Commit message [Author, Age, Files, Lines]
* iptables: nft: remove unused code [Pablo Neira Ayuso, 2014-06-10, 2, -55/+4]
|   Remove code to set table in dormant state, this is not required from the iptables over nft compatibility layer.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: generalize batch infrastructure [Pablo Neira Ayuso, 2014-06-09, 2, -43/+43]
|   Prepare inclusion of tables and chain objects in the batch.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next-3.14' [Pablo Neira Ayuso, 2014-05-16, 10, -13/+274]
|\
| * iptables: add libxt_cgroup frontend [Daniel Borkmann, 2014-01-04, 3, -0/+93]
| |   This patch adds the user space extension/frontend for process matching based on cgroups from the kernel patch entitled "netfilter: xtables: lightweight process control group matching".
| |
| |   Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: snat: add randomize-full support [Daniel Borkmann, 2014-01-04, 4, -13/+42]
| |   This patch provides the userspace part for snat in order to make randomize-full support available in {ip,nf}tables. It allows for enabling full port randomization that was motivated in [1] and introduced to the kernel in [2].
| |
| |   Joint work between Hannes Frederic Sowa and Daniel Borkmann.
| |
| |   [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
| |   [2] http://patchwork.ozlabs.org/patch/304306/
| |
| |   Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
| |   Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: Add IPv4/6 IPcomp match support [fan.du, 2013-12-24, 3, -0/+139]
| |   This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value.
| |
| |   For example:
| |       iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
| |       ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
| |
| |   IPcomp packet with spi as 0x12 will be dropped.
| |
| |   Signed-off-by: Fan Du <fan.du@windriver.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables.8: --policy is either ACCEPT or DROP [Florian Westphal, 2014-04-17, 1, -4/+2]
| |   It's enforced by both libiptc and kernel.
| |
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
* | nft: replace nft_rule_attr_get_u8 [Giuseppe Longo, 2014-03-24, 4, -4/+4]
| |   Since the family declaration has been modified in libnftnl, from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion is failed for {ip,ip6,arp}tables-compat when printing rules.
| |
| |       iptables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       libnftnl: attribute 0 assertion failed in rule.c:273
| |
| |       ip6tables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       libnftnl: attribute 0 assertion failed in rule.c:273
| |
| |       arptables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       libnftnl: attribute 0 assertion failed in rule.c:273
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-save: actually parse -M/--modprobe option [Jiri Popelka, 2014-03-17, 4, -4/+4]
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-{save,restore}: warn that -b/--binary isn't implemented [Jiri Popelka, 2014-03-17, 6, -15/+18]
| |   see also 296dca39be
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-restore.8: file to read from can be specified as argument [Jiri Popelka, 2014-03-14, 1, -4/+5]
| |   original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1022228
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables-restore.8: missing -T in synopsis [Jiri Popelka, 2014-03-14, 1, -0/+1]
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: missing bracket in iptables-save(8) [Jiri Popelka, 2014-03-13, 1, -1/+1]
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | update FSF address in license text [Jiri Popelka, 2014-03-13, 6, -6/+6]
| |   http://www.gnu.org/licenses/gpl-2.0.html
| |   http://www.fsf.org/about/contact/
| |
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables.8: update coreteam members from manpage [Pablo Neira Ayuso, 2014-03-07, 1, -3/+4]
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: fix version in iptables(8) [Jiri Popelka, 2014-03-07, 1, -1/+1]
| |   Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft-arp: wrong condition in parse_payload [Giuseppe Longo, 2014-03-07, 1, -1/+1]
| |   the current condition doesn't permit to parse ip addresses when they should be. Obviously they are not printed.
| |
| |       arptables-compat -A INPUT -s 1.1.1.1 -i eth0 -j ACCEPT
| |       arptables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       -j ACCEPT -i eth0
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft-arp: fix is_same_interfaces arguments [Giuseppe Longo, 2014-03-07, 1, -8/+8]
| |   Wrong arguments are passed to is_same_interfaces that causes sometimes to delete a wrong rule.
| |
| |   See the example below:
| |       arptables-compat -A INPUT -i eth0 -j ACCEPT
| |       arptables-compat -A INPUT -i eth1 -j ACCEPT
| |       arptables-compat -A INPUT -i eth2 -j ACCEPT
| |
| |       arptables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       -j ACCEPT -i eth0
| |       -j ACCEPT -i eth1
| |       -j ACCEPT -i eth2
| |
| |       arptables-compat -D INPUT -i eth2 -j ACCEPT
| |
| |       arptables-compat -L
| |       Chain INPUT (policy ACCEPT)
| |       target prot opt source destination
| |       -j ACCEPT -i eth1
| |       -j ACCEPT -i eth2
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | xtables-events: prints arp rules [Giuseppe Longo, 2014-02-25, 1, -8/+15]
| |   This patch permits to print arp rules, avoiding the segfault that you got currently.
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | nft-arp: adds nft_arp_save_firewall [Giuseppe Longo, 2014-02-25, 1, -63/+109]
| |   Adds nft_arp_save_firewall to arp family. (Avoids the segfault in xtables-events)
| |
| |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge branch 'nft-compat' [Pablo Neira Ayuso, 2014-02-13, 37, -5/+10937]
|\ \
| | |   This merges the branch that contains the iptables over nftables compatibility layer into master.
| * | nft: Pass a line after printing out a debug message [Tomasz Bursztyka, 2014-02-12, 1, -3/+3]
| | |   In these specific places, libnftnl gives back a string on which iptables should not assume any line break, thus it's up to iptables to add it.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: Remove useless error message [Tomasz Bursztyka, 2014-02-12, 1, -40/+5]
| | |   These are not helpful.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: Initialize a table only once [Tomasz Bursztyka, 2014-02-12, 2, -0/+11]
| | |   This helps to remove some runtime overhead, especially when running xtables-restore.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: A builtin chain might be created when restoring [Tomasz Bursztyka, 2014-02-12, 3, -0/+3]
| | |   nft_chain_set() is directly used in xtables-restore.c, however at that point no builtin chains have been created yet thus the need to request to build it relevantly.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: Add useful debug output when a builtin table is created [Tomasz Bursztyka, 2014-02-12, 1, -0/+8]
| | |   This is useful to know if a builtin table is requested to be created.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft-compat: fix wrong protocol context in initialization [Pablo Neira Ayuso, 2014-02-11, 2, -5/+3]
| | |   This fixes matches/targets that are dependent on that IPv4/IPv6 context, e.g.
| | |
| | |       # ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
| | |       # ip6tables-compat-save
| | |       ...
| | |       -A INPUT -j REJECT --reject-with icmp6-port-unreachable
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft-compat: fix IP6T_F_GOTO flag handling [Pablo Neira Ayuso, 2014-02-11, 5, -13/+20]
| | |   IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling to avoid misinterpretations.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: adds save_matches_and_target [Giuseppe Longo, 2014-02-11, 6, -39/+53]
| | |   This patch permits to save matches and target for ip/ip6/arp/eb family, required for xtables-events.
| | |
| | |   Also, generalizes nft_rule_print_save to be reused for all protocol families.
| | |
| | |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables: Add backward compatibility with -w option [Tomasz Bursztyka, 2014-02-11, 4, -4/+14]
| | |   Just to keep aligned with iptables legacy tool.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables: add xtables-compat-multi for the nftables compatibility layer [Pablo Neira Ayuso, 2014-02-04, 8, -38/+123]
| | |   This patch should allow distributors to switch to the iptables over nftables compatibility layer in a transparent way by updating symbolic links from:
| | |
| | |       lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi
| | |
| | |   to:
| | |
| | |       lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi
| | |
| | |   Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save, ip6tables-restore and arptables.
| | |
| | |   Note that, after this patch, the following new symlinks are installed:
| | |
| | |   * iptables-compat
| | |   * iptables-compat-save
| | |   * iptables-compat-restore
| | |   * ip6tables-compat
| | |   * ip6tables-compat-save
| | |   * ip6tables-compat-restore
| | |   * arptables-compat
| | |
| | |   which point to the new binary xtables-compat-multi.
| | |
| | |   The idea is to keep both native and compatibility tools installed in the system, which should also make it easier for testing purposes.
| | |
| | |   The iptables over nftables compatibility layer is enabled by default and it requires the libmnl and libnftnl libraries. If you don't want to compile the compatibility layer, you can still disable it through --disable-nftables.
| | |
| | |   This patch also includes changes to adapt the existing code to this approach.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables-restore: remove dependency with libip4tc [Pablo Neira Ayuso, 2014-02-04, 1, -1/+5]
| | |   Add a new operation structure, we don't actually need the libip4tc definition.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | configure: conditional dependencies for nftables-compat [Pablo Neira Ayuso, 2014-02-04, 1, -36/+37]
| | |   Depend on libmnl, libnftnl, flex and bison only if the nftables compatibility is enabled.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | configure: rename --disable-xtables to --disable-nftables [Pablo Neira Ayuso, 2014-02-04, 1, -1/+1]
| | |   The compat utility name is xtables, the name used for the compatibility binary. Better explicitly refer to the compatibility layer as nftables-compat.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | configure: fix wrong reference to the conntrack-tools [Pablo Neira Ayuso, 2014-02-04, 1, -2/+2]
| | |   Reported-by: Jan Engelhardt <jengelh@inai.de>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: Use new libnftnl library name against former libnftables [Tomasz Bursztyka, 2014-01-20, 9, -20/+20]
| | |   Adapt the current code to use the new library name libnftnl.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY [Pablo Neira Ayuso, 2014-01-10, 2, -9/+9]
| | |   We have to use uint32_t instead of uint8_t to adapt this to the libnftables changes.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | include: Update nftables API header in sync with kernel's one [Tomasz Bursztyka, 2013-12-30, 1, -7/+296]
| | |   Many changes were missing.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix wrong function to release iterator [Pablo Neira Ayuso, 2013-12-30, 1, -1/+1]
| | |       nft.c: In function ‘nft_xtables_config_load’:
| | |       nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
| | |       In file included from nft.c:41:0:
| | |       /usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
| | |
| | |   Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load) but that was my fault indeed since Ana sent a v2 patch that I have overlooked.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | iptables: nft: fix memory leaks in nft_fini [Ana Rey, 2013-12-30, 1, -0/+2]
| | |   Those errors are shown with valgrind tool:
| | |
| | |       valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
| | |
| | |       ==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
| | |       ==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
| | |       ==12554==    by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
| | |       ==12554==    by 0x416520: nft_action (nft.c:2281)
| | |       ==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
| | |       ==12554==    by 0x5B87994: (below main) (libc-start.c:260)
| | |
| | |       ==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
| | |       ==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
| | |       ==12554==    by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
| | |       ==12554==    by 0x416520: nft_action (nft.c:2281)
| | |       ==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
| | |       ==12554==    by 0x5B87994: (below main) (libc-start.c:260)
| | |
| | |   These objects are allocated from nft_init but they were not released appropriately in the exit path.
| | |
| | |   Signed-off-by: Ana Rey <anarey@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix memory leaks in nft_xtables_config_load [Ana Rey, 2013-12-30, 1, -10/+17]
| | |   Those errors are shown with the valgrind tool:
| | |
| | |       valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
| | |
| | |       ==7377==
| | |       ==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
| | |       ==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
| | |       ==7377==    by 0x5955B02: nft_table_list_alloc (table.c:425)
| | |       ==7377==    by 0x4186EB: nft_xtables_config_load (nft.c:2427)
| | |       ==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
| | |       ==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
| | |       ==7377==    by 0x41524A: do_commandx (xtables.c:1176)
| | |       ==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
| | |       ==7377==    by 0x5B87994: (below main) (libc-start.c:260)
| | |       ==7377==
| | |       ==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
| | |       ==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
| | |       ==7377==    by 0x5956A32: nft_chain_list_alloc (chain.c:888)
| | |       ==7377==    by 0x4186F3: nft_xtables_config_load (nft.c:2428)
| | |       ==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
| | |       ==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
| | |       ==7377==    by 0x41524A: do_commandx (xtables.c:1176)
| | |       ==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
| | |       ==7377==    by 0x5B87994: (below main) (libc-start.c:260)
| | |
| | |   Fix these leaks and consolidate error handling in the exit path of nft_xtables_config_load
| | |
| | |   Signed-off-by: Ana Rey <anarey@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables-standalone: call nft_fini in the error path [Ana Rey, 2013-12-30, 1, -0/+3]
| | |   This error is shown with valgrind tools:
| | |
| | |       valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
| | |
| | |       ==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
| | |       ==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
| | |       ==7377==    by 0x574CC76: mnl_socket_open (socket.c:117)
| | |       ==7377==    by 0x417495: nft_init (nft.c:598)
| | |       ==7377==    by 0x4134C2: xtables_main (xtables-standalone.c:64)
| | |       ==7377==    by 0x5B87994: (below main) (libc-start.c:260)
| | |
| | |   This patch calls nft_fini to release the objects that have been allocated in nft_init. This function was not used so far.
| | |
| | |   Signed-off-by: Ana Rey <anarey@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix out of bound memory copy [Pablo Neira Ayuso, 2013-12-30, 1, -9/+6]
| | |   Valgrind reports an invalid read after a memory block:
| | |
| | |       ==11114== Invalid read of size 8
| | |       ==11114==    at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
| | |       ==11114==    by 0x41788E: add_match (nft.c:781)
| | |       ==11114==    by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
| | |       ==11114==    by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
| | |       ==11114==    by 0x418ACE: nft_rule_append (nft.c:1000)
| | |       ==11114==    by 0x413A92: add_entry.isra.6 (xtables.c:424)
| | |       ==11114==    by 0x4152DE: do_commandx (xtables.c:1184)
| | |       ==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
| | |       ==11114==    by 0x5B87994: (below main) (libc-start.c:260)
| | |       ==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
| | |       ==11114==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
| | |       ==11114==    by 0x52448C8: xtables_calloc (xtables.c:272)
| | |       ==11114==    by 0x410AC2: command_default (xshared.c:150)
| | |       ==11114==    by 0x4149A2: do_commandx (xtables.c:1075)
| | |       ==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
| | |       ==11114==    by 0x5B87994: (below main) (libc-start.c:260)
| | |
| | |   m->u.match_size also contains the size of the xt_entry_match structure. Fix also the target path which is very similar.
| | |
| | |   Reported-by: Ana Rey Botello <anarey@gmail.com>
| | |   Tested-by: Ana Rey Botello <anarey@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix inversion of built-in selectors [Pablo Neira Ayuso, 2013-12-30, 2, -0/+8]
| | |   (0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke inversion of built-in selectors, such as -s, -d, etc. We need to refresh the invflags if -p is used or set it for first time if -p is not used, otherwise inversion is ignored.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables-events: fix compilation due change in libnftables [Pablo Neira Ayuso, 2013-12-30, 1, -2/+2]
| | |   The patch (989b793 src: unify parse and output types) changed the table and chain type definitions, adapt this code to use the new ones.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used [Tomasz Bursztyka, 2013-12-30, 1, -0/+7]
| | |   This is a temporary workaround mechanism until variable interface hardware address length can be handled through nftables. This defaults on the length of EUI-64 mac address, which should be the most common usage until this is appropriately fixed for all type of layer 2 addresses.
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | xtables: arp: Fix a compilation warning [Tomasz Bursztyka, 2013-12-30, 1, -4/+4]
| | |   This fixes such warning:
| | |
| | |       xtables-arp.c: In function ‘check_inverse’:
| | |       xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a global declaration [-Wshadow]
| | |
| | |   Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: arp: fix possible string overflow [Giuseppe Longo, 2013-12-30, 2, -3/+6]
| | |   This patch replaces strcat with strncat and strcpy with strncpy fixing possible string overflow.
| | |
| | |   Based on the original patch: http://patchwork.ozlabs.org/patch/279672/ from Jaromír Končický via Jiri Popelka.
| | |
| | |   Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix interface wildcard matching [Pablo Neira Ayuso, 2013-12-30, 1, -22/+16]
| | |   In (73ea1cc nft: convert rule into a command state structure), the interface wildcard matching got broken.
| | |
| | |   The previous handling was flawed by the use of ifnametoindex in scenario where the interface may vanish after a rule was added.
| | |
| | |   This approach relies on the trailing '\0' to identify if this is an exact or wildcard matching, based on discussion with Florian.
| | |
| | |   Based on initial patch from Anand Raj Manickam.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | nft: fix bad length when comparing extension data area [Pablo Neira Ayuso, 2013-12-30, 1, -4/+2]
| | |   Use ->userspacesize to compare the extension data area, otherwise we also compare the internal private pointers which are only meaningful to the kernelspace.
| | |
| | |   This fixes:
| | |
| | |       xtables -4 -D INPUT -m connlimit \
| | |           --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr
| | |
| | |   But it also fixes many other matches/targets which use internal private data.
| | |
| | |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>