path: root/extensions/libipt_realm.c
Commit log: Commit message | Author | Date | Files | Lines
* xtables: Introduce and use common function to print val[/mask] arguments
  Author: Serhey Popovych | Date: 2018-04-27 | Files: 1 | Lines: -19/+2

  There are a number of places where an argument in val[/mask] format is printed in extensions, and some of them may print the corresponding symbolic name. By introducing a common function for this task we eliminate custom code parts in extensions to perform printing of arguments in the required formats.

  Use the xtables_print_mark_mask() helper for extensions without a symbolic name for val[/mask].

  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables: Introduce and use common function to parse val[/mask] arguments
  Author: Serhey Popovych | Date: 2018-04-27 | Files: 1 | Lines: -21/+8

  There are a couple of places in both core and extensions where arguments in the form of val[/mask] are parsed (see XTTYPE_MARKMASK32). In some cases a symbolic name might be used, which is mapped in code to a numeric value.

  Introduce a common function to handle both cases, where the value given is either val[/mask] or a symbolic name.

  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: Initialize linear mapping of symbols in _init() of extension
  Author: Serhey Popovych | Date: 2018-04-27 | Files: 1 | Lines: -11/+7

  libxt_devgroup and libipt_realm are currently unable to display symbolic names in save/print commands because the linear mapping is not initialized.

  It looks a bit confusing, as linear mapping initialization is done in init() of the extension, which is expected to be called before any other function of the extension. However, init is called only when the '-m' option is specified on the command line, which is true only for the insert, append, replace and destroy iptables commands.

  Move initialization to the extension's _init() function, before calling any function in the extension.

  Before:
  -------
  ... src-group 0x1 dst-group 0x2
  ... src-group 0x2 dst-group 0x1

  After:
  ------
  ... src-group grp1 dst-group grp2
  ... src-group grp2 dst-group grp1

  Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libipt_realm: add a missing space in translation
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 | Lines: -1/+1

  We missed a blank space when translating to nft, so if rt_realm can be mapped to a name, the result looks ugly:

  # iptables-translate -A OUTPUT -m realm --realm 0
  nft add rule ip filter OUTPUT rtclassidcosmos counter
                                         ^
  Apply this patch:

  # iptables-translate -A OUTPUT -m realm --realm 0
  nft add rule ip filter OUTPUT rtclassid cosmos counter

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: introduce struct xt_xlate_{mt,tg}_params
  Author: Pablo Neira Ayuso | Date: 2016-07-25 | Files: 1 | Lines: -3/+3

  This structure is an extensible container of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issue
  Author: Pablo M. Bermudo Garay | Date: 2016-07-09 | Files: 1 | Lines: -3/+3

  This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation:

  $ sudo iptables-save
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
  COMMIT
  $ sudo iptables-compat-restore iptables-save
  $ sudo nft list ruleset
  table ip filter {
    chain INPUT {
      type filter hook input priority 0; policy accept;
      ct state related,established  counter packets 0 bytes 0 accept
                                  ^^
      ip protocol tcp  tcp dport 80-85  ip ttl gt 5  counter packets 0 bytes 0 accept
                     ^^              ^^            ^^
    }
  }

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libipt_realm: fix order of mask and id when do nft translation
  Author: Liping Zhang | Date: 2016-07-01 | Files: 1 | Lines: -2/+2

  Before:
  # iptables-translate -A INPUT -m realm --realm 1/0xf
  nft add rule ip filter INPUT rtclassid and 0x1 == 0xf counter

  Apply this patch:
  # iptables-translate -A INPUT -m realm --realm 1/0xf
  nft add rule ip filter INPUT rtclassid and 0xf == 0x1 counter

  Cc: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()
  Author: Pablo Neira Ayuso | Date: 2016-03-09 | Files: 1 | Lines: -1/+1

  The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: rename xt_buf to xt_xlate
  Author: Pablo Neira Ayuso | Date: 2016-02-16 | Files: 1 | Lines: -7/+7

  Use a more generic name for this object to prepare the introduction of other translation specific fields.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libipt_realm: Add translation to nft
  Author: Shivani Bhardwaj | Date: 2016-02-16 | Files: 1 | Lines: -2/+40

  Add translation for routing realm to nftables.

  Examples:

  $ sudo iptables-translate -A PREROUTING -m realm --realm 4
  nft add rule ip filter PREROUTING rtclassid 0x4 counter

  $ sudo iptables-translate -A PREROUTING -m realm --realm 5/5
  nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter

  $ sudo iptables-translate -A PREROUTING -m realm ! --realm 50
  nft add rule ip filter PREROUTING rtclassid != 0x32 counter

  Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: resolve old macro names that are indirections
  Author: Jan Engelhardt | Date: 2011-09-11 | Files: 1 | Lines: -5/+5

  Command used:
  git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)
  and then fix all occurrences.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libipt_realm: use guided option parser
  Author: Jan Engelhardt | Date: 2011-04-13 | Files: 1 | Lines: -163/+39

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* mark newly opened fds as FD_CLOEXEC (close on exec)
  Author: Maciej Zenczykowski | Date: 2011-04-04 | Files: 1 | Lines: -1/+1

  (This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

  Signed-off-by: Maciej Zenczykowski <maze@google.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: do not print trailing whitespaces
  Author: Jan Engelhardt | Date: 2011-01-31 | Files: 1 | Lines: -7/+7

  Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :)

  Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away.

  References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: remove no longer necessary default: cases
  Author: Jan Engelhardt | Date: 2011-01-08 | Files: 1 | Lines: -3/+0

  Match and target parse functions now only get option characters they have defined themselves.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* all: consistent syntax use in struct option
  Author: Jan Engelhardt | Date: 2010-07-23 | Files: 1 | Lines: -2/+3

  Try to inhibit copypasting old stuff.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables/extensions: make bundled options work again
  Author: Jan Engelhardt | Date: 2009-11-03 | Files: 1 | Lines: -2/+2

  When using a bundled option like "-ptcp", 'argv[optind-1]' would logically point to "-ptcp", but this is obviously not right. 'optarg' is needed instead, which is properly offset to "tcp".

  Not all places change optind-based access to optarg; where look-ahead is needed, such as for tcp's --tcp-flags option for example, optind is ok.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: hand argv to xtables_check_inverse
  Author: Jan Engelhardt | Date: 2009-11-03 | Files: 1 | Lines: -1/+1

  In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* realm: remove static initializations
  Author: Jan Engelhardt | Date: 2009-10-25 | Files: 1 | Lines: -3/+2

  Save a little disk space, they are initialized to zero anyway.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove redundant casts
  Author: Jan Engelhardt | Date: 2009-06-08 | Files: 1 | Lines: -2/+2

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* extensions: add const qualifiers in print/save functions
  Author: Jan Engelhardt | Date: 2009-05-26 | Files: 1 | Lines: -2/+2

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: prefix exit_error to xtables_error
  Author: Jan Engelhardt | Date: 2009-02-21 | Files: 1 | Lines: -3/+3

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxtables: prefix/order - move check_inverse to xtables.c
  Author: Jan Engelhardt | Date: 2009-01-30 | Files: 1 | Lines: -1/+1

  This also adds a warning that intrapositional negation support is deprecated.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* src: remove redundant casts
  Author: Jan Engelhardt | Date: 2009-01-27 | Files: 1 | Lines: -1/+1

  All of them are implicitly convertible without any wanted side effects.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove inclusion of iptables.h
  Author: Jan Engelhardt | Date: 2008-11-20 | Files: 1 | Lines: -1/+1

  iptables.h and ip6tables.h only include declarations internal to iptables (specifically iptables.c and ip6tables.c), as most of the public API has been moved to xtables.h a few months ago.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* src: use NFPROTO_ constants
  Author: Jan Engelhardt | Date: 2008-11-18 | Files: 1 | Lines: -1/+1

  Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* src: Update comments
  Author: Jan Engelhardt | Date: 2008-09-01 | Files: 1 | Lines: -10/+0

  A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* Synchronize invert flag order with manpages
  Author: Jan Engelhardt | Date: 2008-08-13 | Files: 1 | Lines: -1/+1

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* Remove old functions, constants
  Author: Jan Engelhardt | Date: 2008-04-15 | Files: 1 | Lines: -8/+8
* fix gcc warnings
  Author: Max Kellermann | Date: 2008-01-29 | Files: 1 | Lines: -1/+1

  Max Kellermann <max@duempel.org>

* Unique names 3/6
  Author: Jan Engelhardt | Date: 2007-10-04 | Files: 1 | Lines: -23/+16

  Give symbols of libxt matches unique names (2/3).

  Adds unique prefixes to all functions (most of them - especially the hook functions) so that debugging programs can unambiguously map a symbol to an address.

  Also unifies the names of the xtables_match/xtables_target structs, (based upon libxt_connmark.c/libip6t_*.c).

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

* Constify data structures
  Author: Jan Engelhardt | Date: 2007-10-04 | Files: 1 | Lines: -2/+2

  Constify more data structures. Make functions static.

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

* Remove stray NULLs
  Author: Jan Engelhardt | Date: 2007-10-04 | Files: 1 | Lines: -1/+1

  Mixing member accessors (non-named vs named) is not good. Remove stray NULL.

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix sparse warnings: non-ANSI function declarations, 0 used as pointer
  Author: Patrick McHardy | Date: 2007-09-08 | Files: 1 | Lines: -3/+3

* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)
  Author: Peter Riley | Date: 2007-09-02 | Files: 1 | Lines: -1/+0

* Make the option structures const.
  Author: Jan Engelhardt | Date: 2007-07-30 | Files: 1 | Lines: -1/+1

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

* Fixes warning on compilation of iptables matches/targets
  Author: Yasuyuki KOZAKAI | Date: 2007-07-24 | Files: 1 | Lines: -3/+3

  This changes the type of arguments as follows
  - ipt_ip * -> void *
  - ipt_entry * -> void *

  This patch doesn't change multiport, DNAT, SNAT, MASQUERADE, REDIRECT because these need more changes (casting void * variable with intended type)

* Replaces ipt_entry_* with xt_entry_* in matches/targets
  Author: Yasuyuki KOZAKAI | Date: 2007-07-24 | Files: 1 | Lines: -3/+3
* Named realm (Simon Lodal <simon@parknet.dk>)
  Author: Simon Lodal | Date: 2006-09-02 | Files: 1 | Lines: -11/+154

  Optionally read realm values from /etc/iproute2/rt_realms

* Use lowercase letters for match name (Simon Lodal <simonl@parknet.dk>)
  Author: Simon Lodal | Date: 2006-05-24 | Files: 1 | Lines: -4/+4

* Kill NFC_* stuff in iptables (Pablo Neira <pablo@eurodev.net>)
  Author: Pablo Neira | Date: 2005-02-14 | Files: 1 | Lines: -9/+0

  Fixes build with conntrack event patch for 2.6

* Allow "--realm ! foo" and "! --realm foo" (Closes: #297)
  Author: Harald Welte | Date: 2005-02-13 | Files: 1 | Lines: -1/+1

* try to fix realm save/restore issue (Addresses: #297)
  Author: Harald Welte | Date: 2005-02-08 | Files: 1 | Lines: -11/+14
* Pablo Neira: extensions conversion to C99 structure initialization
  Author: Pablo Neira | Date: 2004-12-28 | Files: 1 | Lines: -13/+12

  (I removed the revision stuff for the moment, but this needs to go in before the code moves too much --RR)

* realm: fix inversion (Simon Lodal)
  Author: Simon Lodal | Date: 2004-09-22 | Files: 1 | Lines: -2/+3

* globally replace NETFILTER_VERSION with IPTABLES_VERSION to have consistent naming
  Author: Harald Welte | Date: 2002-05-29 | Files: 1 | Lines: -2/+2

* Fix 'iptables -p !' bug (segfault when `!' used without argument)
  Author: Harald Welte | Date: 2002-03-14 | Files: 1 | Lines: -2/+1

* fix comment
  Author: Harald Welte | Date: 2001-09-02 | Files: 1 | Lines: -1/+1

* added realm match from Sampsa Ranta
  Author: Sampsa Ranta | Date: 2001-07-30 | Files: 1 | Lines: -0/+136