| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -A OUTPUT -j LOG --log-uid
nft add rule ip filter OUTPUT counter log flags skuid
# iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
--log-tcp-options
nft add rule ip filter OUTPUT counter log flags tcp sequence,options
# iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
nft add rule ip filter OUTPUT counter log level debug flags skuid
# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags ip options flags ether
# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
--log-tcp-sequence --log-tcp-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags all
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some translations included escaped quotes when they were called from
nft:
$ sudo nft list ruleset
table ip mangle {
chain FORWARD {
type filter hook forward priority -150; policy accept;
ct helper \"ftp\" counter packets 0 bytes 0
^^ ^^
}
}
This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Avoid to print the log level in the translation when the level is the
default value.
Example:
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
nft add rule ip filter INPUT icmp type != router-solicitation counter log
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
|
| |
|
|
|
|
|
| |
The multiport match needs it, this basically leaves ->xlate() indirection
with almost the same interface as ->print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-level error
nft add rule ip filter FORWARD ip protocol tcp counter log level err
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" level warn
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
Match and target parse functions now only get option characters they
have defined themselves.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
"u_int" was a non-standardized extension predating C99 on some platforms.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
Most touched files do not use anything from ip_tables.h, so
remove that #include. multiport instead, does need it (ipt_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
This also adds a warning that intrapositional negation support
is deprecated.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
This commit also throws out the redundant string_to_number_*.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
All of them are implicitly convertable without any wanted side effects.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
| |
iptables.h and ip6tables.h only include declarations internal to
iptables (specifically iptables.c and ip6tables.c), as most of the
public API has been moved to xtables.h a few months ago.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Resync netfilter.h from the latest kernel and make use of the new
NFPROTO_ constants that have been introduced.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Give symbols of libxt targets unique names (2/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| |
|
|
|
|
| |
Constify more data structures. Make functions static.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| |
|
|
|
|
|
| |
Deletes empty ->final_check() functions, and makes ip[6]tables
checks for NULL on these.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| |
|
|
|
|
|
|
|
| |
This changes the type of arguments as follows
- ipt_ip * -> void *
- ipt_entry * -> void *
This patch doesn't change multiport, DNAT, SNAT, MASQUERADE, REDIRECT
because these need more changes (casting void * variable with intended type)
|
| | |
|
| |
|
|
|
|
| |
<vapier@gentoo.org>)
Bugzilla #516
|
| | |
|
| |
|
|
| |
Fixes build with conntrack event patch for 2.6
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
by Thomas Woerner <twoerner@redhat.com>
|
| |
|
|
| |
numeric value. (Michael Schwendt)
|
| |
|
|
| |
naming
|
| | |
|
| | |
|
| | |
|
