| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
No translation. The kernel match will alter packet type
(meta set pkttype), but also replace dst mac with the bridges' mac address,
however nft currently doesn't allow to retrieve this at runtime.
So just add this without the xlate part for now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
adds snat and dnat.
Translation for snat isn't complete, the --snat-arp switch isn't supported so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
gcc emits these warnings:
xtables-eb-translate.c:185:2: warning: ‘strncpy’ specified bound 29 equals destination size [-Wstringop-truncation]
strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
This uncovered broken translation of ethernet + mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iptables and ip6tables don't need this because iptables is AF_INET,
ip6tables AF_INET6, etc.
But tools that can change af in-between such as nftables will then
may then find to find such module.
One example is conntrack, it offsers NFPROTO_IPV4 and NFPROTO_IPV6.
When first loading with NFPROTO_IPV6, the IPV4 would be discarded.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
ip6tables-save didn't include the masks.
Furhermore, mask decoding used the ipv4 struct which caused it to write
into parts of ipv6 saddr.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
kernel would reject ip, ip6 etc. without -p ip, -p ip6.
So add it. On reverse, search the match list to decide if -p
has to be translated or not.
Also, icmp and icmpv6 also imply l3 protocol, so no need to translate
that either.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow checking for an all-zero mac address by replacing checks on the
address with a check on the option flag.
Its set when '-d' or '-s' appears on the command line and when seeing
a linklayer payload request for ether s/daddr.
Same for -p: s this flag gets removed during getopt when 'p' is encountered.
So, if its set, no need to check protocol type.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Reduces repetition, follow patch adds back suppression of
src/dst mac when it was not given.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
They don't exist in the legacy ABI, so don't pretend otherwise.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
before:
Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out notlogout -j CONTINUE
--logical-out logout -j CONTINUE
after:
Bridge chain: OUTPUT, entries: 5, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out ! notlogout -j CONTINUE
--logical-out logout -j CONTINUE
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
nft_bridge_print_firewall
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Use iptables_command_state instead.
This allows to re-use code from the ip(6)tables layer and
reduces cop&pasted code.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This always uses xtables_ipv4 (which is same as _ipv6).
Pass the correct skeleton instead, this is needed to handle ebtables
correctly from xt-translate, as it doesn't use ip/ip6 tables.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
if (outiface[len] == '\0')
is always true. 'eth+' is stored as 'eth' with length 3, so
"eth"[3] == 0.
'eth' is stored as 'eth\0' with length 4, so "eth\0"[4] is also true.
Add a helper for this, then use it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This patch add some testcases for psid, nsid, and lsid matches
into libip6t_srh.t
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
src: iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0
exp: nft add rule ip mangle PREROUTING counter ct mark set 0x0
res: nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x0
Fixes: db7b4e0de960 ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new feature to iptables that allow bitshifting for
--restore,set and save-mark operations. This allows existing logic
operators (and, or and xor) and mask to co-operate with new bitshift
operations.
The intention is to provide uses with more fexible uses of skb->mark
and ct->mark. For example, users can save extra bits in skb->mark:
skb->mark = ct->mark << 8;
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
I added and verified these tests after applying Florian's fixed wrt.
nf_nat_range2 size for rev2.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
With no -n, semantics for *filter are to delete filter table and all its
content.
This restores the similar behaviour introduced in ca165845f7ec
("xtables-compat-restore: flush rules and delete user-defined chains").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
# iptables-compat -X
iptables: No chain/target/match by that name.
While it should display no error message at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-n still flushes user-defined chains and its content, the following snippet:
iptables-compat -N FOO
iptables-compat -I INPUT
iptables-compat -I FOO
iptables-compat -I FOO
iptables-compat-save > A
iptables-compat-restore < A
iptables-compat -N BAR
iptables-compat -A BAR
iptables-compat-restore -n < A
results in:
iptables-compat-save
# Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BAR - [0:0]
:FOO - [0:0]
-A INPUT
-A INPUT
-A BAR
-A FOO
-A FOO
COMMIT
# Completed on Mon May 7 17:18:44 2018
Still, user-defined chains that are not re-defined, such as BAR, are
left in place.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Instead of deleting the table and base chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
DNAT tests fail on nf-next.git, kernel complains about target size
mismatch (40 vs 48), this fixes this for me.
Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
needed to display rules that exceed 4k (MNL buffer size).
This can happen with many matches in a rule or when using
-m cgroup (4k per match).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
noticed that iptables-compat-save exits with 1 on success,
whereas iptables-compat-save -t filter returns 0 (as expected).
Caused by double-invert of return value, so ge rid of those.
do_output now returns a value suitable to pass to exit() or return from main.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
We don't need extra locking as we don't go though rmw cycle
when adding a rule, but accept the option for compatibility with
legacy ebtables.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rateest test needs to insert rateest targets with
@progname syntax.
However, this used the system-installed binary rather than the one
from git.
Morever, it did not respect --nftables switch, i.e. add occurs with
iptables so iptables-compat won't find it.
Fixes: d7ac61b58e78 ("add nft switch and test binaries from git")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-translate -A I -f
nft add rule ip filter I ip frag-off != 0 counter
iptables however checks:
frag_off = ntohs(iph->frag_off) & IP_OFFSET;
if (NF_INVF(ipinfo, IPT_INV_FRAG,
(ipinfo->flags & IPT_F_FRAG) && !frag_off))
return false;
So we need to mask off non-offset bits.
Second issue is that we negated the meaning in ipt-restore.
-f should match if (frag_off & IP_OFFSET) NE 0
! -f matches non-fragmented packets, i.e.
frag_off & IP_OFFSET == 0.
So we cannot use nft_invflags2cmp(), as that will use
NEQ for negation, but we need EQ instead here.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
memcmp uses tg1->userspacesize, make sure its same as tg2 first.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
no need to and with all-ones mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Remove dead code that uses the ancient non-batch netlink API. Chains
are already purged out from table flush.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following snippet fails if user chain FOO exists, but it should not fail:
iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is only needed by 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced featureset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
nat prio for in/out were inverted.
arp no longer has a forward chain.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
... or when using multiple --comment lines.
This is more of a 'cosmetic' fix to handle the test suite case.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
same as iptables-test: use the translate tools in the current working
directory, not the system-wide ones.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
nft-arp.c:112:3: note: 'sprintf' output between 2 and 21 bytes into a destination of size 20
sprintf(buf, "/%s", addr_to_dotted(mask));
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Kernel clamps udata size at 256 bytes, udata size however also includes
internal bookkeeping which brings us over this limit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a proposal patch for iptables DNAT extension to support shifted portmap
ranges. It is related to the kernel patch proposed in earlier message '[PATCH
v5] netfilter : add NAT support for shifted portmap ranges'.
A new struct nf_nat_range2 was added as extension for existing struct
nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT
revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with
older kernels is not impacted.
The syntax for shifted portmaps uses an extra value in '--to-destination' for
setting the base port which determines the offset in the redirect port range
for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp
-m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000'
The base port value is totally optional, so current behavior is not impacted in
any way. The use of slash '/' as separator is an arbitrary choice, all other
suggestions are valid of course (original proposal used semicolon but this was
not practical for commandline use) Another approach using an additional option
seems also possible (i.e. '--base-port 5000'). However, that would mean more
parsing logic with extra lines of code and thus increased risk for regression.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
instead of testing the system-wide installed iptables, test the
version from git instead.
Also add a --nftables switch to feed the test cases to xt-compat.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Only ip and ip6tables have revision retrieval support; pretend
ebtables and arptables are always ok.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updating iptables from 1.4.x to 1.6.x brokes rules print/save output
and causes rules load after reboot to fail. Here is example from
iptables-save(8) output after update:
-A CHAIN1 -m set [unsupported revision] -j DROP
-A CHAIN1 -m set [unsupported revision] -j DROP
Similar output could be obtained via iptables -L CHAIN1. While issue
reproduced with xt_set match it is not specific to any match or
target module: it is related on how xtables handles revisions.
In this particular case we have following situation:
1) Kernel supports revisions from 1 to 4.
2) Rules configured with iptables 1.4.x supporting only
revisions from 1 to 3. Choosen highest possible revision 3.
3) Rules printed/saved with iptables 1.6.x supporting revisions
from 1 to 4.
4) Xtables registers matches/targets with highest supported
revision by the kernel. This is 4 in our case after update to
iptables 1.6.x.
5) When printing/saving kernel submits match/target with revision
it is configured (3), while iptables thinks that rules configured
with highest supported (4). That's causes revision mismatch in
during print and "[unsupported revision]" output.
To fix this issue we now store all supported by kernel and xtables
revisions in xt_matches/xt_targets list sorted in descending order.
Introduce helper routines to find match/target with given revision
and use them to find right revision to print submitted by kernel
entry.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keep the order of matches by appending them; keep order between
revisions of same match from most to least recent. All of this
keeps xtables_find_match() happy to find most recent supported
by kernel revision in the given order.
Apply the same for targets, except prepend targets; order between
revisions preserved too.
All this needed to fix nasty bug related to iptables package update
and broken print/save output.
After this change all supported revisions of match/target stored
in corresponding list with following pattern:
xt_matches xt_targets
========== ==========
m1 m2 m3 mN tN t1 t2 t3
+-----+--+---+---~~~---+ +---~~~---+---+----+--+
|43210|10|210|revisions| |revisions|210|3210|10|
+-----+--+---+---~~~---+ +---~~~---+---+----+--+
Where new [m]atches added to the list tail and new [t]argets added
to the list head to preserve previous behaviour. Multiple revisions
of single match/target type are grouped together and sorted in
descending order. Both this ensures xtables_find_match() and
xtables_find_target() behaviour remains the same after change: find
highest supported match/target revision given by it's name.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|