| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| | |
According to libnftables change 437d610, now the length obtained
via getter function is uint32_t, not size_t anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
To ensure that compilation does not break if Linux kernel
headers are not installed in the system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
The following patch permit to replace rule in xtables-arp.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This should help to avoid code duplication to support ARP.
As a result, we have a common generic infrastructure for
IPv4, IPv6 and ARP.
This patch removes nft_arp_rule_append and nft_arp_rule_insert,
which were very similar to their original nft_rule_append and
nft_rule_insert.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch removes nft_arp_rule_new, which almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The following patch implements the is_same operation
for ARP family needed for searching arp rule.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
nft_arp_print_firewall already handles endianess appropriately.
This fixes the output of the option that allows you to match
ARP header fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow to accomodate those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The ARP family has less tables, so skip iteration once we find
a null one.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This should help Giuseppe with his ARP support works, this change
was missing in (618309c nft: refactoring parse operations for more
genericity).
Based on patch from Giuseppe.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
nft-shared.c: In function ‘nft_rule_to_iptables_command_state’:
nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized]
nft-shared.c:432:14: note: ‘jumpto’ was declared here
All verdicts are managed and jumpto has to get a value, but since
the compiler complains, let's fix it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This allows to reuse the nft_parse_* function for the bridge and
arp family (not yet supported).
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Now that we convert nft rules to native xt command structure, it's
easier to reset the counters by replacing the existing rule by a
new one with all counters set to zero.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
So we can kill our own implementation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have
to add an specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, ie.
Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0
Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Thus, we can kill clear_rule_matches. Not required since we are based
upon 1.4.19.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug is:
xtables -N test
xtables -A FORWARD -j test
xtables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
test all -- anywhere anywhere [0 bytes of unknown target data]
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain test (1 references)
target prot opt source destination
"[0 bytes of unknown target data]" should not be printed in this case.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other family such
as ARP which will be useful for arptables compatibility tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Rulenum is already handled before the loop, making this test useless.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This will be useful for reusing nft_rule_list in other tools such as
xtables-arptables.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Thus, we can save some cycles by not dumping the entire chain list
and looping on it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Likely to be a leftover from the initial bootstrap.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
On xtables-save.c, -d will not output right away but after the full
command line hase been parsed.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This changes nft_xtables_config_load() permit to load only
the tables of the current family.
[ This patch includes a fix for the configuration parser
that I detected while testing this patch --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
Add definition of table and chains to the optional xtables.conf file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
xtables-restore -6 was using the IPv4 family, instead of IPv6
as it should be.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
IPT_SO_GET_REVISION_MATCH != IP6T_SO_GET_REVISION_MATCH, thus,
the revision infrastructure was looking for targets instead
matches.
|
| | |
| |
| |
| |
| |
| | |
It should pass zero, instead of the 'append' boolean.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
We need family dependent built-in table/chain configuration. This
patch is a step forward making nft family independent in
order to support arptables and ebtables compatibility layers.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look
up for the rule if no rule number is specified via -I.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
We support rule replacement since quite some time, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds the nft_rule_insert function, which allows
us to insert rules at a given position.
The function nft_rule_add has been renamed to nft_rule_append.
This is possible thanks to Eric Leblond's (netfilter: nf_tables:
add insert operation) kernel patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before:
% xtables -S INPUT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
After:
$ xtables -S INPUT
-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Break looping on the chain list if it finds the chain
that the user requested.
Based on patch from Tomasz Bursztyka.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Adapt it to the semantic fix that has been applied to libnftable
nft_*_list_add now inserts nodes, instead of appending them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| | |
| |
| |
| |
| |
| | |
Add missing newline while printing table and chain events.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Set opterr to zero to skip getopt_long error reporting.
This also fixes the following compilation warning:
xtables-events.c:148:13: warning: ‘print_usage’ defined but not used [-Wunused-function]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
If adding one of match/target/jumpto/verdit/counters fails, adding a rule will
return an error.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes the debug output from (in case of ipv4 rule):
DEBUG: rule: arp filter INPUT 0
to:
DEBUG: rule: ip filter INPUT 0
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the display of rule by number.
[ Mangled this patch not to display the header, to mimic iptables
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
I noticed that the iprange match in IPv6 was broken, fix it
by overriding the default family (IPv4) if -6 is passed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Fix a crash if nft_init fails, it happens if nfnetlink support
is not available in your Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
