summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* treewide: use uint* instead of u_int*HEADmasterNick Hainke2 days8-11/+11
| | | | | | | | | | | | | | | | | | | | Gcc complains about missing types. Some commits introduced u_int* instead of uint*. Use uint treewide. Fixes errors in the form of: In file included from xtables-legacy-multi.c:5: xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'? 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, | ^~~~~~~~~ | uint16_t make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1 Avoid libipq API breakage by adjusting libipq.h include accordingly. For arpt_mangle.h kernel uAPI header, apply same change as in kernel commit e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t"). Signed-off-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Fix build for -Werror=format-securityPhil Sutter7 days1-1/+1
| | | | | | Gcc complains about the omitted format string. Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: bump version for 1.8.8 releasev1.8.8Pablo Neira Ayuso7 days1-3/+3
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix EPERM handling for extensions without rev 0Phil Sutter9 days2-4/+13
| | | | | | | | | | Treating revision 0 as compatible in EPERM case works fine as long as there is a revision 0 of that extension defined in DSO. Fix the code for others: Extend the EPERM handling to all revisions and keep the existing warning for revision 0. Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: LOG: Document --log-macdecode in man pagePhil Sutter9 days1-0/+3
| | | | | | | Help text already contains it, so no update needed there. Fixes: 127647892c7ca ("extensions: libipt_LOG/libip6t_LOG: support macdecode option") Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: *NAT: Review --random* option descriptionsPhil Sutter9 days4-20/+6
| | | | | | | | Stating the option again in the first (single?) sentence is pointless. Get rid of that initial half-sentence in MASQUERADE options and unify the texts a bit. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: DNAT: Merge core printing functionsPhil Sutter9 days1-31/+27
| | | | | | | | | | | Have a versatile __NAT_print() function providing enough flexibility for DNAT and REDIRECT, IPv4 and IPv6 and 'print' and 'save' output. Then define macros to simplify calling it. As a side effect, this fixes ip6tables DNAT revision 1 print output. Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Revert change to struct xtables_pprotPhil Sutter9 days1-1/+1
| | | | | | | | | | | | While protocol values may exceed eight bits, the data structure is indeed used only to store the static list of name/value pairs for faster lookups. None of those has such a value and if one is added in future, the compiler will complain about it. So restore the old field type to retain binary compatibility. Fixes: 556f704458cdb ("Use proto_to_name() from xshared in more places") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Drop xtables_globals 'optstring' fieldPhil Sutter9 days8-8/+20
| | | | | | | | | | | Define the different optstrings in xshared.h instead, they are not relevant for other libxtables users. This is a partial revert of commit 65b150ae382a8 ("xshared: Store optstring in xtables_globals") to avoid breaking libxtables' ABI compatibility. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Extend xtables_printhelp() for arptablesPhil Sutter9 days7-119/+43
| | | | | | | | | | | | | | | | | | | | | | | | The function checks afinfo->family already to cover ip6tables specifics, doing the same for arptables does not make things much worse. This changes arptables-nft help output slightly: * List possible negations extrapositioned, which is preferred anyway (arptables-nft supports both) * List --out-interface option at lexically sorted position * Print --wait option, it's ignored just like with iptables * Restore default target option printing as with legacy arptables (not sure if arptables-nft ever did this) by explicitly loading them. While being at it, add --set-counters short option '-c' to help output for ip(6)tables. This effectively removes the need for (and all users of) xtables_global's 'print_help' callback, thus effectively reverts commit fe83b12fc910e ("libxtables: Introduce xtables_globals print_help callback") which broke libxtables' ABI compatibility. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Move arp_opcodes into shared spacePhil Sutter9 days8-29/+21
| | | | | | | It will be referenced by xtables_printhelp() if printing for arptables and therefore must be present in legacy as well even if unused. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: MARK: Drop extra newline at end of helpPhil Sutter9 days1-2/+1
| | | | | Fixes: f4b737fb0c52a ("libxt_MARK r2") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: split gen_payload() to allocate register and initialize expressionPablo Neira Ayuso2022-05-021-4/+14
| | | | | | Add __gen_payload(), in preparation for the dynamic register allocation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: prepare for dynamic register allocationPablo Neira Ayuso2022-05-026-94/+137
| | | | | | | | | Store the register that has been allocated and pass it on to the next expression. NFT_REG_1 is still used. No functional changes are expected. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass handle to helper functions to build netlink payloadPablo Neira Ayuso2022-05-027-66/+73
| | | | | | | Pass struct nft_handle to helper functions in preparation for the dynamic register allocation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: native mark matching supportPablo Neira Ayuso2022-05-022-0/+59
| | | | | | Use meta mark + bitwise + cmp instead of nft_compat mark match. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass struct nft_xt_ctx to parse_meta()Pablo Neira Ayuso2022-05-026-10/+10
| | | | | | In preparation for native mark match support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-shared: update context register for bitwise expressionPablo Neira Ayuso2022-05-021-0/+2
| | | | | | | | Update the destination register, otherwise nft_parse_cmp() gives up on interpreting the cmp expression when bitwise sreg != dreg. Fixes: 2c4a34c30cb4 ("iptables-compat: fix address prefix") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: man: Document service name support in DNAT and REDIRECTPhil Sutter2022-04-082-0/+3
| | | | | | | Unless as part of a range, service names may be used. Point this out to avoid confusion. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: Merge REDIRECT into DNATPhil Sutter2022-04-0812-380/+204
| | | | | | | | | Code is very similar, join them to reuse parsing code at least. As a side-effect, this enables parsing of service names for ports in DNAT as well as using port number 0 as that's what REDIRECT allows. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: Merge IPv4 and IPv6 DNAT targetsPhil Sutter2022-04-085-468/+218
| | | | | | | | | Make parse_to() family-aware so it serves for both IPv4 and IPv6. Have a core _DNAT_parse() function which parses into the most modern (nf_nat_range2) data structure and a bunch of wrappers to copy into legacy data structures if needed. Treat other callbacks analogous. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: DNAT: Rename from libipt to libxtPhil Sutter2022-04-081-0/+0
| | | | | | | Prepare for merge of libipt and libip6t DNAT extensions, allow for better code review. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Combine xlate functions alsoPhil Sutter2022-04-081-67/+21
| | | | | | | | | | Make use of the new sprint_range() to introduce a common inner function for both v1 and v2 xlate functions. Also abort translation with shifted port ranges to not hide the missing feature in nftables. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Merge v1/v2 print/save codePhil Sutter2022-04-081-65/+46
| | | | | | | | | | | Turn print_range() function into sprint_range() so it becomes more versatile. Make it accept the new nf_nat_range2 data structure and make v1 callers convert their nf_nat_ipv4_multi_range_compat structs to that. This allows to introduce an inner __DNAT_print() which acts for v1 and v2 and prints either 'print' or 'save' syntax. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Merge v1 and v2 parsersPhil Sutter2022-04-081-179/+111
| | | | | | | | | | | | | | | | Use v2 parser for both and copy field values into v1 data structure if needed. While being at it: * Introduce parse_ports() function similar to the one in libipt_REDIRECT.c. * Use xtables_strtoui() in the above instead of atoi() for integrated range checking. * Parse IP addresses using inet_pton(), writing directly into struct nf_nat_range2 fields. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"Phil Sutter2022-04-084-25/+4
| | | | | | | | | | | | | This reverts commit f25b2355e889290879c8cecad3dd24ec0c384fb8. The workaround is not needed anymore since commit 30b178b9bf11e ("extensions: *NAT: Kill multiple IPv4 range support"). While being at it, drop the same hidden flag logic from libip6t_[SD]NAT extensions as well and just don't set XTOPT_MULTI so guided option parser will reject multiple parameters automatically. Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: DNAT: Describe shifted port range featurePhil Sutter2022-04-081-1/+4
| | | | | | This wasn't mentioned anywhere. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate-test: Fix for empty source line on failurePhil Sutter2022-03-311-1/+2
| | | | | | | | The code overwrites 'line' before checking expected output. Save it in a temporary variable. Fixes: 62828a6aff231 ("tests: xlate-test: support multiline expectation") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Boost rule target checks by announcing chain namesPhil Sutter2022-03-174-0/+11
| | | | | | | | | | | | | | | | | When restoring a ruleset, feed libxtables with chain names from respective lines to avoid an extension search. While the user's intention is clear, this effectively disables the sanity check for clashes with target extensions. But: * The check yielded only a warning and the clashing chain was finally accepted. * Users crafting iptables dumps for feeding into iptables-restore likely know what they're doing. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* libxtables: Implement notargets hash tablePhil Sutter2022-03-171-0/+75
| | | | | | | | | Target lookup is relatively costly due to the filesystem access. Avoid this overhead in huge rulesets which contain many chain jumps by caching the failed lookups into a hashtable for later. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* nft: Reject standard targets as chain names when restoringPhil Sutter2022-03-173-7/+4
| | | | | | | | | | | | | Reuse parse_chain() called from do_parse() for '-N' and rename it for a better description of what it does. Note that by itself, this patch will likely kill iptables-restore performance for big rulesets due to the extra extension lookup for chain lines. A following patch announcing those chains to libxtables will alleviate that. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* tests: shell: Fix 0004-return-codes_0 for static buildsPhil Sutter2022-03-151-1/+1
| | | | | | | In static builds, xtables_find_match() returns a slightly different error message if not found - make grep accept both. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Review static extension loadingPhil Sutter2022-03-154-16/+13
| | | | | | | | Combine the init_extensions() call common to all families, do not load IPv6 extensions for iptables and vice versa, drop the outdated comment about "same table". Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Call init_extensions{,a,b}() for static buildsEtienne Champetier2022-03-157-3/+26
| | | | | | | | | | Add calls to arp- and ebtables-specific extension loaders where missing. Also consistently call init_extensions() for them, as some extensions (ebtables 'limit' and arptables 'CLASSIFY' and 'MARK') live in libxt_* files. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* Simplify static build extension loadingPhil Sutter2022-03-1512-29/+9
| | | | | | | | | | Instead of guarding all calls to init_extensions*(), define stubs if not used. While at it, also add the missing prototypes for arp- and ebtables extension initializers. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Fix for warning in xtables_ipmask_to_numericPhil Sutter2022-03-151-1/+1
| | | | | | | | | | | | | | | | | | Gcc complains: | xtables.c: In function 'xtables_ipmask_to_numeric': | xtables.c:1491:34: warning: '__builtin___sprintf_chk' may write a terminating nul past the end of the destination [-Wformat-overflow=] | 1491 | sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask)); | | ^ Indeed, xtables_ipaddr_to_numeric() returns a pointer to a 20 byte buffer and xtables_ipmask_to_numeric() writes its content into a buffer of same size at offset 1. Yet length of returned string is deterministic as it is an IPv4 address. So shrink it to the minimum of 16 bytes which eliminates the warning as well. Fixes: a96166c24eaac ("libxtables: add xtables_ip[6]mask_to_cidr") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Don't pass command state opaque to family ops callbacksPhil Sutter2022-03-108-102/+84
| | | | | | | | | | | There are no family-specific versions of struct iptables_command_state anymore, so no need to hide it behind void pointer. Pass the type as-is and save a few casts. While at it, drop unused callbacks parse_bitwise and parse_cmp. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* xshared: Prefer xtables_chain_protos lookup over getprotoentPhil Sutter2022-03-102-17/+10
| | | | | | | | | | | | | | | | | | | | | | | When dumping a large ruleset, common protocol matches such as for TCP port number significantly slow down rule printing due to repeated calls for getprotobynumber(). The latter does not involve any caching, so /etc/protocols is consulted over and over again. As a simple countermeasure, make functions converting between proto number and name prefer the built-in list of "well-known" protocols. This is not a perfect solution, repeated rules for protocol names libxtables does not cache (e.g. igmp or dccp) will still be slow. Implementing getprotoent() result caching could solve this. As a side-effect, explicit check for pseudo-protocol "all" may be dropped as it is contained in the built-in list and therefore immutable. Also update xtables_chain_protos entries a bit to align with typical /etc/protocols contents. The testsuite assumes those names, so the preferred ones prior to this patch are indeed uncommon nowadays. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* nft: Speed up immediate parsingPhil Sutter2022-03-102-19/+19
| | | | | | | | | | | | | | | | | | | | | | | | | Parsing of rules which jump to a chain pointlessly causes a call to xtables_find_target() despite the code already knowing the outcome. Avoid the significant delay for rulesets with many chain jumps by performing the (standard) target lookup only for accept/drop/return verdicts. From a biased test-case on my VM: | # iptables-nft-save | grep -c -- '-j' | 133943 | # time ./old/iptables-nft-save >/dev/null | real 0m45.566s | user 0m1.308s | sys 0m8.430s | # time ./new/iptables-nft-save >/dev/null | real 0m3.547s | user 0m0.762s | sys 0m2.476s Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* nft: Simplify immediate parsingPhil Sutter2022-03-106-47/+14
| | | | | | | | | | Implementations of parse_immediate callback are mostly trivial, the only relevant part is access to family-specific parts of struct iptables_command_state when setting goto flag for iptables and ip6tables. Refactor them into simple set_goto_flag callbacks. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* Improve error messages for unsupported extensionsPhil Sutter2022-03-022-4/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a given extension was not supported by the kernel, iptables would print a rather confusing error message if extension parameters were given: | # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko | # iptables -A FORWARD -j LOG --log-prefix foo | iptables v1.8.7 (legacy): unknown option "--log-prefix" Avoid this by pretending extension revision 0 is always supported. It is the same hack as used to successfully print extension help texts as unprivileged user, extended to all error codes to serve privileged ones as well. In addition, print a warning if kernel rejected revision 0 and it's not a permissions problem. This helps users find out which extension in a rule the kernel didn't like. Finally, the above commands result in these messages: | Warning: Extension LOG revision 0 not supported, missing kernel module? | iptables: No chain/target/match by that name. Or, for iptables-nft: | Warning: Extension LOG revision 0 not supported, missing kernel module? | iptables v1.8.7 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain FORWARD Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Register only the highest revision extensionPhil Sutter2022-03-021-2/+8
| | | | | | | | | | | | When fully registering extensions, ignore all consecutive ones with same name and family value. Since commit b3ac87038f4e4 ("libxtables: Make sure extensions register in revision order"), one may safely assume the list of pending extensions has highest revision numbers first. Since iptables is only interested in the highest revision the kernel supports, registration and compatibility checks may be skipped once the first matching extension in pending list has validated. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Implement xtables lock timeout using signalsJethro Beekman2022-02-158-77/+36
| | | | | | | | | | | | | | | | | | | | | | | Previously, if a lock timeout is specified using `-wN `, flock() is called using LOCK_NB in a loop with a sleep. This results in two issues. The first issue is that the process may wait longer than necessary when the lock becomes available. For this the `-W` option was added, but this requires fine-tuning. The second issue is that if lock contention is high, invocations using `-w` (without a timeout) will always win lock acquisition from invocations that use `-w N`. This is because invocations using `-w` are actively waiting on the lock whereas those using `-w N` only check from time to time whether the lock is free, which will never be the case. This patch removes the sleep loop and deprecates the `-W` option (making it non-functional). Instead, flock() is always called in a blocking fashion, but the alarm() function is used with a non-SA_RESTART signal handler to cancel the system call. Signed-off-by: Jethro Beekman <jethro@fortanix.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: NFLOG: enable `--nflog-range` testsJeremy Sowden2022-02-131-6/+6
| | | | | | | | | iptables-legacy and iptable-nft have different results for these tests. Now that it is possible to specify the expected results correctly, we can enable the tests. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: support explicit variant test resultJeremy Sowden2022-02-131-5/+13
| | | | | | | | Now that there are more than two test results, add support for explicitly indicating which result to expect if the variants differ. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add `NOMATCH` test resultJeremy Sowden2022-02-131-11/+25
| | | | | | | | | | | | | Currently, there are two supported test results: `OK` and `FAIL`. It is expected that either the iptables command fails, or it succeeds and dumping the rule has the correct output. However, it is possible that the command may succeed but the output may not be correct. Add a `NOMATCH` result to cover this outcome. Make a few white-space improvements at the same time. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: iptables-test: rename variableJeremy Sowden2022-02-131-10/+10
| | | | | | | | "Splitted" hasn't been current since the seventeenth century. Replace it with "tokens". Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables.8: Describe the effect of multiple -v flagsPhil Sutter2022-02-111-1/+5
| | | | | | | Functionality differs between legacy and nft variants, detail the effects a bit. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Support variant deviationPhil Sutter2022-02-103-3/+28
| | | | | | | | | | | | | | | | Some test results are not consistent between variants: * CLUSTERIP is not supported with nft_compat, so all related tests fail with iptables-nft. * iptables-legacy mandates TCPMSS be combined with SYN flag match, iptables-nft does not care. (Or precisely, xt_TCPMSS.ko can't validate match presence.) Introduce an optional fourth test spec field to specify the variant it applies to. Consequently, the opposite result is expected with the other variant. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Dump rules if debuggingPhil Sutter2022-02-081-2/+16
| | | | | | | | If verbose flag was given twice, dump rules while populating the cache. This not only applies to list commands, but all requiring a rule cache - e.g. insert with position. Signed-off-by: Phil Sutter <phil@nwl.cc>