| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
| |
When running iptables -nL as non-root user, iptables would loop indefinitely.
With this change, it will fail with
iptables v1.8.3 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
Reported-by: Amish <anon.amish@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Store them next to the mnl_socket pointer. While being at it, add a
comment to mnl_set_rcvbuffer() explaining why the buffer size is
changed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
>From there, pass it along to mnl_nft_socket_sendmsg() and further down
to mnl_set_{snd,rcv}buffer(). This prepares the code path for keeping
stored socket buffer sizes in struct nft_handle.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to delete user-defined chains in a large ruleset,
iptables-nft aborts with "No buffer space available". This can be
reproduced using the following script:
| #! /bin/bash
| iptables-nft-restore <(
|
| echo "*filter"
| for i in $(seq 0 200000);do
| printf ":chain_%06x - [0:0]\n" $i
| done
| for i in $(seq 0 200000);do
| printf -- "-A INPUT -j chain_%06x\n" $i
| printf -- "-A INPUT -j chain_%06x\n" $i
| done
| echo COMMIT
|
| )
| iptables-nft -X
The problem seems to be the sheer amount of netlink error messages sent
back to user space (one EBUSY for each chain). To solve this, set
receive buffer size depending on number of commands sent to kernel.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This converts the iptables-test.py file to run on both python2 and
python3. The error regarding out.find() has been fixed by using method
.encode('utf-8') in its argument.
Signed-off-by: Shekhar Sharma <shekhar250198@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The --suppl-groups option causes GIDs specified with --gid-owner to be
also checked in the supplementary groups of a process.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid referring to wrong or even non-existent commands:
* When calling xtables_restore_main(), pass the actual program name
taken from argv[0].
* Use 'prog_name' in unknown parameter and help output instead of
'xtables-restore' which probably doesn't exist.
* While being at it, fix false whitespace in help text.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The IPTABLES_VERSION C macro replicates the PACKAGE_VERSION C macro
(both have the same definition, "@PACKAGE_VERSION@"). Since
IPTABLES_VERSION, being located in internal.h, is not exposed to
downstream users in any way, it can just be replaced by
PACKAGE_VERSION, which saves a configure-time file substitution.
This goes towards eliminating unnecessary rebuilds after rerunning
./configure.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Despite the presence of --no-as-needed, the libiptc.so library as
produced inside the openSUSE Build Service has no links to
libip4tc.so or libip6tc.so. I have not looked into why --no-as-needed
is ignored in this instance, but likewise, the situation must have
been like that ever since openSUSE made as-needed a distro-wide
default (gcc 4.8 timeframe or so).
Since I am not aware of any problem reports within SUSE/openSUSE
about this whole situation, it seems safe to assume no one in the
larger scope is still using a bare "-liptc" on the linker command
line and that all parties have moved on to using pkg-config.
Therefore, libiptc.la/so is hereby removed, as are all parts
related to the -Wl,--no-as-needed flag.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Bump version dependency on libnftnl since this needs new
nftnl_chain_rule_*() functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This reverts commit 4b187eeed49dc507d38438affabe90d36847412d.
Having the testsuites available in release tarball is helpful for
SRPM-based CI at least. The other two suites are included already, so
it's actually 2:1 keep or drop.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Last change in 2010, version number hardcoded - strong evidence this
script is not used anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Otherwise, mnl_set_sndbuffer() skips the buffer update after socket
restart. Then, sendmsg() fails with EMSGSIZE later on when sending the
batch to the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Patch ab1cd3b510fa ("nft: ensure cache consistency") already handles
consistency via generation ID.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We need to re-evalute based on the existing cache generation.
Fixes: 58d7de0181f6 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
I don't find a scenario that trigger this case.
Fixes: 58d7de0181f6 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The commit this fixes added a new parameter to __nft_rule_flush() to
mark a rule flush job as implicit or not. Yet the code added to that
function ignores the parameter and instead always sets batch job's
'implicit' flag to 1.
Fixes: 77e6a93d5c9dc ("xtables: add and set "implict" flag on transaction objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Phil Sutter says:
"The problem is that data in h->obj_list potentially sits in cache, too.
At least rules have to be there so insert with index works correctly. If
the cache is flushed before regenerating the batch, use-after-free
occurs which crashes the program."
This patch keeps around the original cache until we have refreshed the
batch.
Fixes: 862818ac3a0de ("xtables: add and use nft_build_cache")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Check for generation ID before and after fetching the cache to ensure
consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
nft_table_find() uses the table list cache to look up for existing
tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This new function takes a struct nft_cache as parameter.
This patch also introduces __nft_table_builtin_find() which is required
to look up for built-in tables without the nft_handle structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add new structure that encloses the cache and update the code to use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Instead of xtables-translate. Remove old reference to xtables-compat.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two issues fixed:
* XTABLES_LIBDIR was set wrong (CWD is not topdir but tests/). Drop the
export altogether, the testscript does this already.
* $LINES is a variable set by bash, so initial dump sanity check failed
all the time complaining about a spurious initial dump line count. Use
$LINES1 instead.
Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
If batch_rule_add() fails, this function leaked the rule iterator
object.
Fixes: 4c54c892443c2 ("xtables: Catch errors when zeroing rule rounters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
SYN packets do not require taking the listener socket lock anymore
as of 4.4 kernel, i.e. this target should not be needed anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Bail out if we go over the boundary, based on patch from Sebastian.
Reported-by: Sebastian Neef <contact@0day.work>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xtables-nft-restore ignores -w, check that we don't add
duplicate rules when parallel restores happen.
With a slightly older iptables-nft version this ususally fails with:
I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
iptables-restore v1.8.2 (nf_tables):
line 5: CHAIN_USER_ADD failed (File exists): chain UC-0
line 6: CHAIN_USER_ADD failed (File exists): chain UC-1
W: [FAILED] ipt-restore/0004-restore-race_0: expected 0 but got 4
or
I: [EXECUTING] iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
iptables-restore v1.8.2 (nf_tables):
line 1: TABLE_FLUSH failed (No such file or directory): table filter
or
/tmp/tmp.SItN4URxxF /tmp/tmp.P1y4LIxhTl differ: byte 7159, line 137
As the legacy version should not have such race (due to nature
of full-table-replace), only do one iteration for legacy case.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently race when several xtables-nft-restore processes attempt to
handle rules in parallel. For instance, when no rules are present at
all, then
iptables-nft-restore < X & iptables-nft-restore < X
... can cause rules to be restored twice.
Reason is that both processes might detect 'no rules exist', so
neither issues a flush operation.
We can't unconditionally issue the flush, because it would
cause kernel to fail with -ENOENT unless the to-be-flushed table
exists.
This change passes the generation id that was used to build
the transaction to the kernel.
In case another process changed *any* rule somewhere, the transaction
will now fail with -ERESTART.
We then flush the cache, re-fetch the ruleset and refresh
our transaction.
For example, in the above 'parallel restore' case, the iptables-restore
instance that lost the race would detect that the table has been created
already, and would add the needed flush.
In a similar vein, in case --noflush is used, we will add the flush
op for user-defined chains that were created in the mean-time.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Its used to flag the rule flushes that get added in user-defined-chains
that get redefined with --noflush.
IOW, those objects that are added not by explicit instruction but
to keep semantics.
With --noflush, iptables-legacy-restore will behave as if
-F USERCHAIN was given, in case USERCHAIN exists and USERCHAIN gets
redefined, i.e.:
iptables-save v1.8.2 on Thu Apr 18 17:11:05 2019
*filter
:USERCHAIN - [0:0]
COMMIT
... will remove all existing rules from USERCHAIN.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Will be used with the "generation id" infrastructure.
When we're told that the commit failed because someone else made
changes, we can use this to re-initialize the cache and then
revalidate the transaction list (e.g. to detect that we now have
to flush the user-defined chain 'foo' that we wanted to create, but
was added just now by someone else).
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This will be used to skip transaction objects when committing to
kernel. This is needed for example when we restore a table that
doesn't exist yet. In such a case we would already build a flush
operation so we can just enable it when we hit problem with the
generation id and we find that the table/chain was already created
in the mean time.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The idea here is to move the 'flush' decision into the core, rather than
have the decision in the frontend.
This will be required later when "generation id" is passed to kernel.
In this case, we might have to add the flush when re-trying the
transaction.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The script fails on systems where sh is not bash.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Sam Banks <sam.banks.nz@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes a IPv4 only build, where this file would have references to
functions that aren't built in this case. I'm not sure how it ends up
with ENABLE_IPV6 defined without the config.h include, but since this
was clearly missing and fixed my issue, I didn't bother tracking down
the chain.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Using '-t' parameter in iptables-save might lead to kernel module
loading, just like with iptables itself. Copy the hint from iptables.8
to inform users.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fake shared objects which are actually symlinks to others are installed
using 'install' tool which follows them and therefore installs a copy of
the file they point at. Fix this by introducing special handling for
them in install target.
Reported-by: Wenle Chen <solachenclever@hotmail.com>
Fixes: 269655d54e22f ("build: remove symlink-only extensions from static object list")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This obviously doesn't belong there.
Fixes: be70918eab26e ("xtables: rename xt-multi binaries to -nft, -legacy")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change content to match nft-variant, most notably:
* There is no broute table, drop all references to it
* Comment out description of among and string matches, we don't support
them (yet)
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This is a 1:1 copy from legacy ebtables repository.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change content to suit the shipped nft-based variant. Most relevant
changes:
* FORWARD chain is not supported
* arptables-nft-save supports a few parameters
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
These are 1:1 copies from legacy arptables repository.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If connlabel.conf was not found, fall back to manually parsing arguments
as plain numbers.
If nfct_labelmap_new() has failed, nfct_labelmap_get_name() segfaults.
Therefore make sure it is not called in connlabel_get_name() if that's
the case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Given that it is fixed now, make it stay.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This was broken since day 1: vproto option was printed as 'proto' which
in turn iptables wouldn't accept anymore.
Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
