Commit log (subject, author, date; files changed, lines -removed/+added)
* xtables: Do not register matches/targets with incompatible revision (Serhey Popovych, 2018-04-27; 1 file, -24/+42)
  If the kernel tells us the revision isn't found/supported at the moment, we should keep the entity in the pending list, not register it or bail, to do so later. The kernel might still load the module for the entity we are asking it for, and this could be slow on some embedded devices. Catch double registration attempts by checking me->next being non-NULL in xtables_register_match() and xtables_register_target().
  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to print val[/mask] arguments (Serhey Popovych, 2018-04-27; 6 files, -64/+48)
  There are a number of places where an argument in val[/mask] format is printed in extensions, and some of them may print a corresponding symbolic name. By introducing a common function for this task we eliminate custom code parts in extensions that perform printing of arguments in the required formats. Use the xtables_print_mark_mask() helper for extensions without a symbolic name for val[/mask].
  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to parse val[/mask] arguments (Serhey Popovych, 2018-04-27; 5 files, -72/+77)
  There are a couple of places in both core and extensions where arguments in the form of val[/mask] are parsed (see XTTYPE_MARKMASK32). In some cases a symbolic name might be used, which is mapped in code to a numeric value. Introduce a common function to handle both cases, where the value given is either val[/mask] or a symbolic name.
  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Initialize linear mapping of symbols in _init() of extension (Serhey Popovych, 2018-04-27; 2 files, -21/+14)
  libxt_devgroup and libipt_realm are currently unable to display symbolic names in save/print commands because the linear mapping is not initialized. It looks a bit confusing, as linear mapping initialization is done in init() of the extension, which is expected to be called before any other function of the extension. However, init is called only when the '-m' option is specified on the command line, which is true only for the insert, append, replace and destroy iptables commands. Move initialization to the extension's _init() function, before calling any function in the extension.

  Before:
  ... src-group 0x1 dst-group 0x2
  ... src-group 0x2 dst-group 0x1

  After:
  ... src-group grp1 dst-group grp2
  ... src-group grp2 dst-group grp1

  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: ULOG: remove test (Florian Westphal, 2018-04-27; 1 file, -19/+0)
  The ULOG target was removed in 3.17, so this always fails now.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: turn off useless compat queries (Florian Westphal, 2018-04-27; 1 file, -0/+6)
  Not needed, as we won't be installing any rules. So just assume the kernel supports everything.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: arptables: remove obsolete forward hook definition (Florian Westphal, 2018-04-27; 1 file, -6/+0)
  It's not supported anymore as of 4.13, and it did not work before this either (arp packets cannot be routed). This unbreaks arptables-compat; without this fix the kernel rejects the incoming ruleset skeleton. Filtering forwarded arp packets on a bridge can be done either via the 'netdev' or 'bridge' families.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: statify nft_restart() (Pablo Neira Ayuso, 2018-04-24; 2 files, -2/+1)
  This function is only used from iptables/nft.c.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: handle netlink dump EINTR errors (Pablo Neira Ayuso, 2018-04-24; 2 files, -2/+41)
  Release the existing list and restart in case the netlink dump hits EINTR.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: add 'vlan' match extension (Florian Westphal, 2018-04-22; 3 files, -0/+238)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add 'pkttype' match extension (Florian Westphal, 2018-04-22; 3 files, -0/+140)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: update table name on -t (Florian Westphal, 2018-04-22; 1 file, -0/+1)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add 'ip6' match extension (Florian Westphal, 2018-04-19; 3 files, -0/+666)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: fix translations for tos and icmp (Florian Westphal, 2018-04-19; 2 files, -7/+7)
  The tos translation to dscp yielded an incorrect value. icmp inserted an extra "ip" keyword; remove it.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: add icmp support (Florian Westphal, 2018-04-19; 2 files, -2/+304)
  This was added to ebtables recently, so backport it to ebt-compat.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-translate: quote interface names in translated output (Florian Westphal, 2018-04-19; 10 files, -30/+30)
  It is good practice, as interface names can be virtually any identifier and could clash with nft keywords.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* icmp: split icmp type printing to header file (Florian Westphal, 2018-04-19; 3 files, -58/+35)
  libebt_ip will get icmp support soon; unify icmp name mapping a bit so we can re-use this code from libebt_ip.c. It doesn't seem to be too useful to move it to libxtables (as it's icmp specific), so add a header file for this to reduce copy & paste needs.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: add initial test cases (Florian Westphal, 2018-04-13; 9 files, -6/+81)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-compat: add ebtables-translate (Florian Westphal, 2018-04-13; 5 files, -1/+804)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xlate-translate: split common parts into helper (Florian Westphal, 2018-04-13; 1 file, -33/+26)
* xtables-eb: export 3 functions (Florian Westphal, 2018-04-13; 2 files, -5/+10)
  Will be used from the eb-translate parser.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: add eb-translate backend functions (Florian Westphal, 2018-04-13; 1 file, -0/+136)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: fix mac address printing (Florian Westphal, 2018-04-13; 1 file, -1/+1)
  The mask needs to be all-ones, else we print <macaddr>/ff:ff:ff:ff:ff:ff; but such a mask is redundant, so we can omit the mask. ebtables does this correctly.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: fix crash when getprotobynumber() returns 0 (Florian Westphal, 2018-04-13; 2 files, -12/+17)
  This needs to first check if pent is NULL.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: support intra-positioned negations (Florian Westphal, 2018-04-13; 1 file, -1/+1)
  ebtables still allows intra-positioned negations, e.g. --ip-src ! 1.2.3.4; support this.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: add forward declaration for struct nftnl_rule (Florian Westphal, 2018-04-13; 1 file, -0/+1)
  nft-bridge.h:121:48: warning: 'struct nftnl_rule' declared inside parameter list will not be visible outside ..
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs' (Florian Westphal, 2018-04-13; 1 file, -3/+3)
  nft xlate needs the full name; for ebtables it makes no difference, 'minute' would work too. Also fix up ' ' placement in xlate.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: make nft_init self-contained (Florian Westphal, 2018-04-13; 2 files, -2/+3)
  nft_init() should roll back all changes it made during init when something goes wrong; callers should NOT call nft_fini() on error. Note that this change is irrelevant at the moment, as all users call exit() on failure.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-translate: rm duplicate includes (Florian Westphal, 2018-04-13; 1 file, -5/+0)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-compat: constify a few struct members (Florian Westphal, 2018-04-13; 1 file, -3/+3)
  Avoids a compiler warning in a followup patch.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add initial translations (Florian Westphal, 2018-04-11; 6 files, -0/+270)
  Add translations for ip, limit, log, mark, mark_m, nflog.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: constify option struct (Arushi Singhal, 2018-04-11; 2 files, -2/+2)
  The struct of type option is only used to initialise a field and is not modified anywhere.
  Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: load mark target (Florian Westphal, 2018-04-11; 1 file, -2/+14)
  It's already there, but it did not work because it wasn't loaded.
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: don't make failing extension load fatal (Florian Westphal, 2018-04-11; 1 file, -7/+10)
  We will fail later when we can't parse the option, but that failure only happens if the is actually used. So in some cases things will work fine even if an extension doesn't exist.
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_comment: silence truncation warning (Florian Westphal, 2018-04-10; 1 file, -4/+3)
  gcc warned here:
  libxt_comment.c:62 output may be truncated before the last format character [-Wformat-truncation=]
  snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"" ...
  It tells us that the '"' might not fit anymore, so increase the output buffer size to make room for "" escapes too.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: only validate the xtables builtin tables (Florian Westphal, 2018-04-09; 1 file, -2/+9)
  This allows xtables-compat to list all builtin tables unless one contains nft specific expressions. Tables that do not exist in the xtables world are not printed anymore (but a small hint is shown that such non-printable table(s) exist).
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: skip unsupported tables (Florian Westphal, 2018-04-09; 4 files, -43/+14)
  Instead of not listing anything at all if an unknown table name exists, just skip them. Output a small comment that the listing doesn't include the (unrecognized, nft-created) tables. The next patch will restrict the 'is this table printable in xtables syntax' check to the "builtin" tables.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: also validate priorities and hook points match expected values (Florian Westphal, 2018-04-09; 1 file, -13/+22)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: fix snprintf truncation warnings (Florian Westphal, 2018-04-08; 2 files, -2/+2)
  proto is u16 in the data structure, so this gave:
  nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: CLUSTERIP: do not allow --local-node 0 (Pablo Neira Ayuso, 2018-03-30; 1 file, -1/+2)
  Makes no sense; fail in such a case.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: CLUSTERIP: add tests (Pablo Neira Ayuso, 2018-03-28; 1 file, -0/+3)
  Add a few tests to catch regressions.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: add xtables-translate.8 manpage (Arturo Borrero Gonzalez, 2018-03-17; 2 files, -1/+136)
  This new manpage describes how to operate the translation tools for nftables.
  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_bpf: Fix build with old kernel versions (Hauke Mehrtens, 2018-02-28; 1 file, -1/+2)
  In kernel 3.18 the union bpf_attr does not have a pathname attribute, and BPF_OBJ_GET is also not defined in these versions. This was added in Linux commit b2197755b263 ("bpf: add support for persistent maps/progs"). Check for the BPF_FS_MAGIC define, which was also added in this Linux commit, and only activate this code in case we find that define. This fixes a build problem with Linux 3.18.
  Netfilter bug: #1231
  Fixes: f17f9ace8a8 ("extensions: libxt_bpf: support ebpf pinned objects")
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: ecn: add tcp ecn/cwr translation (Florian Westphal, 2018-02-26; 2 files, -18/+37)
  nft can match tcp flags, so add ece/cwr translation.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add tests for comp match options (Harsha Sharma, 2018-02-25; 2 files, -5/+6)
  This patch adds a test for the ipcomp flow match specified by its SPI value and moves tests for the ipcomp protocol to libxt_policy.t
  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-multi.c: Allow symlink of ebtables (Duncan Roe, 2018-02-25; 1 file, -0/+1)
  This patch allows one to force a subsystem that one does not wish to modify (e.g. libvirt) to use the ebtables compatibility layer. ebtables-compat was already a symlink to xtables-compat-multi but ebtables was a stand-alone program. So one could move it out of the way before making the symlink as below:
  lrwxrwxrwx 1 root root    20 Feb 24 11:03 ebtables -> xtables-compat-multi
  -rwxr-xr-x 1 root root 75176 Feb 24 11:03 ebtables.orig
  With this patch, kernel modules ebtable_filter & ebtables are no longer loaded.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: add xtables-compat.8 manpage (Arturo Borrero Gonzalez, 2018-02-25; 2 files, -1/+178)
  Copied back from the downstream Debian package.
  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: connmark: remove non-working translation (Florian Westphal, 2018-02-20; 2 files, -18/+10)
  ... and return 0 so output reflects that no translation was performed.

  iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
  nft # -A I -j CONNMARK --save-mark --mask 0xff

  The translation that was performed:
  nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
  will clear (zero) most bits:
  [ meta load mark => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
  [ ct set mark with reg 1 ]

  The xtables module however does this:
  newmark = (ct->mark & ~info->ctmask) ^ (skb->mark & info->nfmask);

  I.e., for ctmark the mask defines what to clear, for nfmark what to keep; i.e. we're supposed to only alter the lower bits of the ctmark. nftables can't do this at the moment because the bitwise operator RHS requires immediate values. The same is true for 'restore'.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: prefer plain 'set' over 'set mark and' (Florian Westphal, 2018-02-20; 4 files, -6/+12)
  Adding a test case for MARK --set-mark 0 fails with
  exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
  res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0
  This translation isn't wrong, but unnecessarily complex, so change the order to first check if the mask bits are all ones. In that case we can simply use an immediate value without the need for logical operators.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat-restore: use correct hook priorities (Florian Westphal, 2018-02-17; 1 file, -5/+31)
  Currently defaulted to 0; it should reflect the one from xtables to get the right ordering.
  Signed-off-by: Florian Westphal <fw@strlen.de>