Commit message | Author | Age | Files | Lines
* Alignment problem between 64bit kernel 32bit userspace | Jozsef Kadlecsik | 2014-11-06 | 3 | -10/+207
|   Sven-Haegar Koch reported the issue:
|
|   sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
|   iptables: Invalid argument. Run `dmesg' for more information.
|
|   In syslog:
|
|   x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
|
|   which was introduced by the counter extension in ipset. The patch fixes the
|   alignment issue by introducing a new set match revision with the fixed
|   underlying 'struct ip_set_counter_match' structure.
|
|   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Merge branch 'ipset' | Pablo Neira Ayuso | 2014-11-05 | 4 | -5/+229
|\
| |   This provides the ipset skbinfo extension.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * xtables: SET target: Add mapping of meta informations (skbinfo ipset extension) | Anton Danilov | 2014-09-14 | 4 | -5/+229
| |   This feature adds support for mapping meta information to packets, like
| |   nftables maps or ipfw tables. Currently we can map firewall mark, tc
| |   priority and hardware NIC queue. Usage of this functionality is allowed
| |   only from the mangle table. We can map tc priority only in
| |   OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the route
| |   decision. If the entry doesn't exist in the set, none of the fields are
| |   changed.
| |
| |   Example of classifying by destination address:
| |
| |   iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio
| |
| |   Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
| |   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* | extensions: devgroup: fix showing and saving of dst-group | Ana Rey | 2014-11-04 | 1 | -1/+1
| |   Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=985
| |
| |   The --dst-group parameter in the devgroup extension lists and saves its
| |   value incorrectly. --dst-group always shows "0x0/0x0". This is an example:
| |
| |   # iptables -I FORWARD -m devgroup --dst-group 200 -j ACCEPT
| |   # iptables -L FORWARD
| |   Chain FORWARD (policy ACCEPT)
| |   target     prot opt source               destination
| |   ACCEPT     all  --  anywhere             anywhere             src-group 0x64 dst-group 0x0/0x0
| |   # iptables -S FORWARD
| |   -P FORWARD ACCEPT
| |   -A FORWARD -m devgroup --dst-group 0x0/0x0 -j ACCEPT
| |
| |   Reported-by: Axinchan <axinchan@cnrouter.com>
| |   Signed-off-by: Ana Rey <anarey@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: homogenize error messages | Ana Rey | 2014-10-30 | 1 | -0/+4
| |   There are some differences between error messages in iptables and
| |   iptables-compat:
| |
| |   # iptables -C INPUT -s 192.168.2.102 -j ACCEPT
| |   iptables: Bad rule (does a matching rule exist in that chain?).
| |   # iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
| |   iptables: No chain/target/match by that name.
| |
| |   # iptables -N new_chain
| |   # iptables -N new_chain
| |   iptables: Chain already exists.
| |   # iptables-compat -N new_chain
| |   # iptables-compat -N new_chain
| |   iptables: File exists.
| |
| |   Now, iptables-compat shows the same error messages as iptables in those
| |   cases.
| |
| |   Signed-off-by: Ana Rey <anarey@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: move some code to avoid cautions in vfork man page | Dan Wilder | 2014-10-25 | 1 | -10/+6
| |   Running iptables-restore on an embedded platform containing no modprobe
| |   program, the following lines in xtables.c lead to a corrupted stack frame:
| |
| |   357         switch (vfork()) {
| |   358         case 0:
| |   359                 argv[0] = (char *)modprobe;
| |   360                 argv[1] = (char *)modname;
| |   361                 if (quiet) {
| |   362                         argv[2] = "-q";
| |   363                         argv[3] = NULL;
| |   364                 } else {
| |   365                         argv[2] = NULL;
| |   366                         argv[3] = NULL;
| |   367                 }
| |   368                 execv(argv[0], argv);
| |   369
| |   370                 /* not usually reached */
| |   371                 exit(1);
| |
| |   modprobe pointed to a non-existent program /sbin/modprobe, so execv()
| |   always failed. Not a problem in itself on our platform, as the kernel
| |   modules are pre-loaded before iptables-restore is run, but it took a bit
| |   of headscratching to track this down, as a stack frame was corrupted,
| |   leading to failures quite a while after the function containing this code
| |   had returned!
| |
| |   Relevant caution in man 2 vfork:
| |
| |   "The vfork() function has the same effect as fork(2), except that the
| |   behavior is undefined if the process created by vfork() either modifies
| |   any data ... or calls any other function before successfully calling
| |   _exit(2) or one of the exec(3) family of functions."
| |
| |   Apparently this has not been a problem for us in earlier versions of
| |   glibc, maybe because vfork was more like fork, maybe because the stack
| |   corruption was innocuous.
| |
| |   Ours is a corner case anyway, as it might not have been a problem had
| |   modprobe existed or had modprobe been a symlink to /bin/true. But it seems
| |   odd to disregard man page cautions, and our problem goes away if they are
| |   heeded.
| |
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
* | iptables-compat: fix empty chains after first invocation of iptables-compat -L | Pablo Neira Ayuso | 2014-10-24 | 1 | -1/+7
| |   # iptables-compat -L
| |   # iptables-compat -L
| |   Chain INPUT (policy ACCEPT)
| |   target     prot opt source               destination
| |
| |   Chain FORWARD (policy ACCEPT)
| |   target     prot opt source               destination
| |
| |   Chain OUTPUT (policy ACCEPT)
| |   target     prot opt source               destination
| |
| |   Note that the second (and follow up) invocations after the first one
| |   display the chains.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains | Pablo Neira Ayuso | 2014-10-24 | 1 | -22/+13
| |   Newly created (emulated) xt built-in chains have to use NF_ACCEPT. Remove
| |   the extra unused chain parameter and rename nft_chain_builtin_init to
| |   nft_xt_builtin_init too.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: statify unused built-in table/chain functions | Pablo Neira Ayuso | 2014-10-24 | 2 | -13/+8
| |   The functions that allow you to create built-in tables and chains are not
| |   required outside the scope of nft.c.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: fix chain policy reset with iptables -L -n | Pablo Neira Ayuso | 2014-10-24 | 1 | -3/+11
| |   Initialize built-in tables/chains if they don't exist, otherwise simply
| |   skip. This avoids the chain policy being reset to NF_ACCEPT when you call
| |   iptables -L -n.
| |
| |   Reported-by: Ana Rey <anarey@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |   Tested-by: Ana Rey <anarey@gmail.com>
* | nft-ipv46: replace offset var with ctx->payload.offset | Giuseppe Longo | 2014-10-18 | 2 | -2/+2
| |   The offset variable (undefined) is passed to the DEBUGP function, so you
| |   get a compilation error if you try to build iptables with debug enabled.
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft: fix syntax error in nft_parse_cmp() | Giuseppe Longo | 2014-10-18 | 1 | -1/+1
| |   This fixes a syntax error: remove the stray ';' in an if statement.
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | refresh nf_tables.h cached copy | Pablo Neira Ayuso | 2014-10-09 | 1 | -1/+76
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | arptables-compat: remove save code | Pablo Neira Ayuso | 2014-10-09 | 1 | -29/+2
| |   There is no native arptables-save. The original author provides perl
| |   scripts to implement arptables-save and arptables-restore. We should use
| |   them to mimic arptables behaviour.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | arptables-compat: get output in sync with arptables -L -n --line-numbers | Pablo Neira Ayuso | 2014-10-09 | 6 | -46/+94
| |   # arptables-compat -L -n --line-numbers
| |   Chain INPUT (policy ACCEPT)
| |   num target prot opt source destination    <-- This header is not shown by arptables.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | arptables-compat: allow to not specify a target | Pablo Neira Ayuso | 2014-10-09 | 6 | -230/+163
| |   arptables allows this:
| |
| |   # arptables -I INPUT
| |
| |   however, arptables-compat says:
| |
| |   arptables v1.4.21: No target provided or initalization failed
| |   Try `arptables -h' or 'arptables --help' for more information.
| |
| |   the compat utility must mimic the same behaviour. Fix this by introducing
| |   the arptables_command_state abstraction that is already available in
| |   ip{6}tables.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | arptables-compat: fix missing error reporting | Pablo Neira Ayuso | 2014-10-09 | 1 | -0/+5
| |   # arptables-compat -D INPUT -j ACCEPT
| |   arptables: Bad rule (does a matching rule exist in that chain?)
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: nft: fix error reporting | Pablo Neira Ayuso | 2014-10-09 | 1 | -16/+6
| |   This fixes
| |
| |   # iptables-compat -X test4345
| |   iptables: No chain/target/match by that name.
| |
| |   # iptables-compat -N test4345
| |   # iptables-compat -N test4345
| |   iptables: File exists.
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-compat: nft: fix user chain addition, deletion and rename | Pablo Neira Ayuso | 2014-10-09 | 1 | -27/+60
| |   Add the glue code to use the chain batching for user chain commands.
| |
| |   Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge branch 'tests' | Pablo Neira Ayuso | 2014-10-01 | 61 | -1/+1037
|\ \
| | |   This merges the iptables-test.py script and the corresponding test files.
| * | build: don't include tests in released tarball | Pablo Neira Ayuso | 2013-12-04 | 1 | -1/+1
| | |   Do not include all our .t test files in releases. Skip the
| | |   iptables-tests.py script as well.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_MARK: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+7
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_owner: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+12
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_DNAT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+8
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_SNAT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+8
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_TEE: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+4
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_physdev: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+14
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_iprange: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+11
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_quota: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+10
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_cpu: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_dscp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+10
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_REJECT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+9
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_multiport: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+23
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_ULOG: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+19
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_conntrack: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+27
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_limit: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+6
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_eui64: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+8
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_DSCP: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+11
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_TOS: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+16
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_TRACE: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+3
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_ECN: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+5
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_standard: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+4
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_MASQUERADE: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+8
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_NOTRACK: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+4
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_sctp: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+32
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_REJECT: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+9
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_mark: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+7
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_nfacct: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+10
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_rateest: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+16
| | |   based on tests/options-most.rules
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_string: add unit test | Pablo Neira Ayuso | 2013-10-07 | 1 | -0/+18
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>