| Commit message | Author | Age | Files | Lines |

When matching mac and ip addresses, the ip address needs to be placed
into the 2nd 32bit register. The switch to dynamic register allocation
instead re-uses reg1, which partially clobbers the mac address, so
set lookup comes up empty even though it should find a match.
Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This is much trickier than expected: On one hand, proto_to_name() is
used to look up protocol extensions so must resolve despite FMT_NUMERIC
being set. On the other, --verbose implies --numeric but changing the
output there is probably a bad idea. Luckily the latter situation is
identified by FMT_NOTABLE bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Format string ensured a minimum field width of five characters, but
allowed for longer strings to eat the column delimiting white space.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Adjust captured output, ip6tables prints '--' instead of spaces since
the commit in the Fixes: tag.
Fixes: 6e41c2d8747b2 ("iptables: xshared: Ouptut '--' in the opt field in ipv6's fake mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
The fact that the 'opt' table field reports spaces instead of '--' for
IPv6 as it would have been the case with IPv4 has a bit of an
unfortunate side effect that it completely confuses the 'jc' JSON
formatter tool (which has an iptables formatter module).
Consider:

    # ip6tables -L test
    Chain test (0 references)
    target     prot opt source               destination
    ACCEPT     all      a:b:c::              anywhere             MAC01:02:03:04:05:06

Then:

    # ip6tables -L test | jc --iptables
    [{"chain":"test",
      "rules":[
        {"target":"ACCEPT",
         "prot":"all",
         "opt":"a:b:c::",
         "source":"anywhere",
         "destination":"MAC01:02:03:04:05:06"
        }]
    }]

which as you can see is wrong simply because whitespace is considered
a column delimiter.
[ Florian: added 'Link' for more background info.
The '--' difference exists for > 20 years, but changing it
appears to be least intrusive option. ]
Link: https://lore.kernel.org/netfilter-devel/bb391c763171f0c5511f73e383e1b2e6a53e2014.1658322396.git.eskultet@redhat.com/t/#u
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
libxt_conntrack.c:1292: warning: the comparison will always evaluate as
false for the address of origsrc_addr will never be NULL [-Waddress]
Signed-off-by: Florian Westphal <fw@strlen.de>
There are new chunks added in Linux SCTP that are not being traced by
iptables. This patch introduces the following chunks for tracing:
I_DATA, I_FORWARD_TSN (RFC8260), RE_CONFIG (RFC6525) and PAD (RFC4820)
Signed-off-by: Yuxuan Luo <luoyuxuan.carl@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Some extensions are not supported in revision 0 by user space anymore,
for those the warning in xtables_compatible_revision() does not print as
no revision 0 is tried.
To fix this, one has to track if none of the user space supported
revisions were accepted by the kernel. Therefore add respective logic to
xtables_find_{target,match}().
Note that this does not lead to duplicated warnings for unsupported
extensions that have a revision 0 because xtables_compatible_revision()
returns true for them to allow for extension's help output.
For the record, these ip6tables extensions are affected: set/SET,
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
for both families.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should
be bundled alongside the other netfilter kernel headers.
This copy of nf_log.h was taken from Linux 5.18.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This is the last symbol in xshared.h used by libxtables, move it over.
Again, treat this as "implementation detail" and hence put it behind
XTABLES_INTERNAL-curtains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The library "owns" this structure and maintains 'afinfo' pointer to
instances of it. With libxt_set, there's even an extension making use of
the data.
To avoid impact on library users, guard it by XTABLES_INTERNAL.
To eliminate the xshared.h include by libxt_set, DEBUGP has to be
redefined. Other extensions have similar defines, fix this later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
When printing the ID and OPTs in iptables/xtables-monitor.c, a space is
missing after the string, thereby concatenating the number with the next
item in the printed PACKET line.
Fixes: d26c538b9a549 ("xtables: add xtables-monitor")
Signed-off-by: Anton Luka Šijanec <anton@sijanec.eu>
Signed-off-by: Phil Sutter <phil@nwl.cc>
In some code-paths, 'reg' pointer remaining uninitialized is used later
so at least minimal error checking is necessary. Given that a call to
nftnl_alloc_expr() with sane argument should never fail, complain and
exit if it happens.
Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Some minor fixes were necessary:
* --algo is printed after the pattern
* Second long string test must fail, that string is 129 chars long
* --from 0 and --to 65535 are not printed (default values)
Signed-off-by: Phil Sutter <phil@nwl.cc>
* Compare against sizeof(info->pattern) which is more clear than having
to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE
* Invert the check and error early to reduce indenting
* Pass info->patlen to memcpy() to avoid reading past end of 's'
Signed-off-by: Phil Sutter <phil@nwl.cc>
Default value is UINT16_MAX, not 0. Fix the conditional printing.
Fixes: c6fbf41cdd157 ("update string match to reflect new kernel implementation (Pablo Neira)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Allowing this segfaults the program. The deny is in line with legacy
ebtables, so no point in implementing support for that.
Signed-off-by: Phil Sutter <phil@nwl.cc>
These weren't used anywhere before. At least ensure they are only
allowed where claimed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Test zeroing a single rule's counters as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Call with --combine as well, even though output doesn't differ. Also
there's no need to skip for xtables-nft-multi, it provides the same
functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
This increases coverage of function print_match() from 0 to 86.6%.
Signed-off-by: Phil Sutter <phil@nwl.cc>
A little convenience to prepare a build for analysis with gcov/gprof.
Signed-off-by: Phil Sutter <phil@nwl.cc>
With all ip(6)tables variants using the same do_parse() function, quite
a bunch of functions are not used outside of xshared.c anymore. Make them
static.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The header is included unconditionally first, so no point in doing it a
second time if ENABLE_NFTABLES is defined.
Fixes: be70918eab26e ("xtables: rename xt-multi binaries to -nft, -legacy")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Legacy arptables accepts but ignores the flag. Yet there are remains of
the functionality in sources, like OPT_EXPANDED define and a print_num()
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
arptables, just enable the feature for it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The functions are used for static builds to initialize extensions after
libxtables init. Regular library users should not need them, but the
empty declarations introduced in the #else case (and therefore present in
the user's env) may clash with existing symbol names.
Avoid problems and guard the whole block declaring the function
prototypes and mangling extensions' _init functions by XTABLES_INTERNAL.
Reported-by: Nick Hainke <vincent@systemli.org>
Fixes: 6c689b639cf8e ("Simplify static build extension loading")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Some repeated calls have been reduced recently, assert this in a test
evaluating strace output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Fixes the following error:
../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
52 | #include <libiptc/linux_list.h>
Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
Signed-off-by: Ben Brown <ben@demerara.io>
Signed-off-by: Phil Sutter <phil@nwl.cc>
This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
compiling against musl libc. Might be a bug in the latter, but for the
time being try to please both by avoiding the include and instead
defining ETH_ALEN if unset.
While being at it, move netinet/ether.h include up.
Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Gcc complains about the omitted format string.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Treating revision 0 as compatible in EPERM case works fine as long as
there is a revision 0 of that extension defined in DSO. Fix the code for
others: Extend the EPERM handling to all revisions and keep the existing
warning for revision 0.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Help text already contains it, so no update needed there.
Fixes: 127647892c7ca ("extensions: libipt_LOG/libip6t_LOG: support macdecode option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Stating the option again in the first (single?) sentence is pointless.
Get rid of that initial half-sentence in MASQUERADE options and unify
the texts a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Have a versatile __NAT_print() function providing enough flexibility for
DNAT and REDIRECT, IPv4 and IPv6 and 'print' and 'save' output. Then
define macros to simplify calling it.
As a side effect, this fixes ip6tables DNAT revision 1 print output.
Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
While protocol values may exceed eight bits, the data structure is
indeed used only to store the static list of name/value pairs for faster
lookups. None of those has such a value and if one is added in future,
the compiler will complain about it.
So restore the old field type to retain binary compatibility.
Fixes: 556f704458cdb ("Use proto_to_name() from xshared in more places")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Define the different optstrings in xshared.h instead, they are not
relevant for other libxtables users.
This is a partial revert of commit 65b150ae382a8 ("xshared: Store
optstring in xtables_globals") to avoid breaking libxtables' ABI
compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The function checks afinfo->family already to cover ip6tables specifics,
doing the same for arptables does not make things much worse.
This changes arptables-nft help output slightly:
* List possible negations extrapositioned, which is preferred anyway
(arptables-nft supports both)
* List --out-interface option at lexically sorted position
* Print --wait option, it's ignored just like with iptables
* Restore default target option printing as with legacy arptables (not
sure if arptables-nft ever did this) by explicitly loading them.
While being at it, add --set-counters short option '-c' to help output
for ip(6)tables.
This effectively removes the need for (and all users of)
xtables_global's 'print_help' callback, thus effectively reverts commit
fe83b12fc910e ("libxtables: Introduce xtables_globals print_help
callback") which broke libxtables' ABI compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
It will be referenced by xtables_printhelp() if printing for arptables
and therefore must be present in legacy as well even if unused.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Fixes: f4b737fb0c52a ("libxt_MARK r2")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Add __gen_payload(), in preparation for the dynamic register allocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Store the register that has been allocated and pass it on to the next
expression. NFT_REG_1 is still used.
No functional changes are expected.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass struct nft_handle to helper functions in preparation for the
dynamic register allocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use meta mark + bitwise + cmp instead of nft_compat mark match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In preparation for native mark match support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update the destination register, otherwise nft_parse_cmp() gives up on
interpreting the cmp expression when bitwise sreg != dreg.
Fixes: 2c4a34c30cb4 ("iptables-compat: fix address prefix")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Unless as part of a range, service names may be used. Point this out to
avoid confusion.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Code is very similar, join them to reuse parsing code at least.
As a side-effect, this enables parsing of service names for ports in
DNAT as well as using port number 0 as that's what REDIRECT allows.
Signed-off-by: Phil Sutter <phil@nwl.cc>