| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
libebt_ip will get icmp support soon, unify icmp name
mapping a bit so we can re-use this code from libebt_ip.c.
It doesn't seem to be too useful to move to libxtables
(as its icmp specific), so add a hedaer file for this to reduce
copy & paste needs.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
|
| |
|
|
|
|
| |
Will be used from eb-translate parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Mask needs to be all-ones, else we print
<macaddr>/ff:ff:ff:ff:ff:ff
but such a mask is redundant, we can omit the mask.
ebtables does this correctly.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
This needs to first check if pent is NULL.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
ebtables sitll allows intra-postitioned negations, e.g.
--ip-src ! 1.2.3.4
support this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
nft-bridge.h:121:48: warning: 'struct nftnl_rule' declared inside parameter list will not be visible outside ..
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
nft xlate needs the full name, for ebtables it makes no difference,
'minute' would work too.
Also fixup ' ' placement in xlate.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
nft_init() should rollback all changes it made during init
when something goes wrong, callers should NOT call nft_fini()
on error.
Note that this change is irrelevant at the moment, all users
call exit() on failure.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
avoids a compiler warning in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
add translations for ip, limit, log, mark, mark_m, nflog.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field and
is not modified anywhere.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Its already there but it did not work because it wasn't loaded.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
We will fail later when we can't parse the option, but that
failure only happens if the is actually used.
So in some cases things will work fine even if an extension
doesn't exist.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
gcc warned here:
libxt_comment.c:62 output may be truncated before the last format character [-Wformat-truncation=]
snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"" ...
It tells us that the '"' might not fit anymore, so increase output
buffer size to make room for "" escapes too.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
This allows xtables-compat to list all builtin tables unless one
contains nft specific expressions.
Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of not listing anything at all if an unknown table name
exists, just skip them. Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.
Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
proto is u16 in the data structure, so this gave:
nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Makes no sense, fail in such a case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add a few tests to catch regressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new manpage describes how to operate the translation tools for nftables.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kernel 3.18 the union bpf_attr does not have a pathname attribute and
BPF_OBJ_GET is also not defined in these versions.
This was added in Linux commit b2197755b263 ("bpf: add support for
persistent maps/progs"). Check for the BPF_FS_MAGIC define which was
also added in this Linux commit and only activate this code in case we
find that define.
This fixes a build problem with Linux 3.18.
Netfilter bug: #1231
Fixes: f17f9ace8a8 ("extensions: libxt_bpf: support ebpf pinned objects")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
nft can match tcp flags, so add ece/cwr translation.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This patch adds test for ipcomp flow match specified by its SPI value
and move tests for ipcomp protocol to libxt_policy.t
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows one to force a subsystem that one does not wish to modify
(e.g. libvirt) to use the ebtables compatibility layer.
ebtables-compat was already a symlink to xtables-compat-multi but ebtables was a
stand-alone program. So one could move it out of the way before making the
symlink as below:
lrwxrwxrwx 1 root root 20 Feb 24 11:03 ebtables -> xtables-compat-multi
-rwxr-xr-x 1 root root 75176 Feb 24 11:03 ebtables.orig
With this patch, kernel modules ebtable_filter & ebtables are no longer loaded.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Copied back from the downstream Debian package.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... and return 0 so output reflects that no translation was performed.
iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
nft # -A I -j CONNMARK --save-mark --mask 0xff
The translation that was performed:
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
will clear (zero) most bits:
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
[ ct set mark with reg 1 ]
The xtables module however does this:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
I.e., for ctmark mask defines what to clear,
for nfmark what to keep, i.e. we're supposed to only alter the lower
bits of the ctmark.
nftables can't do this at the moment because bitwise operator RHS
requires immediate values.
same is true for 'restore'.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
adding a test case for MARK --set-mark 0 fails with
exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0
This translation isn't wrong, but unneccessarily complex, so
change order to first check if mask bits are all ones.
In that case we can simply use an immediate value without
need for logical operators.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Currently defaulted to 0, it should reflect the one from xtables
to get the right ordering.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following test:
# python xlate-test.py extensions/libxt_hashlimit.txlate
extensions/libxt_hashlimit.txlate: Fail
src: iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP
exp: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
res: nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
1 test file, 2 tests, 1 tests passed, 1 tests failed, 0 errors
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After nft v0.8.1 "flow table" is renamed as meter.
This should reflect in iptables to nftables translation.
Before this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
After this patch:
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3
--hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and
255.255.255.0 limit rate 200/second } counter drop
Signed-off-by: shyam saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds test cases for iptables to nft translation of cluster match
This adds all test cases including corner cases.
Run these test cases like:
$ ./xlate-test.py extensions/libxt_cluster.txlate
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for cluster to nft
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set
0xffff
$ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
--cluster-total-nodes 7 --cluster-local-nodemask 5 --cluster-hash-seed
0xdeadbeef -j MARK --set-mark 0xffff
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta
mark set 0xffff
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a new exetension to iptables to supprt 'srh' match
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
shows:
nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
which prints burst twice, this is not correct.
Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated.
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes
This patch fixes the following warning:
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
_DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
# _DEFAULT_SOURCE"
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning:
warning: initialization discards ‘const’ qualifier from pointer target
type [-Wdiscarded-qualifiers]
.orig_opts = original_opts,
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Max Laverse <max@laverse.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Description
This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared. If -pie is provided after -shared, the linker throws an
error shown below as example.
-------------------------------------------------------------------------
/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
+ ./libxt_SYNPROXY.man
make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+ ./libip6t_mh.man
/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
undefined reference to `main'
/host/lib/gcc/powerpc-buildroot-linux-gnu + ./libxt_TCPMSS.man
/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
-------------------------------------------------------------------------
Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
