summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* nft: fix bad length when comparing extension data areaPablo Neira Ayuso2013-12-301-4/+2
| | | | | | | | | | | | | | | | Use ->userspacesize to compare the extension data area, otherwise we also compare the internal private pointers which are only meaningful to the kernelspace. This fixes: xtables -4 -D INPUT -m connlimit \ --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr But it also fixes many other matches/targets which use internal private data. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass ipt_entry to ->save_firewall hookPablo Neira Ayuso2013-12-302-5/+7
| | | | | | | | | | | | The extension needs the ipt_entry not to crash. Since cs->fw actually points to an union that also contains cs->fw6, just pass cs->fw to make it work. This fixes: -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix missing ipt_entry for MASQUERADE targetPablo Neira Ayuso2013-12-304-12/+37
| | | | | | | | | | | | | | | | | The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus: xtables -4 -A POSTROUTING -t nat -p tcp \ -j MASQUERADE --to-ports 1024 works again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: arp: add parse_target to nft_family_ops_arpGiuseppe Longo2013-12-301-0/+1
| | | | | | | | | | | | This patch adds parse_target for arp family, fixing segfaults for xtables-arp -L after rules like: xtables-arp -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7 xtables-arp -A OUTPUT -o eth1 --h-length 6 \ -j mangle --mangle-mac-s 01:00:5e:00:01:01 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: arp: initialize flags in nft_arp_parse_metaGiuseppe Longo2013-12-301-1/+1
| | | | | | | | This small patch initialize the flags in nft_arp_parse_meta, now the nft_arp_rule_find is working properly. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong target sizeTomasz Bursztyka2013-12-301-2/+5
| | | | | | | The allocated area was not aligned. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: Parse properly target optionsTomasz Bursztyka2013-12-301-2/+4
| | | | | | | Target never gets its options parsed. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Header inclusion missingTomasz Bursztyka2013-12-301-0/+1
| | | | | | | | | | | | Fixes compilation issues. nft-shared.c: In function ‘nft_ipv46_rule_find’: nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration] nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function) nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_mangle: Fixes option issuesTomasz Bursztyka2013-12-301-15/+14
| | | | | | | | Fix option IDs and remove irrelevant flags on setting options mandatory. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add arptables' libxt_mangle.c for xtables-arpTomasz Bursztyka2013-12-301-0/+389
| | | | | | | | | | This is a porting of the original mangle target in arptables. This also adapts original code so functions fits with libxtables. This is needed by the xtables-arp compatibility tool for nftables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: Store target entry properly and compare them relevantlyTomasz Bursztyka2013-12-303-29/+27
| | | | | | | Fixes a segfault issue when deleting a rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: batch rule-set updates into one single netlink messagePablo Neira Ayuso2013-12-307-163/+328
| | | | | | | | With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: zeroing chain countersGiuseppe Longo2013-12-301-3/+2
| | | | | | | This small patch permit to reset the chain counters. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: add delete operationGiuseppe Longo2013-12-301-5/+28
| | | | | | | | The following patch permit to delete the rules specifying an entry or a rule number. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adapt nft_rule_expr_get to use uint32_t instead of size_tPablo Neira Ayuso2013-12-301-4/+4
| | | | | | | According to libnftables change 437d610, now the length obtained via getter function is uint32_t, not size_t anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: cache netfilter_arp kernel headersPablo Neira Ayuso2013-12-303-0/+249
| | | | | | | To ensure that compilation does not break if Linux kernel headers are not installed in the system. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: add rule replacement supportGiuseppe Longo2013-12-301-4/+18
| | | | | | | The following patch permit to replace rule in xtables-arp. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_* functions to support ARPPablo Neira Ayuso2013-12-303-167/+22
| | | | | | | | | | | | This should help to avoid code duplication to support ARP. As a result, we have a common generic infrastructure for IPv4, IPv6 and ARP. This patch removes nft_arp_rule_append and nft_arp_rule_insert, which were very similar to their original nft_rule_append and nft_rule_insert. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_new to support ARPPablo Neira Ayuso2013-12-305-92/+90
| | | | | | | | This patch removes nft_arp_rule_new, which almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_find for ARP, IPv4 and IPv6Pablo Neira Ayuso2013-12-306-180/+168
| | | | | | | | | This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft-arp: implements is_same op for ARP familyGiuseppe Longo2013-12-307-10/+76
| | | | | | | | The following patch implements the is_same operation for ARP family needed for searching arp rule. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft-arp: fix endianess in nft_arp_parse_payloadPablo Neira Ayuso2013-12-301-6/+6
| | | | | | | | nft_arp_print_firewall already handles endianess appropriately. This fixes the output of the option that allows you to match ARP header fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: bootstrap ARP compatibility layer for nftablesGiuseppe Longo2013-12-3011-25/+2466
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: skip unset tables on table configuration emulationTomasz Bursztyka2013-12-301-0/+3
| | | | | | | | The ARP family has less tables, so skip iteration once we find a null one. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: generalize rule addition family hookPablo Neira Ayuso2013-12-303-3/+6
| | | | | | | | | | This should help Giuseppe with his ARP support works, this change was missing in (618309c nft: refactoring parse operations for more genericity). Based on patch from Giuseppe. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix a minor compilation warningTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | nft-shared.c: In function ‘nft_rule_to_iptables_command_state’: nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized] nft-shared.c:432:14: note: ‘jumpto’ was declared here All verdicts are managed and jumpto has to get a value, but since the compiler complains, let's fix it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: refactoring parse operations for more genericityGiuseppe Longo2013-12-304-32/+72
| | | | | | | | This allows to reuse the nft_parse_* function for the bridge and arp family (not yet supported). Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: allow to reset the counters of an existing ruleTomasz Bursztyka2013-12-303-8/+43
| | | | | | | | | Now that we convert nft rules to native xt command structure, it's easier to reset the counters by replacing the existing rule by a new one with all counters set to zero. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: use xtables_print_numPablo Neira Ayuso2013-12-303-31/+6
| | | | | | So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong flags handling in print_firewall_detailsPablo Neira Ayuso2013-12-304-38/+53
| | | | | | | | | | | | | | Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie. Chain INPUT (policy ACCEPT) tcp -f ::/0 ::/0 Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: convert rule into a command state structureTomasz Bursztyka2013-12-307-661/+303
| | | | | | | | This helps to reduce the code complexity to have one single common path for printing, saving and looking up for the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: use xtables_rule_matches_freePablo Neira Ayuso2013-12-301-22/+1
| | | | | | | Thus, we can kill clear_rule_matches. Not required since we are based upon 1.4.19.1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Print unknown target data only when relevantTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Bug is: xtables -N test xtables -A FORWARD -j test xtables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination test all -- anywhere anywhere [0 bytes of unknown target data] Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain test (1 references) target prot opt source destination "[0 bytes of unknown target data]" should not be printed in this case. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Generalize nft_rule_list() against current familyTomasz Bursztyka2013-12-305-264/+315
| | | | | | | | | | Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless test on rulenum in nft_rule_list()Tomasz Bursztyka2013-12-301-3/+2
| | | | | | | Rulenum is already handled before the loop, making this test useless. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Make internal rule listing callback more genericTomasz Bursztyka2013-12-301-12/+8
| | | | | | | | This will be useful for reusing nft_rule_list in other tools such as xtables-arptables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Optimize rule listing when chain and rulenum are providedTomasz Bursztyka2013-12-301-4/+10
| | | | | | | | Thus, we can save some cycles by not dumping the entire chain list and looping on it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless functionTomasz Bursztyka2013-12-301-27/+0
| | | | | | | Likely to be a leftover from the initial bootstrap. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Do not dump before command parsing has been finishedTomasz Bursztyka2013-12-301-2/+8
| | | | | | | | On xtables-save.c, -d will not output right away but after the full command line hase been parsed. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: load only the tables of the current familyGiuseppe Longo2013-12-302-1/+19
| | | | | | | | | | | This changes nft_xtables_config_load() permit to load only the tables of the current family. [ This patch includes a fix for the configuration parser that I detected while testing this patch --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* etc: add default IPv6 table and chain definitionsPablo Neira Ayuso2013-12-301-3/+37
| | | | | | Add definition of table and chains to the optional xtables.conf file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix family operation lookupGiuseppe Longo2013-12-301-1/+1
| | | | | | | | xtables-restore -6 was using the IPv4 family, instead of IPv6 as it should be. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix match revision lookup for IPv6Pablo Neira Ayuso2013-12-301-1/+2
| | | | | | IPT_SO_GET_REVISION_MATCH != IP6T_SO_GET_REVISION_MATCH, thus, the revision infrastructure was looking for targets instead matches.
* xtables: fix typo in add_entry for the IPv6 casePablo Neira Ayuso2013-12-301-1/+1
| | | | | | It should pass zero, instead of the 'append' boolean. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: associate table configuration to handle via nft_initGiuseppe Longo2013-12-306-30/+37
| | | | | | | | | We need family dependent built-in table/chain configuration. This patch is a step forward making nft family independent in order to support arptables and ebtables compatibility layers. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: no need for rule lookup if no position specified via -IPablo Neira Ayuso2013-12-301-17/+15
| | | | | | | Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look up for the rule if no rule number is specified via -I. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: remove bogus comment regarding rule replacementPablo Neira Ayuso2013-12-301-1/+0
| | | | | | We support rule replacement since quite some time, remove it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add -I chain rulenumPablo Neira Ayuso2013-12-303-46/+144
| | | | | | | | | | | | This patch adds the nft_rule_insert function, which allows us to insert rules at a given position. The function nft_rule_add has been renamed to nft_rule_append. This is possible thanks to Eric Leblond's (netfilter: nf_tables: add insert operation) kernel patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix selective chain display via -SPablo Neira Ayuso2013-12-301-4/+6
| | | | | | | | | | | | | | | | | | Before: % xtables -S INPUT -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -p tcp -j ACCEPT After: $ xtables -S INPUT -P INPUT ACCEPT -A INPUT -p tcp -j ACCEPT Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: break chain listing if only one if looked forPablo Neira Ayuso2013-12-301-0/+8
| | | | | | | | | Break looping on the chain list if it finds the chain that the user requested. Based on patch from Tomasz Bursztyka. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>