summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* xtables-compat: also check tg2->userspacesizeFlorian Westphal2018-05-051-1/+3
| | | | | | memcmp uses tg1->userspacesize, make sure its same as tg2 first. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: avoid unneeded bitwise opsFlorian Westphal2018-05-052-5/+23
| | | | | | no need to and with all-ones mask. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: restore: sync options with iptables-restoreFlorian Westphal2018-05-051-2/+13
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add xlate test for ipables -fFlorian Westphal2018-05-051-0/+6
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: output -s,d first during save, just like iptablesFlorian Westphal2018-05-052-10/+10
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: chains are purge out already from table flushPablo Neira Ayuso2018-05-053-52/+0
| | | | | | | Remove dead code that uses the ancient non-batch netlink API. Chains are already purged out from table flush. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: do not fail on restore if user chain existsPablo Neira Ayuso2018-05-054-4/+32
| | | | | | | | | | | | The following snippet fails if user chain FOO exists, but it should not fail: iptables-compat -F iptables-compat -N FOO iptables-compat-save > foo iptables-compat-restore < foo Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: remove non-batching routinesPablo Neira Ayuso2018-05-052-153/+7
| | | | | | | This is only needed by 3.16, which was released 8 months after nftables was merged upstream. That kernel version supports a reduced featureset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables.conf: fix hook skeletonsFlorian Westphal2018-05-041-6/+5
| | | | | | | nat prio for in/out were inverted. arp no longer has a forward chain. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: fall back to comment match in case name is too longFlorian Westphal2018-05-043-5/+13
| | | | | | | ... or when using multiple --comment lines. This is more of a 'cosmetic' fix to handle the test suite case. Signed-off-by: Florian Westphal <fw@strlen.de>
* xlate-test: use locally installed xlate toolsFlorian Westphal2018-05-041-1/+3
| | | | | | | same as iptables-test: use the translate tools in the current working directory, not the system-wide ones. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: ebtables: handle mac masks properlyFlorian Westphal2018-05-043-1/+17
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-boundsFlorian Westphal2018-05-031-2/+2
| | | | | | | nft-arp.c:112:3: note: 'sprintf' output between 2 and 21 bytes into a destination of size 20 sprintf(buf, "/%s", addr_to_dotted(mask)); Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: truncate comments to 254 bytesFlorian Westphal2018-04-291-1/+3
| | | | | | | Kernel clamps udata size at 256 bytes, udata size however also includes internal bookkeeping which brings us over this limit. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libipt_DNAT: support shifted portmap rangesThierry Du Tre2018-04-293-51/+423
| | | | | | | | | | | | | | | | | | | | | | | | | | This is a proposal patch for iptables DNAT extension to support shifted portmap ranges. It is related to the kernel patch proposed in earlier message '[PATCH v5] netfilter : add NAT support for shifted portmap ranges'. A new struct nf_nat_range2 was added as extension for existing struct nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with older kernels is not impacted. The syntax for shifted portmaps uses an extra value in '--to-destination' for setting the base port which determines the offset in the redirect port range for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000' The base port value is totally optional, so current behavior is not impacted in any way. The use of slash '/' as separator is an arbitrary choice, all other suggestions are valid of course (original proposal used semicolon but this was not practical for commandline use) Another approach using an additional option seems also possible (i.e. '--base-port 5000'). However, that would mean more parsing logic with extra lines of code and thus increased risk for regression. Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-test: add nft switch and test binaries from gitFlorian Westphal2018-04-281-3/+14
| | | | | | | | | instead of testing the system-wide installed iptables, test the version from git instead. Also add a --nftables switch to feed the test cases to xt-compat. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: only fetch revisions for ip/ip6Florian Westphal2018-04-281-6/+19
| | | | | | | Only ip and ip6tables have revision retrieval support; pretend ebtables and arptables are always ok. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix rules print/save after iptables updateSerhey Popovych2018-04-274-46/+134
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating iptables from 1.4.x to 1.6.x brokes rules print/save output and causes rules load after reboot to fail. Here is example from iptables-save(8) output after update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be obtained via iptables -L CHAIN1. While issue reproduced with xt_set match it is not specific to any match or target module: it is related on how xtables handles revisions. In this particular case we have following situation: 1) Kernel supports revisions from 1 to 4. 2) Rules configured with iptables 1.4.x supporting only revisions from 1 to 3. Choosen highest possible revision 3. 3) Rules printed/saved with iptables 1.6.x supporting revisions from 1 to 4. 4) Xtables registers matches/targets with highest supported revision by the kernel. This is 4 in our case after update to iptables 1.6.x. 5) When printing/saving kernel submits match/target with revision it is configured (3), while iptables thinks that rules configured with highest supported (4). That's causes revision mismatch in during print and "[unsupported revision]" output. To fix this issue we now store all supported by kernel and xtables revisions in xt_matches/xt_targets list sorted in descending order. Introduce helper routines to find match/target with given revision and use them to find right revision to print submitted by kernel entry. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Register all match/target revisions supported by us and kernelSerhey Popovych2018-04-271-24/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Keep the order of matches by appending them; keep order between revisions of same match from most to least recent. All of this keeps xtables_find_match() happy to find most recent supported by kernel revision in the given order. Apply the same for targets, except prepend targets; order between revisions preserved too. All this needed to fix nasty bug related to iptables package update and broken print/save output. After this change all supported revisions of match/target stored in corresponding list with following pattern: xt_matches xt_targets ========== ========== m1 m2 m3 mN tN t1 t2 t3 +-----+--+---+---~~~---+ +---~~~---+---+----+--+ |43210|10|210|revisions| |revisions|210|3210|10| +-----+--+---+---~~~---+ +---~~~---+---+----+--+ Where new [m]atches added to the list tail and new [t]argets added to the list head to preserve previous behaviour. Multiple revisions of single match/target type are grouped together and sorted in descending order. Both this ensures xtables_find_match() and xtables_find_target() behaviour remains the same after change: find highest supported match/target revision given by it's name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Check match/target size vs XT_ALIGN(size) at register timeSerhey Popovych2018-04-271-14/+16
| | | | | | | | Size is known at xtables_register_match()/xtables_register_target() calls: no need to defer it to final registration steps. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Do not register matches/targets with incompatible revisionSerhey Popovych2018-04-271-24/+42
| | | | | | | | | | | | | | If kernel tells revision isn't found/supported at the moment we should keep entity in pending list, not register or bail to do so later. Kernel might still load module for entity we asking it for and this could be slow on some embedded devices. Catch double registration attempts by checking me->next being non-NULL in xtables_register_match() and xtables_register_target(). Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to print val[/mask] argumentsSerhey Popovych2018-04-276-64/+48
| | | | | | | | | | | | | | | | There are number of places where argument is in val[/mask] format printed in extensions and some of them may print corresponding symbolic name. By introducing common function for this task we eliminate custom code parts in extensions to perform printing of arguments in required formats. Use xtables_print_mark_mask() helper for extensions without symbolic name for val[/mask]. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to parse val[/mask] argumentsSerhey Popovych2018-04-275-72/+77
| | | | | | | | | | | | | | There are a couple of places in both core and extensions where arguments in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). In some cases symbolic name might be used which is mapped in code to numeric value. Introduce common function to handle both cases where value given is either val[/mask] or symbolic name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Initialize linear mapping of symbols in _init() of extensionSerhey Popovych2018-04-272-21/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | libxt_devgroup and libipt_realm currently unable to display symbolic names in save/print commands because linear mapping is not initialized. It looks bit confusing as linear mapping initialization is done in init() of extension, which is expected to be called before any other function of extension. However init is called only when '-m' option specified on command line, that is true only for insert, append, replace and destroy iptables commands. Move initialization to extension _init() function before calling any function in extension. Before: ------- ... src-group 0x1 dst-group 0x2 ... src-group 0x2 dst-group 0x1 After: ------ ... src-group grp1 dst-group grp2 ... src-group grp2 dst-group grp1 Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: ULOG: remove testFlorian Westphal2018-04-271-19/+0
| | | | | | ULOG target was removed in 3.17, so this always fails now. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: turn off useless compat queriesFlorian Westphal2018-04-271-0/+6
| | | | | | | not needed as we won't be installing any rules. So just assume kernel supports everything. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: arptables: remove obsolete forward hook definitionFlorian Westphal2018-04-271-6/+0
| | | | | | | | | | | | Its not supported anymore as of 4.13, and it did not work before this either (arp packets cannot be routed). This unbreaks arptables-compat -- without this fix kernel rejects the incoming ruleset skeleton. filtering forwarded arp packets on a bridge can be done either via 'netdev' or 'bridge' families. Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: statify nft_restart()Pablo Neira Ayuso2018-04-242-2/+1
| | | | | | This function is only used from iptables/nft.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: handle netlink dump EINTR errorsPablo Neira Ayuso2018-04-242-2/+41
| | | | | | Release existing list and restart in case that netlink dump hits EINTR. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: add 'vlan' match extensionFlorian Westphal2018-04-223-0/+238
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add 'pkttype' match extensionFlorian Westphal2018-04-223-0/+140
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: update table name on -tFlorian Westphal2018-04-221-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add 'ip6' match extensionFlorian Westphal2018-04-193-0/+666
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: fix translations for tos and icmpFlorian Westphal2018-04-192-7/+7
| | | | | | | tos translation to dscp yielded incorrect value. icmp inserted extra "ip" keyword, remove it. Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: add icmp supportFlorian Westphal2018-04-192-2/+304
| | | | | | Was added to ebtables recently, so backport this to ebt-compat. Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-translate: quote interface names in translated outputFlorian Westphal2018-04-1910-30/+30
| | | | | | | it its good practice as interface names can be virtually any identifier and could clash with nft keywords. Signed-off-by: Florian Westphal <fw@strlen.de>
* icmp: split icmp type printing to header fileFlorian Westphal2018-04-193-58/+35
| | | | | | | | | | | libebt_ip will get icmp support soon, unify icmp name mapping a bit so we can re-use this code from libebt_ip.c. It doesn't seem to be too useful to move to libxtables (as its icmp specific), so add a hedaer file for this to reduce copy & paste needs. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: add initial test casesFlorian Westphal2018-04-139-6/+81
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-compat: add ebtables-translateFlorian Westphal2018-04-135-1/+804
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xlate-translate: split common parts into helperFlorian Westphal2018-04-131-33/+26
|
* xtables-eb: export 3 functionsFlorian Westphal2018-04-132-5/+10
| | | | | | Will be used from eb-translate parser. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: add eb-translate backend functionsFlorian Westphal2018-04-131-0/+136
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: fix mac address printingFlorian Westphal2018-04-131-1/+1
| | | | | | | | | | Mask needs to be all-ones, else we print <macaddr>/ff:ff:ff:ff:ff:ff but such a mask is redundant, we can omit the mask. ebtables does this correctly. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: fix crash when getprotobynumber() returns 0Florian Westphal2018-04-132-12/+17
| | | | | | This needs to first check if pent is NULL. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: support intra-positioned negationsFlorian Westphal2018-04-131-1/+1
| | | | | | | | | | ebtables sitll allows intra-postitioned negations, e.g. --ip-src ! 1.2.3.4 support this. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: add forward declaration for struct nftnl_ruleFlorian Westphal2018-04-131-0/+1
| | | | | | nft-bridge.h:121:48: warning: 'struct nftnl_rule' declared inside parameter list will not be visible outside .. Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'Florian Westphal2018-04-131-3/+3
| | | | | | | | | nft xlate needs the full name, for ebtables it makes no difference, 'minute' would work too. Also fixup ' ' placement in xlate. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: make nft_init self-containedFlorian Westphal2018-04-132-2/+3
| | | | | | | | | | | nft_init() should rollback all changes it made during init when something goes wrong, callers should NOT call nft_fini() on error. Note that this change is irrelevant at the moment, all users call exit() on failure. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-translate: rm duplicate includesFlorian Westphal2018-04-131-5/+0
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-compat: constify a few struct membersFlorian Westphal2018-04-131-3/+3
| | | | | | avoids a compiler warning in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>