Commit message | Author | Age | Files | Lines
* nft: Extract cache routines into nft-cache.c | Phil Sutter | 2019-10-10 | 7 | -361/+404

  The amount of code dealing with caching only is considerable and hence deserves its own source file.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Avoid nested cache fetching | Phil Sutter | 2019-10-10 | 1 | -2/+1

  Don't call fetch_table_cache() from within fetch_chain_cache() but instead from __nft_build_cache(). Since that is the only caller of fetch_chain_cache(), this change should not have any effect in practice.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Pass nft_handle to flush_cache() | Phil Sutter | 2019-10-10 | 1 | -17/+11

  This allows calling nft_table_builtin_find() and hence removes the only real user of __nft_table_builtin_find(). Consequently remove the latter by integrating it into its sole caller.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_SYNPROXY: add xlate method | Jose M. Guisado Gomez | 2019-10-01 | 2 | -0/+25

  This adds translation capabilities when encountering SYNPROXY inside iptables rules.

  Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: Minimize caching when flushing | Phil Sutter | 2019-09-30 | 3 | -2/+23

  Unless --noflush was given, xtables-restore merely needs the list of tables to decide whether to delete it or not. Introduce nft_fake_cache() function which populates table list, initializes chain lists (so nft_chain_list_get() returns an empty list instead of NULL) and sets 'have_cache' to turn any later calls to nft_build_cache() into nops.

  If --noflush was given, call nft_build_cache() just once instead of for each table line in input.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* nft: Make nftnl_table_list_get() fetch only tables | Phil Sutter | 2019-09-30 | 1 | -1/+2

  No need for a full cache to serve the list of tables.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* nft: Fix for add and delete of same rule in single batch | Phil Sutter | 2019-09-30 | 2 | -5/+16

  Another corner-case found when extending restore ordering test: If a delete command in a dump referenced a rule added earlier within the same dump, kernel would reject the resulting NFT_MSG_DELRULE command.

  Catch this by assigning the rule to delete a RULE_ID value if it doesn't have a handle yet. Since __nft_rule_del() does not duplicate the nftnl_rule object when creating the NFT_COMPAT_RULE_DELETE command, this RULE_ID value is added to both NEWRULE and DELRULE commands - exactly what is needed to establish the reference.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* tests: shell: Support running for legacy/nft only | Phil Sutter | 2019-09-30 | 1 | -8/+20

  After some changes, one might want to test a single variant only. Allow this by supporting -n/--nft and -l/--legacy parameters, each disabling the other variant.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* tests/shell: Speed up ipt-restore/0004-restore-race_0 | Phil Sutter | 2019-09-26 | 1 | -2/+2

  This test tended to cause quite excessive load on my system, sometimes taking longer than all other tests combined. Even with the reduced numbers, it still fails reliably after reverting commit 58d7de0181f61 ("xtables: handle concurrent ruleset modifications").

  Fixes: 4000b4cf2ea38 ("tests: add test script for race-free restore")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* nft: Get rid of NFT_COMPAT_EXPR_MAX define | Phil Sutter | 2019-09-26 | 1 | -4/+2

  Instead simply use ARRAY_SIZE() macro to not overstep supported_exprs array.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix typo in nft_parse_limit() error message | Phil Sutter | 2019-09-26 | 1 | -1/+1

  Seems like a trivial copy'n'paste bug.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables_error() does not return | Phil Sutter | 2019-09-25 | 5 | -43/+19

  It's a define which resolves into a callback which in turn is declared with noreturn attribute. It will never return, therefore drop all explicit exit() calls or other dead code immediately following it.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* nft: Fix add_bitwise_u16() on Big Endian | Phil Sutter | 2019-09-23 | 2 | -2/+2

  Type used for 'mask' and 'xor' parameters was wrong, 'int' is four bytes on 32 or 64 bit architectures. After casting a uint16_t to int, on Big Endian the first two bytes of data are (the leading) zero which libnftnl then copies instead of the actual value.

  This problem was noticed when using '--fragment' option:

  | # iptables-nft -A FORWARD --fragment -j ACCEPT
  | # nft list ruleset | grep frag-off
  | ip frag-off & 0 != 0 counter packets 0 bytes 0 accept

  With this fix in place, the resulting nft rule is correct:

  | ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept

  Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft Increase mnl_talk() receive buffer size | Phil Sutter | 2019-09-23 | 1 | -1/+1

  This improves cache population quite a bit and therefore helps when dealing with large rulesets. A simple hard to improve use-case is listing the last rule in a large chain. These are the average program run times depending on number of rules:

  rule count | legacy | nft old | nft new
  ---------------------------------------------------------
      50,000 |  .052s |   .611s |   .406s
     100,000 |  .115s |   2.12s |   1.24s
     150,000 |  .265s |   7.63s |   4.14s
     200,000 |  .411s |   21.0s |   10.6s

  So while legacy iptables is still magnitudes faster, this simple change doubles iptables-nft performance in ideal cases.

  Note that using a larger buffer than 32KB doesn't further improve performance since linux kernel won't transmit more data at once. This limit was set (actually extended from 16KB) in kernel commit d35c99ff77ecb ("netlink: do not enter direct reclaim from netlink_dump()").

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Introduce nft_bridge_commit() | Phil Sutter | 2019-09-23 | 4 | -4/+9

  No need to check family value from nft_commit() if we can have a dedicated callback for bridge family.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Use nftnl_*_set_str() functions | Phil Sutter | 2019-09-23 | 1 | -14/+14

  Although it doesn't make a difference in practice, they are the correct API functions to use when assigning string attributes. While doing so, also drop the needless casts to non-const.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* DEBUG: Print to stderr to not disturb iptables-save | Phil Sutter | 2019-09-23 | 1 | -1/+1

  This way there's at least a chance to get meaningful results from testsuite with debugging being turned on.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Make ebtables-basic test more verbose | Phil Sutter | 2019-09-23 | 1 | -12/+16

  Print expected entries count if it doesn't match.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix iptables-{nft,translate} with conntrack EXPECTED | Quentin Armitage | 2019-09-20 | 2 | -2/+3

  iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
  outputs:

      nft add rule ip filter INPUT ct status expected,assured counter

  and

  iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
  produces nft list output:

      chain INPUT {
          ct status expected,assured counter packets 0 bytes 0 accept
      }

  which are correct.

  However,

  iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED
  outputs:

      nft # -A INPUT -m conntrack --ctstatus EXPECTED

  and

  iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED
  produces nft list output:

      chain INPUT {
          counter packets 0 bytes 0 accept
      }

  neither of which is what is desired.

  Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft" included the following code in _conntrack3_mt_xlate():

      if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
          if (sinfo->status_mask == 1)
              return 0;
          ...

  If the intention had been not to produce output when status_mask == 1, it would have been written as:

      if (sinfo->status_mask == IPS_EXPECTED)
          return 0;

  so it looks as though this is debugging code accidentally left in the original patch.

  Removing the lines:

      if (sinfo->status_mask == 1)
          return 0;

  resolves the problems, and

  iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED
  outputs:

      nft add rule ip filter INPUT ct status expected counter

  and

  iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED
  produces nft list output:

      chain INPUT {
          ct status expected counter packets 0 bytes 0 accept
      }

  This commit also includes an additional txlate test to check when only the status EXPECTED is specified.

  Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft")
  Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: xtables-restore: output filename option in help text | Florian Westphal | 2019-09-16 | 2 | -2/+2

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1341
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: silence two compiler warnings | Florian Westphal | 2019-09-16 | 1 | -2/+2

  avoid hypothetical truncation by leaving space for trailing zero byte.

  silences:

      In file included from libip4tc.c:113:
      libiptc.c: In function ‘iptcc_alloc_chain_head’:
      libiptc.c:163:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
        163 |  strncpy(c->name, name, TABLE_MAXNAMELEN);
            |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      libiptc.c: In function ‘iptc_rename_chain’:
      libiptc.c:2388:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
       2388 |  strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
            |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: axe non-building debug code | Florian Westphal | 2019-09-16 | 3 | -365/+1

  hasn't built with IPTC_DEBUG=1 since at least 2004, so remove it.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1275
  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-test: Support testing host binaries | Phil Sutter | 2019-09-15 | 1 | -2/+6

  Introduce --host parameter to run the testsuite against host's binaries instead of built ones.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* ebtables: fix over-eager -o checks on custom chains | Florian Westphal | 2019-09-12 | 3 | -2/+41

  Arturo reports ebtables-nft reports an error when -o is used in custom chains:

      -A MYCHAIN -o someif

  makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

  Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active.

  Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
  Signed-off-by: Florian Westphal <fw@strlen.de>
* netfilter: hashlimit: prefer PRIu64 to avoid warnings on 32bit platforms | Duncan Roe | 2019-09-12 | 1 | -1/+1

  I found this patch attached to an older BZ, apply this finally...

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1107
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Note REDIRECT case of no IP address | Joseph C. Sible | 2019-08-21 | 1 | -1/+2

  If an IP packet comes in on an interface that lacks a corresponding IP address (which happens on, e.g., the veth's that Project Calico creates), attempting to use REDIRECT on it will cause it to be dropped. Take note of this in REDIRECT's documentation.

  Signed-off-by: Joseph C. Sible <josephcsible@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_info | Juliana Rodrigueiro | 2019-08-20 | 2 | -12/+33

  When running a 64-bit kernel with a 32-bit iptables binary, the size of the xt_nfacct_match_info struct diverges.

      kernel: sizeof(struct xt_nfacct_match_info) : 40
      iptables: sizeof(struct xt_nfacct_match_info)) : 36

  This patch is the userspace fix of the memory misalignment.

  It introduces a v1 ABI with the correct alignment and stays compatible with unfixed revision 0 kernels.

  Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Drop stale include directive | Phil Sutter | 2019-08-01 | 1 | -1/+0

  This is a leftover, the file does not exist in fresh clones.

  Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Install ip{6,}tables-restore-translate.8 man pages | Phil Sutter | 2019-07-29 | 2 | -1/+4

  Just like in b738ca3677785 ("doc: Install ip{6,}tables-translate.8 manpages"), create man pages for *-restore-translate tools as semantic links to xtables-translate.8.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Install nft-variant man pages only if enabled | Phil Sutter | 2019-07-29 | 1 | -6/+6

  Man pages relevant for nftables backend only (xtables-*, *-translate.8) were installed even if --disable-nftables was given at configure time.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Drop support for /etc/xtables.conf | Phil Sutter | 2019-07-29 | 7 | -498/+9

  As decided upon at NFWS2019, drop support for configurable nftables base chains to use with iptables-nft.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Set errno in nft_rule_flush() | Phil Sutter | 2019-07-29 | 1 | -1/+3

  When trying to flush a non-existent chain, errno gets set in nft_xtables_config_load(). That is an unintended side-effect and when support for xtables.conf is later removed, iptables-nft will emit the generic "Incompatible with this kernel." error message instead of "No chain/target/match by that name." as it should.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* restore legacy behaviour of iptables-restore when rules start with -4/-6 | Adel Belhouane | 2019-07-29 | 3 | -0/+61

  v2: moved examples to testcase files

  Legacy implementation of iptables-restore / ip6tables-restore allowed inserting a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed mixing specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4.

  There's a distribution bug report mentioning this problem: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925343

  Restore the legacy behaviour:
  - let do_parse() return and thus not add a command in those restore special cases
  - let do_commandx() ignore CMD_NONE instead of bailing out

  I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4:

      % iptables-nft -6 -A INPUT -p tcp -j ACCEPT

  Signed-off-by: Adel Belhouane <bugs.a.b@free.fr>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* utils: nfnl_osf: fix snprintf -Wformat-truncation warning | Fernando Fernandez Mancera | 2019-07-25 | 1 | -6/+9

  Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)), osf produces following warnings:

  -Wformat-truncation warnings have been introduced in the version 7.1 of gcc. Also, remove an unneeded address check of "tmp + 1" in nf_osf_strchr().

      nfnl_osf.c: In function ‘nfnl_osf_load_fingerprints’:
      nfnl_osf.c:346:33: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 128 [-Wformat-truncation=]
        346 |   snprintf(obuf, sizeof(obuf), "%s,", pbeg);
            |   ^~
      nfnl_osf.c:346:3: note: ‘snprintf’ output between 2 and 1025 bytes into a destination of size 128
        346 |   snprintf(obuf, sizeof(obuf), "%s,", pbeg);
            |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      nfnl_osf.c:354:40: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
        354 |   snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
            |   ^~
      nfnl_osf.c:354:4: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32
        354 |   snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
            |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      nfnl_osf.c:363:43: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
        363 |   snprintf(f.version, sizeof(f.version), "%s", pbeg);
            |   ^~
      nfnl_osf.c:363:3: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32
        363 |   snprintf(f.version, sizeof(f.version), "%s", pbeg);
            |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      nfnl_osf.c:370:47: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
        370 |   snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
            |   ^~
      nfnl_osf.c:370:7: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32
        370 |   snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
            |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-save: Merge into xtables_save_main() | Phil Sutter | 2019-07-23 | 1 | -110/+13

  The only thing missing was handling of EBTABLES_SAVE_COUNTER env var, but that can be done after parsing parameters in bridge-specific code.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* arptables-save: Merge into xtables_save_main() | Phil Sutter | 2019-07-23 | 1 | -60/+3

  With all preparations in place, xtables_save_main() can replace it with no further changes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Pass format flags to do_output() | Phil Sutter | 2019-07-23 | 1 | -4/+6

  Let callers define the flags to pass to nft_rule_save() instead of just setting the counters boolean.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Make COMMIT line optional | Phil Sutter | 2019-07-23 | 1 | -1/+4

  Explicit commits are not used by either arp- or ebtables-save. In order to share code between all the different *-save tools without inducing changes to ruleset dump contents, allow for callers of do_output() to turn COMMIT lines on or off.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Pass optstring/longopts to xtables_save_main() | Phil Sutter | 2019-07-23 | 1 | -7/+13

  Introduce variables for the different optstrings so short and long options live side-by-side.

  In order to make xtables_save_main() more versatile, pass optstring and longopts via parameter.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Avoid mixed code and declarations | Phil Sutter | 2019-07-23 | 1 | -4/+4

  Also move time() calls to where they are used.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Make nft_for_each_table() more versatile | Phil Sutter | 2019-07-23 | 3 | -14/+21

  Support passing arbitrary data (via void pointer) to the callback.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Fix table compatibility check | Phil Sutter | 2019-07-23 | 1 | -3/+4

  The builtin table check guarding the 'is incompatible' warning was wrong: The idea was to print the warning only for incompatible tables which are builtin, not for others. Yet the code would print the warning only for non-builtin ones.

  Also reorder the checks: nft_table_builtin_find() is fast and therefore a quick way to bail for uninteresting tables. The compatibility check is needed for the remaining tables, only.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Unify *-save header/footer comments | Phil Sutter | 2019-07-23 | 7 | -33/+23

  Make eb- and arptables-save print both header and footer comments, too. Also print them for each table separately - the timing information is worth the extra lines in output.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-save: Fix counter formatting | Phil Sutter | 2019-07-23 | 4 | -30/+81

  The initial problem was 'ebtables-save -c' printing iptables-style counters but at the same time not disabling ebtables-style counter output (which was even printed in wrong format for ebtables-save).

  The code around counter output was complicated enough to motivate a larger rework:

  * Make FMT_C_COUNTS indicate the appended counter style for ebtables.

  * Use FMT_EBT_SAVE to distinguish between '-c' style counters and the legacy pcnt/bcnt ones.

  Consequently, ebtables-save sets format to:

      FMT_NOCOUNTS - for no counters
      FMT_EBT_SAVE - for iptables-style counters
      FMT_EBT_SAVE | FMT_C_COUNTS - for '-c' style counters

  For regular ebtables, list_rules() always sets FMT_C_COUNTS (iptables-style counters are never used there) and FMT_NOCOUNTS if no counters are requested.

  The big plus is if neither FMT_NOCOUNTS nor FMT_C_COUNTS is set, iptables-style counters are to be printed - both in iptables and ebtables. This allows dropping the ebtables-specific 'save_counters' callback.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Fix error message for invalid parameters | Phil Sutter | 2019-07-23 | 1 | -1/+1

  With empty ruleset, ebtables-nft would report the wrong argv:

  | % sudo ./install/sbin/ebtables-nft -vnL
  | ebtables v1.8.3 (nf_tables): Unknown argument: './install/sbin/ebtables-nft'
  | Try `ebtables -h' or 'ebtables --help' for more information.

  After a (successful) call to 'ebtables-nft -L', this would even segfault:

  | % sudo ./install/sbin/ebtables-nft -vnL
  | zsh: segmentation fault sudo ./install/sbin/ebtables-nft -vnL

  Fixes: acde6be32036f ("ebtables-translate: Fix segfault while parsing extension options")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-save: Use argv[0] as program name | Phil Sutter | 2019-07-18 | 1 | -10/+11

  Don't hard-code program names. This also fixes for bogus 'xtables-save' name which is no longer used.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: exit in case we can't fetch current genid | Florian Westphal | 2019-07-15 | 1 | -2/+8

  When running iptables -nL as non-root user, iptables would loop indefinitely.

  With this change, it will fail with

      iptables v1.8.3 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

  Reported-by: Amish <anon.amish@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions/libxt_MASQUERADE.man: random and random-fully are now identical | Florian Westphal | 2019-07-11 | 1 | -0/+1

  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: Move send/receive buffer sizes into nft_handle | Phil Sutter | 2019-07-03 | 2 | -10/+9

  Store them next to the mnl_socket pointer. While being at it, add a comment to mnl_set_rcvbuffer() explaining why the buffer size is changed.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Pass nft_handle down to mnl_batch_talk() | Phil Sutter | 2019-07-03 | 1 | -23/+18

  From there, pass it along to mnl_nft_socket_sendmsg() and further down to mnl_set_{snd,rcv}buffer(). This prepares the code path for keeping stored socket buffer sizes in struct nft_handle.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>