summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * | extensions: libxt_NOTRACK: add unit testPablo Neira Ayuso2013-10-071-0/+4
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_sctp: add unit testPablo Neira Ayuso2013-10-071-0/+32
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_REJECT: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_mark: add unit testPablo Neira Ayuso2013-10-071-0/+7
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_nfacct: add unit testPablo Neira Ayuso2013-10-071-0/+10
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_rateest: add unit testPablo Neira Ayuso2013-10-071-0/+16
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_string: add unit testPablo Neira Ayuso2013-10-071-0/+18
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_state: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CT: add unit testPablo Neira Ayuso2013-10-071-0/+20
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_pkttype: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_ttl.t: add unit testPablo Neira Ayuso2013-10-071-0/+15
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_NFQUEUE: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_icmp: add unit testPablo Neira Ayuso2013-10-071-0/+15
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_helper: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_esp: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_dccp: add unit testPablo Neira Ayuso2013-10-071-0/+30
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_NFLOG: add unit testPablo Neira Ayuso2013-10-071-0/+19
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_tos: add unit testPablo Neira Ayuso2013-10-071-0/+13
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_tcp: add unit testPablo Neira Ayuso2013-10-071-0/+26
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_udp: add unit testPablo Neira Ayuso2013-10-071-0/+22
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_length: add unit testPablo Neira Ayuso2013-10-071-0/+10
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_time: add unit testPablo Neira Ayuso2013-10-071-0/+4
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_hashlimit: add unit testPablo Neira Ayuso2013-10-071-0/+26
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CONNMARK: add unit testPablo Neira Ayuso2013-10-071-0/+7
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connmark: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connlimit: add unit testPablo Neira Ayuso2013-10-071-0/+16
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connbytes: add unit testPablo Neira Ayuso2013-10-071-0/+21
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CLASSIFY: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CHECKSUM: add unit testPablo Neira Ayuso2013-10-071-0/+4
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_AUDIT: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_comment: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_cluster: add unit testPablo Neira Ayuso2013-10-071-0/+10
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_LOG: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_addrtype: add unit testPablo Neira Ayuso2013-10-071-0/+17
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_LOG: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_ah: add unit testPablo Neira Ayuso2013-10-071-0/+14
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_ah: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | add iptables unit test infrastructurePablo Neira Ayuso2013-10-071-0/+311
| | | | | | | | | | | | | | | | | | This patch adds a python script to verify unit test cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | iptables-compat: get rid of error reporting via perrorPablo Neira Ayuso2014-09-303-85/+35
| | | | | | | | | | | | | | | | | | The compat layer should report problems in the iptables way instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | iptables-compat: fix use after free in the batch send pathPablo Neira Ayuso2014-09-301-8/+19
| | | | | | | | | | | | | | | | | | Release the batch pages once they have been sent via sendmsg(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnlPablo Neira Ayuso2014-09-301-21/+5
| | | | | | | | | | | | | | | | | | Use the existing functions in libnftnl to begin and end a batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | iptables-compat: fix address prefixPablo Neira Ayuso2014-09-305-111/+196
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes: # iptables-compat -I INPUT -s 1.2.3.0/24 generates this bytecode: ip filter INPUT 20 [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x00030201 ] [ counter pkts 0 bytes 0 ] and it displays: # iptables-compat-save ... -A INPUT -s 1.2.3.0/24 ip6tables-compat and arptables-compat are also fixed. This patch uses the new context structure to annotate payload, meta and bitwise, so it interprets the cmp expression based on the context. This provides a rudimentary way to delinearize the iptables-compat rule-set, but it should be enough for the built-in xtables selectors since we still use the xtables extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: libxt_devgroup: Fix the path of the group mappings fileAna Rey2014-09-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Use "/etc/iproute2/group" as the default path to the mapping file instead of "/etc/iproute2/group_map". Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: libxt_connlabel: do not open config file from _init hookFlorian Westphal2014-09-051-7/+20
| | | | | | | | | | | | | | | | | | | | | | | | else, static builds will print this for every iptables invocation, even 'iptables -L'. Delay open until we need to translate a mapping. Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* | | libxtables: fix two off-by-one memory corruption bugsRonald Wahl2014-09-051-2/+3
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The LSB of xtables_pending_matches was overwritten with zero that lead to segmentation fault. But simply adding an additional variable in the code or changing compilation options modified the behaviour so that no segmentation fault happens so it is rather subtle. (1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); In case of bits % 8 == 0 we write the byte behind *p (2) p[bits/8] = 0xff << (8 - (bits & 7)); In case of bits == 128 we write the byte behind *p Closes bug 943. Signed-off-by: Florian Westphal <fw@strlen.de>
* | nft: add nft_xt_ctx structGiuseppe Longo2014-08-243-50/+69
| | | | | | | | | | | | | | | | This patch provides the context used to transfer information between different nft_parse_* function calls. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft: compare layer 4 protocol in first placeGiuseppe Longo2014-08-242-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the protocol is tested after the ip address, this fixes the order testing the protocol before the ip address. Now the code generated is incorrect: ip filter INPUT 16 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] With this patch, the code generated is: ip filter INPUT 16 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft-arp: remove wrong conditionsGiuseppe Longo2014-08-111-6/+0
| | | | | | | | | | | | | | | | | | | | | | Removes wrong conditions in flags translating functions that doesn't permit to delete rule with inverse flags set. For instance, the following command doesn't remove the rule: arptables-compat -D INPUT -i ! eth1 -j ACCEPT Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | include: add linux/filter.hWillem de Bruijn2014-07-301-0/+139
| | | | | | | | | | | | | | | | xt_bpf.h includes linux/filter.h for the definition of sock_filter. add that file to the repository Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: add optional [seconds] argument to -wJiri Popelka2014-07-256-22/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds an optional numeric argument to -w option (added with 93587a0) so one can specify how long to wait for an exclusive lock. If the value isn't specified it works as before, i.e. program waits indefinitely. If user specifies it, program exits after the given time interval passes. This patch also adds the -w/--wait to nftables compat code, so the parser doesn't complain. [ In the original patch, iptables-compat -w X was not working, I have fixed by adding the dummy code not to break scripts using the new optional argument --pablo ] Signed-off-by: Jiri Popelka <jpopelka@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>