summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libxt_multiport: add translation for -m multiport --portsPablo Neira Ayuso2021-06-252-8/+33
| | | | | | Add a translation for -m multiport --ports. Extend the existing testcase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_conntrack: simplify translation using negationPablo Neira Ayuso2021-06-072-37/+17
| | | | | | | | | Available since nftables 0.9.9. For example: # iptables-translate -I INPUT -m state ! --state NEW,INVALID nft insert rule ip filter INPUT ct state ! invalid,new counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcp: rework translation to use flags match representationPablo Neira Ayuso2021-06-073-10/+10
| | | | | | | Use the new flags match representation available since nftables 0.9.9 to simplify the translation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlimit: add translationPablo Neira Ayuso2021-06-072-0/+64
| | | | | | | | This patch adds a translation for connlimit matches which requires the definition of a set and the family context (either IPv4 or IPv6) which is required to display the netmask accordingly. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate-test: support multiline expectationPablo Neira Ayuso2021-06-071-2/+12
| | | | | | | | | | Extend translation test to deal with multiline translation, e.g. iptables-translate -A INPUT -m connlimit --connlimit-above 2 nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; } nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: extend xlate infrastructurePablo Neira Ayuso2021-06-074-28/+93
| | | | | | | | | | | | | | This infrastructure extends the existing xlate infrastructure: - Extensions can define set dependencies through .xlate. The resulting set definition can be obtained through xt_xlate_set_get(). - Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch the family. The first client of this new xlate API is the connlimit extension, which is added in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_string: Avoid buffer size warning for strncpy()Phil Sutter2021-06-071-1/+1
| | | | | | | If the target buffer does not need to be null-terminated, one may simply use memcpy() and thereby avoid any compiler warnings. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-0726-73/+60
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Use xtables_ip6parse_any()Phil Sutter2021-06-071-64/+10
| | | | | | | | | | | The code was almost identical and suffered from the same problem as fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory corruption bugs"). The only functional change this involves is ebt_parse_ip6_address() will now accept hostnames as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-apply: Drop unused variablePhil Sutter2021-06-071-1/+0
| | | | | | | It was assigned to but never read. Fixes: b45b4e3903414 ("iptables-apply: script and manpage update") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid buffer size warnings copying iface namesPhil Sutter2021-06-072-4/+4
| | | | | | | | | The call to strncpy() is actually not needed: source buffer is only IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to avoid compiler warnings due to size parameter matching the destination buffer size by performing the copy using (dumb) memcpy() instead. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid memleak in error path of nft_cmd_new()Phil Sutter2021-06-071-1/+3
| | | | | | | | If rule allocation fails, free the allocated 'cmd' before returning to caller. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Fix memleak in xtopt_parse_hostmask()Phil Sutter2021-06-071-0/+1
| | | | | | | The allocated hostmask duplicate needs to be freed again. Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Drop unused variablesPhil Sutter2021-06-071-4/+2
| | | | | | | They are being assigned to but never read. Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()Phil Sutter2021-06-071-2/+1
| | | | | | | Variable 'err' was only used in removed debug code, so drop it as well. Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Translate --chunk-types optionPhil Sutter2021-05-192-19/+78
| | | | | | | | | The translation is not fully complete as it is not possible to map 'any' match type into nft syntax with a single rule. Also, 'only' match type translation is a bit poor as it explicitly lists all chunk types that are supposed to be missing. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Fix nftables translationPhil Sutter2021-05-192-11/+9
| | | | | | | If both sport and dport was present, incorrect nft syntax was generated. Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Use proto_to_name() from xshared in more placesPhil Sutter2021-05-176-38/+16
| | | | | | | | | | Share the common proto name lookup code. While being at it, make proto number variable 16bit, values may exceed 256. This aligns iptables-nft '-p' argument printing with legacy iptables. In practice, this should make a difference only in corner cases. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Use shared ebt_get_current_chain() functionPhil Sutter2021-05-171-17/+1
| | | | | | | | | | | | | | | | | | | | Drop the local reimplementation. It was barely different enough to be buggy: | % ebtables-nft -A foo -o eth0 -j ACCEPT | % xtables-nft-multi ebtables-translate -A foo -o eth0 -j ACCEPT | ebtables-translate v1.8.5 (nf_tables): Use -o only in OUTPUT, FORWARD and POSTROUTING chains | Try `ebtables-translate -h' or 'ebtables-translate --help' for more information. With this change, output is as expected: | % xtables-nft-multi ebtables-translate -A foo -o eth0 -j ACCEPT | nft add rule bridge filter foo oifname "eth0" counter accept This is roughly the same issue fixed in commit e1ccd979e6849 ("ebtables: fix over-eager -o checks on custom chains"). Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Merge invflags handling codePhil Sutter2021-05-177-199/+88
| | | | | | | | | | Join invflags handling between iptables, ip6tables, xtables and arptables. Ebtables still has its own code which differs quite a bit. In order to use a shared set_option() routine, iptables and ip6tables need to provide a local 'invflags' variable which is 16bits wide. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Eliminate iptables_command_state->invertPhil Sutter2021-05-177-133/+113
| | | | | | | | | This field is not used by routines working with struct iptables_command_state: It is merely a temporary flag used by parsers to carry the '!' prefix until invflags have been populated (or error checking done if unsupported). Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Make invflags 16bit widePhil Sutter2021-05-172-3/+3
| | | | | | | | | | | | | This is needed to merge with xtables-arp which has more builtin options and hence needs more bits in invflags. The only adjustment needed is the set_option() call for option '-j' which passed a pointer to cs->fw.ip.invflags. That field can't be changed, it belongs to uAPI. Though using args->invflags instead works fine, aside from that '-j' doesn't support inverting so this is merely a sanity check and no real invflag value assignment will happen. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1Phil Sutter2021-05-043-20/+80
| | | | | | | | | The changed data structure for communication with kernel allows to exclude the field 'secid' which is populated on kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-arp: Make use of ipv4_addr_to_string()Phil Sutter2021-04-303-94/+14
| | | | | | | This eliminates quite a bit of redundant code apart from also dropping use of obsolete function gethostbyaddr(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* Eliminate inet_aton() and inet_ntoa()Phil Sutter2021-04-302-11/+18
| | | | | | | Both functions are obsolete, replace them by equivalent calls to inet_pton() and inet_ntop(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Explain match types in man pagePhil Sutter2021-04-291-0/+11
| | | | | | They weren't mentioned at all. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Increase BATCH_PAGE_SIZE to support huge rulesetsPhil Sutter2021-04-101-5/+7
| | | | | | | | | | | | | | In order to support the same ruleset sizes as legacy iptables, the kernel's limit of 1024 iovecs has to be overcome. Therefore increase each iovec's size from 128KB to 2MB. While being at it, add a log message for failing sendmsg() call. This is not supposed to happen, even if the transaction fails. Yet if it does, users are left with only a "line XXX failed" message (with line number being the COMMIT line). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: cache: Sort chains on demand onlyPhil Sutter2021-04-065-13/+73
| | | | | | | | | Mandatory sorted insert of chains into cache significantly slows down restoring of large rulesets. Since the sorted list of user-defined chains is needed for listing and verbose output only, introduce nft_cache_sort_chains() and call it where needed. Signed-off-by: Phil Sutter <phil@nwl.cc>
* fix build for missing ETH_ALEN definitionMaciej ┼╗enczykowski2021-04-031-0/+1
| | | | | | | (this is needed at least with bionic) Signed-off-by: Maciej ┼╗enczykowski <maze@google.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_conntrack: use bitops for status negationAlexander Mikhalitsyn2021-04-022-10/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At the moment, status_xlate_print function prints statusmask as comma-separated sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus condition then we have to use more complex expression (if more than one flag enabled) because nft not supports syntax like "ct status != expected,assured". Examples: ! --ctstatus CONFIRMED,ASSURED should be translated as ct status & (assured|confirmed) == 0 ! --ctstatus CONFIRMED can be translated as ct status & confirmed == 0 See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference). Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_conntrack: use bitops for state negationAlexander Mikhalitsyn2021-04-022-14/+29
| | | | | | | | | | | | | | | | | | | | | Currently, state_xlate_print function prints statemask as comma-separated sequence of enabled statemask flags. But if we have inverted conntrack ctstate condition then we have to use more complex expression because nft not supports syntax like "ct state != related,established". Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Simplify xtables_ipmask_to_cidr() a bitPhil Sutter2021-03-091-10/+5
| | | | | | | Reduce the whole mask matching into a single for-loop. No need for a shortcut, /32 masks will match in the first iteration. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Fix translation of odd netmasksPhil Sutter2021-03-094-15/+106
| | | | | | | | | Iptables supports netmasks which are not prefixes to match on (or ignore) arbitrary bits in an address. Yet nftables' prefix notation is available for real prefixes only, so translation is not as trivial - print bitmask syntax for those cases. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix bitwise expression avoidance detectionPhil Sutter2021-03-092-1/+27
| | | | | | | | | Byte-boundary prefix detection was too sloppy: Any data following the first zero-byte was ignored. Add a follow-up loop making sure there are no stray bits in the designated host part. Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: fix -Z optionFlorian Westphal2021-02-242-1/+65
| | | | | | | | | it zeroes the rule counters, so it needs fully populated cache. Add a test case to cover this. Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* include: Drop libipulog.hPhil Sutter2021-02-171-39/+0
| | | | | | | | The file is not included anywhere, also it seems outdated compared to the one in libnetfilter_log (which also holds the implementation). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Exit gracefully on invalid table namesPhil Sutter2021-01-281-4/+4
| | | | | | | | | | | | | | | | | | | | | | Users are able to cause program abort by passing a table name that doesn't exist: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. | Aborted Avoid this by checking table existence just like iptables-nft does upon parsing '-t' optarg. Since the list of tables is known and fixed, checking the given name's length is pointless. So just drop that check in return. With this patch in place, output looks much better: | # ebtables-nft -t dummy -P INPUT ACCEPT | ebtables v1.8.7 (nf_tables): table 'dummy' does not exist | Perhaps iptables or your kernel needs to be upgraded. Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: bump version for 1.8.7 releasev1.8.7Pablo Neira Ayuso2021-01-151-3/+3
| | | | | | | | | | Update libtool version for libxtables since two new interfaces have been added: - xtables_parse_mac_and_mask() - xtables_print_well_known_mac_and_mask() Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Fix nft-only/0009-needless-bitwise_0Phil Sutter2021-01-151-1/+8
| | | | | | | | | For whatever reason, stored expected output contains false handles. To overcome this, filter the rule data lines from both expected and stored output before comparing. Fixes: 81a2e12851283 ("tests/shell: Add test for bitwise avoidance fixes") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid pointless table/chain creationPhil Sutter2020-12-213-18/+82
| | | | | | | | | | | | | | | | | Accept a chain name in nft_xt_builtin_init() to limit the base chain creation to that specific chain only. Introduce nft_xt_builtin_table_init() to create just the table for situations where no builtin chains are needed but the command may still succeed in an empty ruleset, particularly when creating a custom chain, restoring base chains or adding a set for ebtables among match. Introduce nft_xt_fake_builtin_chains(), a function to call after cache has been populated to fill empty base chain slots. This keeps ruleset listing output intact if some base chains do not exist (or even the whole ruleset is completely empty). Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Drop any dump sorting in placePhil Sutter2020-12-213-18/+5
| | | | | | | With iptables-nft-save output now sorted just like legacy one, no sorting to unify them is needed anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Sort custom chains by namePhil Sutter2020-12-212-3/+14
| | | | | | | | | | | | | | With base chains no longer residing in the tables' chain lists, they can easily be sorted upon insertion. This on one hand aligns custom chain ordering with legacy iptables and on the other makes it predictable, which is very helpful when manually comparing ruleset dumps for instance. Adjust the one ebtables-nft test case this change breaks (as wrong ordering is expected in there). The manual output sorting done for tests which apply to legacy as well as nft is removed in a separate patch. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce a dedicated base chain arrayPhil Sutter2020-12-213-2/+45
| | | | | | | | | Preparing for sorted chain output, introduce a per-table array holding base chains indexed by nf_inet_hooks value. Since the latter is ordered correctly, iterating over the array will return base chains in expected order. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce struct nft_chainPhil Sutter2020-12-217-66/+212
| | | | | | | | | Preparing for ordered output of user-defined chains, introduce a local datatype wrapping nftnl_chain. In order to maintain the chain name hash table, introduce nft_chain_list as well and use it instead of nftnl_chain_list. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Move nft_chain_find() overPhil Sutter2020-12-213-17/+17
| | | | | | It is basically just a cache lookup, hence fits better in here. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Implement nft_chain_foreach()Phil Sutter2020-12-215-96/+46
| | | | | | | | | | | | | | This is just a fancy wrapper around nftnl_chain_list_foreach() with the added benefit of detecting invalid table names or uninitialized chain lists. This in turn allows to drop the checks in flush_rule_cache() and ignore the return code of nft_chain_foreach() as it fails only if the dropped checks had failed, too. Since this wrapper does the chain list lookup by itself, use of nft_chain_list_get() shrinks down to a single place, namely inside nft_chain_find(). Therefore fold it into the latter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Introduce nft_cache_add_chain()Phil Sutter2020-12-213-12/+19
| | | | | | | This is a convenience function for adding a chain to cache, for now just a simple wrapper around nftnl_chain_list_add_tail(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix selective chain compatibility checksPhil Sutter2020-12-211-0/+6
| | | | | | | | | | | | | | Since commit 80251bc2a56ed ("nft: remove cache build calls"), 'chain' parameter passed to nft_chain_list_get() is no longer effective. Before, it was used to fetch only that single chain from kernel when populating the cache. So the returned list of chains for which compatibility checks are done would contain only that single chain. Re-establish the single chain compat checking by introducing a dedicated code path to nft_is_chain_compatible() doing so. Fixes: 80251bc2a56ed ("nft: remove cache build calls") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-monitor:Florian Westphal2020-12-141-0/+3
| | | | | | 'LL=0x304' is not very convenient, print LOOPBACK instead. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-monitor: print packet firstFlorian Westphal2020-12-141-11/+23
| | | | | | | | | | | The trace mode should first print the packet that was received and then the rule/verdict. Furthermore, the monitor did sometimes print an extra newline. After this patch, output is more consistent with nft monitor. Signed-off-by: Florian Westphal <fw@strlen.de>