summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* iptables: masquerade: add randomize-full supportMax Laverse2017-12-045-2/+40
| | | | | Signed-off-by: Max Laverse <max@laverse.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: patch to correct linker flag sequenceYogesh Prasad2017-12-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Description This patch will correct the sequence of -pie and -shared options. When used together, -pie should be provided to the linker before -shared. If -pie is provided after -shared, the linker throws an error shown below as example. ------------------------------------------------------------------------- /host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../.. /powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923 collect2: error: ld returned 1 exit status + ./libxt_SYNPROXY.man make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1 + ./libip6t_mh.man /host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4): undefined reference to `main' /host/lib/gcc/powerpc-buildroot-linux-gnu + ./libxt_TCPMSS.man /6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923 collect2: error: ld returned 1 exit status ------------------------------------------------------------------------- Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcpmss: Add test case for invalid ranges.Varsha Rao2017-11-301-0/+1
| | | | | | | This patch adds test case for invalid MSS range. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: xtables-eb: Remove const qualifier from struct optionVarsha Rao2017-11-301-1/+1
| | | | | | | | | | | | | | As opts is reassigned multiple times, it cannot be made constant. So remove const qualifier from structure option. This patch fixes the following warning. xtables-eb.c: In function ‘ebt_load_match_extensions’: xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier from pointer target type opts = ebt_original_options; Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: extensions: Fix MARK target helpMart Frauenlob2017-11-271-1/+1
| | | | | | | A typo in the help output of: iptables -j MARK -h. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_sctp: fix array out of range in print_chunkhuaibin Wang2017-11-132-7/+4
| | | | | | | | | | | | | | | | | For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type is not equal to the corresponding index in sctp_chunk_names[]. Using this field leads to a segmentation fault (index out of range). Example $ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT $ iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Segmentation fault Signed-off-by: huaibin Wang <huaibin.wang@6wind.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add tests for ipcomp protocolHarsha Sharma2017-10-241-0/+5
| | | | | | | This patch adds test for ipcomp protocol. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: print output in same way as nft-test.pyHarsha Sharma2017-10-241-13/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Print errors and total no. of tests, tests passed, failed and errors for testfile argument Remove option "--all" Print file names for which all tests are passed with OK For e.g - sudo ./xlate-test.py generic.txlate: OK libip6t_DNAT.txlate: OK ... libxt_TCPMSS.txlate: Fail src: iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu exp: nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu res: nft # -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu ... libxt_connlabel.txlate: Error: iptables-translate failure iptables-translate v1.6.1: Couldn't load match `connlabel':No such file or directory ... 64 test files, 246 tests, 242 tests passed, 2 tests failed, 2 errors sudo ./xlate-test.py extensions/libxt_iprange.txlate 1 test file, 5 tests, 5 tests passed, 0 tests failed, 0 errors sudo ./xlate-test.py extensions/libxt_connlabel.txlate extensions/libxt_connlabel.txlate: Error: iptables-translate failure iptables-translate v1.6.1: Couldn't load match `connlabel':No such file or directory ... 1 test file, 2 tests, 0 tests passed, 0 tests failed, 2 errors Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_recent: Remove ineffective checks for info->namePhil Sutter2017-10-201-2/+2
| | | | | | | | | | | | In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a pointer. So there is no point in comparing it against NULL. Changing the check to make sure it's content is not an empty string is pointless either, since a non-empty default string is used and the argument parser will refuse empty strings as --name argument. So simply get rid of the checks altogether. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_TOS: add tests for translation infrastructureHarsha Sharma2017-10-171-0/+23
| | | | | | | This patch checks that the iptables TOS to nftables translation works fine. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update .gitignoreHarsha Sharma2017-10-171-0/+4
| | | | | | | Add missing files to be ignored. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: iptables-compat translation for TCPMSSAastha Gupta2017-10-171-0/+14
| | | | | | | | Since path mtu support was added, we can now add iptables-compat translation for TCPMSS extension. Signed-off-by: Aastha Gupta <aastha.gupta4104@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcpmss: Detect invalid rangesPhil Sutter2017-10-172-2/+6
| | | | | | | | | | | | Previously, an MSS range of e.g. 65535:1000 was silently accepted but would then never match a packet since the kernel checks whether the MSS value is greater than or equal to the first *and* less than or equal to the second value. Detect this as a parameter problem and update the man page accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: add test file for TCPMSS extensionAastha Gupta2017-10-171-0/+5
| | | | | | | This adds test file for the recently added TCPMSS extension. Signed-off-by: Aastha Gupta <aastha.gupta4104@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: do not allow to delete populated user define chainsPablo Neira Ayuso2017-10-111-2/+8
| | | | | | | | If user chain contains rules, flush needs to happen first to retain iptables semantics. Use NLM_F_NONREC to request non-recursive chain deletion. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: change large file support handlingJuergen Borleis2017-10-041-2/+3
| | | | | | | | | The configure script handles the "--*-largefile" parameter badly. It always disables largefile support if given (and it doesn't matter if 'enable' or 'disable' was used). Signed-off-by: Juergen Borleis <jbe@pengutronix.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Constify option structHarsha Sharma2017-10-044-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The struct of type option is only used to initialise a field inside the xtables_globals struct and is not modified anywhere. Done using following coccinelle semantic patch @r1 disable optional_qualifier@ identifier s,i; position p; @@ static struct option i@p[] ={...}; @ok1@ identifier r1.i; expression e; position p; @@ e = i@p @bad@ position p != {r1.p,ok1.p}; identifier r1.i; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r1.i; @@ static +const struct option i[] = { ... }; Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip{,6}tables-restore: Don't accept wait-interval without waitPhil Sutter2017-10-042-0/+10
| | | | | | | | If -W <val> was given, error out if -w wasn't since that doesn't make sense. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip{,6}tables-restore: Don't ignore missing wait-interval valuePhil Sutter2017-10-041-1/+1
| | | | | | | | Passing -W without a value doesn't make sense so bail out if none was given. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Add a man page for nfnl_osfPhil Sutter2017-10-044-1/+74
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfnl_osf: Fix synopsis in help textPhil Sutter2017-10-041-1/+1
| | | | | | | | | | * -d is optional * -h is not really a flag, just anything not recognized triggers the help output. * That '<del rules>' bit is rather confusing than helpful. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: fix missing __NR_bpf declarationRafael Buchbinder2017-09-101-0/+2
| | | | | | | This include is needed to compile the bpf_obj_get function properly, as it brings in the __NR_bpf declaration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-restore: fix translation of mangle's OUTPUTLouis Sautier2017-09-101-0/+2
| | | | | | This chain should be translated as a route chain, not as a filter chain. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: xt_hashlimit: add rate match modeVishwanath Pai2017-09-084-41/+414
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user specified value. The main difference between the existing algorithm and the new one is that the existing algorithm rate-limits the flow whereas the new algorithm does not. Instead it *classifies* the flow based on whether it is above or below a certain rate. I will demonstrate this with an example below. Let us assume this rule: iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets every second and send 5 packets to "new_chain". But with the new algorithm, as long as the rate of 15/s is sustained, all packets will continue to match and every packet is sent to new_chain. This new functionality will let us classify different flows based on their current rate, so that further decisions can be made on them based on what the current rate is. This is how the new algorithm works: We divide time into intervals of 1 (sec/min/hour) as specified by the user. We keep track of the number of packets/bytes processed in the current interval. After each interval we reset the counter to 0. When we receive a packet for match, we look at the packet rate during the current interval and the previous interval to make a decision: if [ prev_rate < user and cur_rate < user ] return Below else return Above Where cur_rate is the number of packets/bytes seen in the current interval, prev is the number of packets/bytes seen in the previous interval and 'user' is the rate specified by the user. We also provide flexibility to the user for choosing the time interval using the option --hashilmit-interval. For example the user can keep a low rate like x/hour but still keep the interval as small as 1 second. To preserve backwards compatibility we have to add this feature in a new revision, so I've created revision 3 for hashlimit. The two new options we add are: --hashlimit-rate-match --hashlimit-rate-interval I have updated the help text to add these new options. Also added a few tests for the new options. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: fix memory leak when listingPablo M. Bermudo Garay2017-08-142-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following memory leaks are detected by valgrind when ip[6]tables-compat is used for listing operations: ==1604== 1,064 (120 direct, 944 indirect) bytes in 5 blocks are definitely lost in loss record 21 of 27 ==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299) ==1604== by 0x56ABB78: xtables_malloc (in /usr/local/lib/libxtables.so.12.0.0) ==1604== by 0x56AC7D3: xtables_find_match (in /usr/local/lib/libxtables.so.12.0.0) ==1604== by 0x11F502: nft_parse_match (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x11FC7B: nft_rule_to_iptables_command_state (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x1218C0: nft_ipv4_print_firewall (nft-ipv4.c:301) ==1604== by 0x11CBEB: __nft_rule_list (nft.c:2042) ==1604== by 0x11CEA4: nft_rule_list (nft.c:2126) ==1604== by 0x116A7F: list_entries (xtables.c:592) ==1604== by 0x118B26: do_commandx (xtables.c:1233) ==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi) ==1604== ==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 25 of 27 ==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299) ==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102) ==1604== by 0x11A311: nft_init (nft.c:777) ==1604== by 0x115A71: xtables_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi) ==1604== ==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 26 of 27 ==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299) ==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102) ==1604== by 0x11910C: mnl_nftnl_batch_page_add (nft.c:122) ==1604== by 0x11D8FE: nft_action (nft.c:2402) ==1604== by 0x11D957: nft_commit (nft.c:2413) ==1604== by 0x11CCB7: nft_rule_list (nft.c:2076) ==1604== by 0x116A7F: list_entries (xtables.c:592) ==1604== by 0x118B26: do_commandx (xtables.c:1233) ==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi) ==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi) Fix these memory leaks. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-restore: fix several memory leaksPablo M. Bermudo Garay2017-08-143-4/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following memory leaks are detected by valgrind when ip[6]tables-compat-restore is executed: valgrind --leak-check=full iptables-compat-restore test-ruleset ==2548== 16 bytes in 1 blocks are definitely lost in loss record 1 of 20 ==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2548== by 0x4E39D67: __mnl_socket_open (socket.c:110) ==2548== by 0x4E39DDE: mnl_socket_open (socket.c:133) ==2548== by 0x11A48E: nft_init (nft.c:765) ==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 16 bytes in 1 blocks are definitely lost in loss record 2 of 20 ==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874) ==2548== by 0x11B2DB: nftnl_chain_list_get (nft.c:1194) ==2548== by 0x11B377: nft_chain_dump (nft.c:1210) ==2548== by 0x114DF9: get_chain_list (xtables-restore.c:167) ==2548== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217) ==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 40 bytes in 1 blocks are definitely lost in loss record 5 of 20 ==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2548== by 0x56ABB99: xtables_calloc (xtables.c:291) ==2548== by 0x116DA7: command_jump (xtables.c:623) ==2548== by 0x117D5B: do_parse (xtables.c:923) ==2548== by 0x1188BA: do_commandx (xtables.c:1183) ==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405) ==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 40 bytes in 1 blocks are definitely lost in loss record 6 of 20 ==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==2548== by 0x4E3AE07: mnl_nlmsg_batch_start (nlmsg.c:441) ==2548== by 0x1192B7: mnl_nftnl_batch_alloc (nft.c:106) ==2548== by 0x11931A: mnl_nftnl_batch_page_add (nft.c:122) ==2548== by 0x11DB0C: nft_action (nft.c:2402) ==2548== by 0x11DB65: nft_commit (nft.c:2413) ==2548== by 0x114FBB: xtables_restore_parse (xtables-restore.c:238) ==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 80 bytes in 5 blocks are definitely lost in loss record 8 of 20 ==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2548== by 0x50496FE: nftnl_table_list_alloc (table.c:433) ==2548== by 0x11DF88: nft_xtables_config_load (nft.c:2539) ==2548== by 0x11B037: nft_rule_append (nft.c:1116) ==2548== by 0x116639: add_entry (xtables.c:429) ==2548== by 0x118A3B: do_commandx (xtables.c:1187) ==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405) ==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 80 bytes in 5 blocks are definitely lost in loss record 9 of 20 ==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874) ==2548== by 0x11DF91: nft_xtables_config_load (nft.c:2540) ==2548== by 0x11B037: nft_rule_append (nft.c:1116) ==2548== by 0x116639: add_entry (xtables.c:429) ==2548== by 0x118A3B: do_commandx (xtables.c:1187) ==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405) ==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) ==2548== ==2548== 135,168 bytes in 1 blocks are definitely lost in loss record 19 of 20 ==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==2548== by 0x119280: mnl_nftnl_batch_alloc (nft.c:102) ==2548== by 0x11A51F: nft_init (nft.c:777) ==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463) ==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) ==2548== by 0x12FF39: subcmd_main (xshared.c:211) ==2548== by 0x10F63C: main (xtables-compat-multi.c:41) An additional leak occurs if a rule-set already exits: ==2735== 375 (312 direct, 63 indirect) bytes in 3 blocks are definitely lost in loss record 19 of 24 ==2735== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==2735== by 0x504AAE9: nftnl_chain_alloc (chain.c:92) ==2735== by 0x11B1F1: nftnl_chain_list_cb (nft.c:1172) ==2735== by 0x4E3A2E8: __mnl_cb_run (callback.c:78) ==2735== by 0x4E3A4A7: mnl_cb_run (callback.c:162) ==2735== by 0x11920D: mnl_talk (nft.c:70) ==2735== by 0x11B343: nftnl_chain_list_get (nft.c:1203) ==2735== by 0x11B377: nft_chain_dump (nft.c:1210) ==2735== by 0x114DF9: get_chain_list (xtables-restore.c:167) ==2735== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217) ==2735== by 0x115B43: xtables_restore_main (xtables-restore.c:526) ==2735== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534) Fix these memory leaks. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-xml: Fix segfault on jump without a targetOliver Ford2017-06-191-6/+3
| | | | | | | | | | | | | | | | | As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a jump or goto argument lacks a target argument. The following input will segfault: *filter :INPUT ACCEPT [0:0] -A INPUT -p tcp --dport 2200 -j Problem occurs in do_rule_part, where the existsChain() function is called with argv[arg + 1]. If the jump/goto argument is the last argument, then arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within the array bounds before the call to existsChain() is made. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix double space before commentPablo M. Bermudo Garay2017-06-063-7/+8
| | | | | | | | | | | | When a comment translation immediately follows a counter statement, two spaces are printed between "counter" and "comment" keywords. The counter statement is almost always followed by a target, so we need to move the space following "counter" to the beginning of the target translation. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_icmp6: xlate: remove leftover spacePablo M. Bermudo Garay2017-06-061-2/+0
| | | | | | | | This change should have been included in commit f035be35c749 ("xtables-translate: fix multiple spaces issue"), but was forgotten. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: generalize ownerPablo M. Bermudo Garay2017-06-061-1/+1
| | | | | | | | | The owner name was hard-coded in the owner extension translation test. The translation process requires the user to exist in the system, so this commit replaces it with the usual UID_MIN value (1000). Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Add file output option to iptables-saveOliver Ford2017-05-294-11/+69
| | | | | | | | | | | | | | | Adds an option to output the results of iptables-save, ip6tables-save, and xtables-save save to a file. Updates the man page with this new option. Uses the dup2 call to replace stdout with the specified file. Error output is unchanged. This is a feature requested by a Gentoo developer in Bugzilla #905. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Fix crash on malformed iptables-restoreOliver Ford2017-05-294-9/+20
| | | | | | | | | | | | | | | | | | | | Fixes the crash reported in Bugzilla #1131 where a malformed parameter that specifies the table option during a restore can create an invalid pointer. It was discovered during fuzz testing that options like '-ftf' can cause a segfault. A parameter that includes a 't' is not currently filtered correctly. Improves the filtering to: Filter a beginning '-' followed by a character other than '-' and then a 't' anywhere in the parameter. This filters parameters like '-ftf'. Filter '--t'. Filter '--table', stopping when the parameter length is reached. Because the getopt_long function allows abbreviations, any unique abbreviation of '--table' will be treated as '--table'. This filters parameters like '--t', '--ta', but not '--ttl' or '--target'. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: insist that the lock is held.Lorenzo Colitti2017-05-296-37/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, iptables programs will exit with an error if the iptables lock cannot be acquired, but will silently continue if the lock cannot be opened at all. This can cause unexpected failures (with unhelpful error messages) in the presence of concurrent updates, which can be very difficult to find in a complex or multi-administrator system. Instead, refuse to do anything if the lock cannot be acquired. The behaviour is not affected by command-line flags because: 1. In order to reliably avoid concurrent modification, all invocations of iptables commands must follow this behaviour. 2. Whether or not the lock can be opened is typically not a run-time condition but is likely to be a configuration error. Existing systems that depended on things working mostly correctly even if there was no lock might be affected by this change. However, that is arguably a configuration error, and now that the iptables lock is configurable, it is trivial to provide a lock file that is always accessible: if nothing else, the iptables binary itself can be used. The lock does not have to be writable, only readable. Tested by configuring the system to use an xtables.lock file in a non-existent directory and observing that all commands failed. Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Display weird character warning for wildcardsOliver Ford2017-05-081-9/+9
| | | | | | | | | | | Change the scope of the weird character check loop so that it checks for invalid characters when the interface name contains a wildcard. Fixes Bugzilla #1085. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* tests: xlate: check if it is being run as rootPablo M. Bermudo Garay2017-04-251-1/+3
| | | | | Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate: remove python 3.5 dependencyPablo M. Bermudo Garay2017-04-251-13/+19
| | | | | | | | | | | This commit replaces subprocess.run (introduced in python 3.5) with subprocess.Popen (supported since the first version of python 3). Furthermore, the output has been improved when ip[6]tables-translate exits with non-zero return code. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore/save: exit when given an unknown optionVincent Bernat2017-04-196-15/+27
| | | | | | | | | | | | When an unknown option is given, iptables-restore should exit instead of continue its operation. For example, if `--table` was misspelled, this could lead to an unwanted change. Moreover, exit with a status code of 1. Make the same change for iptables-save. OTOH, exit with a status code of 0 when requesting help. Signed-off-by: Vincent Bernat <vincent@bernat.im> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore.8: document -w/-W optionsDan Williams2017-04-141-4/+21
| | | | | | Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.") Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore/ip6tables-restore: add --version/-V argumentDan Williams2017-04-143-8/+24
| | | | | | | Prints program version just like iptables/ip6tables. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_hashlimit: fix 64-bit printf formatsJames Cowgill2017-04-141-7/+9
| | | | | | | | | | | | hashlimit was using "%lu" in a lot of printf format specifiers to print 64-bit integers. This is incorrect on 32-bit architectures because "long int" is 32-bits there. On MIPS, it was causing iptables to segfault when printing these integers. Fix by using the correct format specifier. Signed-off-by: James Cowgill <James.Cowgill@imgtec.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: extensions: Remove typedef in struct.Arushi Singhal2017-04-071-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The Linux kernel coding style guidelines suggest not using typedefs for structure. This patch gets rid of the typedefs for "_code". The following Coccinelle semantic patch detects the cases for struct type: @tn@ identifier i; type td; @@ -typedef struct i { ... } -td ; @@ type tn.td; identifier tn.i; @@ -td + struct i Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add regression tests for xtables-translatePablo M. Bermudo Garay2017-04-0763-0/+740
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This test suite is intended to detect regressions in the translation infrastructure. The script checks if ip[6]tables-translate produces the expected output, otherwise it prints the wrong translation and the expected one. ** Arguments --all # Show also passed tests [test] # Run only the specified test file ** Test files structure Test files are located under extensions directory. Every file contains tests about specific extension translations. A test file name must end with ".txlate". Inside the files, every single test is defined by two consecutive lines: ip[6]tables-translate command and expected result. One blank line is left between tests by convention. e.g. $ cat extensions/libxt_cpu.txlate iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_TOS: Add translation to nftGargi Sharma2017-04-071-0/+26
| | | | | | | | | | | | | | Add translation for TOS to nftables. TOS is deprecated ans DSCP is ued in place of it. The first 6 bits of TOS specify the DSCP value. Examples: $ iptables-translate -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 nft add rule ip mangle PREROUTING tcp dport 22 counter ip6 dscp set 0x04 Signed-off-by: Gargi Sharma <gs051095@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Remove unnecessary braces.Varsha Rao2017-04-064-10/+5
| | | | | | | | | | | | | | | | | Remove braces which are not required, to fix the check patch issue. The following coccinelle script was used to fix this issue. @@ expression e; expression e1; @@ if(e) -{ e1; -} Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Remove explicit static variables initalization.Varsha Rao2017-04-067-11/+11
| | | | | | | | Static variables are initialized to zero by default, so remove explicit initalization. This patch fixes the checkpatch issue. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Constify option structGargi Sharma2017-03-274-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The struct of the type option is only used to initialise a field inside the xtables_match struct and is not modified anywhere. Done using Coccinelle: @r1 disable optional_qualifier@ identifier s,i; position p; @@ static struct option i@p[] ={...}; @ok1@ identifier r1.i; expression e; position p; @@ e = i@p @bad@ position p != {r1.p,ok1.p}; identifier r1.i; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r1.i; @@ static +const struct option i[] = { ... }; Signed-off-by: Gargi Sharma <gs051095@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore: support acquiring the lock.Lorenzo Colitti2017-03-216-33/+122
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, ip[6]tables-restore does not perform any locking, so it is not safe to use concurrently with ip[6]tables. This patch makes ip[6]tables-restore wait for the lock if -w was specified. Arguments to -w and -W are supported in the same was as they are in ip[6]tables. The lock is not acquired on startup. Instead, it is acquired when a new table handle is created (on encountering '*') and released when the table is committed (COMMIT). This makes it possible to keep long-running iptables-restore processes in the background (for example, reading commands from a pipe opened by a system management daemon) and simultaneously run iptables commands. If -w is not specified, then the command proceeds without taking the lock. Tested as follows: 1. Run iptables-restore -w, and check that iptables commands work with or without -w. 2. Type "*filter" into the iptables-restore input. Verify that a) ip[6]tables commands without -w fail with "another app is currently holding the xtables lock...". b) ip[6]tables commands with "-w 2" fail after 2 seconds. c) ip[6]tables commands with "-w" hang until "COMMIT" is typed into the iptables-restore window. 3. With the lock held by an ip6tables-restore process: strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000 shows 11 calls to flock and fails. 4. Run an iptables-restore with -w and one without -w, and check: a) Type "*filter" in the first and then the second, and the second exits with an error. b) Type "*filter" in the second and "*filter" "-S" "COMMIT" into the first. The rules are listed only when the first copy sees "COMMIT". Signed-off-by: Narayan Kamath <narayan@google.com> Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: remove duplicated argument parsing codeLorenzo Colitti2017-03-176-160/+95
| | | | | | | | | | 1. Factor out repeated code to a new xs_has_arg function. 2. Add a new parse_wait_time option to parse the value of -w. 3. Make parse_wait_interval take argc and argv so its callers can be simpler. Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: move XT_LOCK_NAME from CFLAGS to config.h.Lorenzo Colitti2017-03-172-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This slightly simplifies configure.ac and results in more correct dependencies. Tested by running ./configure with --with-xt-lock-name and without, and using strace to verify that the right lock is used. $ make distclean-recursive && ./autogen.sh && ./configure --disable-nftables --prefix /tmp/iptables && make -j64 && make install && sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo ... open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 flock(3, LOCK_EX|LOCK_NB) = 0 $ make distclean-recursive && ./autogen.sh && \ ./configure --disable-nftables --prefix /tmp/iptables \ --with-xt-lock-name=/tmp/iptables/run/xtables.lock && make -j64 && make install && sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo ... open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 flock(3, LOCK_EX|LOCK_NB) = 0 Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: set the path of the lock file via a configure option.Lorenzo Colitti2017-03-142-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the iptables lock is hardcoded as "/run/xtables.lock". Allow users to change this path using the --with-xt-lock-name option to ./configure option. This is useful on systems like Android which do not have /run. Tested on Ubuntu, as follows: 1. By default, the lock is placed in /run/xtables.lock: $ make distclean-recursive && ./autogen.sh && ./configure --disable-nftables --prefix /tmp/iptables && make -j64 && make install && sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo ... open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 flock(3, LOCK_EX|LOCK_NB) = 0 iptables: No chain/target/match by that name. 2. Specifying the lock results in the expected location being used: $ make distclean-recursive && ./autogen.sh && \ ./configure --disable-nftables --prefix /tmp/iptables \ --with-xt-lock-name=/tmp/iptables/run/xtables.lock && make -j64 && make install && sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo ... open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 flock(3, LOCK_EX|LOCK_NB) = 0 iptables: No chain/target/match by that name. Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>