diff options
43 files changed, 374 insertions, 182 deletions
@@ -1,4 +1,8 @@ *.a +*.gcda +*.gcno +*.gcno.gcov.json.gz +*.gcov *.la *.lo *.so diff --git a/configure.ac b/configure.ac index 071afaf1..ea5d2d49 100644 --- a/configure.ac +++ b/configure.ac @@ -71,6 +71,9 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], [Path to the xtables lock [[/run/xtables.lock]]]), [xt_lock_name="$withval"], [xt_lock_name="/run/xtables.lock"]) +AC_ARG_ENABLE([profiling], + AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]), + [enable_profiling="$enableval"], [enable_profiling="no"]) AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined]) saved_LDFLAGS="$LDFLAGS"; @@ -188,6 +191,11 @@ if [[ -n "$ksourcedir" ]]; then fi; pkgdatadir='${datadir}/xtables'; +if test "x$enable_profiling" = "xyes"; then + regular_CFLAGS+=" -fprofile-arcs -ftest-coverage" + regular_LDFLAGS+=" -lgcov --coverage" +fi + define([EXPAND_VARIABLE], [$2=[$]$1 if test $prefix = 'NONE'; then @@ -205,6 +213,7 @@ eval "$2=[$]$2" AC_SUBST([regular_CFLAGS]) AC_SUBST([regular_CPPFLAGS]) AC_SUBST([noundef_LDFLAGS]) +AC_SUBST([regular_LDFLAGS]) AC_SUBST([kinclude_CPPFLAGS]) AC_SUBST([kbuilddir]) AC_SUBST([ksourcedir]) @@ -250,6 +259,7 @@ Iptables Configuration: nfsynproxy util support: ${enable_nfsynproxy} nftables support: ${enable_nftables} connlabel support: ${enable_connlabel} + profiling support: ${enable_profiling} Build parameters: Put plugins into executable (static): ${enable_static} diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 6dad4e02..3c68f8de 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -24,7 +24,7 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ @libnftnl_CFLAGS@ AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@ -AM_LDFLAGS = @noundef_LDFLAGS@ +AM_LDFLAGS = @noundef_LDFLAGS@ @regular_LDFLAGS@ ifeq (${V},) AM_LIBTOOL_SILENT = --silent diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t index c6c31727..97cb3baa 100644 --- a/extensions/libebt_standard.t +++ b/extensions/libebt_standard.t @@ -12,12 +12,17 @@ :INPUT -i foobar;=;OK -o foobar;=;FAIL +--logical-in br0;=;OK +--logical-out br1;=;FAIL :FORWARD -i foobar;=;OK -o foobar;=;OK +--logical-in br0 --logical-out br1;=;OK :OUTPUT -i foobar;=;FAIL -o foobar;=;OK +--logical-in br0;=;FAIL +--logical-out br1;=;OK :PREROUTING *nat -i foobar;=;OK diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 64018ce1..08dba42d 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, static void conntrack_dump_ports(const char *prefix, const char *opt, - u_int16_t port_low, u_int16_t port_high) + uint16_t port_low, uint16_t port_high) { if (port_high == 0 || port_low == port_high) printf(" %s%s %u", prefix, opt, port_low); @@ -1289,9 +1289,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC) { - if (&sinfo->origsrc_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct original saddr %s", space, sinfo->invert_flags & XT_CONNTRACK_ORIGSRC ? "!= " : ""); @@ -1301,9 +1298,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_ORIGDST) { - if (&sinfo->origdst_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct original daddr %s", space, sinfo->invert_flags & XT_CONNTRACK_ORIGDST ? "!= " : ""); @@ -1313,9 +1307,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_REPLSRC) { - if (&sinfo->replsrc_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct reply saddr %s", space, sinfo->invert_flags & XT_CONNTRACK_REPLSRC ? "!= " : ""); @@ -1325,9 +1316,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_REPLDST) { - if (&sinfo->repldst_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct reply daddr %s", space, sinfo->invert_flags & XT_CONNTRACK_REPLDST ? "!= " : ""); diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c index a4c5415f..3fb6cf1a 100644 --- a/extensions/libxt_sctp.c +++ b/extensions/libxt_sctp.c @@ -112,9 +112,13 @@ static const struct sctp_chunk_names sctp_chunk_names[] { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" }, { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" }, { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" }, + { .name = "I_DATA", .chunk_type = 64, .valid_flags = "----IUBE", .nftname = "i-data"}, + { .name = "RE_CONFIG", .chunk_type = 130, .valid_flags = "--------", .nftname = "re-config"}, + { .name = "PAD", .chunk_type = 132, .valid_flags = "--------", .nftname = "pad"}, { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" }, { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" }, { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" }, + { .name = "I_FORWARD_TSN", .chunk_type = 194, .valid_flags = "--------", .nftname = "i-forward-tsn" }, }; static void diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man index 3e5ffa09..06da04f8 100644 --- a/extensions/libxt_sctp.man +++ b/extensions/libxt_sctp.man @@ -19,12 +19,14 @@ Match if any of the given chunk types is present with given flags. only Match if only the given chunk types are present with given flags and none are missing. -Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN chunk type available flags .br DATA I U B E i u b e .br +I_DATA I U B E i u b e +.br ABORT T t .br SHUTDOWN_COMPLETE T t diff --git a/extensions/libxt_sctp.t b/extensions/libxt_sctp.t index 4016e4fb..4d3b113d 100644 --- a/extensions/libxt_sctp.t +++ b/extensions/libxt_sctp.t @@ -27,3 +27,7 @@ -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK -p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK +-p sctp -m sctp --chunk-types all I_DATA;=;OK +-p sctp -m sctp --chunk-types all RE_CONFIG;=;OK +-p sctp -m sctp --chunk-types all PAD;=;OK +-p sctp -m sctp --chunk-types all I_FORWARD_TSN;=;OK diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate index bb817525..6443abf9 100644 --- a/extensions/libxt_sctp.txlate +++ b/extensions/libxt_sctp.txlate @@ -41,4 +41,4 @@ iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT: nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT -nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept +nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk i-data missing sctp chunk re-config missing sctp chunk pad missing sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing sctp chunk i-forward-tsn missing counter accept diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c index 16921023..a2137ab1 100644 --- a/extensions/libxt_set.c +++ b/extensions/libxt_set.c @@ -22,6 +22,12 @@ #include <linux/netfilter/xt_set.h> #include "libxt_set.h" +#ifdef DEBUG +#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +#else +#define DEBUGP(x, args...) +#endif + /* Revision 0 */ static void diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h index ad895a75..597bf7eb 100644 --- a/extensions/libxt_set.h +++ b/extensions/libxt_set.h @@ -6,7 +6,6 @@ #include <sys/types.h> #include <sys/socket.h> #include <errno.h> -#include "../iptables/xshared.h" static int get_version(unsigned *version) diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c index 739a8e7f..5d72a5cd 100644 --- a/extensions/libxt_string.c +++ b/extensions/libxt_string.c @@ -78,14 +78,13 @@ static void string_init(struct xt_entry_match *m) static void parse_string(const char *s, struct xt_string_info *info) -{ +{ /* xt_string does not need \0 at the end of the pattern */ - if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) { - memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE); - info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE); - return; - } - xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); + if (strlen(s) > sizeof(info->pattern)) + xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); + + info->patlen = strnlen(s, sizeof(info->pattern)); + memcpy(info->pattern, s, info->patlen); } static void @@ -269,7 +268,7 @@ string_print(const void *ip, const struct xt_entry_match *match, int numeric) printf(" ALGO name %s", info->algo); if (info->from_offset != 0) printf(" FROM %u", info->from_offset); - if (info->to_offset != 0) + if (info->to_offset != UINT16_MAX) printf(" TO %u", info->to_offset); if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE) printf(" ICASE"); @@ -293,7 +292,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match) printf(" --algo %s", info->algo); if (info->from_offset != 0) printf(" --from %u", info->from_offset); - if (info->to_offset != 0) + if (info->to_offset != UINT16_MAX) printf(" --to %u", info->to_offset); if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE) printf(" --icase"); diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t index d68f099d..2f4b30cb 100644 --- a/extensions/libxt_string.t +++ b/extensions/libxt_string.t @@ -1,18 +1,11 @@ :INPUT,FORWARD,OUTPUT -# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test" -# -m string --algo bm --string "test";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test") -# -m string --algo kmp --string "test";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test" -# -m string --algo kmp ! --string "test";=;OK -# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....] -# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK -# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx" -# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK -# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|" -# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test" -# -m string --algo bm --from 0 --to 65535 --string "test";=;OK +-m string --algo bm --string "test";-m string --string "test" --algo bm;OK +-m string --string "test" --algo kmp;=;OK +-m string ! --string "test" --algo kmp;=;OK +-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK +-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL +-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK +-m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK -m string --algo wrong;;FAIL -m string --algo bm;;FAIL -m string;;FAIL diff --git a/include/libipq/libipq.h b/include/libipq/libipq.h index 3cd13292..dd0cb205 100644 --- a/include/libipq/libipq.h +++ b/include/libipq/libipq.h @@ -24,7 +24,7 @@ #include <errno.h> #include <unistd.h> #include <fcntl.h> -#include <sys/types.h> +#include <stdint.h> #include <sys/socket.h> #include <sys/uio.h> #include <asm/types.h> @@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t; struct ipq_handle { int fd; - u_int8_t blocking; + uint8_t blocking; struct sockaddr_nl local; struct sockaddr_nl peer; }; -struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol); +struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol); int ipq_destroy_handle(struct ipq_handle *h); ssize_t ipq_read(const struct ipq_handle *h, unsigned char *buf, size_t len, int timeout); -int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len); +int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len); ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf); diff --git a/include/libiptc/libxtc.h b/include/libiptc/libxtc.h index 37010188..a1d16ef9 100644 --- a/include/libiptc/libxtc.h +++ b/include/libiptc/libxtc.h @@ -10,7 +10,7 @@ extern "C" { #endif #ifndef XT_MIN_ALIGN -/* xt_entry has pointers and u_int64_t's in it, so if you align to +/* xt_entry has pointers and uint64_t's in it, so if you align to it, you'll also align to any crazy matches and targets someone might write */ #define XT_MIN_ALIGN (__alignof__(struct xt_entry)) diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h new file mode 100644 index 00000000..2ae00932 --- /dev/null +++ b/include/linux/netfilter/nf_log.h @@ -0,0 +1,15 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _NETFILTER_NF_LOG_H +#define _NETFILTER_NF_LOG_H + +#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define NF_LOG_TCPOPT 0x02 /* Log TCP options */ +#define NF_LOG_IPOPT 0x04 /* Log IP options */ +#define NF_LOG_UID 0x08 /* Log UID owning local socket */ +#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ +#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define NF_LOG_MASK 0x2f + +#define NF_LOG_PREFIXLEN 128 + +#endif /* _NETFILTER_NF_LOG_H */ diff --git a/include/linux/netfilter_arp/arpt_mangle.h b/include/linux/netfilter_arp/arpt_mangle.h index 250f5029..8c2b16a1 100644 --- a/include/linux/netfilter_arp/arpt_mangle.h +++ b/include/linux/netfilter_arp/arpt_mangle.h @@ -13,7 +13,7 @@ struct arpt_mangle union { struct in_addr tgt_ip; } u_t; - u_int8_t flags; + __u8 flags; int target; }; diff --git a/include/xtables.h b/include/xtables.h index c2694b7b..9eba4f61 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -585,27 +585,6 @@ static inline void xtables_print_mark_mask(unsigned int mark, xtables_print_val_mask(mark, mask, NULL); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) -# ifdef _INIT -# undef _init -# define _init _INIT -# endif - extern void init_extensions(void); - extern void init_extensions4(void); - extern void init_extensions6(void); - extern void init_extensionsa(void); - extern void init_extensionsb(void); -#else -# define _init __attribute__((constructor)) _INIT -# define EMPTY_FUNC_DEF(x) static inline void x(void) {} - EMPTY_FUNC_DEF(init_extensions) - EMPTY_FUNC_DEF(init_extensions4) - EMPTY_FUNC_DEF(init_extensions6) - EMPTY_FUNC_DEF(init_extensionsa) - EMPTY_FUNC_DEF(init_extensionsb) -# undef EMPTY_FUNC_DEF -#endif - extern const struct xtables_pprot xtables_chain_protos[]; extern uint16_t xtables_parse_protocol(const char *s); @@ -663,9 +642,55 @@ void xtables_announce_chain(const char *name); # define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) # endif +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) +# ifdef _INIT +# undef _init +# define _init _INIT +# endif + extern void init_extensions(void); + extern void init_extensions4(void); + extern void init_extensions6(void); + extern void init_extensionsa(void); + extern void init_extensionsb(void); +#else +# define _init __attribute__((constructor)) _INIT +# define EMPTY_FUNC_DEF(x) static inline void x(void) {} + EMPTY_FUNC_DEF(init_extensions) + EMPTY_FUNC_DEF(init_extensions4) + EMPTY_FUNC_DEF(init_extensions6) + EMPTY_FUNC_DEF(init_extensionsa) + EMPTY_FUNC_DEF(init_extensionsb) +# undef EMPTY_FUNC_DEF +#endif + extern void _init(void); -#endif +/** + * xtables_afinfo - protocol family dependent information + * @kmod: kernel module basename (e.g. "ip_tables") + * @proc_exists: file which exists in procfs when module already loaded + * @libprefix: prefix of .so library name (e.g. "libipt_") + * @family: nfproto family + * @ipproto: used by setsockopt (e.g. IPPROTO_IP) + * @so_rev_match: optname to check revision support of match + * @so_rev_target: optname to check revision support of target + */ +struct xtables_afinfo { + const char *kmod; + const char *proc_exists; + const char *libprefix; + uint8_t family; + uint8_t ipproto; + int so_rev_match; + int so_rev_target; +}; + +extern const struct xtables_afinfo *afinfo; + +/* base offset of merged extensions' consecutive options */ +#define XT_OPTION_OFFSET_SCALE 256 + +#endif /* XTABLES_INTERNAL */ #ifdef __cplusplus } /* extern "C" */ diff --git a/iptables/Makefile.am b/iptables/Makefile.am index 0258264c..23f8352d 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -2,6 +2,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} BUILT_SOURCES = diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in index 627ff0e4..f81c632f 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -417,6 +417,11 @@ other errors cause an exit code of 1. .SH BUGS Bugs? What's this? ;-) Well, you might want to have a look at http://bugzilla.netfilter.org/ +\fBiptables\fP will exit immediately with an error code of 111 if it finds +that it was called as a setuid-to-root program. +iptables cannot be used safely in this manner because it trusts +the shared libraries (matches, targets) loaded at run time, the search +path can be set using environment variables. .SH COMPATIBILITY WITH IPCHAINS This \fBiptables\fP is very similar to ipchains by Rusty Russell. The main difference is diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 27e95c1a..74e19cca 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -40,15 +40,24 @@ extern struct nft_family_ops nft_family_ops_ipv6; extern struct nft_family_ops nft_family_ops_arp; extern struct nft_family_ops nft_family_ops_bridge; +static struct nftnl_expr *xt_nftnl_expr_alloc(const char *name) +{ + struct nftnl_expr *expr = nftnl_expr_alloc(name); + + if (expr) + return expr; + + xtables_error(RESOURCE_PROBLEM, + "Failed to allocate nftnl expression '%s'", name); +} + void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key, uint8_t *dreg) { struct nftnl_expr *expr; uint8_t reg; - expr = nftnl_expr_alloc("meta"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("meta"); reg = NFT_REG_1; nftnl_expr_set_u32(expr, NFTNL_EXPR_META_KEY, key); @@ -64,9 +73,7 @@ void add_payload(struct nft_handle *h, struct nftnl_rule *r, struct nftnl_expr *expr; uint8_t reg; - expr = nftnl_expr_alloc("payload"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("payload"); reg = NFT_REG_1; nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_BASE, base); @@ -85,9 +92,7 @@ void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r, struct nftnl_expr *expr; uint8_t reg; - expr = nftnl_expr_alloc("bitwise"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("bitwise"); reg = NFT_REG_1; nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg); @@ -107,9 +112,7 @@ void add_bitwise(struct nft_handle *h, struct nftnl_rule *r, uint32_t xor[4] = { 0 }; uint8_t reg = *dreg; - expr = nftnl_expr_alloc("bitwise"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("bitwise"); nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg); nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, reg); @@ -126,9 +129,7 @@ void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, { struct nftnl_expr *expr; - expr = nftnl_expr_alloc("cmp"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("cmp"); nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_SREG, sreg); nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_OP, op); diff --git a/iptables/nft.c b/iptables/nft.c index ec79f2bc..ee003511 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table, nftnl_rule_add_expr(r, e); if (ip) { - e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst], - sizeof(struct in_addr), ®); + e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst], + sizeof(struct in_addr), NFT_REG32_02); if (!e) return -ENOMEM; nftnl_rule_add_expr(r, e); diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 new file mode 100755 index 00000000..b5df9725 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 @@ -0,0 +1,98 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +sfx=$(mktemp -u "XXXXXXXX") +nsa="nsa-$sfx" +nsb="nsb-$sfx" +nsc="nsc-$sfx" + +cleanup() +{ + ip netns del "$nsa" + ip netns del "$nsb" + ip netns del "$nsc" +} + +trap cleanup EXIT + +assert_fail() +{ + if [ $1 -eq 0 ]; then + echo "FAILED: $2" + exit 1 + fi +} + +assert_pass() +{ + if [ $1 -ne 0 ]; then + echo "FAILED: $2" + exit 2 + fi +} + +ip netns add "$nsa" +ip netns add "$nsb" +ip netns add "$nsc" + +ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb" +ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb" +ip netns exec "$nsb" ip link add name br0 type bridge + +ip -net "$nsb" link set b_c up +ip netns exec "$nsb" ip link set b_s up +ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0 +ip netns exec "$nsb" ip link set br0 up +ip netns exec "$nsb" ip link set b_c master br0 +ip netns exec "$nsb" ip link set b_s master br0 +ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b +ip netns exec "$nsc" ip link set c_b up +ip -net "$nsa" addr add 10.167.11.1/24 dev s_b +ip -net "$nsa" link set s_b up + +ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1 + +bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address` +bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address` +bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address` +bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address` + +bf_server_ip1="10.167.11.1" +bf_bridge_ip0="10.167.11.254" +bf_client_ip1="10.167.11.2" +pktsize=64 + +# --among-src [mac,IP] +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null +assert_fail $? "--among-src [match]" + +# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc + +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null +ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null +assert_pass $? "--among-src [not match]" + +# --among-dst [mac,IP] +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_fail $? "--among-dst [match]" + +# --among-dst ! [mac,IP] +ip netns exec "$nsb" $XT_MULTI ebtables -F +ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null +ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null +assert_pass $? "--among-dst [not match]" + +exit 0 diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 index 7b0e6468..2a1518d6 100755 --- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 @@ -6,23 +6,38 @@ set -e # ensure verbose output is identical between legacy and nft tools RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT' -VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2' +VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2' RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT' -VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5' +VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5' +RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route' +VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0' +RULE4='-m dst --dst-len 42 -m rt --rt-type 23' +VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23' +RULE5='-m frag --fragid 1337 -j LOG' +VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4' diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5) diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5) EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::1 feed:babe::2 + 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 58 -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 0 -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG 0 -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 index bea1a690..1a3af46f 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 @@ -12,5 +12,5 @@ EOF EXPECT='Chain FORWARD (policy ACCEPT) target prot opt source destination -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ' +ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 ' diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD) diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 index 5daf7a78..087156b1 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 @@ -60,7 +60,7 @@ Flushing chain \`OUTPUT' Flushing chain \`secfoo' Deleting chain \`secfoo'" -EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' -e 's/opt --/opt /' <<< "$EXPECT") +EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' <<< "$EXPECT") diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP") diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP") diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 index 50c0cae8..bcfaad36 100755 --- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 +++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 @@ -1,13 +1,5 @@ #!/bin/bash -case "$(basename $XT_MULTI)" in - xtables-legacy-multi) - ;; - *) - echo "skip $XT_MULTI" - exit 0 - ;; -esac - dump=$(dirname $0)/dumps/fedora27-iptables diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) +diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump) diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 new file mode 100755 index 00000000..b86d71f2 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +# Test recent performance improvements in iptables-save due to reduced +# overhead. + +strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } + +RULESET=$( + echo "*filter" + for ((i = 0; i < 100; i++)); do + echo ":mychain$i -" + echo "-A FORWARD -p tcp --dport 22 -j mychain$i" + done + echo "COMMIT" +) + +RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) +SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) + +do_grep() { # (name, threshold, pattern) + local cnt=$(grep -c "$3") + [[ $cnt -le $2 ]] && return 0 + echo "ERROR: Too many $3 lookups for $1: $cnt > $2" + exit 1 +} + +# iptables prefers hard-coded protocol names instead of looking them up first + +do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" + +# iptables-nft-save pointlessly checked whether chain jumps are targets + +do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" +do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE" + +exit 0 diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 index 5d2af4c8..15c72af3 100755 --- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 @@ -21,8 +21,8 @@ EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2 - 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5 + 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.1 10.0.0.2 + 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.4 10.0.0.5 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 index 36da1907..21793472 100755 --- a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 +++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 @@ -10,6 +10,7 @@ $XT_MULTI iptables-restore -c <<EOF [12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" [22:123] -A FOO -m comment --comment one [44:123] -A FOO -m comment --comment two +[66:123] -A FOO -m comment --comment three COMMIT EOF EXPECT="*filter @@ -20,6 +21,7 @@ EXPECT="*filter [0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" [0:0] -A FOO -m comment --comment one [0:0] -A FOO -m comment --comment two +[0:0] -A FOO -m comment --comment three COMMIT" COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") @@ -28,6 +30,18 @@ if [ $COUNTER != "[12:345]" ]; then RC=1 fi +$XT_MULTI iptables -Z FOO 2 +COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ") +if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should have been zeroed" + RC=1 +fi +COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ") +if [ $COUNTER != "[66:123]" ]; then + echo "Counter $COUNTER is wrong, should not have been zeroed" + RC=1 +fi + $XT_MULTI iptables -Z FOO COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") if [ $COUNTER = "[0:0]" ]; then @@ -60,5 +74,6 @@ fi $XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR" $XT_MULTI iptables -D FOO -m comment --comment one $XT_MULTI iptables -D FOO -m comment --comment two +$XT_MULTI iptables -D FOO -m comment --comment three $XT_MULTI iptables -X FOO exit $RC diff --git a/iptables/xshared.c b/iptables/xshared.c index a8512d38..69515789 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -39,8 +39,8 @@ char *arp_opcodes[] = * to the commandline, and see expected results. So we call help for all * specified matches and targets. */ -void print_extension_helps(const struct xtables_target *t, - const struct xtables_rule_match *m) +static void print_extension_helps(const struct xtables_target *t, + const struct xtables_rule_match *m) { for (; t != NULL; t = t->next) { if (t->used) { @@ -129,8 +129,8 @@ static struct xtables_match *load_proto(struct iptables_command_state *cs) cs->options & OPT_NUMERIC, &cs->matches); } -int command_default(struct iptables_command_state *cs, - struct xtables_globals *gl, bool invert) +static int command_default(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert) { struct xtables_rule_match *matchp; struct xtables_match *m; @@ -731,7 +731,7 @@ void print_fragment(unsigned int flags, unsigned int invflags, fputs("opt ", stdout); if (fake) { - fputs(" ", stdout); + fputs("--", stdout); } else { fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout); fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); @@ -789,7 +789,7 @@ void save_iface(char letter, const char *iface, } } -void command_match(struct iptables_command_state *cs, bool invert) +static void command_match(struct iptables_command_state *cs, bool invert) { struct option *opts = xt_params->opts; struct xtables_match *m; @@ -827,7 +827,7 @@ void command_match(struct iptables_command_state *cs, bool invert) xt_params->opts = opts; } -const char *xt_parse_target(const char *targetname) +static const char *xt_parse_target(const char *targetname) { const char *ptr; @@ -889,7 +889,7 @@ void command_jump(struct iptables_command_state *cs, const char *jumpto) xt_params->opts = opts; } -char cmd2char(int option) +static char cmd2char(int option) { /* cmdflags index corresponds with position of bit in CMD_* values */ static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', @@ -905,8 +905,8 @@ char cmd2char(int option) return cmdflags[i]; } -void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert) +static void add_command(unsigned int *cmd, const int newcmd, + const int othercmds, int invert) { if (invert) xtables_error(PARAMETER_PROBLEM, "unexpected '!' flag"); @@ -917,7 +917,7 @@ void add_command(unsigned int *cmd, const int newcmd, } /* Can't be zero. */ -int parse_rulenumber(const char *rule) +static int parse_rulenumber(const char *rule) { unsigned int rulenum; @@ -928,6 +928,10 @@ int parse_rulenumber(const char *rule) return rulenum; } +#define NUMBER_OF_OPT ARRAY_SIZE(optflags) +static const char optflags[] += { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 }; + /* Table of legal combinations of commands and options. If any of the * given commands make an option legal, that option is legal (applies to * CMD_LIST and CMD_ZERO only). @@ -957,7 +961,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = /*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' ',' ',' ',' ',' ',' ',' '}, }; -void generic_opt_check(int command, int options) +static void generic_opt_check(int command, int options) { int i, j, legal = 0; @@ -992,7 +996,7 @@ void generic_opt_check(int command, int options) } } -char opt2char(int option) +static char opt2char(int option) { const char *ptr; @@ -1024,8 +1028,8 @@ static const int inverse_for_options[NUMBER_OF_OPT] = /* 6 */ IPT_INV_PROTO, }; -void -set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, +static void +set_option(unsigned int *options, unsigned int option, uint16_t *invflg, bool invert) { if (*options & option) @@ -1088,10 +1092,10 @@ void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout); - if (pname) - printf(FMT("%-5s", "%s "), pname); + if (((format & (FMT_NUMERIC | FMT_NOTABLE)) == FMT_NUMERIC) || !pname) + printf(FMT("%-4hu ", "%hu "), proto); else - printf(FMT("%-5hu", "%hu "), proto); + printf(FMT("%-4s ", "%s "), pname); } void save_rule_details(const char *iniface, unsigned const char *iniface_mask, diff --git a/iptables/xshared.h b/iptables/xshared.h index 14568bb0..1a019a7c 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -39,10 +39,6 @@ enum { OPT_P_TYPE = 1 << 17, }; -#define NUMBER_OF_OPT ARRAY_SIZE(optflags) -static const char optflags[] -= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 }; - enum { CMD_NONE = 0, CMD_INSERT = 1 << 0, @@ -69,7 +65,7 @@ struct xtables_target; #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" #define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x" -#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */ +#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ #define EBT_OPTSTRING OPTSTRING_COMMON "hv" /* define invflags which won't collide with IPT ones */ @@ -79,30 +75,6 @@ struct xtables_target; #define IPT_INV_ARPOP 0x0400 #define IPT_INV_ARPHRD 0x0800 -void -set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, - bool invert); - -/** - * xtables_afinfo - protocol family dependent information - * @kmod: kernel module basename (e.g. "ip_tables") - * @proc_exists: file which exists in procfs when module already loaded - * @libprefix: prefix of .so library name (e.g. "libipt_") - * @family: nfproto family - * @ipproto: used by setsockopt (e.g. IPPROTO_IP) - * @so_rev_match: optname to check revision support of match - * @so_rev_target: optname to check revision support of target - */ -struct xtables_afinfo { - const char *kmod; - const char *proc_exists; - const char *libprefix; - uint8_t family; - uint8_t ipproto; - int so_rev_match; - int so_rev_target; -}; - /* trick for ebtables-compat, since watchers are targets */ struct ebt_match { struct ebt_match *next; @@ -160,14 +132,6 @@ struct subcommand { mainfunc_t main; }; -enum { - XT_OPTION_OFFSET_SCALE = 256, -}; - -extern void print_extension_helps(const struct xtables_target *, - const struct xtables_rule_match *); -extern int command_default(struct iptables_command_state *, - struct xtables_globals *, bool invert); extern int subcmd_main(int, char **, const struct subcommand *); extern void xs_init_target(struct xtables_target *); extern void xs_init_match(struct xtables_match *); @@ -199,8 +163,6 @@ int parse_counters(const char *string, struct xt_counters *ctr); bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line); bool xs_has_arg(int argc, char *argv[]); -extern const struct xtables_afinfo *afinfo; - #define MAX_ARGC 255 struct argv_store { int argc; @@ -239,19 +201,10 @@ void save_iface(char letter, const char *iface, void print_fragment(unsigned int flags, unsigned int invflags, unsigned int format, bool fake); -void command_match(struct iptables_command_state *cs, bool invert); -const char *xt_parse_target(const char *targetname); void command_jump(struct iptables_command_state *cs, const char *jumpto); -char cmd2char(int option); -void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert); -int parse_rulenumber(const char *rule); void assert_valid_chain_name(const char *chainname); -void generic_opt_check(int command, int options); -char opt2char(int option); - void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, const char *targname, uint8_t proto, uint8_t flags, uint8_t invflags, unsigned int format); diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 3d15063e..b986fd9e 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -1077,6 +1077,9 @@ print_zero: flags |= LIST_MAC2; break; case 11: /* init-table */ + if (restore) + xtables_error(PARAMETER_PROBLEM, + "--init-table is not supported in daemon mode"); nft_cmd_table_flush(h, *table, false); return 1; case 13 : diff --git a/iptables/xtables-legacy-multi.c b/iptables/xtables-legacy-multi.c index 3b7905ff..2c719315 100644 --- a/iptables/xtables-legacy-multi.c +++ b/iptables/xtables-legacy-multi.c @@ -14,10 +14,6 @@ #include "ip6tables-multi.h" #endif -#ifdef ENABLE_NFTABLES -#include "xtables-multi.h" -#endif - static const struct subcommand multi_subcommands[] = { #ifdef ENABLE_IPV4 {"iptables", iptables_main}, diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 905bb7fe..a1eba2f4 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -339,7 +339,7 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg inet_ntop(AF_INET, &iph->daddr, addrbuf, sizeof(addrbuf)); printf("DST=%s ", addrbuf); - printf("LEN=%d TOS=0x%x TTL=%d ID=%d", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id)); + printf("LEN=%d TOS=0x%x TTL=%d ID=%d ", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id)); if (iph->frag_off & htons(0x8000)) printf("CE "); if (iph->frag_off & htons(IP_DF)) @@ -362,7 +362,7 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg printf("OPT ("); for (i = 0; i < optsize; i++) printf("%02X", op[i]); - printf(")"); + printf(") "); } break; } diff --git a/libipq/Makefile.am b/libipq/Makefile.am index 9e3a2ca6..2cdaf32e 100644 --- a/libipq/Makefile.am +++ b/libipq/Makefile.am @@ -2,6 +2,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include +AM_LDFLAGS = ${regular_LDFLAGS} libipq_la_SOURCES = libipq.c lib_LTLIBRARIES = libipq.la diff --git a/libipq/ipq_create_handle.3 b/libipq/ipq_create_handle.3 index 11ef95c4..ebe46daa 100644 --- a/libipq/ipq_create_handle.3 +++ b/libipq/ipq_create_handle.3 @@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles. .br .B #include <libipq.h> .sp -.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");" +.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");" .br .BI "int ipq_destroy_handle(struct ipq_handle *" h ); .SH DESCRIPTION diff --git a/libipq/ipq_set_mode.3 b/libipq/ipq_set_mode.3 index 0edd3c00..e206886c 100644 --- a/libipq/ipq_set_mode.3 +++ b/libipq/ipq_set_mode.3 @@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode .br .B #include <libipq.h> .sp -.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range ); +.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range ); .SH DESCRIPTION The .B ipq_set_mode diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am index 464a0696..097842f2 100644 --- a/libiptc/Makefile.am +++ b/libiptc/Makefile.am @@ -2,6 +2,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am index 8ff6b0ca..2f4a12e5 100644 --- a/libxtables/Makefile.am +++ b/libxtables/Makefile.am @@ -1,7 +1,8 @@ # -*- Makefile -*- AM_CFLAGS = ${regular_CFLAGS} -AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS} +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} lib_LTLIBRARIES = libxtables.la libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c diff --git a/libxtables/xtables.c b/libxtables/xtables.c index 96fd783a..479dbae0 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -28,6 +28,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <netinet/ether.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/statfs.h> @@ -45,7 +46,6 @@ #include <xtables.h> #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */ -#include <linux/if_ether.h> /* ETH_ALEN */ #include <linux/netfilter_ipv4/ip_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <libiptc/libxtc.h> @@ -64,7 +64,6 @@ #endif #include <getopt.h> #include "iptables/internal.h" -#include "xshared.h" #define NPROTO 255 @@ -72,6 +71,10 @@ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" #endif +#ifndef ETH_ALEN +#define ETH_ALEN 6 +#endif + /* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the * current line of the input file, in order to give a more precise error * message. ip6?tables itself doesn't need this, so it is initialized to the @@ -773,6 +776,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, struct xtables_match *ptr; const char *icmp6 = "icmp6"; bool found = false; + bool seen = false; if (strlen(name) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, @@ -791,6 +795,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; + seen = true; if (!found && xtables_fully_register_pending_match(ptr, prev)) { found = true; @@ -804,6 +809,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_matches; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_match *clone; @@ -896,6 +906,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) struct xtables_target **dptr; struct xtables_target *ptr; bool found = false; + bool seen = false; /* Standard target? */ if (strcmp(name, "") == 0 @@ -914,6 +925,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; + seen = true; if (!found && xtables_fully_register_pending_target(ptr, prev)) { found = true; @@ -927,6 +939,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_targets; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_target *clone; @@ -2245,8 +2262,6 @@ void xtables_print_num(uint64_t number, unsigned int format) printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); } -#include <netinet/ether.h> - static const unsigned char mac_type_unicast[ETH_ALEN] = {}; static const unsigned char msk_type_unicast[ETH_ALEN] = {1}; static const unsigned char mac_type_multicast[ETH_ALEN] = {1}; diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index 9d3ac5c8..8174a560 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c @@ -21,7 +21,6 @@ #include <arpa/inet.h> #include <netinet/ip.h> #include "xtables.h" -#include "xshared.h" #ifndef IPTOS_NORMALSVC # define IPTOS_NORMALSVC 0 #endif diff --git a/utils/Makefile.am b/utils/Makefile.am index 42bd9737..327a29e0 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -3,6 +3,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ -I${top_srcdir}/include ${libnfnetlink_CFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} sbin_PROGRAMS = pkgdata_DATA = |