summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ebtables: add test casesFlorian Westphal2018-11-0311-0/+89
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: relax -t table restriction, add snat/dnat test casesFlorian Westphal2018-11-033-3/+9
| | | | | | | | | | | | | | Its artificial and prevents test cases that need to add rules to a different table from working. The test script generates: -A PREROUTING -t nat ... which works fine for iptables and ip6tables. Just accept it for ebtables too and add test cases for snat and dnat. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: fix -j CONTINUE handling for add/deleteFlorian Westphal2018-11-033-27/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables, you can do either ebtables -A INPUT or ebtables -A INPUT -j CONTINUE both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side). However, the temprary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target(). When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules. So when doing -I INPUT -j CONTINUE -D INPUT -j CONTINUE the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary represenation doesn't. Fix it by ignoring 'CONTINUE' on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add basic ebtables test supportFlorian Westphal2018-11-032-3/+16
| | | | | | | now that we have ebtables-save, lets add test cases for ebtables-nft as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-nft: fix bogus handling of zero saddr/daddrFlorian Westphal2018-11-034-5/+18
| | | | | | | | | | | | | rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter). Fix this and add test cases too. This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287 Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-test: fix netns testTaehee Yoo2018-11-011-13/+9
| | | | | | | | | | | | | | | | The libxt_rateest test always fails because dependent command is not executed in netns. (@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval \ 250.0ms --rateest-ewmalog 500.0ms) After this path, adding netns command is executed first. Then test commands are executed. Fixes: 0123183f43a9 ("iptables-test: add -N option to exercise netns removal path") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix for matching rules with wildcard interfacesPhil Sutter2018-11-012-1/+5
| | | | | | | | | | | | | | Due to xtables_parse_interface() and parse_ifname() being misaligned regarding interface mask setting, rules containing a wildcard interface added with iptables-nft could neither be checked nor deleted. As suggested, introduce extensions/iptables.t to hold checks for built-in selectors. This file is picked up by iptables-test.py as-is. The only limitation is that iptables is being used for it, so no ip6tables-specific things can be tested with it (for now). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: limit: unbreak build without libnftnlFlorian Westphal2018-10-242-1/+1
| | | | | | | | | | Lars Wendler reported 1.8.1 build failure when trying to build without nft backend: In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory Reported-by: Lars Wendler <polynomial-c@gentoo.org> Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c") Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for spurious errors from iptables-translatePhil Sutter2018-10-233-3/+5
| | | | | | | | | | | | When aligning iptables-nft error messages with legacy ones, I missed that translate tools shouldn't check for missing or duplicated chains. Introduce a boolean in struct nft_xt_cmd_parse indicating we're "just" translating and do_parse() should skip the checks. Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump versions for 1.8.1 releasev1.8.1Florian Westphal2018-10-221-3/+3
| | | | | | | | this release also adds xtables_getether* functions to libxtables, so current and age are incremented as well. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-test: add -N option to exercise netns removal pathPablo Neira Ayuso2018-10-201-6/+32
| | | | | | | We are getting bug reports lately from the netns path, add a new option to exercise this path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-208-57/+19
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-207-41/+29
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-192-28/+5
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* xtables: Remove target_maxnamelen fieldPhil Sutter2018-10-156-8/+3
| | | | | | | | | | | | This is a partial revert of commit 9f075031a1973 ("Combine parse_target() and command_jump() implementations"): Upstream prefers to reduce max chain name length of arptables by two characters instead of the introduced struct xtables_globals field which requires to bump library API version. Fixes: 9f075031a1973 ("Combine parse_target() and command_jump() implementations") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: cgroup: fix option parsing for v2Pablo Neira Ayuso2018-10-091-1/+19
| | | | | | | | Structure layout is different, therefore a new struct xt_option_entry is needed. Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-092-5/+28
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-shared: Use xtables_calloc()Phil Sutter2018-09-251-11/+2
| | | | | | | | This simplifies code a bit since it takes care of checking for out-of-memory conditions. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: Use the shared nft_ipv46_parse_target()Phil Sutter2018-09-251-8/+1
| | | | | | | | No point in having a dedicated implementation for 'parse_target' callback since it is identical with the shared one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Combine parse_target() and command_jump() implementationsPhil Sutter2018-09-257-249/+80
| | | | | | | | | | | | | | | | | | | | | | | | | | | Merge these two functions from xtables, iptables, ip6tables and arptables. Both functions were basically identical in the first three, only the last one required a bit more attention. To eliminate access to 'invflags' in variant-specific location, move the call to set_option() into callers. This is actually consistent with parsing of other options in them. As with command_match(), use xt_params instead of the different *_globals objects to refer to 'opts' and 'orig_opts'. It was necessary to rename parse_target() as it otherwise clashes with a static function of same name in libxt_SET. In arptables, the maximum allowed target name is a bit larger, so introduce xtables_globals.target_maxnamelen defining the value. It is used in the shared xt_parse_target() implementation. Implementation of command_jump() in arptables diverted from the others for no obvious reason. The call to parse_target() was done outside of it and a pointer to cs->arp was passed but not used inside. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Combine command_match() implementationsPhil Sutter2018-09-255-108/+40
| | | | | | | | | | This merges the basically identical implementations of command_match() from xtables, iptables and ip6tables into one. The only required adjustment was to make use of xt_params instead of the different *_globals objects. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: NULL-terminate errornamePhil Sutter2018-09-251-1/+2
| | | | | | | | | | In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence copying its content into 'error_name' field of struct xt_error_target which is two bytes shorter may overflow. Make sure this doesn't happen by using strncpy() and set the last byte to zero. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Check extension real_name lengthPhil Sutter2018-09-251-0/+12
| | | | | | | Just like with 'name', if given check 'real_name' to not exceed max length. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: Gitignore xtables-{legacy, nft}-multi scriptsPhil Sutter2018-09-241-0/+2
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Drop pointless checkPhil Sutter2018-09-241-1/+1
| | | | | | | | All commands this block handles set p->chain. Also the pointer is dereferenced before, so no point in checking for it to be non-NULL. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: Fix incorrect strcmp() in nft_arp_rule_find()Phil Sutter2018-09-241-1/+1
| | | | | | | | | Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to strcmp() may be passed a NULL pointer. Therefore check if the pointer is valid before doing so. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Don't read garbage in nft_ipv4_parse_payload()Phil Sutter2018-09-241-0/+1
| | | | | | | | | The problem here is that get_frag() does not set 'inv' in any case, so when later checking its value, garbage may be read. Sanitize this case by setting 'inv' to false before calling get_frag(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Use posix_spawn() instead of vfork()Phil Sutter2018-09-241-10/+5
| | | | | | | | | According to covscan, vfork() may lead to a deadlock in the parent process. It suggests to use posix_spawn() instead. Since the latter combines vfork() and exec() calls, use it for xtables_insmod(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Fix a few cases of pointless assignmentsPhil Sutter2018-09-249-23/+14
| | | | | | | | This gets rid of a number of assignments which are either redundant or not used afterwards. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip{, 6}: Drop pointless error checkingPhil Sutter2018-09-242-8/+0
| | | | | | | | | Since info->protocol is of type __u8, its value will never become -1. Apart from that, xtables_parse_protocol() calls xt_params->exit_err() in case of error, so this code is dead anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-arp: Drop ineffective conditionalPhil Sutter2018-09-241-3/+0
| | | | | | | | Since fw->arp.arhln is of type __u8, its value will never become less than zero. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables: Use print_ifaces() from xtablesPhil Sutter2018-09-246-99/+31
| | | | | | | | | | Move the function to xshared.c for common use between legacy and xtables sources. While being at it, silence a covscan warning triggered by that function as it couldn't verify input buffers won't exceed IFNAMSIZ. Therefore use snprintf() when writing to the local buffer. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Share print_ipv{4,6}_addr() from xtablesPhil Sutter2018-09-246-119/+73
| | | | | | | | | | | | | | | | These functions contain code which occurs in legacy's print_firewall() functions, so use them there. Rename them to at least make clear they print more than a single address. Also introduce ipv{4,6}_addr_to_string() which take care of converting an address/netmask pair into string representation in a way which doesn't upset covscan (since that didn't detect that 'buf' may not be exceeded by the strings written into it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-apply: Replace signal numbers by namesPhil Sutter2018-09-241-1/+2
| | | | | | | | As covscan stated: "Trapping signals by number is not well defined. Prefer signal names." Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-apply: Quote strings passed to echoPhil Sutter2018-09-241-3/+3
| | | | | | | | Not a real problem here, but covscan got confused by one string containing 'then' keyword. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()Phil Sutter2018-09-241-1/+1
| | | | | | | This eliminates the deprecation warning when compiling the sources. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Don't read garbage in xtables_strtoui()Phil Sutter2018-09-241-1/+1
| | | | | | | | | If xtables_strtoul() fails, it returns false and data pointed to by parameter 'value' is undefined. Hence avoid copying that data in xtables_strtoui() if the call failed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Avoid calling memcpy() with NULL sourcePhil Sutter2018-09-242-8/+16
| | | | | | | | | | Both affected functions check if 'oldopts' is NULL once but later seem to ignore that possibility. To catch up on that, increment the pointer only if it isn't NULL, also don't copy its content into the merged options buffer in that case. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Simplify alloc_handle() function signaturePhil Sutter2018-09-241-7/+7
| | | | | | | | | | | This change originated from covscan complaining about the strcpy() call with an unknown size source buffer. But in fact, the size is known (and equal to the destination size), so pass a pointer to STRUCT_GETINFO to alloc_handle() instead of it's fields separately. Hopefully this will silence covscan. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_time: Drop initialization of variable 'year'Phil Sutter2018-09-241-4/+4
| | | | | | | | | The variable is not read before being assigned the return value of strtoul(), thefore the initialization is useless. And since after this change parameter 'end' becomes unused, drop it as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_ipvs: Avoid potential buffer overrunPhil Sutter2018-09-241-10/+12
| | | | | | | | | Just like with libxt_conntrack, get rid of the temporary buffer. The comment even states that it was copied from there, so just make them identical again. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Avoid potential buffer overrunPhil Sutter2018-09-241-7/+7
| | | | | | | | | | In print_addr(), a resolved hostname is written into a buffer without size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an issue, though covscan complained about it. Fix the code by using conntrack_dump_addr() as an example. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTIONPhil Sutter2018-09-241-8/+0
| | | | | | | | | | Since sinfo->flags is only 8 bytes large, checking for XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return false, so drop this dead code. Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_LED: Avoid string overrun while parsing led-trigger-idPhil Sutter2018-09-241-2/+1
| | | | | | | | Instead of using strcat() and assuming the name will fit, print into the buffer using snprintf() which truncates the string as needed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Remove unused variable in nft_is_table_compatible()Phil Sutter2018-09-241-1/+1
| | | | | | | | This is a leftover from previous cleanup. Fixes: 098ee2e91756c ("xtables-save: Ignore uninteresting tables") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* ip{, 6}tables-restore: Fix for uninitialized array 'curtable'Phil Sutter2018-09-242-2/+2
| | | | | | | | | | When reading sufficiently malformed input, parser might hit end of loop without having written the current table name into curtable and therefore calling strcmp() with uninitialized buffer. Avoid this by setting curtable to zero upon declaration. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Mark fall through cases in switch() statementsPhil Sutter2018-09-243-15/+19
| | | | | | | | | | | | Typical covscan complaint, non-empty fall throughs should be marked as such. There was but a single case which should break instead, namely in libebt_log.c: It is not critical, since the next case merely asserts 'invert' being zero (which can't be as it was checked before). But while being at it, introduce log_chk_inv() to consolidate the semantically equal cases for the various log types. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Integrate getethertype.c from xtables corePhil Sutter2018-09-245-144/+4
| | | | | | | | | | | | | | This moves getethertype.c into libxtables so that both extensions and xtables-nft-multi may use the implementations therein. New users are libebt_arp and libebt_vlan which drop their own duplicated implementations of getethertypebyname() for the shared one. This change originated from a covscan report of extensions' implementations not checking fopen() return value which should be implicitly fixed by this as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for wrong assert() in __nft_table_flush()Phil Sutter2018-09-241-1/+1
| | | | | | | | | | The code obviously tries to assert that nft_table_builtin_find() returned a valid pointer before dereferencing it, but the wrong argument was given. Assume this is just a typo and insert the missing underscore. Fixes: 9b896224e0bfc ("xtables: rework rule cache logic") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nfnl_osf: Drop pointless check in xt_osf_strchr()Phil Sutter2018-09-241-1/+1
| | | | | | | | | | Although it remains unclear what the original intention behind the affected code was, but 'tmp + 1' always evaluates true since 'tmp' is a pointer value. Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>