Commit log (each entry: commit message, then author, date; files changed, lines -removed/+added)
* nft: Remove useless function  (Tomasz Bursztyka, 2013-12-30; 1 file, -27/+0)

    Likely to be a leftover from the initial bootstrap.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Do not dump before command parsing has been finished  (Tomasz Bursztyka, 2013-12-30; 1 file, -2/+8)

    On xtables-save.c, -d will not output right away but after the full
    command line has been parsed.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: load only the tables of the current family  (Giuseppe Longo, 2013-12-30; 2 files, -1/+19)

    This changes nft_xtables_config_load() to permit loading only the
    tables of the current family.

    [ This patch includes a fix for the configuration parser that I
      detected while testing this patch --pablo ]

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* etc: add default IPv6 table and chain definitions  (Pablo Neira Ayuso, 2013-12-30; 1 file, -3/+37)

    Add definition of table and chains to the optional xtables.conf file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix family operation lookup  (Giuseppe Longo, 2013-12-30; 1 file, -1/+1)

    xtables-restore -6 was using the IPv4 family, instead of IPv6 as it
    should be.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix match revision lookup for IPv6  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+2)

    IPT_SO_GET_REVISION_MATCH != IP6T_SO_GET_REVISION_MATCH, thus the
    revision infrastructure was looking for targets instead of matches.
* xtables: fix typo in add_entry for the IPv6 case  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+1)

    It should pass zero, instead of the 'append' boolean.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: associate table configuration to handle via nft_init  (Giuseppe Longo, 2013-12-30; 6 files, -30/+37)

    We need family dependent built-in table/chain configuration.

    This patch is a step forward in making nft family independent in
    order to support arptables and ebtables compatibility layers.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: no need for rule lookup if no position specified via -I  (Pablo Neira Ayuso, 2013-12-30; 1 file, -17/+15)

    Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a lookup for
    the rule if no rule number is specified via -I.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: remove bogus comment regarding rule replacement  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+0)

    We have supported rule replacement for quite some time; remove it.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add -I chain rulenum  (Pablo Neira Ayuso, 2013-12-30; 3 files, -46/+144)

    This patch adds the nft_rule_insert function, which allows us to
    insert rules at a given position. The function nft_rule_add has been
    renamed to nft_rule_append.

    This is possible thanks to Eric Leblond's (netfilter: nf_tables: add
    insert operation) kernel patch.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix selective chain display via -S  (Pablo Neira Ayuso, 2013-12-30; 1 file, -4/+6)

    Before:

        % xtables -S INPUT
        -P INPUT ACCEPT
        -P FORWARD ACCEPT
        -P OUTPUT ACCEPT
        -A INPUT -p tcp -j ACCEPT

    After:

        $ xtables -S INPUT
        -P INPUT ACCEPT
        -A INPUT -p tcp -j ACCEPT

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: break chain listing if only one is looked for  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+8)

    Break looping on the chain list if it finds the chain that the user
    requested.

    Based on patch from Tomasz Bursztyka.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use nft_*_list_add_tail  (Pablo Neira Ayuso, 2013-12-30; 2 files, -3/+9)

    Adapt it to the semantic fix that has been applied to libnftables:
    nft_*_list_add now inserts nodes, instead of appending them.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix built-in chain ordering of the nat table  (Pablo Neira Ayuso, 2013-12-30; 2 files, -9/+9)

    Should be:

        % iptables -L -n -t nat
        Chain PREROUTING (policy ACCEPT)
        target     prot opt source               destination

        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain POSTROUTING (policy ACCEPT)
        target     prot opt source               destination

    instead of:

        % xtables -L -n -t nat
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain PREROUTING (policy ACCEPT)
        target     prot opt source               destination

        Chain POSTROUTING (policy ACCEPT)
        target     prot opt source               destination

    Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* xtables-events: fix missing newline in table and chain events  (Pablo Neira Ayuso, 2013-12-30; 1 file, -2/+2)

    Add missing newline while printing table and chain events.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-events: print usage on wrong arguments  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+4)

    Set opterr to zero to skip getopt_long error reporting.

    This also fixes the following compilation warning:

        xtables-events.c:148:13: warning: ‘print_usage’ defined but not used [-Wunused-function]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix small memory leaks  (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+4)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: add function to test for a builtin chain  (Tomasz Bursztyka, 2013-12-30; 1 file, -12/+10)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Remove useless parameter to nft_chain_list_find  (Tomasz Bursztyka, 2013-12-30; 3 files, -4/+4)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Handle error on adding rule expressions  (Tomasz Bursztyka, 2013-12-30; 1 file, -25/+53)

    If adding one of match/target/jumpto/verdict/counters fails, adding a
    rule will return an error.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* nft: Set the rule family when creating a new one  (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+1)

    Fixes the debug output from (in case of ipv4 rule):

        DEBUG: rule: arp filter INPUT 0

    to:

        DEBUG: rule: ip filter INPUT 0

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* xtables: nft: display rule number via -S  (Pablo Neira Ayuso, 2013-12-30; 2 files, -5/+7)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft: display rule by number via -L  (Giuseppe Longo, 2013-12-30; 2 files, -14/+16)

    This patch fixes the display of rule by number.

    [ Mangled this patch not to display the header, to mimic iptables
      --pablo ]

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix missing afinfo configuration  (Pablo Neira Ayuso, 2013-12-30; 3 files, -0/+3)

    I noticed that the iprange match in IPv6 was broken, fix it by
    overriding the default family (IPv4) if -6 is passed.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: do not proceed if nft_init fails  (Pablo Neira Ayuso, 2013-12-30; 4 files, -4/+26)

    Fix a crash if nft_init fails; this happens if nfnetlink support is
    not available in your Linux kernel.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix another memleak in nft_rule_list_cb  (Giuseppe Longo, 2013-12-30; 1 file, -0/+1)

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: print counter issues  (Giuseppe Longo, 2013-12-30; 1 file, -4/+12)

    The patch fixes the counter print, missing line, and delete warnings.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: break loop after finding matching chain  (Giuseppe Longo, 2013-12-30; 1 file, -0/+7)

    This patch breaks looping in nft_chain_user_del,
    nft_chain_zero_counters and nft_rule_flush after the chain is found.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft: remove lots of useless debugging messages  (Pablo Neira Ayuso, 2013-12-30; 1 file, -109/+43)

    While at it, fix several memleaks of list objects.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: remove bogus comment on chain rename  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+0)

    No longer true since Patrick added the chain rename approach back in
    September 2012.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: allow to zero chains via -Z  (Giuseppe Longo, 2013-12-30; 3 files, -20/+71)

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix leaks in nft_xtables_config_load  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+9)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix leak of chain iterator in nft_rule_list  (Giuseppe Longo, 2013-12-30; 1 file, -0/+1)

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix leak of rule and chain iterators  (Giuseppe Longo, 2013-12-30; 1 file, -0/+4)

    This patch fixes the leak of chain and rule iterators.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix -p protocol  (Pablo Neira Ayuso, 2013-12-30; 2 files, -3/+9)

    The protocol field in both IPv4 and IPv6 headers is 8 bits long, so
    we have to compare 8 bits.

    Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: output the same error message that iptables-restore uses  (Pablo Neira Ayuso, 2013-12-30; 2 files, -14/+3)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: don't call nft_init in nft_xtables_config_load  (Pablo Neira Ayuso, 2013-12-30; 2 files, -2/+2)

    Otherwise we keep initializing the handle over and over again.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix compilation due to missing autogenerated header  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+1)

    Fix compilation:

        nft.c:51:35: fatal error: xtables-config-parser.h: File or directory doesn't exist

    xtables-config-parser.h was generated after compiling nft.c.

    Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
    Tested-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: policy can be changed only on builtin chain  (Tomasz Bursztyka, 2013-12-30; 1 file, -9/+2)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: initialize xtables defaults even on listing rules  (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+4)

    Output of the tool should be the same as for iptables.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: remove unused leftover definitions  (Pablo Neira Ayuso, 2013-12-30; 1 file, -16/+0)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add new nft_ops->post_parse hook  (Pablo Neira Ayuso, 2013-12-30; 4 files, -131/+139)

    Move specific layer 3 protocol post argument parsing code to the
    respective nft-ipv[4|6].c files.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add new container xtables_args structure  (Pablo Neira Ayuso, 2013-12-30; 2 files, -136/+145)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: update .gitignore  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+3)

    Ignore xtables-config-* generated by flex and bison.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-config-parser: fix compilation warning  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+1)

        xtables-config-parser.y: In function ‘xtables_config_parse’:
        xtables-config-parser.y:216:4: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix missing protocol and invflags  (Pablo Neira Ayuso, 2013-12-30; 4 files, -1/+6)

        xtables -I INPUT -p tcp --dport 22 -j ACCEPT
        iptables: Target problem. Run `dmesg' for more information
        x_tables: ip_tables: tcp match: only valid for protocol

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: fix compilation when lib[mnl|nftables] are not in standard path  (Nicolas Dichtel, 2013-12-30; 2 files, -3/+3)

    There were several problems:
     - a typo in the configure option
     - a typo in CFLAGS addon for libmnl and libnftables
     - paths to lib were missing on link

    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-config: fix off by one in parsed strings from /etc/xtables.conf  (Pablo Neira Ayuso, 2013-12-30; 1 file, -5/+5)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: support family in /etc/xtables.conf file  (Pablo Neira Ayuso, 2013-12-30; 3 files, -27/+60)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>