Commit log. Each entry: commit title (author, date; files changed, -lines removed/+lines added), followed by the commit message. Indented entries are commits brought in by the merge above them.
* xtables: nft: add protocol and flags for xtables over nf_tables (Pablo Neira Ayuso, 2013-12-30; 2 files, -0/+22)
  Add protocol and flags for the compatibility layer.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: support atomic commit (Pablo Neira Ayuso, 2013-12-30; 5 files, -5/+90)
  Use new services in nf_tables to support atomic commit. Commit per table: although we support global commit at once, call commit for each table to emulate iptables-restore behaviour by now.
  Keep the table dormant/wake-up code in iptables/nft.c, as it can be used in the future.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: purge out user-defined chains from the kernel (Pablo Neira Ayuso, 2013-12-30; 3 files, -13/+76)
  xtables-restore has to purge out user-defined chains that are not defined in the configuration file.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix compilation warning (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+3)
      xtables-standalone.c: In function ‘xtables_main’:
      xtables-standalone.c:64:2: warning: implicit declaration of function ‘do_commandx’ [-Wimplicit-function-declaration]
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: fix custom user chain restoration (Pablo Neira Ayuso, 2013-12-30; 1 file, -11/+20)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add IPv6 support (Tomasz Bursztyka, 2013-12-30; 5 files, -292/+772)
  Summary of changes to add IPv6 support to the xtables utility:
    * modify all commands (add, delete, replace, check and listing) to support IPv6 addresses.
  And for the internal nft library:
    * add family to struct nft_handle and modify all callers to use this family instead of the hardcoded AF_INET.
    * move code that we can re-use for IPv4 and IPv6 into helper functions.
    * add IPv6 rule printing support.
    * add support to parse IPv6 addresses.
  Pablo added several improvements to this patch:
    * added basic xtables-save and xtables-restore support (so it defaults to IPv4)
    * fixed a couple of bugs found while testing
    * added reference when -f is used to point to -m frag (until we can make this consistent with IPv4).
  Note that we use one single xtables binary utility for IPv4 and IPv6.
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix crash due to using wrong globals (Pablo Neira Ayuso, 2013-12-30; 1 file, -5/+5)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adapt chain rename to Patrick's recent updates (Pablo Neira Ayuso, 2013-12-30; 2 files, -4/+54)
  This patch gets the existing code in sync with Patrick's new chain renaming approach.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: add support for dormant tables (Pablo Neira Ayuso, 2013-12-30; 4 files, -4/+71)
  This patch adds support for dormant tables for xtables-restore.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: use chain types (Pablo Neira Ayuso, 2013-12-30; 1 file, -3/+49)
  We use the new special chain types defined in the kernel.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: use 64-bit handle (Pablo Neira Ayuso, 2013-12-30; 2 files, -5/+6)
  Now that we use that in kernel space and in libnftables.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: remove __nft_check_rule (Pablo Neira Ayuso, 2013-12-30; 1 file, -38/+104)
  Rework code to remove __nft_check_rule and split it into logical fragments.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: move priority to chain instead of table (Pablo Neira Ayuso, 2013-12-30; 1 file, -34/+43)
  The NAT table uses different chain priorities; adapt the existing code to allow this.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: remove unused compatibility definitions (Pablo Neira Ayuso, 2013-12-30; 1 file, -18/+0)
  They belong to nf_tables_compat.h.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix missing rule listing in custom chains with -L (Pablo Neira Ayuso, 2013-12-30; 1 file, -5/+1)
  Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: Add support for -R option (Tomasz Bursztyka, 2013-12-30; 3 files, -12/+21)
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* iptables: nft: Refactor __nft_rule_check to return rule handle when relevant (Tomasz Bursztyka, 2013-12-30; 1 file, -6/+9)
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* iptables: nft: Fix -D chain rulenum option (Tomasz Bursztyka, 2013-12-30; 1 file, -3/+4)
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* nft: Add support for chain rename options (-E) (Tomasz Bursztyka, 2013-12-30; 2 files, -5/+29)
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* headers: Make nf_tables.h up to date (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+2)
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* iptables: nft: add -f support (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+90)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rework automatic creation of built-in table and chains (Pablo Neira Ayuso, 2013-12-30; 1 file, -93/+112)
  This patch reworks the automatic creation of built-in table and chains. Now it initializes all built-in chains belonging to a table at once. This happens with commands: -P, -A, -I, -N.
  Note that xtables skips chain initialization if it notices that the table already exists in the kernel.
  Thanks to Tomasz Bursztyka for spotting problems with -N.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* automatic creation of built-in table and chains (Pablo Neira Ayuso, 2013-12-30; 1 file, -38/+105)
  In order to emulate the iptables behaviour, this patch changes the current behaviour to:
    1st) check if the table and chains are built-in.
    2nd) If they don't exist, create them. If they exist, don't touch them.
  The automatic creation happens in the -I and -P paths.
  We should provide a new command to allow deleting (unregistering) built-in tables and chains. It would be similar to unloading the iptable_X module that registers the custom table.
  This is not done for other commands like -C or -D since they will fail while trying to find the rule in the kernel if such a combination of chain and table does not exist.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* use nf_tables and nf_tables compatibility interface (Pablo Neira Ayuso, 2013-12-30; 23 files, -5/+5723)
  This patch adds the following utilities:
    * xtables
    * xtables-restore
    * xtables-save
    * xtables-config
  They all use Patrick's nf_tables infrastructure plus my compatibility layer.
  xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aim to be similar; still, the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking.
  The following options are also not yet implemented:
    * -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it)
    * -R and -E (this requires adding this feature to nf_tables)
    * -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
    * IPv6 support.
  But those are a matter of time to get them done.
  A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-save: remove dlfcn.h include (Gustavo Zacarias, 2013-11-28; 2 files, -8/+0)
  It's not required and breaks on static-only uClibc builds which don't have the header file.
  Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* Merge branch 'stable-1.4.20' (Florian Westphal, 2013-11-23; 2 files, -6/+4)
  ... to get 76e230e ('iptables: link against libnetfilter_conntrack'), else static build doesn't work.
  Conflicts:
      extensions/GNUmakefile.in [ CPPFLAGS was added in master, so keep it ]
  Reported-By: Gustavo Zacarias <gustavo@zacarias.com.ar>
  * iptables: link against libnetfilter_conntrack (Jan Engelhardt, 2013-08-23; 2 files, -6/+4)
    Linking currently fails in --enable-static case:
        ../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
        iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
        [..]
    It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
    If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@ and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty, therefore producing no harm to include unconditionally.
    Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables 1.4.21 release (tag v1.4.21; Pablo Neira Ayuso, 2013-11-22; 1 file, -1/+1)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfsynproxy: fix error while compiling the BPF filter (Pablo Neira Ayuso, 2013-11-18; 1 file, -8/+8)
  Fix the following error while running nfsynproxy here:
      pcap_compile: not-yet-activated pcap_t passed to pcap_compile
  According to what I have read, we have to compile the filter once the pcap_t handle has been activated.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_set, libxt_SET: check the set family too (Jozsef Kadlecsik, 2013-11-18; 2 files, -4/+57)
  Do not accept silently sets with the wrong protocol family but reject them with an error message. It makes it straightforward to catch user errors.
  [ Use afinfo instead to avoid a binary interface update --pablo ]
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add nfsynproxy tool (Patrick McHardy, 2013-11-18; 3 files, -2/+240)
  [ Originally synconf, but Jesper D. Brouer suggested to change the name to avoid a possible filename clash. I also include nfsynproxy in the final configure report --pablo ]
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add SYNPROXY extension (Patrick McHardy, 2013-11-18; 2 files, -0/+143)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: libxt_cluster: add note on arptables-jf (Pablo Neira Ayuso, 2013-11-04; 1 file, -0/+5)
  Gao feng reported problems while getting the cluster match working with arptables. This patch adds a note in the manpage to warn about the arptables-jf syntax, which is different from mainstream arptables.
  Reported-by: Gao feng <gaofeng@cn.fujitsu.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6tables: Use consistent exit code for EAGAIN (Kevin Cernekee, 2013-11-03; 1 file, -0/+2)
  As of commit 056564f6a (Add new exit value to indicate concurrency issues), the IPv4 iptables binary returns exit status 4 to indicate that the kernel returned EAGAIN when trying to update a table. But ip6tables still returns exit status 1 under the same circumstances.
  Update ip6tables to bring it in line with iptables behavior.
  Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: spurious error in load_extension (Phil Oester, 2013-11-03; 1 file, -2/+0)
  In commit 927385017047d (iptables: improve error reporting with extension loading troubles), a new error message was added in an attempt to handle the case where a match does not support a particular protocol family. For instance, attempting to use the osf match on IPv6.
  Unfortunately, this error message now triggers when creating a new chain which has the same name as a match extension, because iptables calls xtables_find_target with the name of the new chain to verify it does not clash with an existing target. For example:
      # iptables -N tcp
      /usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol
  I attempted to resolve this by adding a new XTF flag, but that required changes in many different places (including -j handling). It seems easiest just to remove this warning and stick with the original error message of ENOENT, even if less than precise.
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: improve chain name validation (Phil Oester, 2013-11-03; 2 files, -26/+54)
  As pointed out by Andrew Domaszek, iptables allows whitespace to be included in chain names. This causes issues with iptables-restore, and later iptables actions on the chain. Attached patch disallows whitespace, and also consolidates all chain name checking into a new function.
  This closes netfilter bugzilla #855.
  [ Included ip6tables changes as well --pablo ]
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: extensions/GNUMakefile.in use CPPFLAGS (Laurence J. Lane, 2013-09-27; 1 file, -1/+1)
  "All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in doesn't set it."
  http://bugs.debian.org/665286
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_LOG: use generic syslog reference in manpage (Laurence J. Lane, 2013-09-27; 1 file, -4/+2)
  Fedora, ArchLinux, Ubuntu, and Debian, at the least, use alternative syslog daemons by default these days. Let's make the syslog reference generic.
  Reference: http://bugs.debian.org/567564
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks (Phil Oester, 2013-09-27; 1 file, -1/+1)
  As pointed out by Peter Hoelsken, rules created with non-standard masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output with iptables -L in CIDR notation as -1. This is because the cidr variable in xtables_ipmask_to_numeric is unsigned, and the return value of -1 from xtables_ipmask_to_cidr is therefore converted to UINT_MAX. Add a cast to workaround the issue.
  This closes netfilter bugzilla #854.
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_string.man add examples (Laurence J. Lane, 2013-08-24; 1 file, -0/+10)
  Add usage examples for string and hex string patterns.
  References: http://bugs.debian.org/699904
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: libxt_recent.{c,man} dead URL (Laurence J. Lane, 2013-08-24; 2 files, -4/+1)
  Remove it.
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: add software version to manpage first line at configure stage (Pablo Neira Ayuso, 2013-08-22; 5 files, -4/+6)
  This patch adds the software version to the first line of the following manpages:
    * iptables-save.8
    * iptables-restore.8
    * iptables-apply.8
    * iptables-xml.1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: iptables-xml.1 correct man section (Laurence J. Lane, 2013-08-22; 1 file, -1/+1)
  iptables-xml.8 was moved to iptables-xml.1.
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libip(6)t_REJECT.man default icmp types (Laurence J. Lane, 2013-08-22; 2 files, -7/+6)
  The extension man page shows "port-unreach" and "port-unreachable" as default icmpv6 and icmp reject-with types. Either and variations work fine for writing rules, but they are displayed as "icmp6-port-unreachable" and "icmp-port-unreachable". Let's make that consistent.
  http://bugs.debian.org/644819
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_conntrack.man extraneous commas (Laurence J. Lane, 2013-08-22; 1 file, -2/+2)
  The first might work. The second doesn't. (The other corrections in the bug report are already implemented.)
  http://bugs.debian.org/654983
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_hashlimit.man: correct address (Laurence J. Lane, 2013-08-22; 1 file, -1/+1)
  Corrects an example address with subnet mask.
  http://bugs.debian.org/698393
  Signed-off-by: Laurence J. Lane <ljlane@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip[6]tables: fix incorrect alignment in commands_v_options (Pablo Neira Ayuso, 2013-08-14; 2 files, -2/+2)
  CMD_ZERO_NUM is 14, so it has to be defined in position 15 in the commands_v_options array. This does not manifest easily since commands from 9 to 14 have a very similar pattern in such array.
  Based on this patch: http://patchwork.ozlabs.org/patch/188153/
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable-1.4.20' (Pablo Neira Ayuso, 2013-08-08; 1 file, -0/+6)
  To retrieve: iptables: state match incompatibility across versions
  * iptables: state match incompatibility across versions (Phil Oester, 2013-08-08; 1 file, -0/+6)
    As reported in Debian bug #718810 [1], state match rules added in < 1.4.16 iptables versions are incorrectly displayed by >= 1.4.16 iptables versions. Issue bisected to commit 0d701631 (libxt_state: replace as an alias to xt_conntrack).
    Fix this by adding the missing .print and .save functions for state match aliases in the conntrack match.
    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable-1.4.20' (Pablo Neira Ayuso, 2013-08-08; 1 file, -1/+1)
  To retrieve: iptables: correctly reference generated file