| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a segfault in rules without target.
Now, these two rules are allowed:
% ebtables-compat -A FORWARD -p 0x0600 -j CONTINUE
% ebtables-compat -A FORWARD -p 0x0600
And both are printed:
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x600 -j CONTINUE
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fix printing of ebt extensions:
% sudo ebtables-compat -L
[...]
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--802_3-type 0x0012 -j ACCEPT
[...]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch:
% sudo ebtables-compat -L --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
-j ACCEPT , pcnt = 123 -- bcnt = 123
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Renaming of chains is not working. and ebtables-compat gets:
libnftnl: attribute 0 assertion failed in chain.c:159
This patch brings back the parser code of the original ebtables tool:
http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652
I adapted the original parser code to fit in the new environment. Also tried to
keep original error messages as much as possible.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command: Result:
-L Always RETURN for user-defined chains
-P builtin RETURN Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP ok
-P userdefined RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
-N userdefined ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This permits to build extensions for ebtables-compat layer.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This message doesn't exist in the original ebtables tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes inversion of builtin matches by updating the use of add_*()
functions and using nft_invflags2cmp() as well.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, no '!' is printed in payload comparisions.
This patch solves it, so we can print for example inverted protocols:
% ebtables-compat -L
[...]
-p ! 0x800 -j ACCEPT
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This prints the header like ebtables.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
And introduce fake ebt_entry.
This gets the code in sync in other existing compat tools. This
will likely allow to consolidate common infrastructure.
This code is still quite experimental.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.
[ Original patches:
http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/
I have also forward port them on top of the current git HEAD, otherwise
compilation breaks.
This bootstrap is experimental, this still needs more work. --Pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds an explicit object update type to rename chains, so we avoid
calling the nf_tables API with NLM_F_EXCL.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ.
The caller must calculate which kind of cmp operation requires.
BTW, this patch solves absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Correct trimming of userspacesize to fix deletions.
Fixes: Bugzilla #884.
The rule having TEE target with '--oif' option cannot be deleted by iptables command.
$ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
$ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
iptables: No chain/target/match by that name.
Signed-off-by: Loganaden Velvindron <logan@elandsys.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a difference between error messages in iptables and
iptables-compat:
# iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: Index of replacement too big.
# iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: No chain/target/match by that name.
Now, iptables-compat shows the same error message than iptables in
this case.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\
| |
| |
| |
| |
| | |
This provides the ipset skbinfo extension.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This feature add support of mapping metainformation to packets like nftables maps or
ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue.
Usage of this functionality allowed only from mangle table. We can map tc priority
only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision.
If entry doesn't exist in the set nothing of fields changed.
Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=985
The --dst-group parameter in devgroup extensions lists and saves
incorrectly its value. --dst-group always shows "0x0/0x0".
This is an example:
# iptables -I FORWARD -m devgroup --dst-group 200 -j ACCEPT
# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere src-group 0x64 dst-group 0x0/0x0
# iptables -S FORWARD
-P FORWARD ACCEPT
-A FORWARD -m devgroup --dst-group 0x0/0x0 -j ACCEPT
Reporte-by: Axinchan <axinchan@cnrouter.com>
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are some differences between error messages in iptables and
iptables-compat:
# iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.
# iptables -N new_chain
# iptables -N new_chain
iptables: Chain already exists.
# iptables-compat -N new_chain
# iptables-compat -N new_chain
iptables: File exists.
Now, iptables-compat shows the same error messages than iptables in
those cases.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame:
357 switch (vfork()) {
358 case 0:
359 argv[0] = (char *)modprobe;
360 argv[1] = (char *)modname;
361 if (quiet) {
362 argv[2] = "-q";
363 argv[3] = NULL;
364 } else {
365 argv[2] = NULL;
366 argv[3] = NULL;
367 }
368 execv(argv[0], argv);
369
370 /* not usually reached */
371 exit(1);
modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!
Relevant caution in man 2 vfork:
"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."
Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
# iptables-compat -L
# iptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note that the second (and follow up) invocations after the first one
display the chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Newly created (emulated) xt built-in chain have to use NF_ACCEPT. Remove
extra unused chain parameter and rename nft_chain_builtin_init to
nft_xt_builtin_init too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
The functions that allows you to create built-in table and chains are
required out of the scope of nft.c
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Initialize built-in tables/chains if they don't exists, otherwise
simply skip.
This avoids the chain policy reset to NF_ACCEPT by when you call
iptables -L -n.
Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Ana Rey <anarey@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The offset variable (undefined) is passed to DEBUGP function,
so you get a compilation error if you try to build iptables
with debug enabled
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
This fixes a syntax error, remove ; in an if statement
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
There is not native arptables-save. The original author provides
perl scripts to implement arptables-save and arptables-restore.
We should use them to mimic arptables behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <--
This header is not shown by arptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
arptables allows this:
# arptables -I INPUT
however, arptables-compat says:
arptables v1.4.21: No target provided or initalization failed
Try `arptables -h' or 'arptables --help' for more information.
the compat utility must mimic the same behaviour.
Fix this by introducing the arptables_command_state abstraction that
is already available in ip{6}tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
# arptables-compat -D INPUT -j ACCEPT
arptables: Bad rule (does a matching rule exist in that chain?)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes
# iptables-compat -X test4345
iptables: No chain/target/match by that name.
# iptables-compat -N test4345
# iptables-compat -N test4345
iptables: File exists.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Add the glue code to use the chain batching for user chain commands.
Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ \
| | |
| | |
| | |
| | | |
This merges the iptables-test.py script and the corresponding
test files.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Do not include all our .t test files in releases. Skip
iptables-tests.py script as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
