse_multiple(dhostnetworkmask, &daddrs,
- &dmasks, &ndaddrs);
-
- if ((nsaddrs > 1 || ndaddrs > 1) &&
- (cs.arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
- xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple"
- " source or destination IP addresses");
-
- if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1))
- xtables_error(PARAMETER_PROBLEM, "Replacement rule does not "
- "specify a unique address");
-
- if (chain && strlen(chain) > ARPT_FUNCTION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %i chars)",
- chain, ARPT_FUNCTION_MAXNAMELEN);
-
- if (command == CMD_APPEND
- || command == CMD_DELETE
- || command == CMD_INSERT
- || command == CMD_REPLACE) {
- if (strcmp(chain, "PREROUTING") == 0
- || strcmp(chain, "INPUT") == 0) {
- /* -o not valid with incoming packets. */
- if (options & OPT_VIANAMEOUT)
- xtables_error(PARAMETER_PROBLEM,
- "Can't use -%c with %s\n",
- opt2char(OPT_VIANAMEOUT),
- chain);
- }
-
- if (strcmp(chain, "POSTROUTING") == 0
- || strcmp(chain, "OUTPUT") == 0) {
- /* -i not valid with outgoing packets */
- if (options & OPT_VIANAMEIN)
- xtables_error(PARAMETER_PROBLEM,
- "Can't use -%c with %s\n",
- opt2char(OPT_VIANAMEIN),
- chain);
- }
- }
-
- switch (command) {
- case CMD_APPEND:
- ret = append_entry(h, chain, *table, &cs, 0,
- nsaddrs, saddrs, smasks,
- ndaddrs, daddrs, dmasks,
- options&OPT_VERBOSE, true);
- break;
- case CMD_DELETE:
- ret = delete_entry(chain, *table, &cs,
- nsaddrs, saddrs, smasks,
- ndaddrs, daddrs, dmasks,
- options&OPT_VERBOSE, h);
- break;
- case CMD_DELETE_NUM:
- ret = nft_cmd_rule_delete_num(h, chain, *table, rulenum - 1, verbose);
- break;
- case CMD_REPLACE:
- ret = replace_entry(chain, *table, &cs, rulenum - 1,
- saddrs, smasks, daddrs, dmasks,
- options&OPT_VERBOSE, h);
- break;
- case CMD_INSERT:
- ret = append_entry(h, chain, *table, &cs, rulenum - 1,
- nsaddrs, saddrs, smasks,
- ndaddrs, daddrs, dmasks,
- options&OPT_VERBOSE, false);
- break;
- case CMD_LIST:
- ret = list_entries(h, chain, *table,
- rulenum,
- options&OPT_VERBOSE,
- options&OPT_NUMERIC,
- /*options&OPT_EXPANDED*/0,
- options&OPT_LINENUMBERS);
- break;
- case CMD_FLUSH:
- ret = nft_cmd_rule_flush(h, chain, *table, options & OPT_VERBOSE);
- break;
- case CMD_ZERO:
- ret = nft_cmd_chain_zero_counters(h, chain, *table,
- options & OPT_VERBOSE);
- break;
- case CMD_LIST|CMD_ZERO:
- ret = list_entries(h, chain, *table, rulenum,
- options&OPT_VERBOSE,
- options&OPT_NUMERIC,
- /*options&OPT_EXPANDED*/0,
- options&OPT_LINENUMBERS);
- if (ret)
- ret = nft_cmd_chain_zero_counters(h, chain, *table,
- options & OPT_VERBOSE);
- break;
- case CMD_NEW_CHAIN:
- ret = nft_cmd_chain_user_add(h, chain, *table);
- break;
- case CMD_DELETE_CHAIN:
- ret = nft_cmd_chain_del(h, chain, *table,
- options & OPT_VERBOSE);
- break;
- case CMD_RENAME_CHAIN:
- ret = nft_cmd_chain_user_rename(h, chain, *table, newname);
- break;
- case CMD_SET_POLICY:
- ret = nft_cmd_chain_set(h, *table, chain, policy, NULL);
- if (ret < 0)
- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
- policy);
- break;
- case CMD_NONE:
- break;
- default:
- /* We should never reach this... */
- exit_tryhelp(2);
- }
-
- free(saddrs);
- free(smasks);
- free(daddrs);
- free(dmasks);
-
- nft_clear_iptables_command_state(&cs);
- xtables_free_opts(1);
-
-/* if (verbose > 1)
- dump_entries(*handle);*/
-
- return ret;
-}
diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 0539a829..a6c86b65 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -87,7 +87,6 @@ static int parse_rule_number(const char *rule)
/* Default command line options. Do not mess around with the already
* assigned numbers unless you know what you are doing */
extern struct option ebt_original_options[];
-extern struct xtables_globals ebtables_globals;
#define opts ebtables_globals.opts
#define prog_name ebtables_globals.program_name
#define prog_vers ebtables_globals.program_version
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 23023ce1..3f58754d 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -220,6 +220,7 @@ extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ..
struct xtables_globals ebtables_globals = {
.option_offset = 0,
.program_version = PACKAGE_VERSION,
+ .optstring = OPTSTRING_COMMON "h",
.orig_opts = ebt_original_options,
.exit_err = xtables_exit_error,
.compat_rev = nft_compatible_revision,
@@ -672,7 +673,7 @@ int nft_init_eb(struct nft_handle *h, const char *pname)
init_extensionsb();
#endif
- if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0)
+ if (nft_init(h, NFPROTO_BRIDGE) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
@@ -732,8 +733,8 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
opterr = false;
/* Getopt saves the day */
- while ((c = getopt_long(argc, argv,
- "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, xt_params->optstring,
+ opts, NULL)) != -1) {
cs.c = c;
switch (c) {
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 21d4bec0..73dc80c2 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -631,7 +631,7 @@ int xtables_monitor_main(int argc, char *argv[])
init_extensions6();
#endif
- if (nft_init(&h, AF_INET, xtables_ipv4)) {
+ if (nft_init(&h, AF_INET)) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h
index 0fedb430..94c24d5a 100644
--- a/iptables/xtables-multi.h
+++ b/iptables/xtables-multi.h
@@ -22,6 +22,9 @@ extern int xtables_eb_restore_main(int, char **);
extern int xtables_eb_save_main(int, char **);
extern int xtables_config_main(int, char **);
extern int xtables_monitor_main(int, char **);
+
+extern struct xtables_globals arptables_globals;
+extern struct xtables_globals ebtables_globals;
#endif
#endif /* _XTABLES_MULTI_H */
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 72832103..aa8b397f 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -281,7 +281,6 @@ void xtables_restore_parse(struct nft_handle *h,
static int
xtables_restore_main(int family, const char *progname, int argc, char *argv[])
{
- const struct builtin_table *tables;
struct nft_xt_restore_parse p = {
.commit = true,
.cb = &restore_cb,
@@ -360,7 +359,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
switch (family) {
case NFPROTO_IPV4:
case NFPROTO_IPV6: /* fallthough, same table */
- tables = xtables_ipv4;
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
@@ -368,17 +366,14 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
#endif
break;
case NFPROTO_ARP:
- tables = xtables_arp;
- break;
case NFPROTO_BRIDGE:
- tables = xtables_bridge;
break;
default:
fprintf(stderr, "Unknown family %d\n", family);
return 1;
}
- if (nft_init(&h, family, tables) < 0) {
+ if (nft_init(&h, family) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
@@ -456,7 +451,7 @@ int xtables_eb_restore_main(int argc, char *argv[])
static const struct nft_xt_restore_cb arp_restore_cb = {
.commit = nft_commit,
.table_flush = nft_cmd_table_flush,
- .do_command = do_commandarp,
+ .do_command = do_commandx,
.chain_set = nft_cmd_chain_set,
.chain_restore = nft_cmd_chain_restore,
};
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 98cd0ed3..c6ebb0ec 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -78,6 +78,9 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
printf("# Table `%s' is incompatible, use 'nft' tool.\n",
tablename);
return 0;
+ } else if (nft_is_table_tainted(h, tablename)) {
+ printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n",
+ tablename);
}
now = time(NULL);
@@ -128,7 +131,6 @@ static int
xtables_save_main(int family, int argc, char *argv[],
const char *optstring, const struct option *longopts)
{
- const struct builtin_table *tables;
const char *tablename = NULL;
struct do_output_data d = {
.format = FMT_NOCOUNTS,
@@ -205,11 +207,9 @@ xtables_save_main(int family, int argc, char *argv[],
init_extensions4();
init_extensions6();
#endif
- tables = xtables_ipv4;
d.commit = true;
break;
case NFPROTO_ARP:
- tables = xtables_arp;
break;
case NFPROTO_BRIDGE: {
const char *ctr = getenv("EBTABLES_SAVE_COUNTER");
@@ -220,7 +220,6 @@ xtables_save_main(int family, int argc, char *argv[],
d.format &= ~FMT_NOCOUNTS;
d.format |= FMT_C_COUNTS | FMT_EBT_SAVE;
}
- tables = xtables_bridge;
break;
}
default:
@@ -228,7 +227,7 @@ xtables_save_main(int family, int argc, char *argv[],
return 1;
}
- if (nft_init(&h, family, tables) < 0) {
+ if (nft_init(&h, family) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index 1a6b7cf7..5482a856 100644
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -39,32 +39,51 @@
#include "xtables-multi.h"
#include "nft.h"
+static struct xtables_globals *xtables_globals_lookup(int family)
+{
+ switch (family) {
+ case AF_INET:
+ case AF_INET6:
+ return &xtables_globals;
+ case NFPROTO_ARP:
+ return &arptables_globals;
+ case NFPROTO_BRIDGE:
+ return &ebtables_globals;
+ default:
+ xtables_error(OTHER_PROBLEM, "Unknown family value %d", family);
+ }
+}
+
static int
xtables_main(int family, const char *progname, int argc, char *argv[])
{
- int ret;
char *table = "filter";
struct nft_handle h;
+ int ret;
- xtables_globals.program_name = progname;
- ret = xtables_init_all(&xtables_globals, family);
+ ret = xtables_init_all(xtables_globals_lookup(family), family);
if (ret < 0) {
- fprintf(stderr, "%s/%s Failed to initialize xtables\n",
- xtables_globals.program_name,
- xtables_globals.program_version);
- exit(1);
+ fprintf(stderr, "%s: Failed to initialize xtables\n", progname);
+ exit(1);
}
+ xt_params->program_name = progname;
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
- init_extensions6();
+ switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ init_extensions();
+ init_extensions4();
+ init_extensions6();
+ break;
+ case NFPROTO_ARP:
+ init_extensionsa();
+ break;
+ }
#endif
- if (nft_init(&h, family, xtables_ipv4) < 0) {
- fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
- xtables_globals.program_name,
- xtables_globals.program_version,
- strerror(errno));
+ if (nft_init(&h, family) < 0) {
+ fprintf(stderr, "%s: Failed to initialize nft: %s\n",
+ xt_params->program_name, strerror(errno));
exit(EXIT_FAILURE);
}
@@ -96,3 +115,8 @@ int xtables_ip6_main(int argc, char *argv[])
{
return xtables_main(NFPROTO_IPV6, "ip6tables", argc, argv);
}
+
+int xtables_arp_main(int argc, char *argv[])
+{
+ return xtables_main(NFPROTO_ARP, "arptables", argc, argv);
+}
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 49f44b6f..e2948c50 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -253,11 +253,18 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
.restore = restore,
.xlate = true,
};
- struct iptables_command_state cs;
+ struct iptables_command_state cs = {
+ .jumpto = "",
+ .argv = argv,
+ };
+
struct xtables_args args = {
.family = h->family,
};
+ if (h->ops->init_cs)
+ h->ops->init_cs(&cs);
+
do_parse(h, argc, argv, &p, &cs, &args);
cs.restore = restore;
@@ -354,9 +361,10 @@ static void print_usage(const char *name, const char *version)
{
fprintf(stderr, "%s %s "
"(c) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>\n"
- "Usage: %s [-h] [-f]\n"
+ "Usage: %s [-h] [-f <FILE>] [-V]\n"
" [ --help ]\n"
- " [ --file=<FILE> ]\n", name, version, name);
+ " [ --file=<FILE> ]\n"
+ " [ --version ]\n", name, version, name);
exit(1);
}
@@ -464,7 +472,6 @@ static int xtables_xlate_main_common(struct nft_handle *h,
int family,
const char *progname)
{
- const struct builtin_table *tables;
int ret;
xtables_globals.program_name = progname;
@@ -484,20 +491,16 @@ static int xtables_xlate_main_common(struct nft_handle *h,
init_extensions4();
init_extensions6();
#endif
- tables = xtables_ipv4;
break;
case NFPROTO_ARP:
- tables = xtables_arp;
- break;
case NFPROTO_BRIDGE:
- tables = xtables_bridge;
break;
default:
fprintf(stderr, "Unknown family %d\n", family);
return 1;
}
- if (nft_init(h, family, tables) < 0) {
+ if (nft_init(h, family) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 0a700e08..32b93d2b 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -36,11 +36,13 @@
#include <stdarg.h>
#include <limits.h>
#include <unistd.h>
+#include <netinet/ether.h>
#include <iptables.h>
#include <xtables.h>
#include <fcntl.h>
#include "xshared.h"
#include "nft-shared.h"
+#include "nft-arp.h"
#include "nft.h"
static struct option original_opts[] = {
@@ -85,13 +87,16 @@ static struct option original_opts[] = {
};
void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
+static void printhelp(const struct xtables_rule_match *m);
struct xtables_globals xtables_globals = {
.option_offset = 0,
.program_version = PACKAGE_VERSION,
+ .optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
.orig_opts = original_opts,
.exit_err = xtables_exit_error,
.compat_rev = nft_compatible_revision,
+ .print_help = printhelp,
};
#define opts xt_params->opts
@@ -223,168 +228,6 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
static int
-add_entry(const char *chain,
- const char *table,
- struct iptables_command_state *cs,
- int rulenum, int family,
- const struct addr_mask s,
- const struct addr_mask d,
- bool verbose, struct nft_handle *h, bool append)
-{
- unsigned int i, j;
- int ret = 1;
-
- for (i = 0; i < s.naddrs; i++) {
- if (family == AF_INET) {
- cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
- cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
- for (j = 0; j < d.naddrs; j++) {
- cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
- cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
-
- if (append) {
- ret = nft_cmd_rule_append(h, chain, table,
- cs, NULL,
- verbose);
- } else {
- ret = nft_cmd_rule_insert(h, chain, table,
- cs, rulenum,
- verbose);
- }
- }
- } else if (family == AF_INET6) {
- memcpy(&cs->fw6.ipv6.src,
- &s.addr.v6[i], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.smsk,
- &s.mask.v6[i], sizeof(struct in6_addr));
- for (j = 0; j < d.naddrs; j++) {
- memcpy(&cs->fw6.ipv6.dst,
- &d.addr.v6[j], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.dmsk,
- &d.mask.v6[j], sizeof(struct in6_addr));
- if (append) {
- ret = nft_cmd_rule_append(h, chain, table,
- cs, NULL,
- verbose);
- } else {
- ret = nft_cmd_rule_insert(h, chain, table,
- cs, rulenum,
- verbose);
- }
- }
- }
- }
-
- return ret;
-}
-
-static int
-replace_entry(const char *chain, const char *table,
- struct iptables_command_state *cs,
- unsigned int rulenum,
- int family,
- const struct addr_mask s,
- const struct addr_mask d,
- bool verbose, struct nft_handle *h)
-{
- if (family == AF_INET) {
- cs->fw.ip.src.s_addr = s.addr.v4->s_addr;
- cs->fw.ip.dst.s_addr = d.addr.v4->s_addr;
- cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr;
- cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr;
- } else if (family == AF_INET6) {
- memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr));
- } else
- return 1;
-
- return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose);
-}
-
-static int
-delete_entry(const char *chain, const char *table,
- struct iptables_command_state *cs,
- int family,
- const struct addr_mask s,
- const struct addr_mask d,
- bool verbose,
- struct nft_handle *h)
-{
- unsigned int i, j;
- int ret = 1;
-
- for (i = 0; i < s.naddrs; i++) {
- if (family == AF_INET) {
- cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
- cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
- for (j = 0; j < d.naddrs; j++) {
- cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
- cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
- ret = nft_cmd_rule_delete(h, chain,
- table, cs, verbose);
- }
- } else if (family == AF_INET6) {
- memcpy(&cs->fw6.ipv6.src,
- &s.addr.v6[i], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.smsk,
- &s.mask.v6[i], sizeof(struct in6_addr));
- for (j = 0; j < d.naddrs; j++) {
- memcpy(&cs->fw6.ipv6.dst,
- &d.addr.v6[j], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.dmsk,
- &d.mask.v6[j], sizeof(struct in6_addr));
- ret = nft_cmd_rule_delete(h, chain,
- table, cs, verbose);
- }
- }
- }
-
- return ret;
-}
-
-static int
-check_entry(const char *chain, const char *table,
- struct iptables_command_state *cs,
- int family,
- const struct addr_mask s,
- const struct addr_mask d,
- bool verbose, struct nft_handle *h)
-{
- unsigned int i, j;
- int ret = 1;
-
- for (i = 0; i < s.naddrs; i++) {
- if (family == AF_INET) {
- cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
- cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
- for (j = 0; j < d.naddrs; j++) {
- cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
- cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
- ret = nft_cmd_rule_check(h, chain,
- table, cs, verbose);
- }
- } else if (family == AF_INET6) {
- memcpy(&cs->fw6.ipv6.src,
- &s.addr.v6[i], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.smsk,
- &s.mask.v6[i], sizeof(struct in6_addr));
- for (j = 0; j < d.naddrs; j++) {
- memcpy(&cs->fw6.ipv6.dst,
- &d.addr.v6[j], sizeof(struct in6_addr));
- memcpy(&cs->fw6.ipv6.dmsk,
- &d.mask.v6[j], sizeof(struct in6_addr));
- ret = nft_cmd_rule_check(h, chain,
- table, cs, verbose);
- }
- }
- }
-
- return ret;
-}
-
-static int
list_entries(struct nft_handle *h, const char *chain, const char *table,
int rulenum, int verbose, int numeric, int expanded,
int linenumbers)
@@ -419,6 +262,47 @@ list_rules(struct nft_handle *h, const char *chain, const char *table,
return nft_cmd_rule_list_save(h, chain, table, rulenum, counters);
}
+static void check_empty_interface(struct nft_handle *h, const char *arg)
+{
+ const char *msg = "Empty interface is likely to be undesired";
+
+ if (*arg != '\0')
+ return;
+
+ if (h->family != NFPROTO_ARP)
+ xtables_error(PARAMETER_PROBLEM, msg);
+
+ fprintf(stderr, "%s", msg);
+}
+
+static void check_inverse(struct nft_handle *h, const char option[],
+ bool *invert, int *optidx, int argc)
+{
+ switch (h->family) {
+ case NFPROTO_ARP:
+ break;
+ default:
+ return;
+ }
+
+ if (!option || strcmp(option, "!"))
+ return;
+
+ fprintf(stderr, "Using intrapositioned negation (`--option ! this`) "
+ "is deprecated in favor of extrapositioned (`! --option this`).\n");
+
+ if (*invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "Multiple `!' flags not allowed");
+ *invert = true;
+ if (optidx) {
+ *optidx = *optidx + 1;
+ if (argc && *optidx > argc)
+ xtables_error(PARAMETER_PROBLEM,
+ "no argument following `!'");
+ }
+}
+
void do_parse(struct nft_handle *h, int argc, char *argv[],
struct nft_xt_cmd_parse *p, struct iptables_command_state *cs,
struct xtables_args *args)
@@ -432,10 +316,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
bool invert = false;
int wait = 0;
- memset(cs, 0, sizeof(*cs));
- cs->jumpto = "";
- cs->argv = argv;
-
/* re-set optind to 0 in case do_command4 gets called
* a second time */
optind = 0;
@@ -455,8 +335,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
opterr = 0;
opts = xt_params->orig_opts;
- while ((cs->c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
+ while ((cs->c = getopt_long(argc, argv, xt_params->optstring,
opts, NULL)) != -1) {
switch (cs->c) {
/*
@@ -545,14 +424,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case 'N':
- if (optarg && (*optarg == '-' || *optarg == '!'))
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *optarg);
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
+ parse_chain(optarg);
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
invert);
p->chain = optarg;
@@ -601,7 +473,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
xtables_find_match(cs->protocol,
XTF_TRY_LOAD, &cs->matches);
- printhelp(cs->matches);
+ xt_params->print_help(cs->matches);
p->command = CMD_NONE;
return;
@@ -609,14 +481,16 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
* Option selection
*/
case 'p':
+ check_inverse(h, optarg, &invert, &optind, argc);
set_option(&cs->options, OPT_PROTOCOL,
&args->invflags, invert);
/* Canonicalize into lower case */
- for (cs->protocol = optarg; *cs->protocol; cs->protocol++)
+ for (cs->protocol = argv[optind - 1];
+ *cs->protocol; cs->protocol++)
*cs->protocol = tolower(*cs->protocol);
- cs->protocol = optarg;
+ cs->protocol = argv[optind - 1];
args->proto = xtables_parse_protocol(cs->protocol);
if (args->proto == 0 &&
@@ -625,19 +499,22 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
"rule would never match protocol");
/* This needs to happen here to parse extensions */
- h->ops->proto_parse(cs, args);
+ if (h->ops->proto_parse)
+ h->ops->proto_parse(cs, args);
break;
case 's':
+ check_inverse(h, optarg, &invert, &optind, argc);
set_option(&cs->options, OPT_SOURCE,
&args->invflags, invert);
- args->shostnetworkmask = optarg;
+ args->shostnetworkmask = argv[optind - 1];
break;
case 'd':
+ check_inverse(h, optarg, &invert, &optind, argc);
set_option(&cs->options, OPT_DESTINATION,
&args->invflags, invert);
- args->dhostnetworkmask = optarg;
+ args->dhostnetworkmask = argv[optind - 1];
break;
#ifdef IPT_F_GOTO
@@ -649,33 +526,72 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
#endif
+ case 2:/* src-mac */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_S_MAC, &args->invflags,
+ invert);
+ args->src_mac = argv[optind - 1];
+ break;
+
+ case 3:/* dst-mac */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_D_MAC, &args->invflags,
+ invert);
+ args->dst_mac = argv[optind - 1];
+ break;
+
+ case 'l':/* hardware length */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_H_LENGTH, &args->invflags,
+ invert);
+ args->arp_hlen = argv[optind - 1];
+ break;
+
+ case 8: /* was never supported, not even in arptables-legacy */
+ xtables_error(PARAMETER_PROBLEM, "not supported");
+ case 4:/* opcode */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_OPCODE, &args->invflags,
+ invert);
+ args->arp_opcode = argv[optind - 1];
+ break;
+
+ case 5:/* h-type */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_H_TYPE, &args->invflags,
+ invert);
+ args->arp_htype = argv[optind - 1];
+ break;
+
+ case 6:/* proto-type */
+ check_inverse(h, optarg, &invert, &optind, argc);
+ set_option(&cs->options, OPT_P_TYPE, &args->invflags,
+ invert);
+ args->arp_ptype = argv[optind - 1];
+ break;
+
case 'j':
set_option(&cs->options, OPT_JUMP, &args->invflags,
invert);
- command_jump(cs, optarg);
+ command_jump(cs, argv[optind - 1]);
break;
-
case 'i':
- if (*optarg == '\0')
- xtables_error(PARAMETER_PROBLEM,
- "Empty interface is likely to be "
- "undesired");
+ check_empty_interface(h, optarg);
+ check_inverse(h, optarg, &invert, &optind, argc);
set_option(&cs->options, OPT_VIANAMEIN,
&args->invflags, invert);
- xtables_parse_interface(optarg,
+ xtables_parse_interface(argv[optind - 1],
args->iniface,
args->iniface_mask);
break;
case 'o':
- if (*optarg == '\0')
- xtables_error(PARAMETER_PROBLEM,
- "Empty interface is likely to be "
- "undesired");
+ check_empty_interface(h, optarg);
+ check_inverse(h, optarg, &invert, &optind, argc);
set_option(&cs->options, OPT_VIANAMEOUT,
&args->invflags, invert);
- xtables_parse_interface(optarg,
+ xtables_parse_interface(argv[optind - 1],
args->outiface,
args->outiface_mask);
break;
@@ -823,7 +739,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
exit_tryhelp(2);
default:
- if (command_default(cs, &xtables_globals, invert))
+ if (command_default(cs, xt_params, invert))
/* cf. ip6tables.c */
continue;
break;
@@ -912,42 +828,46 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
.table = *table,
.restore = restore,
};
- struct iptables_command_state cs;
+ struct iptables_command_state cs = {
+ .jumpto = "",
+ .argv = argv,
+ };
struct xtables_args args = {
.family = h->family,
};
+ if (h->ops->init_cs)
+ h->ops->init_cs(&cs);
+
do_parse(h, argc, argv, &p, &cs, &args);
switch (p.command) {
case CMD_APPEND:
- ret = add_entry(p.chain, p.table, &cs, 0, h->family,
- args.s, args.d,
- cs.options & OPT_VERBOSE, h, true);
+ ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args,
+ cs.options & OPT_VERBOSE, true,
+ p.rulenum - 1);
break;
case CMD_DELETE:
- ret = delete_entry(p.chain, p.table, &cs, h->family,
- args.s, args.d,
- cs.options & OPT_VERBOSE, h);
+ ret = h->ops->delete_entry(h, p.chain, p.table, &cs, &args,
+ cs.options & OPT_VERBOSE);
break;
case CMD_DELETE_NUM:
ret = nft_cmd_rule_delete_num(h, p.chain, p.table,
p.rulenum - 1, p.verbose);
break;
case CMD_CHECK:
- ret = check_entry(p.chain, p.table, &cs, h->family,
- args.s, args.d,
- cs.options & OPT_VERBOSE, h);
+ ret = h->ops->check_entry(h, p.chain, p.table, &cs, &args,
+ cs.options & OPT_VERBOSE);
break;
case CMD_REPLACE:
- ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1,
- h->family, args.s, args.d,
- cs.options & OPT_VERBOSE, h);
+ ret = h->ops->replace_entry(h, p.chain, p.table, &cs, &args,
+ cs.options & OPT_VERBOSE,
+ p.rulenum - 1);
break;
case CMD_INSERT:
- ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1,
- h->family, args.s, args.d,
- cs.options&OPT_VERBOSE, h, false);
+ ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args,
+ cs.options & OPT_VERBOSE, false,
+ p.rulenum - 1);
break;
case CMD_FLUSH:
ret = nft_cmd_rule_flush(h, p.chain, p.table,
@@ -1019,17 +939,10 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
nft_clear_iptables_command_state(&cs);
- if (h->family == AF_INET) {
- free(args.s.addr.v4);
- free(args.s.mask.v4);
- free(args.d.addr.v4);
- free(args.d.mask.v4);
- } else if (h->family == AF_INET6) {
- free(args.s.addr.v6);
- free(args.s.mask.v6);
- free(args.d.addr.v6);
- free(args.d.mask.v6);
- }
+ free(args.s.addr.ptr);
+ free(args.s.mask.ptr);
+ free(args.d.addr.ptr);
+ free(args.d.mask.ptr);
xtables_free_opts(1);
return ret;
diff --git a/xlate-test.py b/xlate-test.py
index 4a56e798..d78e8648 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -80,15 +80,15 @@ def run_test(name, payload):
def load_test_files():
test_files = total_tests = total_passed = total_error = total_failed = 0
- for test in sorted(os.listdir("extensions")):
- if test.endswith(".txlate"):
- with open("extensions/" + test, "r") as payload:
- tests, passed, failed, errors = run_test(test, payload)
- test_files += 1
- total_tests += tests
- total_passed += passed
- total_failed += failed
- total_error += errors
+ tests = sorted(os.listdir("extensions"))
+ for test in ['extensions/' + f for f in tests if f.endswith(".txlate")]:
+ with open(test, "r") as payload:
+ tests, passed, failed, errors = run_test(test, payload)
+ test_files += 1
+ total_tests += tests
+ total_passed += passed
+ total_failed += failed
+ total_error += errors
return (test_files, total_tests, total_passed, total_failed, total_error)