summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_limit.c
Commit message (Collapse)AuthorAgeFilesLines
* extensions: limit: unbreak build without libnftnlFlorian Westphal2018-10-241-1/+0
| | | | | | | | | | Lars Wendler reported 1.8.1 build failure when trying to build without nft backend: In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory Reported-by: Lars Wendler <polynomial-c@gentoo.org> Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c") Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: Fix for libebt_limit.txlatePhil Sutter2018-08-241-1/+9
| | | | | | | | | The xlate function sharing here does not quite work since in ebtables-translate, extensions are supposed to append whitespace. Fix this by introducing a simple wrapper. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Merge libebt_limit.c into libxt_limit.cPhil Sutter2018-08-161-14/+88
| | | | | | | | | | | | | | | | | Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically also loads the NFPROTO_UNSPEC limit match. This is not a problem per se since match lookup will prefer the family-specific one, but when parsing unknown options, a match without 'parse' callback is encountered. Therefore do_commandeb() has to check existence of that callback prior to dereferencing it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Add macro _DEFAULT_SOURCE.Varsha Rao2017-12-211-0/+1
| | | | | | | | | | | | | | | Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated. https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes This patch fixes the following warning: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp] # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use # _DEFAULT_SOURCE" Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-3/+3
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issuePablo M. Bermudo Garay2016-07-091-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_limit: fix a wrong translation to nft ruleLiping Zhang2016-05-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The default burst value is 5 in iptables limit extension while it is 0 in nft limit expression, if the burst value is default, it will not be displayed when we dump the rules. But when we do translation from iptables rules to nft rules, we should keep the limit burst value unchanged, even if it is not displayed in iptables rules. And now, if the limit-burst value in the iptables rule is 5 or 0, they are all translated to nft rule without burst, this is wrong: $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5 nft add rule ip filter INPUT limit rate 10/second counter $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0 nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter Apply this patch, translation will become: $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5 nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0 nft add rule ip filter INPUT limit rate 10/second counter Fixes: a8dfbe3a3acb ("extensions: libxt_limit: Add translation to nft") Cc: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-1/+1
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-7/+7
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_limit: Add translation to nftShivani Bhardwaj2016-02-161-0/+39
| | | | | | | | | | | | | | | Add translation for module limit to nftables. Examples: $ sudo iptables-translate -A INPUT -m limit --limit 5/s nft add rule ip filter INPUT limit rate 5/second counter $ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3 nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve compile abort in libxt_limit on RHEL5Jan Engelhardt2012-10-101-0/+2
| | | | | | | | | | | | | | | | | | libxt_limit.c: In function 'print_rate': libxt_limit.c:124: error: 'INFINITY' undeclared (first use in this function) The default mode of glibc-2.15's <features.h> sets "-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However, on ├że olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L". Explicitly draw in the definition of INFINITY by always defining _ISOC99_SOURCE. By doing this, we are moving off of the default set, so _BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is used in xt_hashlimit.h. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_*limit: avoid division by zeroJan Engelhardt2012-07-311-5/+12
| | | | | | | | | | | | It was possible to specify -A mychain -m hashlimit --hashlimit 600059/minute; this would convert to r->avg=0, which subsequently causes a division by zero when printing with -S mychain. 1. Avoid division by zero in print_rate by printing infinity instead. 2. Rewrite the test in parse_rate to properly reject too high rates. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_limit: use guided option parserJan Engelhardt2011-05-091-32/+21
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespacesJan Engelhardt2011-01-311-5/+5
| | | | | | | | | | | | | | | | | Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :) Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-081-3/+0
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-081-5/+5
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-4/+4
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables/extensions: make bundled options work againJan Engelhardt2009-11-031-2/+2
| | | | | | | | | | | | | When using a bundled option like "-ptcp", 'argv[optind-1]' would logically point to "-ptcp", but this is obviously not right. 'optarg' is needed instead, which if properly offset to "tcp". Not all places change optind-based access to optarg; where look-ahead is needed, such as for tcp's --tcp-flags option for example, optind is ok. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-2/+2
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use NFPROTO_UNSPEC for .family fieldJan Engelhardt2009-06-011-1/+1
| | | | | | | | This constant would be the designated one for the .family field; it also, given recent changes, makes grep for NFPROTO_UNSPEC work to finally recollect all manpages. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: replace open-coded sizeof by ARRAY_SIZEJan Engelhardt2009-05-261-2/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-261-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-5/+5
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-2/+2
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - strtouiJan Engelhardt2009-01-271-1/+1
| | | | | | This commit also throws out the redundant string_to_number_*. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: update comments part IIJan Engelhardt2008-09-041-2/+2
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Update commentsJan Engelhardt2008-09-011-6/+0
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use regular includesJan Engelhardt2008-09-011-1/+1
| | | | | | | | iptables ships with all header files and prioritized its own include directory over /usr/include/linux, so just use the normal brackets. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Remove old functions, constantsJan Engelhardt2008-04-151-4/+4
|
* Implement AF_UNSPEC as a wildcard for extensionsJan Engelhardt2008-04-141-16/+1
|
* fix gcc warningsMax Kellermann2008-01-291-1/+1
| | | | Max Kellermann <max@duempel.org>
* Unique symbols 1/6Jan Engelhardt2007-10-041-28/+23
| | | | | | | | | | | Give symbols of libxt matches unique names (1/3). Adds unique prefixes to all functions (most of them - especially the hook functions) so that debugging programs can unambiguously map a symbol to an address. Also unifies the names of the xtables_match/xtables_target structs, (based upon libxt_connmark.c/libip6t_*.c). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Constify data structuresJan Engelhardt2007-10-041-1/+1
| | | | | | Constify more data structures. Make functions static. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Delete empty ->final_check() functionsJan Engelhardt2007-10-041-7/+0
| | | | | | | Deletes empty ->final_check() functions, and makes ip[6]tables checks for NULL on these. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix sparse warnings: non-ANSI function declarations, 0 used as pointerPatrick McHardy2007-09-081-3/+3
|
* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)Peter Riley2007-09-021-2/+1
|
* Make the option structures const.Jan Engelhardt2007-07-301-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Remove the .next=NULL field. This is automatically initialized to zero.Jan Engelhardt2007-07-301-2/+0
| | | | | | | I've kept .print=NULL and .save=NULL so it stands out (since iptables will do the print/save then). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Unifies libip[6]t_limit.c into libxt_limit.c.Yasuyuki KOZAKAI2007-07-241-0/+214