summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: xlate: Support testing multiple individual filesHEADmasterPhil Sutter3 days1-8/+13
| | | | | | | | | | Simple use-case: run xlate-test for ebtables-nft: | % ./xlate-test.py extensions/libebt_*.txlate The script interpreted all parameters as a single file. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Print flush command after parsing is finishedPhil Sutter3 days1-7/+7
| | | | | | | Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong output instead of an error message. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Ignore '-j CONTINUE'Phil Sutter3 days1-1/+3
| | | | | | | It is default behaviour. Does not hurt here, but reducing diff to xtables-eb.c can't hurt. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Use OPT_* from xshared.hPhil Sutter3 days1-18/+9
| | | | | | | Same as commit db420e268735e ("ebtables: Merge OPT_* flags with xshared ones") but also introduce 'table_set' as a replacement for OPT_TABLE. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Drop exec_stylePhil Sutter3 days1-8/+0
| | | | | | | Apply the changes from commit 816bd1fdecb63 ("ebtables-nft: remove exec_style") to ebtables-translate, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Refuse unselected targets' optionsPhil Sutter3 days8-39/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | Unlike legacy, ebtables-nft would allow e.g.: | -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be While the result is correct, it may mislead users into believing multiple targets are possible per rule. Better follow legacy's behaviour and reject target options unless they have been "enabled" by a previous '-j' option. To achieve this, one needs to distinguish targets from watchers also attached to 'xtables_targets' and otherwise behaving like regular matches. Introduce XTABLES_EXT_WATCHER to mark the two. The above works already, but error messages are misleading when using the now unsupported syntax since target options have been merged already. Solve this by not pre-loading the targets at all, code will just fall back to loading ad '-j' parsing time as iptables does. Note how this also fixes for 'counter' statement being in wrong position of ebtables-translate output. Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Proper fix for "unknown argument" error messagePhil Sutter3 days4-15/+50
| | | | | | | | | | | | | | | | While commit 1b8210f848631 kind of fixed the corner-case of invalid short-options packed with others, it broke error reporting for long-options. Revert it and deploy a proper solution: When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long sets the variable 'optopt' to the invalid character's value. Use it for reporting instead of optind if set. To distinguish between invalid options and missing option arguments, ebtables-translate optstring needs adjustment. Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters") Signed-off-by: Phil Sutter <phil@nwl.cc>
* etc: Drop xtables.confPhil Sutter2023-01-183-76/+1
| | | | | | | | | | | | | | The file is not used since the commit this one fixes. Also it wasn't installed until recently, when commit 3822a992bc277 ("Makefile: Fix for 'make distcheck'") added it in the wrong spot in an attempt to reduce differences between tarballs generated by 'make tarball' and 'make dist'. While being at it, drop stale xtables_config_main() prototype from xtables-multi.h. Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: NAT: Fix for -Werror=format-securityPhil Sutter2023-01-121-1/+1
| | | | | | | Have to pass either a string literal or format string to xt_xlate_add(). Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE") Signed-off-by: Phil Sutter <phil@nwl.cc>
* configure: Bump version for 1.8.9 releasev1.8.9Phil Sutter2023-01-101-3/+3
| | | | Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Replace brace expansionPhil Sutter2023-01-101-2/+3
| | | | | | | | | According to bash(1), it is not supported by "historical versions of sh". Dash seems to be such a historical version. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Fixes: 3822a992bc277 ("Makefile: Fix for 'make distcheck'") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: Install symlinkPhil Sutter2022-12-223-7/+13
| | | | | | | | Make this officially a tool, we have enough test coverage in place. Also update xtables-translate.8 to mention it at least and generate ebtables-translate.8 which points to it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* gitignore: Ignore generated ip6tables man pagesPhil Sutter2022-12-221-0/+4
| | | | | Fixes: 127eadee563e4 ("Makefile: Generate ip6tables man pages on the fly") Signed-off-by: Phil Sutter <phil@nwl.cc>
* gitignore: Ignore utils/nfsynproxyPhil Sutter2022-12-221-0/+1
| | | | | Fixes: 9e6928f037823 ("utils: add nfsynproxy tool") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Reject tcp/udp extension without proper protocol matchPhil Sutter2022-12-223-0/+12
| | | | | | | | | Internally, 'th' expression is used, which works but matches both protocols. Since users won't expect '-m tcp --dport 1' to match UDP packets, catch missing/wrong '-p' argument. Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Make rule parsing errors fatalPhil Sutter2022-12-201-1/+3
| | | | | | | Finish parsing the rule, thereby printing all potential problems and abort the program. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Increase rule parser strictnessPhil Sutter2022-12-205-12/+37
| | | | | | Catch more unexpected conditions. Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables: Check the mandatory ar_pln matchPhil Sutter2022-12-201-1/+6
| | | | | | | | | This match is added by nft_arp_add() to every rule with same value, so when parsing just check it is as expected and otherwise ignore it. This allows to treat matches on all other offsets/lengths as error. Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Parse icmp header matchesPhil Sutter2022-12-202-3/+77
| | | | | | These were previously ignored. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile.am: Integrate testsuitesPhil Sutter2022-12-142-0/+14
| | | | | | | | Support calling 'make check' in topdir to run all three testsuites. While updating .gitignore, also add 'configure~' my autotools create and the tags file. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: Adjust testsuite return codes to automake guidelinesPhil Sutter2022-12-143-3/+5
| | | | | | | | | | | | | As per the manual[1]: "When no test protocol is in use, an exit status of 0 from a test script will denote a success, an exit status of 77 a skipped test, an exit status of 99 a hard error, and any other exit status will denote a failure." [1] https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html Signed-off-by: Phil Sutter <phil@nwl.cc>
* include/Makefile: xtables-version.h is generatedPhil Sutter2022-12-141-3/+3
| | | | | | | | | | | List it in nodist_include_HEADERS so it is installed but not distributed - configure generates it from xtables-version.h.in. While being at it, list xtables.h in plain include_HEADERS. It doesn't sit in a sub-dir, so the nobase prefix does not make a difference. Fixes: df60a301bf24c ("build: separate AC variable replacements from xtables.h") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Generate .tar.xz archive with 'make dist'Phil Sutter2022-12-141-1/+1
| | | | | | Instead of the default .tar.gz one. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Fix for 'make distcheck'Phil Sutter2022-12-147-6/+28
| | | | | | | | | Since extensions/ directory does not use automake, some targets have to be added manually. Apart from that, several Makefiles either missed to specify relevant files or did not specify them correctly for 'make dist' to add them to the tarball. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables/Makefile: Split nft-variant man page listPhil Sutter2022-12-141-11/+7
| | | | | | | | Some of them are not generated and must therefore be distributed. Hence add them to a 'dist_man_MANS' variable. This leaves only generated entries in the non-dist one, so use that to reduce the CLEANFILES list. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables/Makefile: Reorg variable assignmentsPhil Sutter2022-12-141-26/+32
| | | | | | | | Introduce helper variables holding SOURCES, LDADD and CFLAGS used by both legacy and nft builds. Specify also internal header files, builds should depend on them. Doing that, reorder lists for clarity. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: Makefile: Merge initext targetsPhil Sutter2022-12-141-92/+14
| | | | | | | Abstract initext*.c and .initext*.dd stamp file recipes so a single one serves for all variants. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Generate ip6tables man pages on the flyPhil Sutter2022-12-145-4/+3
| | | | | | No need to drag them around, creating them is simple. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop libiptc/linux_stddef.hPhil Sutter2022-12-141-39/+0
| | | | | | | This header was never included anywhere. Fixes: aae69bed01982 ("complete libiptc rewrite. Time to load 10k rules goes down from 2.20 minutes to 1.255 seconds (!). Might still contain bugs, use with caution.") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop INCOMPATIBILITIES filePhil Sutter2022-12-141-14/+0
| | | | | | The problems described in there were relevant 17 years ago. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Create LZMA-compressed dist-filesPhil Sutter2022-12-091-1/+1
| | | | | | | | Use a more modern alternative to bzip2. Suggested-by: Jan Engelhardt <jengelh@inai.de> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Fix MAC address match translationPhil Sutter2022-12-022-4/+4
| | | | | | | If a mask was present, ebtables-translate would emit illegal syntax. Fixes: 5e2b473a64bc7 ("xtables-compat: extend generic tests for masks and wildcards") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Fix for interfaces with asterisk mid-stringPhil Sutter2022-12-022-8/+10
| | | | | | | | | | | | | For nft, asterisk is special at end of the interface name only. Escaping it mid-string makes the escape char part of the interface name, so avoid this. In the test case, also drop the ticks around interface names in *-translate command - since there's no shell involved which would eat them, they become part of the interface name. Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Recognize INVAL/D interface namePhil Sutter2022-12-021-0/+19
| | | | | | | | It is just a hack to translate '! -i +' into a never matching nft rule, but recognize it anyway for completeness' sake and to make xlate replay test pass. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix match generator for '! -i +'Phil Sutter2022-12-021-0/+6
| | | | | | | | | | | | | It's actually nonsense since it will never match, but iptables accepts it and the resulting nftables rule must behave identically. Reuse the solution implemented into xtables-translate (by commit e179e87a1179e) and turn the above match into 'iifname INVAL/D'. The commit this fixes merely ignored the fact that "any interface" match might be inverted. Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for comparing ifname matches against nft-generated onesPhil Sutter2022-12-021-1/+1
| | | | | | | | | Since nft adds the interface name as fixed-size string of 16 bytes, filling a mask based on the length value will not match the mask nft set. Fixes: 652b98e793711 ("xtables-compat: fix wildcard detection") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate: Use --check to verify replayPhil Sutter2022-12-021-28/+18
| | | | | | | | | | | After applying the translated rule using nft, pass the untranslated rule to --check instead of dumping the ruleset and performing a string search. This fixes for mandatory match reordering (e.g. addresses before interfaces) and minor differences like /32 netmasks or even just whitespace changes. Fixes: 223e34b057b95 ("tests: xlate-test: Replay results for reverse direction testing") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Implement --check commandPhil Sutter2022-12-021-3/+9
| | | | | | | | | Sadly, '-C' is in use already for --change-counters (even though ebtables-nft does not implement this), so add a long-option only. It is needed for xlate testsuite in replay mode, which will use '--check' instead of '-C'. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Eliminate garbage accessPhil Sutter2022-12-021-2/+2
| | | | | | | | | | | | | | | | | | | | | | When adding a rule, valgrind prints: Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s) at 0x4A8165A: setsockopt (in /lib64/libc.so.6) by 0x4857A48: iptc_commit (libiptc.c:2676) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) Address 0x4b63788 is 40 bytes inside a block of size 1,448 alloc'd at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x4857654: iptc_commit (libiptc.c:2564) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) This is because repl->counters is not initialized upon allocation. Since the field is an array, make use of calloc() which implicitly does the initialization. Fixes: e37c0dc100c51 ("Revert the recent addition of memset()'s to TC_COMMIT. One of them is bogus and the other one needs more investigation to why valgrind is complaining.") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Free data after printing helpPhil Sutter2022-12-021-0/+3
| | | | | | | This is merely to make valgrind happy, but less noise means less real issues missed. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: Properly clear iptables_command_state objectPhil Sutter2022-12-022-4/+2
| | | | | | | | | | | | | | | | | | | | | | When adding a rule with a target which defines a udata_size, valgrind prints: 8 bytes in 1 blocks are definitely lost in loss record 1 of 1 at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x486B128: xtables_calloc (xtables.c:434) by 0x1128B4: xs_init_target (xshared.c:238) by 0x113CD3: command_jump (xshared.c:877) by 0x114969: do_parse (xshared.c:1644) by 0x10EEB9: do_command4 (iptables.c:691) by 0x10E45B: iptables_main (iptables-standalone.c:59) by 0x49A2349: (below main) (in /lib64/libc.so.6) It is not sufficient to free cs.target->t, so call xtables_clear_iptables_command_state() which takes care of all the details. Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Introduce xtables_clear_iptables_command_state()Phil Sutter2022-12-029-23/+27
| | | | | | | | | | This is nft_clear_iptables_command_state() but in a location reachable by legacy iptables, too. Changes callers in non-family-specific code to use clear_cs callback instead of directly calling it - ebtables still has a custom variant. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: Plug memleaks in print_firewall()Phil Sutter2022-12-022-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When adding a rule in verbose mode, valgrind prints: 192 bytes in 1 blocks are definitely lost in loss record 1 of 2 at 0x48417E5: malloc (vg_replace_malloc.c:381) by 0x486B158: xtables_malloc (xtables.c:446) by 0x486C1F6: xtables_find_match (xtables.c:826) by 0x10E684: print_match (iptables.c:115) by 0x10E684: print_firewall (iptables.c:169) by 0x10FC0C: print_firewall_line (iptables.c:196) by 0x10FC0C: append_entry (iptables.c:221) by 0x10FC0C: do_command4 (iptables.c:776) by 0x10E45B: iptables_main (iptables-standalone.c:59) by 0x49A2349: (below main) (in /lib64/libc.so.6) 200 bytes in 1 blocks are definitely lost in loss record 2 of 2 at 0x48417E5: malloc (vg_replace_malloc.c:381) by 0x486B158: xtables_malloc (xtables.c:446) by 0x486BBD6: xtables_find_target (xtables.c:956) by 0x10E579: print_firewall (iptables.c:145) by 0x10FC0C: print_firewall_line (iptables.c:196) by 0x10FC0C: append_entry (iptables.c:221) by 0x10FC0C: do_command4 (iptables.c:776) by 0x10E45B: iptables_main (iptables-standalone.c:59) by 0x49A2349: (below main) (in /lib64/libc.so.6) If the match/target was cloned, it needs to be freed. Basically a bug since day 1. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Plug memleak in nft_rule_zero_counters()Phil Sutter2022-12-021-2/+3
| | | | | | | | | | | | | | | | | | | | | | | When zeroing a specific rule, valgrind reports: 40 bytes in 1 blocks are definitely lost in loss record 1 of 1 at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x48DE128: xtables_calloc (xtables.c:434) by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071) by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236) by 0x119AF5: nft_rule_zero_counters (nft.c:2877) by 0x11A3CA: nft_prepare (nft.c:3445) by 0x11A7A8: nft_commit (nft.c:3479) by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94) by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118) by 0x49F2349: (below main) (in /lib64/libc.so.6) Have to free the matches/target in populated iptables_command_state object again. While being at it, call the proper family_ops callbacks since this is family-agnostic code. Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-xml: Free allocated chain stringsPhil Sutter2022-12-021-5/+5
| | | | | | | | | Freeing only if 'created' is non-zero is wrong - the data was still allocated. In fact, the field is supposed to prevent only the call to openChain(). Fixes: 8d3eccb19a9c6 ("Add iptables-xml tool (Amin Azez <azez@ufomechanic.net>)") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-restore: Free handle with --test alsoPhil Sutter2022-12-021-2/+2
| | | | | | | | | | | | | | | | | | When running 'iptables-restore -t', valgrind reports: 1,496 (160 direct, 1,336 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 at 0x48417E5: malloc (vg_replace_malloc.c:381) by 0x4857A46: alloc_handle (libiptc.c:1279) by 0x4857A46: iptc_init (libiptc.c:1342) by 0x1167CE: create_handle (iptables-restore.c:72) by 0x1167CE: ip46tables_restore_main (iptables-restore.c:229) by 0x116DAE: iptables_restore_main (iptables-restore.c:388) by 0x49A2349: (below main) (in /lib64/libc.so.6) Free the handle pointer before parsing the next table. Fixes: 1c9015b2cb483 ("libiptc: remove indirections") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix valgrind mode for 0008-unprivileged_0Phil Sutter2022-12-021-1/+2
| | | | | | | Valgrind is run as user nobody, let everyone write into the temporary directory. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: add xt_statistics random mode translationFlorian Westphal2022-12-012-2/+8
| | | | | | | Use meta random and bitops to replicate what xt_statistics is doing. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-bridge: work around recent "among" decode breakageFlorian Westphal2022-12-011-0/+5
| | | | | | | | | | | | | | | | ebtables-nft-save will fail with "unknown meta key" when decoding "among" emulation with ipv4 or ipv6 addresses included. This is because "meta protocol ip" is used as a dependency, but its never decoded anywhere. Skip this for now to restore the "ebtables/0006-flush_0" test case. Fixes: 25883ce88bfb ("nft: check for unknown meta keys") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* xlate-test: avoid shell entanglementsFlorian Westphal2022-11-301-9/+9
| | | | | | | | | | | | | | | | Feed the nft expected output found in the .txlate test files to nft -f via pipe/stdin directly without the shell mangling it. The shell step isn't needed anymore because xtables-translate no longer escapes quotes. We only need to remove the "nft '" and trailing "'" because nft doesn't expect those. v3: handle multi-line expectations such as libxt_connlimmit.txlate (Phil Sutter) Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc>