Commit message | Author | Date | Files | Lines
* xtables: make all nft_parse_ helpers static | Florian Westphal | 2018-11-19 | 2 files | -16/+8

    no more external callers.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: rename opcodes to arp_opcodes | Florian Westphal | 2018-11-19 | 3 files | -5/+5

    way too generic name.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: constify struct builtin_table and struct builtin_chain | Pablo Neira Ayuso | 2018-11-19 | 5 files | -32/+32

    These definitions should be const, propagate this to all existing users.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: move initialize to struct nft_handle | Pablo Neira Ayuso | 2018-11-19 | 2 files | -5/+11

    Move this to the structure that stores stateful information.
    Introduce nft_table_initialized() and use it.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: move chain_cache back to struct nft_handle | Pablo Neira Ayuso | 2018-11-19 | 2 files | -14/+16

    Place this back into the structure that stores the state information.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: add type field to builtin_table | Pablo Neira Ayuso | 2018-11-19 | 2 files | -0/+9

    Use enum nft_table_type to set the new type field in the structure that
    defines tables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* arptables-nft: use generic expression parsing function | Florian Westphal | 2018-11-18 | 2 files | -84/+12

    since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708 ("xtables: merge
    {ip,arp}tables_command_state structs") arptables uses the shared
    representation.

    With only minor changes (e.g., use generic counters in command_state),
    in print/save functions we can use the shared nftnl expression parser too.

    arptables-legacy prints (-L) the jump target first, i.e.:

    -j MARK -d 0.0.0.0/8 --h-length 6 ...
    ...

    so keep that here too.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables-monitor: fix build with musl libc | Baruch Siach | 2018-11-17 | 1 file | -0/+1

    Commit 7c8791edac3 ("xtables-monitor: fix build with older glibc")
    changed the code to use GNU style tcphdr fields. Unfortunately, musl
    libc requires _GNU_SOURCE definition to expose these fields.

    Fix the following build failure:

    xtables-monitor.c: In function ‘trace_print_packet’:
    xtables-monitor.c:406:43: error: ‘const struct tcphdr’ has no member named ‘source’
      printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
                                               ^~
    xtables-monitor.c:406:64: error: ‘const struct tcphdr’ has no member named ‘dest’
      printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
                                                                    ^~
    ...

    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* include: fix build with kernel headers before 4.2 | Baruch Siach | 2018-11-17 | 1 file | -0/+2

    Commit 672accf1530 (include: update kernel netfilter header files)
    updated linux/netfilter.h and brought with it the update from kernel
    commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
    from netns headers). This triggers conflict of headers that is fixed in
    kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
    netinet/in.h) included in kernel version 4.2. For earlier kernel headers
    we need a workaround that prevents the headers conflict.

    Fixes the following build failure:

    In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
                     from ../include/libiptc/ipt_kernel_headers.h:8,
                     from ../include/libiptc/libiptc.h:6,
                     from libip4tc.c:29:
    .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
       IPPROTO_IP = 0,               /* Dummy protocol for TCP */
       ^
    .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
         IPPROTO_IP = 0,       /* Dummy protocol for TCP. */
         ^~~~~~~~~~

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: Introduce per table chain caches | Phil Sutter | 2018-11-17 | 5 files | -106/+95

    Being able to omit the previously obligatory table name check when
    iterating over the chain cache might help restore performance with large
    rulesets in xtables-save and -restore.

    There is one subtle quirk in the code: flush_chain_cache() did free the
    global chain cache if not called with a table name but didn't if a table
    name was given even if it emptied the chain cache. In other places,
    chain_cache being non-NULL prevented a cache update from happening, so
    this patch establishes the same behaviour (for each individual chain
    cache) since otherwise unexpected cache updates lead to weird problems.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables-monitor: fix build with older glibc | Baruch Siach | 2018-11-16 | 1 file | -16/+14

    glibc older than 2.19 only exposes BSD style fields of struct tcphdr
    when _BSD_SOURCE is defined. Current glibc, however, warns that
    _BSD_SOURCE is deprecated. Migrate to the GNU style of tcphdr fields to
    make the code compatible with any glibc version.

    Fix the following build failure:

    xtables-monitor.c: In function 'trace_print_packet':
    xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named 'th_sport'
      printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
                                               ^
    xtables-monitor.c:406:66: error: 'const struct tcphdr' has no member named 'th_dport'
      printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
                                                                      ^
    ...

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: format-security fixes in libip[6]t_icmp | Adam Gołębiowski | 2018-11-14 | 2 files | -3/+3

    commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
    introduced support for the gcc feature that checks the format string
    against the passed arguments. This commit adds missing bits to the
    extensions' libipt_icmp.c and libip6t_icmp6.c that were causing the
    build to fail.

    Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
    Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebtables: vlan: fix userspace/kernel headers collision | Baruch Siach | 2018-11-13 | 1 file | -0/+1

    Build with musl libc fails because of conflicting struct ethhdr
    definitions:

    In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
                     from ../iptables/nft-bridge.h:8,
                     from libebt_vlan.c:18:
    .../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
     struct ethhdr {
            ^~~~~~
    In file included from libebt_vlan.c:16:0:
    .../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
     struct ethhdr {
            ^~~~~~

    Include the userspace header first for the definition suppression logic
    to do the right thing.

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ip6tables-save: Merge into iptables-save.c | Phil Sutter | 2018-11-13 | 3 files | -261/+129

    Both implementations were very similar already. Differences were mostly
    in which libiptc functions were called. Therefore introduce struct
    iptables_save_cb to point to the right functions for each variant.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* ip6tables-restore: Merge into iptables-restore.c | Phil Sutter | 2018-11-13 | 3 files | -438/+113

    Introduce struct iptables_restore_cb and merge ip6tables-restore with
    iptables-restore.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* libiptc: Extend struct xtc_ops | Phil Sutter | 2018-11-13 | 3 files | -2/+11

    Add a few more callbacks used by iptables-save.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* configure: bump versions for 1.8.2 release (tag: v1.8.2) | Florian Westphal | 2018-11-13 | 1 file | -3/+3

    this release also adds xtables_print_mac* functions to libxtables, so
    current and age are incremented again.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: add 'printf' attribute to xlate_add | Florian Westphal | 2018-11-12 | 5 files | -14/+14

    This allows gcc to check format string vs. passed arguments.

    Fix the fallout from this as well, typical warning produced is:

    libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=]
       xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ...
                                 ~^      ~~~~~~~~~~

    so add the required casts or fixup format strings as needed.

    libxt_conntrack also passed an unneeded argument (port), so remove that.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* libxtables: xlate: init buffer to zero | Florian Westphal | 2018-11-12 | 1 file | -0/+1

    Doesn't affect iptables-xlate, but nft (when built w. xtables support).

    Without this, nft can print random content if an extension doesn't add
    anything to the output xlate buffer, e.g. -p mh -m mh can cause nft to
    print random data after "meta l4proto mobility", as mh ->xlate doesn't
    do anything in this case.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: fix expected arptables-save output | Florian Westphal | 2018-11-12 | 1 file | -3/+3

    forgot to squash this before pushing arptables fixes.

    Fixes: 5aecb2d8bfd ("arptables: pre-init hlen and ethertype")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: fix --version info | Florian Westphal | 2018-11-12 | 1 file | -10/+15

    old: arptables vlibxtables.so.12 (nf_tables)
    now: arptables 1.8.1 (nf_tables)

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: ignore --table argument. | Florian Westphal | 2018-11-12 | 1 file | -1/+4

    You can run 'arptables-legacy -t foobar' and commands work fine, as it
    still operates on filter table (the only table that exists).

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: make uni/multicast mac masks static | Florian Westphal | 2018-11-12 | 1 file | -6/+6

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: add test cases | Florian Westphal | 2018-11-12 | 4 files | -0/+27

    Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like
    broken output, however, arptables classic did not pretty-print either.

    Also add test cases for all targets supported by the original arptables
    tool:

    -j CLASSIFY
    -j MARK
    -j mangle [ yes, mangle target is lower-case 8-( ]

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: pre-init hlen and ethertype | Florian Westphal | 2018-11-12 | 2 files | -14/+20

    to check -s 1.2.3.4, we need to add the size of the hardware address to
    the arp header to obtain the offset where the ipv4 address begins:

    base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target)

    In arptables-classic, the kernel will add dev->addr_len to the arp header
    base address to obtain the correct location, but we cannot do this in
    nf_tables, at least not at this time (we need a fixed offset value).

    code does:

    op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
    add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + ...

    but if user did not provide "--h-length 6" argument, then this won't
    work even for ethernet, as the payload expression will be told to load
    the first 4 bytes of arp header source mac address (sender hw address).

    Fix this by pre-initialising arhlen to 6.

    We also need to set up arhrd. Otherwise, src/dst mac can't be used:

    arptables -A INPUT -i lo --destination-mac 11:22:33:44:55:66
    arptables v1.8.1 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT

    This means that matching won't work for AX25, NETROM etc, however,
    arptables "classic" can't parse non-ethernet addresses, and makes
    ETH_ALEN assumptions in several spots, so this should be fine from
    compatibility point of view.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: fix src/dst mac handling | Florian Westphal | 2018-11-12 | 1 file | -9/+57

    1. check both address and mask, not just first byte of mac
    2. use add_addr() for this so mask is also handled via bitwise expr.
    3. use the correct offsets.
    4. add dissector so we can reverse translate the payload expressions
       generated for this.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: fix target ip offset | Florian Westphal | 2018-11-12 | 1 file | -2/+3

    --dst-ip checks the first four octets of the target mac.

    Format of ipv4 arp is:

    arphdr (htype, ptype...)
    src mac
    src ip
    target mac
    target ip

    So we need to add hlen (6 bytes) a second time (arphdr + 6 + 4 + 6) to
    get correct offset.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: fix -s/-d handling for negation and mask | Florian Westphal | 2018-11-12 | 1 file | -6/+14

    also handle negations in other cases.

    Still to be resolved: mask handling for other options such as hlen.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: add basic test infra for arptables-nft | Florian Westphal | 2018-11-12 | 1 file | -1/+10

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: fix rule deletion/compare | Florian Westphal | 2018-11-12 | 1 file | -1/+2

    arptables -D fails most of the time, as we compared source mask with
    target mask.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: remove code that is also commented-out in original arptables | Florian Westphal | 2018-11-12 | 1 file | -31/+3

    This isn't a missing feature in the -nft version, neither plen nor -m
    was ever implemented in arptables-legacy.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables-save: add -c option, like xtables-save | Florian Westphal | 2018-11-12 | 2 files | -9/+35

    arptables classic doesn't have arptables-save, it only has a perl script
    that attempts to emulate iptables-save.

    It supports no options, and thus has no way to dump counters.

    Add -c option, like iptables to enable this.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* arptables: use ->save for arptables-save, like xtables | Florian Westphal | 2018-11-12 | 3 files | -43/+43

    arptables-save will show

    -A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff

    as

    --h-length 6 --h-type Ethernet -j MARK MARK set 0x1

    Because it uses ->print() instead of ->save().

    Switch it to use ->save, we can then also drop special handling of
    CLASSIFY target.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: test protocol and interface negation | Florian Westphal | 2018-11-12 | 2 files | -0/+5

    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: Fix error return code in nft_chain_user_rename() | Phil Sutter | 2018-11-12 | 2 files | -2/+6

    If the chain to rename wasn't found, the function would return -1 which
    got interpreted as success.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* xtables: Clarify error message when deleting by index | Phil Sutter | 2018-11-12 | 1 file | -0/+1

    Trying to delete a rule by index from a non-existent chain leads to a
    somewhat confusing error message:

    | # iptables-nft -D foobar 1
    | iptables: Index of deletion too big.

    Fix this by performing chain existence checks for CMD_DELETE_NUM, too.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

* xtables: Fix typo in do_command() error message | Phil Sutter | 2018-11-12 | 1 file | -1/+1

    This checks p->chain for existence, not cs->jumpto. Fixes this bogus
    error message:

    | # iptables-nft -t nat -A FORWARD -j ACCEPT
    | iptables v1.8.1 (nf_tables): Chain 'ACCEPT' does not exist

    Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables")
    Signed-off-by: Phil Sutter <phil@nwl.cc>

* ebtables: use extrapositioned negation consistently | Florian Westphal | 2018-11-12 | 17 files | -51/+81

    in the iptables universe, we enforce extrapositioned negation:

    ! -i foo

    "-i ! foo" is not even supported anymore.

    At least make sure that ebtables prints the former syntax everywhere as
    well so we don't have a mix of both ways.

    Parsing of --option ! 42 will still work for backwards compat reasons.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* ebtables-save: add -c option, using xtables-style counters | Florian Westphal | 2018-11-12 | 2 files | -17/+81

    The 'original' ebtables-save was a perl script that supported no
    options. Add minimal options, like ip(6)tables save.

    Retain the old way of formatting counters via environment variable, but
    allow overriding this using the -c option.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* nft: add NFT_TABLE_* enumeration | Pablo Neira Ayuso | 2018-11-12 | 2 files | -22/+24

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: replace nft_chain_dump() by nft_chain_list_get() | Pablo Neira Ayuso | 2018-11-12 | 4 files | -21/+16

    So we can remove nft_chain_dump() and replace nftnl_chain_get_list().

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables-nft: fix -f fragment option | Florian Westphal | 2018-11-11 | 1 file | -1/+1

    This needs to be passed in network byte order.

    Reported-by: Arno van Amersfoort <arnova@rocky.eld.leidenuniv.nl>
    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1292
    Signed-off-by: Florian Westphal <fw@strlen.de>

* libxtables: add and use mac print helpers | Florian Westphal | 2018-11-07 | 15 files | -89/+52

    This changes ebtables-nft to consistently print mac address with two
    characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a.

    Will require another bump of vcurrent/vage.

    Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: libebt_ip: fix tos negation | Florian Westphal | 2018-11-05 | 2 files | -3/+7

    passing ->tos as uintmax_t will clear adjacent fields in the structure,
    including invflags.

    Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: libebt_ip6: fix ip6-dport negation | Florian Westphal | 2018-11-05 | 2 files | -1/+2

    Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
    Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables-nft: make -Z option work | Florian Westphal | 2018-11-05 | 1 file | -2/+79

    -Z doesn't just zero base counters, it zeroes out all rule counters, or,
    optionally, all counters of a chain (-Z FOO).

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1286
    Signed-off-by: Florian Westphal <fw@strlen.de>

* nft: add missing error string | Florian Westphal | 2018-11-03 | 1 file | -0/+1

    Signed-off-by: Florian Westphal <fw@strlen.de>

* iptables-tests: add % to run iptables commands | Pablo Neira Ayuso | 2018-11-03 | 2 files | -4/+12

    Lines starting with % allow you to run iptables commands; use it for the
    rateest test.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables-tests: do not append xtables-multi to external commands | Pablo Neira Ayuso | 2018-11-03 | 1 file | -1/+1

    Lines starting with @ can be used to invoke an external command of any
    kind. Do not add xtables-multi here since we may want to execute a
    non-iptables command.

    Fixes: 9ff99156b63e ("iptables-test: fix netns test")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ebtables-nft: add arpreply target | Florian Westphal | 2018-11-03 | 3 files | -0/+111

    Unfortunately no nft translation available so far.

    Signed-off-by: Florian Westphal <fw@strlen.de>