| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, each table's chain cache was potentially unallocated until
nftnl_chain_list_cb() saw a chain for it. This means such callback had to
check the chain_cache pointer for each chain belonging to that table.
In addition to the above, nft_chain_list_get() had to cover for the
possibility that a given table didn't have any chains at all in kernel,
so check requested table's chain cache once more and allocate it if
NULL.
Instead, simply iterate over all tables and preallocate their chain
caches prior to requesting the chain list from kernel. The only caveat
is to flush the chain cache completely before retrying in case of EINTR.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of doing all in one go, make two separate decisions:
1) If table has no chain cache, either continue or return depending on
whether we're flushing for a specific table.
2) With chain cache present, flushing strategy once more depends on
whether we're flushing for a specific table: If given, just remove
all rules and return. If not, free the cache and set to NULL (so that
it will be repopulated later), then continue the loop.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The function does not use passed struct nftnl_rule_list, so remove it
from its parameters.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Call to nft_table_builtin_find() in nft_is_table_compatible() is not
needed, as it is repeated in the latter call to nft_chain_list_get()
by nft_are_chains_compatible().
- Turn nft_is_chain_compatible(), nft_is_rule_compatible() and
nft_is_expr_compatible() into callbacks for use with respective
foreach functions.
- nft_are_chains_compatible() is not needed anymore due to foreach
function use.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is no need to "delete" (actually, remove from cache) a chain if
noflush wasn't given: While handling the corresponding table line,
'table_flush' callback has already taken care of that.
This .chain_del indirection is not required since d1eb4d587297
("iptables-compat: chains are purge out already from table flush").
Streamlining the code further, move syntax checks to the top. If these
concede, there are three cases to distinguish:
A) Given chain name matches a builtin one in current table, so assume it
exists already and just set policy and counters.
B) Noflush was given and the (custom) chain exists already, flush it.
C) Custom chain was either flushed (noflush not given) or didn't exist
before, create it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
When converting to per table chain caches, these two error returns were
marked for review but apparently forgotten. Make sure error condition is
propagated when returning at those points.
Fixes: c58ecf9f8bcb7 ("xtables: Introduce per table chain caches")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Since there are per table chain caches, The chain list passed to that
function is comprised of chains belonging to the right table only.
Therefore the table name check can safely be skipped.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With iptables-nft, logging of trace events is different from legacy.
Explain why and hint at how to receive events in this case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
introduced a kernel/user headers conflict workaround that allows build
of iptables with kernel headers older than 4.2. This minor extension
allows build with kernel headers older than 3.12, which is the version
that introduced explicit IP headers synchronization.
Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2")
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Older versions of iptables allowed for negative realm values by accident
(they would be cast to unsigned). While this was clearly a bug, document
the fixed behaviour.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem with converting libxt_comment into nftables comment is that
rules change when parsing from kernel due to comment match being moved
to the end of the match list. And since match ordering matters, the rule
may not be found anymore when checking or deleting. Apart from that,
iptables-nft didn't support multiple comments per rule anymore. This is
a compatibility issue without technical reason.
Leave conversion from nftables comment to libxt_comment in place so we
don't break running systems during an update.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When e.g. ebtables-nft detects an incompatible table, a stray '.' was
printed as last line of output:
| # ebtables-nft -L
| table `filter' is incompatible, use 'nft' tool.
| .
This comes from ebtables' own exit_err callback. Instead use the common
one which also provides useful version information.
While being at it, align the final error message in xtables_eb_main()
with how the others print it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Relevant code for this was already present (short option '-c'), just the
long option definition was missing.
While being at it, add '-c' to help text.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
libip6t_mh.txlate: Fail
src: ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
exp: nft add rule ip6 filter INPUT meta l4proto 135 mh type 1 counter accept
res: nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
no more external callers.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
way too generic name.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
These definitions should be const, propagate this to all existing users.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Move this to the structure that stores, stateful information. Introduce
nft_table_initialized() and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Place this back into the structure that stores the state information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use enum nft_table_type to set the new type field in the structure that
define tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708
("xtables: merge {ip,arp}tables_command_state structs") arptables
uses the shared representation.
With only minor changes (e.g., use generic counters in command_state),
in print/save functions we can use the shared nftnl expression parser
too.
arptables-legacy prints (-L) the jump target first, i.e.:
-j MARK -d 0.0.0.0/8 --h-length 6 ...
... so keep that here too.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 7c8791edac3 ("xtables-monitor: fix build with older glibc")
changed the code to use GNU style tcphdr fields. Unfortunately, musl
libc requires _GNU_SOURCE definition to expose these fields.
Fix the following build failure:
xtables-monitor.c: In function ‘trace_print_packet’:
xtables-monitor.c:406:43: error: ‘const struct tcphdr’ has no member named ‘source’
printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
^~
xtables-monitor.c:406:64: error: ‘const struct tcphdr’ has no member named ‘dest’
printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
^~
...
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 672accf1530 (include: update kernel netfilter header files)
updated linux/netfilter.h and brought with it the update from kernel
commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
from netns headers). This triggers conflict of headers that is fixed in
kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
netinet/in.h) included in kernel version 4.2. For earlier kernel headers
we need a workaround that prevents the headers conflict.
Fixes the following build failure:
In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
from ../include/libiptc/ipt_kernel_headers.h:8,
from ../include/libiptc/libiptc.h:6,
from libip4tc.c:29:
.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
IPPROTO_IP = 0, /* Dummy protocol for TCP */
^
.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
IPPROTO_IP = 0, /* Dummy protocol for TCP. */
^~~~~~~~~~
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Being able to omit the previously obligatory table name check when
iterating over the chain cache might help restore performance with large
rulesets in xtables-save and -restore.
There is one subtle quirk in the code: flush_chain_cache() did free the
global chain cache if not called with a table name but didn't if a table
name was given even if it emptied the chain cache. In other places,
chain_cache being non-NULL prevented a cache update from happening, so
this patch establishes the same behaviour (for each individual chain
cache) since otherwise unexpected cache updates lead to weird problems.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc older than 2.19 only expose BSD style fields of struct tcphdr when
_BSD_SOURCE is define. Current glibc however, warn that _BSD_SOURCE is
deprecated. Migrate to the GNU style of tcphdr fields to make the code
compatible with any glibc version.
Fix the following build failure:
xtables-monitor.c: In function 'trace_print_packet':
xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named 'th_sport'
printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
^
xtables-monitor.c:406:66: error: 'const struct tcphdr' has no member named 'th_dport'
printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
^
...
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
introduced support for gcc feature to check format string against passed
argument. This commit adds missing bits to extenstions's libipt_icmp.c
and libip6t_icmp6.c that were causing build to fail.
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Build with musl libc fails because of conflicting struct ethhdr
definitions:
In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
from ../iptables/nft-bridge.h:8,
from libebt_vlan.c:18:
.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
struct ethhdr {
^~~~~~
In file included from libebt_vlan.c:16:0:
.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
struct ethhdr {
^~~~~~
Include the userspace header first for the definition suppression logic
to do the right thing.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Both implementations were very similar already. Differences were mostly
in which libiptc functions were called. Therefore introduce struct
iptables_save_cb to point to the right functions for each variant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Introduce struct iptables_restore_cb and merge ip6tables-restore with
iptables-restore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Add a few more callbacks used by iptables-save.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
this release also adds xtables_print_mac* functions to libxtables, so
current and age are incremented again.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows gcc to check format string vs. passed arguments.
Fix the fallout from this as well, typical warning produced is:
libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=]
xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ...
~^ ~~~~~~~~~~
so add the required casts or fixup format strings as needed.
libxt_conntrack also passed an unneeded argument (port), so remove that.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Doesn't affect iptables-xlate, but nft (when built w. xtables support).
Without this, nft can print random content if an extension doesn't
add anything to the output xlate buffer, e.g.
-p mh -m mh
can cause nft to print random data after "meta l4proto mobility",
as mh ->xlate doesn't do anything in this case.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
forgot to squash this before pushing arptables fixes.
Fixes: 5aecb2d8bfd ("arptables: pre-init hlen and ethertype")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
old: arptables vlibxtables.so.12 (nf_tables)
now: arptables 1.8.1 (nf_tables)
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
You can run 'arptables-legacy -t foobar' and commands work fine,
as it still operates on filter table (the only table that exists).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like
broken output, however, arptables classic did not pretty-print either.
Also add test cases for all targets supported by the original
arptables tool:
-j CLASSIFY
-j MARK
-j mangle
[ yes, mangle target is lower-case 8-( ]
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:
base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)
In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the correct location, but we cannot
do this in nf_tables, at least not at this time (we need a fixed offset
value).
code does:
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...
but if user did not provide "--h-length 6" argument, then this won't
work even for ethernet, as the payload expression will be told to load
the first 4 bytes of arp header source mac address (sender hw address).
Fix this by pre-initialising arhlen to 6.
We also need to set up arhrd. Otherwise, src/dst mac can't be used:
arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT
This means that matching won't work for AX25, NETROM etc, however,
arptables "classic" can't parse non-ethernet addresses, and makes
ETH_ALEN assumptions in several spots, so this should be fine from
compatibility point of view.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
1. check both address and mask, not just first byte of mac
2. use add_addr() for this so mask is also handled via bitwise expr.
3. use the correct offsets.
4. add dissector so we can reverse translate the payload expressions
generated for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--dst-ip checks the first four octets of the target mac.
Format of ipv4 arp is:
arphdr (htype, ptype...)
src mac
src ip
target mac
target ip
So we need to add hlen (6 bytes) a second time
(arphdr + 6 + 4 + 6) to get correct offset.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
also handle negations in other cases.
Still to be resolved: mask handling for other options such as hlen.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
arptables -D fails most of the time, as we compared
source mask with target mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This isn't a missing feature in the -nft version,
neither plen and -m were ever implemented in arptables-legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
arptables classic doesn't have arptables-save, it only has a perl
script that attempts to emulate iptables-save. It supports no options,
and thus has no way to dump counters. Add -c option, like iptables to
enable this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
arptables-save will show
-A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff
as
--h-length 6 --h-type Ethernet -j MARK MARK set 0x1
Because it uses ->print() instead of ->save().
Switch it to use ->save, we can then also drop special handling of
CLASSIFY target.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
If the chain to rename wasn't found, the function would return -1 which
got interpreted as success.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Trying to delete a rule by index from a non-existent chain leads to a
somewhat confusing error message:
| # iptables-nft -D foobar 1
| iptables: Index of deletion too big.
Fix this by performing chain existence checks for CMD_DELETE_NUM, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
