summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_devgroup.c
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libxt_devgroup: handle the invert flag properly in translationLiping Zhang2016-10-141-2/+3
| | | | | | | | | | | | | | We forgot to put "!=" when devgroup can be mapped to name, so translation is wrong: # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0 nft add rule ip filter OUTPUT oifgroup default counter Apply this patch: # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0 nft add rule ip filter OUTPUT oifgroup != default counter Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-3/+3
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issuePablo M. Bermudo Garay2016-07-091-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_devgroup: Fix order of mask and idShivani Bhardwaj2016-06-021-2/+2
| | | | | | | | | The order of mask and id in the translated code is not apt so fix it. This patch follows commit 8548dd by Liping Zhang. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-1/+1
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-11/+11
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_devgroup: Add translation to nftShivani Bhardwaj2016-02-161-0/+53
| | | | | | | | | | | | | | | | | | | | | | | | | Add translation for device group to nftables. Examples: $ sudo iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT nft add rule ip filter FORWARD iifgroup 0x2 counter accept $ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept $ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept $ sudo iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT nft add rule ip filter FORWARD iifgroup != 0x2 counter accept Signed-off-by : Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: devgroup: fix showing and saving of dst-groupAna Rey2014-11-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=985 The --dst-group parameter in devgroup extensions lists and saves incorrectly its value. --dst-group always shows "0x0/0x0". This is an example: # iptables -I FORWARD -m devgroup --dst-group 200 -j ACCEPT # iptables -L FORWARD Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere src-group 0x64 dst-group 0x0/0x0 # iptables -S FORWARD -P FORWARD ACCEPT -A FORWARD -m devgroup --dst-group 0x0/0x0 -j ACCEPT Reporte-by: Axinchan <axinchan@cnrouter.com> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_devgroup: Fix the path of the group mappings fileAna Rey2014-09-191-2/+2
| | | | | | | | Use "/etc/iproute2/group" as the default path to the mapping file instead of "/etc/iproute2/group_map". Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_devgroup: guard against negative numbersJan Engelhardt2012-07-311-4/+6
| | | | | | More corrections of the strtoul kind. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_devgroup: consolidate devgroup specification parsingJan Engelhardt2012-07-311-40/+30
| | | | | | | This is a small cleanup, reducing the two copies of X/Y parsing to one. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flagsLutz Jaenicke2011-05-231-0/+2
| | | | | Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_devgroup: use guided option parserJan Engelhardt2011-04-131-160/+41
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_devgroup: option whitespace update following v1.4.10-49-g7386635Jan Engelhardt2011-02-161-7/+7
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add extension for devgroup matchPatrick McHardy2011-02-031-0/+297
Signed-off-by: Patrick McHardy <kaber@trash.net>