| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
* -d is optional
* -h is not really a flag, just anything not recognized triggers the
help output.
* That '<del rules>' bit is rather confusing than helpful.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This include is needed to compile the bpf_obj_get function properly,
as it brings in the __NR_bpf declaration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This chain should be translated as a route chain, not as a filter chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new feature to hashlimit that allows matching on the
current packet/byte rate without rate limiting. This can be enabled
with a new flag --hashlimit-rate-match. The match returns true if the
current rate of packets is above/below the user specified value.
The main difference between the existing algorithm and the new one is
that the existing algorithm rate-limits the flow whereas the new algorithm
does not. Instead it *classifies* the flow based on whether it is above or
below a certain rate. I will demonstrate this with an example below. Let
us assume this rule:
iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain
If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets
every second and send 5 packets to "new_chain".
But with the new algorithm, as long as the rate of 15/s is sustained, all
packets will continue to match and every packet is sent to new_chain.
This new functionality will let us classify different flows based on their
current rate, so that further decisions can be made on them based on what
the current rate is.
This is how the new algorithm works:
We divide time into intervals of 1 (sec/min/hour) as specified by
the user. We keep track of the number of packets/bytes processed in the
current interval. After each interval we reset the counter to 0.
When we receive a packet for match, we look at the packet rate
during the current interval and the previous interval to make a decision:
if [ prev_rate < user and cur_rate < user ]
return Below
else
return Above
Where cur_rate is the number of packets/bytes seen in the current
interval, prev is the number of packets/bytes seen in the previous
interval and 'user' is the rate specified by the user.
We also provide flexibility to the user for choosing the time
interval using the option --hashilmit-interval. For example the user can
keep a low rate like x/hour but still keep the interval as small as 1
second.
To preserve backwards compatibility we have to add this feature in a new
revision, so I've created revision 3 for hashlimit. The two new options
we add are:
--hashlimit-rate-match
--hashlimit-rate-interval
I have updated the help text to add these new options. Also added a few
tests for the new options.
Suggested-by: Igor Lubashev <ilubashe@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat is used for listing operations:
==1604== 1,064 (120 direct, 944 indirect) bytes in 5 blocks are definitely lost in loss record 21 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x56ABB78: xtables_malloc (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x56AC7D3: xtables_find_match (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x11F502: nft_parse_match (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x11FC7B: nft_rule_to_iptables_command_state (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x1218C0: nft_ipv4_print_firewall (nft-ipv4.c:301)
==1604== by 0x11CBEB: __nft_rule_list (nft.c:2042)
==1604== by 0x11CEA4: nft_rule_list (nft.c:2126)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 25 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11A311: nft_init (nft.c:777)
==1604== by 0x115A71: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 26 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11910C: mnl_nftnl_batch_page_add (nft.c:122)
==1604== by 0x11D8FE: nft_action (nft.c:2402)
==1604== by 0x11D957: nft_commit (nft.c:2413)
==1604== by 0x11CCB7: nft_rule_list (nft.c:2076)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat-restore is executed:
valgrind --leak-check=full iptables-compat-restore test-ruleset
==2548== 16 bytes in 1 blocks are definitely lost in loss record 1 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x4E39D67: __mnl_socket_open (socket.c:110)
==2548== by 0x4E39DDE: mnl_socket_open (socket.c:133)
==2548== by 0x11A48E: nft_init (nft.c:765)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 16 bytes in 1 blocks are definitely lost in loss record 2 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11B2DB: nftnl_chain_list_get (nft.c:1194)
==2548== by 0x11B377: nft_chain_dump (nft.c:1210)
==2548== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2548== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 5 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x56ABB99: xtables_calloc (xtables.c:291)
==2548== by 0x116DA7: command_jump (xtables.c:623)
==2548== by 0x117D5B: do_parse (xtables.c:923)
==2548== by 0x1188BA: do_commandx (xtables.c:1183)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 6 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x4E3AE07: mnl_nlmsg_batch_start (nlmsg.c:441)
==2548== by 0x1192B7: mnl_nftnl_batch_alloc (nft.c:106)
==2548== by 0x11931A: mnl_nftnl_batch_page_add (nft.c:122)
==2548== by 0x11DB0C: nft_action (nft.c:2402)
==2548== by 0x11DB65: nft_commit (nft.c:2413)
==2548== by 0x114FBB: xtables_restore_parse (xtables-restore.c:238)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 8 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x50496FE: nftnl_table_list_alloc (table.c:433)
==2548== by 0x11DF88: nft_xtables_config_load (nft.c:2539)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 9 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11DF91: nft_xtables_config_load (nft.c:2540)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 135,168 bytes in 1 blocks are definitely lost in loss record 19 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x119280: mnl_nftnl_batch_alloc (nft.c:102)
==2548== by 0x11A51F: nft_init (nft.c:777)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
An additional leak occurs if a rule-set already exits:
==2735== 375 (312 direct, 63 indirect) bytes in 3 blocks are definitely lost in loss record 19 of 24
==2735== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2735== by 0x504AAE9: nftnl_chain_alloc (chain.c:92)
==2735== by 0x11B1F1: nftnl_chain_list_cb (nft.c:1172)
==2735== by 0x4E3A2E8: __mnl_cb_run (callback.c:78)
==2735== by 0x4E3A4A7: mnl_cb_run (callback.c:162)
==2735== by 0x11920D: mnl_talk (nft.c:70)
==2735== by 0x11B343: nftnl_chain_list_get (nft.c:1203)
==2735== by 0x11B377: nft_chain_dump (nft.c:1210)
==2735== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2735== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2735== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2735== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j
Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a comment translation immediately follows a counter statement, two
spaces are printed between "counter" and "comment" keywords.
The counter statement is almost always followed by a target, so we need
to move the space following "counter" to the beginning of the target
translation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This change should have been included in commit f035be35c749
("xtables-translate: fix multiple spaces issue"), but was forgotten.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The owner name was hard-coded in the owner extension translation test.
The translation process requires the user to exist in the system, so
this commit replaces it with the usual UID_MIN value (1000).
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an option to output the results of iptables-save,
ip6tables-save, and xtables-save save to a file.
Updates the man page with this new option.
Uses the dup2 call to replace stdout with the specified file.
Error output is unchanged.
This is a feature requested by a Gentoo developer in
Bugzilla #905.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that
specifies the table option during a restore can create an invalid pointer.
It was discovered during fuzz testing that options like '-ftf'
can cause a segfault. A parameter that includes a 't' is not currently
filtered correctly.
Improves the filtering to:
Filter a beginning '-' followed by a character other than '-' and then a 't'
anywhere in the parameter. This filters parameters like '-ftf'.
Filter '--t'.
Filter '--table', stopping when the parameter length is reached. Because the
getopt_long function allows abbreviations, any unique abbreviation of '--table'
will be treated as '--table'. This filters parameters like '--t', '--ta', but not
'--ttl' or '--target'.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, iptables programs will exit with an error if the
iptables lock cannot be acquired, but will silently continue if
the lock cannot be opened at all. This can cause unexpected
failures (with unhelpful error messages) in the presence of
concurrent updates, which can be very difficult to find in a
complex or multi-administrator system.
Instead, refuse to do anything if the lock cannot be acquired.
The behaviour is not affected by command-line flags because:
1. In order to reliably avoid concurrent modification, all
invocations of iptables commands must follow this behaviour.
2. Whether or not the lock can be opened is typically not
a run-time condition but is likely to be a configuration
error.
Existing systems that depended on things working mostly correctly
even if there was no lock might be affected by this change.
However, that is arguably a configuration error, and now that the
iptables lock is configurable, it is trivial to provide a lock
file that is always accessible: if nothing else, the iptables
binary itself can be used. The lock does not have to be writable,
only readable.
Tested by configuring the system to use an xtables.lock file in
a non-existent directory and observing that all commands failed.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change the scope of the weird character check loop so that
it checks for invalid characters when the interface name
contains a wildcard.
Fixes Bugzilla #1085.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
| |
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit replaces subprocess.run (introduced in python 3.5) with
subprocess.Popen (supported since the first version of python 3).
Furthermore, the output has been improved when ip[6]tables-translate
exits with non-zero return code.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When an unknown option is given, iptables-restore should exit instead of
continue its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.
OTOH, exit with a status code of 0 when requesting help.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.")
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Prints program version just like iptables/ip6tables.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
hashlimit was using "%lu" in a lot of printf format specifiers to print
64-bit integers. This is incorrect on 32-bit architectures because
"long int" is 32-bits there. On MIPS, it was causing iptables to
segfault when printing these integers.
Fix by using the correct format specifier.
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Linux kernel coding style guidelines suggest not using typedefs for
structure. This patch gets rid of the typedefs for "_code".
The following Coccinelle semantic patch detects the cases for struct
type:
@tn@
identifier i;
type td;
@@
-typedef
struct i { ... }
-td
;
@@
type tn.td;
identifier tn.i;
@@
-td
+ struct i
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test suite is intended to detect regressions in the translation
infrastructure. The script checks if ip[6]tables-translate produces the
expected output, otherwise it prints the wrong translation and the
expected one.
** Arguments
--all # Show also passed tests
[test] # Run only the specified test file
** Test files structure
Test files are located under extensions directory. Every file contains
tests about specific extension translations. A test file name must end
with ".txlate".
Inside the files, every single test is defined by two consecutive lines:
ip[6]tables-translate command and expected result. One blank line is left
between tests by convention.
e.g.
$ cat extensions/libxt_cpu.txlate
iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for TOS to nftables. TOS is deprecated
ans DSCP is ued in place of it. The first 6 bits of
TOS specify the DSCP value.
Examples:
$ iptables-translate -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
nft add rule ip mangle PREROUTING tcp dport 22 counter ip6 dscp set 0x04
Signed-off-by: Gargi Sharma <gs051095@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove braces which are not required, to fix the check patch issue.
The following coccinelle script was used to fix this issue.
@@
expression e;
expression e1;
@@
if(e)
-{
e1;
-}
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Static variables are initialized to zero by default, so remove explicit
initalization. This patch fixes the checkpatch issue.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The struct of the type option is only used to initialise a field
inside the xtables_match struct and is not modified anywhere.
Done using Coccinelle:
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct option i[] = { ... };
Signed-off-by: Gargi Sharma <gs051095@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, ip[6]tables-restore does not perform any locking, so it
is not safe to use concurrently with ip[6]tables.
This patch makes ip[6]tables-restore wait for the lock if -w
was specified. Arguments to -w and -W are supported in the same
was as they are in ip[6]tables.
The lock is not acquired on startup. Instead, it is acquired when
a new table handle is created (on encountering '*') and released
when the table is committed (COMMIT). This makes it possible to
keep long-running iptables-restore processes in the background
(for example, reading commands from a pipe opened by a system
management daemon) and simultaneously run iptables commands.
If -w is not specified, then the command proceeds without taking
the lock.
Tested as follows:
1. Run iptables-restore -w, and check that iptables commands work
with or without -w.
2. Type "*filter" into the iptables-restore input. Verify that
a) ip[6]tables commands without -w fail with "another app is
currently holding the xtables lock...".
b) ip[6]tables commands with "-w 2" fail after 2 seconds.
c) ip[6]tables commands with "-w" hang until "COMMIT" is
typed into the iptables-restore window.
3. With the lock held by an ip6tables-restore process:
strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000
shows 11 calls to flock and fails.
4. Run an iptables-restore with -w and one without -w, and check:
a) Type "*filter" in the first and then the second, and the
second exits with an error.
b) Type "*filter" in the second and "*filter" "-S" "COMMIT"
into the first. The rules are listed only when the first
copy sees "COMMIT".
Signed-off-by: Narayan Kamath <narayan@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This slightly simplifies configure.ac and results in more
correct dependencies.
Tested by running ./configure with --with-xt-lock-name and
without, and using strace to verify that the right lock is used.
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the iptables lock is hardcoded as "/run/xtables.lock".
Allow users to change this path using the --with-xt-lock-name
option to ./configure option. This is useful on systems like
Android which do not have /run.
Tested on Ubuntu, as follows:
1. By default, the lock is placed in /run/xtables.lock:
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
2. Specifying the lock results in the expected location being
used:
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
$ iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
This extra 'nft' print is incorrect, just print it if there are more
rules to be printed.
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Tested-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
ares->ai_canonname is never used, so there is no point in requesting
that piece of information with AI_CANONNAME.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The error path already terminally returns from the function, so there
is no point in having an explicit else block.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to print nft at the very beginning for each rule that rules from
the expansion, otherwise the output is not correct:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
insert rule ip filter INPUT ip saddr 98.139.183.24 counter
After this patch:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This originally came up when accidentally calling iptables-translate as
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).
The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Translate addrtype match into fib expression:
$ iptables-translate -A INPUT -m addrtype --src-type LOCAL
nft add rule ip filter INPUT fib saddr type local counter
$ iptables-translate -A INPUT -m addrtype --dst-type LOCAL
nft add rule ip filter INPUT fib daddr type local counter
$ iptables-translate -A INPUT -m addrtype ! --dst-type ANYCAST,LOCAL
nft add rule ip filter INPUT fib daddr type != { local, anycast } counter
$ iptables-translate -A INPUT -m addrtype --limit-iface-in --dst-type ANYCAST,LOCAL
nft add rule ip filter INPUT fib daddr . iif type { local, anycast } counter
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The musl libc exposes some struct tcphdr field only when _GNU_SOURCE is
defined. Fix the following build failure:
nfsynproxy.c: In function ‘parse_packet’:
nfsynproxy.c:34:9: error: ‘const struct tcphdr’ has no member named ‘syn’
if (!th->syn || !th->ack)
^
nfsynproxy.c:34:21: error: ‘const struct tcphdr’ has no member named ‘ack’
if (!th->syn || !th->ack)
^
nfsynproxy.c:42:8: error: ‘const struct tcphdr’ has no member named ‘res2’
if (th->res2 == 0x1)
^
nfsynproxy.c:45:13: error: ‘const struct tcphdr’ has no member named ‘doff’
length = th->doff * 4 - sizeof(*th);
^
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking a rule that includes a jump to a module-based target currently
sets the "changed" flag on the handle, which then causes TC_COMMIT() to
run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This
seems wrong for simply checking rules, an operation which is documented
as "...does not alter the existing iptables configuration..." but yet
it clearly could do so.
Fix that by ensuring that rule check operations for module targets
don't set the changed flag, and thus exit early from TC_COMMIT().
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hashlimit has similar functionality to flow tables in nftables. Some
usage examples are:
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip \
--hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW \
-j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second \
burst 1 mbytes} ct state new counter drop
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode \
srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 \
-m state --state NEW -j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} \
ct state new counter drop
The translation isn't supported when --hashlimit-mode isn't specified.
Also, the following options don't apply to flow tables:
--hashlimit-htable-size
--hashlimit-htable-max
--hashlimit-htable-gcinterval
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using "-w" to avoid concurrent instances, we try to do flock() every
one second until it success. But one second maybe too long in some
situations, and it's hard to select a suitable interval time. So when
using "iptables -w" to wait indefinitely, it's better to block until
it become success.
Now do some performance tests. First, flush all the iptables rules in
filter table, and run "iptables -w -S" endlessly:
# iptables -F
# iptables -X
# while : ; do
iptables -w -S >&- &
done
Second, after adding and deleting the iptables rules 100 times, measure
the time cost:
# time for i in $(seq 100); do
iptables -w -A INPUT
iptables -w -D INPUT
done
Before this patch:
real 1m15.962s
user 0m0.224s
sys 0m1.475s
Apply this patch:
real 0m1.830s
user 0m0.168s
sys 0m1.130s
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After running the following commands, some confusing messages was printed
out:
# while : ; do
iptables -A INPUT &
iptables -D INPUT &
done
[...]
Another app is currently holding the xtables lock; still -9s 0us time
ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time
ahead to have a chance to grab the lock...
If "-w" option is not specified, the "wait" will be zero, so we should
check whether the timer_left is less than wait_interval before we call
select to sleep.
Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time"
introduced by commit e8f857a5a151 ("xtables: Add an interval option for
xtables lock wait").
Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
commit ad5b55761956427f61ed9c96961bf9c5cd4f92dc
Author: Alban Browaeys <alban.browaeys@gmail.com>
Date: Mon Feb 6 23:50:33 2017 +0100
netfilter: xt_hashlimit: Fix integer divide round to zero.
http://patchwork.ozlabs.org/patch/724800/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Sync with latest OpenBSD release.
Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix wrong appending of jump verdict after the comment
For example:
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
Note that even without comment with double-quotes (i.e. --comment
"foobar"), it will add quotes:
$ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
Attempting to apply the translated/generated rule will result to:
$ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
<cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting endof file or newline or semicolon
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment "foobar"jump LONGNACCEPT
After this patch
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
which is correct translation
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Reviewed-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
# iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
# ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accpet-local" is combined with "--invert", it means "&&"
relationship, so translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
--connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter
# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 \
--connbytes-dir reply --connbytes-mode packets
nft add rule ip filter OUTPUT ct reply packets lt 200 counter
# iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 \
--connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes 200-600 counter
# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 \
--connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes != 200-600 counter
# iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 \
--connbytes-dir both --connbytes-mode avgpkt
nft add rule ip filter OUTPUT ct avgpkt 200 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
