path: root/extensions
* extensions: libxt_rpfilter: add translation to nft
  Author: Liping Zhang | Date: 2017-01-16 | Files: 1 (-0/+26)

For example:

# iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter

# iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
  --loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter

# ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
  --invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter

Finally, when the "--accept-local" option is specified, we can combine with
"fib saddr type" to simulate it. But when it is used like this:
"-m rpfilter --accept-local", it means "||" relationship, so we cannot
translate it to one single nft rule, translation is not supported yet:

# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local

When "--accept-local" is combined with "--invert", it means "&&"
relationship, so translation can be:

# iptables-translate -t mangle -A PREROUTING -m rpfilter \
  --accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
  . iif oif 0 counter

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_connbytes: Add translation to nft
  Author: Liping Zhang | Date: 2017-01-16 | Files: 1 (-0/+56)

For example:

# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
  --connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter

# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 \
  --connbytes-dir reply --connbytes-mode packets
nft add rule ip filter OUTPUT ct reply packets lt 200 counter

# iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 \
  --connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes 200-600 counter

# iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 \
  --connbytes-dir both --connbytes-mode bytes
nft add rule ip filter OUTPUT ct bytes != 200-600 counter

# iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 \
  --connbytes-dir both --connbytes-mode avgpkt
nft add rule ip filter OUTPUT ct avgpkt 200 counter

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* build: Fix two compile errors during out-of-tree build
  Author: Keno Fischer | Date: 2017-01-16 | Files: 1 (-1/+1)

The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
 #include "iptables/nft.h"
```

The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
 #include <libiptc/linux_list.h>
                                ^
```

Simply fixed by adding the relevant `-I` directives.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_bpf: support ebpf pinned objects
  Author: Willem de Bruijn | Date: 2016-12-10 | Files: 2 (-48/+191)

Exercise the new kernel feature introduced in commit 2c16d6033264
("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs.

The new interface allows instantiating a bpf match using

  -m bpf --object-pinned ${PATH}

where ${PATH} points to a node in a bpf virtual filesystem.

See also the revised man page.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: LOG: add log flags translation to nft
  Author: Liping Zhang | Date: 2016-11-29 | Files: 2 (-8/+52)

For example:

# iptables-translate -A OUTPUT -j LOG --log-uid
nft add rule ip filter OUTPUT counter log flags skuid

# iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
  --log-tcp-options
nft add rule ip filter OUTPUT counter log flags tcp sequence,options

# iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
nft add rule ip filter OUTPUT counter log level debug flags skuid

# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags ip options flags ether

# ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
  --log-tcp-sequence --log-tcp-options --log-macdecode
nft add rule ip6 filter OUTPUT counter log flags all

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tcp_xlate: Enclose LH flag values in parentheses
  Author: Phil Sutter | Date: 2016-11-29 | Files: 1 (-2/+2)

This fixes TCP flags matches:

| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop

Although the generated rule is syntactically correct and accepted by nft,
it will be interpreted in a different way than expected since binary AND
takes precedence over OR.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libip6t_ah: Fix translation of plain '-m ah'
  Author: Phil Sutter | Date: 2016-11-29 | Files: 1 (-1/+6)

This is actually a limitation of ip6tables:

| # ip6tables -A INPUT -p ah -j ACCEPT
| Warning: never matched protocol: ah. use extension match instead.

The working alternative is like so:

| # ip6tables -A INPUT -m ah -j ACCEPT

But upon translating, this statement gets ignored:

| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| nft add rule ip6 filter INPUT counter accept

This patch (ab)uses the 'space' variable to check if a parameter to the
'ah' match was present and if not translates the match into an extension
header check:

| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| add rule ip6 filter INPUT meta l4proto ah counter accept

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxt_multiport: remove an unused variable
  Author: George Burgess IV | Date: 2016-11-23 | Files: 1 (-2/+0)

Clang's static analyzer flagged the shift this patch removes as shifting a
garbage value. Looks like `m` isn't used at all anyway, so we can simply
remove it.

Signed-off-by: George Burgess IV <gbiv@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: update Arturo Borrero email address
  Author: Arturo Borrero Gonzalez | Date: 2016-11-10 | Files: 7 (-7/+7)

The email address has changed, let's update it.

Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_mangle: Use getaddrinfo()
  Author: Shivani Bhardwaj | Date: 2016-11-10 | Files: 1 (-10/+18)

Replace gethostbyname() with getaddrinfo() as getaddrinfo() deprecates
the former and allows programs to eliminate IPv4-versus-IPv6
dependencies.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* connlabel: clarify default config path
  Author: Florian Westphal | Date: 2016-10-18 | Files: 1 (-2/+5)

Pablo suggested to print full config file path for connlabel.conf
parsing errors.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_statistic: add translation to nft
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-0/+21)

For example:

# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
  --packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter

# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
  --packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter

Note, mode random is not completely supported in nft, so:

# iptables-translate -A OUTPUT -m statistic --mode random \
  --probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_DSCP: add translation to nft
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-13/+51)

For example:

# iptables-translate -A OUTPUT -j DSCP --set-dscp 1
nft add rule ip filter OUTPUT counter ip dscp set 0x01

# ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6
nft add rule ip6 filter OUTPUT counter ip6 dscp set 0x06

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_quota: add translation to nft
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-0/+12)

For example:

# iptables-translate -A OUTPUT -m quota --quota 111
nft add rule ip filter OUTPUT quota 111 bytes counter

# iptables-translate -A OUTPUT -m quota ! --quota 111
nft add rule ip filter OUTPUT quota over 111 bytes counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_ipcomp: add range support in translation
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-3/+7)

When translating to nft rules, ipcompspi range is not supported, so:

# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter

# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3 counter

Apply this patch:

# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1-2 counter

# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3-30 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_devgroup: handle the invert flag properly in translation
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-2/+3)

We forgot to put "!=" when devgroup can be mapped to name, so translation
is wrong:

# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter

Apply this patch:

# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup != default counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_iprange: handle the invert flag properly in translation
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-32/+20)

If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:

# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter

# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter

Apply this patch:

# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter

# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-2/+2)

nft will complain about a syntax error if we use "ip saddr" or "ip daddr"
in the ip6 family, so the current translation is wrong:

# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
                               ^^

Apply this patch:

# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip6 saddr 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libipt_realm: add a missing space in translation
  Author: Liping Zhang | Date: 2016-10-14 | Files: 1 (-1/+1)

We missed a blank space when translating to nft, so if rt_realm can be
mapped to a name, the result looks ugly:

# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassidcosmos counter
                                       ^

Apply this patch:

# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassid cosmos counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
  Author: Vishwanath Pai | Date: 2016-10-04 | Files: 2 (-90/+369)

Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million, Version 1 supports only 10k.

To support this we have to increase the size of the variables avg and
burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
and xt_hashlimit_mtinfo2 and also create newer versions of all the
functions for match, checkentry and destroy.

Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
  Author: Vishwanath Pai | Date: 2016-10-04 | Files: 1 (-39/+39)

I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the end
of the names.

Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified
  Author: Liping Zhang | Date: 2016-09-05 | Files: 2 (-14/+28)

It is better to add square brackets to ip6 address in nft translation
output when the port is specified. This keeps it consistent with the nft
syntax.

Before this patch:

# ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
  [123::4]:1
nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to 123::4 :1

# ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
  [123::4-123::8]:1
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 123::4-123::8 :1

Apply this patch:

# ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
  [123::4]:1
nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to [123::4]:1

# ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
  [123::4-123::8]:1
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to [123::4]-[123::8]:1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate
  Author: Liping Zhang | Date: 2016-08-30 | Files: 2 (-2/+2)

After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end user
to use the new syntax.

Before this patch:

# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1

Apply this patch:

# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate
  Author: Liping Zhang | Date: 2016-08-30 | Files: 4 (-4/+4)

After commit "src: add 'to' for snat and dnat" in nftables tree, we
should recommend the end user to use the new syntax.

Before this patch:

# iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
nft add rule ip nat POSTROUTING counter snat 1.1.1.1

# ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
nft add rule ip6 nat PREROUTING counter dnat 2001::1

Apply this patch:

# iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
nft add rule ip nat POSTROUTING counter snat to 1.1.1.1

# ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
nft add rule ip6 nat PREROUTING counter dnat to 2001::1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft
  Author: Liping Zhang | Date: 2016-08-30 | Files: 2 (-2/+2)

When I want to translate SNAT target to nft rule, an error message was
printed out:

# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM

Because ipt_natinfo{} starts with an xt_entry_target{}, when we get the
ipt_natinfo pointer, we should use the target itself, not its data
pointer. Yes, it is a little tricky and it's different from other targets.

Fixes: 7a0992da44cf ("src: introduce struct xt_xlate_{mt,tg}_params")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables-translate: add escape_quotes option to comment_xlate
  Author: Pablo M. Bermudo Garay | Date: 2016-08-23 | Files: 1 (-1/+10)

The comment_xlate function was not supporting this option that is
necessary in some situations.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_CLASSIFY: Add translation to nft
  Author: Liping Zhang | Date: 2016-08-22 | Files: 1 (-0/+27)

For examples:

# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none

# iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff
nft add rule ip filter OUTPUT counter meta priority set root

# iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234
nft add rule ip filter OUTPUT counter meta priority set 1:234

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions/libxt_bpf.man: clarify BPF code generation with tcpdump
  Author: Willem de Bruijn | Date: 2016-08-12 | Files: 1 (-0/+13)

The xt_bpf module applies BPF bytecode to the packet. Depending on where
the module is invoked, the kernel may pass a packet with or without link
layer header. Iptables has no such header.

A common `tcpdump -ddd <string>` compilation command may revert to a
physical device that generates code for packets starting from the mac
layer up (e.g., E10MB data link type: Ethernet).

Clarify in the man page that when using this tool for code generation,
a suitable target device must be chosen.

Netfilter Bugzilla Bug #1048

Reported-by: Lorenzo Pistone <blaffablaffa@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: REJECT: do not adjust reject-with type footnote indentation
  Author: Sami Kerola | Date: 2016-08-01 | Files: 1 (-1/+1)

The footnote is a clarification of the option argument documentation, so
keep the indentation level the same as for the arguments.

Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables-translate: fix issue with quotes
  Author: Pablo M. Bermudo Garay | Date: 2016-07-27 | Files: 4 (-10/+27)

Some translations included escaped quotes when they were called from nft:

$ sudo nft list ruleset
table ip mangle {
	chain FORWARD {
		type filter hook forward priority -150; policy accept;
		ct helper \"ftp\" counter packets 0 bytes 0
		          ^^   ^^
	}
}

This behavior is only correct when xlate functions are called from a
xtables-translate command.

This patch solves that issue using a new parameter (escape_quotes) in
the xlate functions.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: introduce struct xt_xlate_{mt,tg}_params
  Author: Pablo Neira Ayuso | Date: 2016-07-25 | Files: 53 (-251/+247)

This structure is an extensible container of parameters, so we don't
need to propagate interface updates in every extension file in case we
need to add new parameters in the future.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_connlabel: add unit test
  Author: Liping Zhang | Date: 2016-07-23 | Files: 1 (-0/+18)

Add some unit tests for connlabel match extension:

# ./iptables-test.py extensions/libxt_connlabel.t
extensions/libxt_connlabel.t: OK
1 test files, 7 unit tests, 7 passed

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_NFLOG: add unit test to cover nflog-size with zero
  Author: Liping Zhang | Date: 2016-07-20 | Files: 1 (-0/+1)

"--nflog-size 0" is valid and we must display it appropriately.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
  Author: Liping Zhang | Date: 2016-07-19 | Files: 1 (-1/+1)

The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
libxt_NFLOG: nflog-range does not truncate packets"). Then nflog-range
became deprecated, because it has had no effect from the beginning.

So when we do translation, nft log snaplen is translated only if the
nflog-size is specified.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_NFLOG: display nflog-size even if it is zero
  Author: Liping Zhang | Date: 2016-07-19 | Files: 1 (-1/+1)

The following iptables rules have different semantics:

# iptables -A INPUT -j NFLOG
# iptables -A INPUT -j NFLOG --nflog-size 0

But they are both displayed as "-A INPUT -j NFLOG", so if the user inputs
the following command, the original semantics will be broken.

# iptables-save | iptables-restore

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_connlabel: Add translation to nft
  Author: Liping Zhang | Date: 2016-07-16 | Files: 1 (-0/+22)

Add translation for connlabel to nftables. For examples:

# iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter

# iptables-translate -A INPUT -m connlabel ! --label bit40 --set
nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_connlabel: fix crash when connlabel.conf is empty
  Author: Liping Zhang | Date: 2016-07-16 | Files: 1 (-3/+10)

When connlabel.conf is empty, nfct_labelmap_new will return NULL and set
errno to 0. So we will miss checking this situation, and cause a NULL
dereference in nfct_labelmap_get_bit.

Inputting the following commands will reproduce this crash:

# echo > /etc/xtables/connlabel.conf
# iptables -A INPUT -m connlabel --label abc
Segmentation fault (core dumped)

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

* xtables-translate: fix multiple spaces issue
  Author: Pablo M. Bermudo Garay | Date: 2016-07-09 | Files: 32 (-146/+181)

This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft. Before this
commit, two spaces were printed after every match translation:

$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
COMMIT

$ sudo iptables-compat-restore iptables-save

$ sudo nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		ct state related,established  counter packets 0 bytes 0 accept
		                            ^^
		ip protocol tcp  tcp dport 80-85  ip ttl gt 5  counter packets 0 bytes 0 accept
		               ^^               ^^           ^^
	}
}

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: added AR substitution
  Author: Jordan Yelloz | Date: 2016-07-01 | Files: 1 (-0/+1)

This is to ensure that the correct AR is run in cross-compile jobs. Often
a cross-compile build will succeed without this change but it fails on my
Gentoo Linux system when I have binutils installed with the "multitarget"
USE flag.

This change substitutes AR with the autotools-supplied AR for the
extensions subdirectory.

Signed-off-by: Jordan Yelloz <jordan@yelloz.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_NFLOG: nflog-range does not truncate packets
  Author: Vishwanath Pai | Date: 2016-07-01 | Files: 3 (-3/+31)

The option --nflog-range has never worked, but we cannot just fix this
because users might be using this feature option and their behavior
would change. Instead add a new option --nflog-size. This option works
the same way nflog-range should have, and both of them are mutually
exclusive. When someone uses --nflog-range we print a warning message
informing them that this feature has no effect.

To indicate to the kernel that the user has set --nflog-size we have to
pass a new flag XT_NFLOG_F_COPY_LEN.

Also updated the man page to reflect the new option and added tests to
extensions/libxt_NFLOG.t

Reported-by: Joe Dollard <jdollard@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libipt_realm: fix order of mask and id when do nft translation
  Author: Liping Zhang | Date: 2016-07-01 | Files: 1 (-2/+2)

Before:

# iptables-translate -A INPUT -m realm --realm 1/0xf
nft add rule ip filter INPUT rtclassid and 0x1 == 0xf counter

Apply this patch:

# iptables-translate -A INPUT -m realm --realm 1/0xf
nft add rule ip filter INPUT rtclassid and 0xf == 0x1 counter

Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables: extensions: libxt_ecn: Add translation to nft
  Author: Roberto García | Date: 2016-07-01 | Files: 1 (-0/+31)

Add translation of the ecn match to nftables.

Examples:

# iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn not-ect counter

# iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn ect1 counter

# iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn ect0 counter

# iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn ce counter

# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn != not-ect counter

# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn != ect1 counter

# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn != ect0 counter

# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn != ce counter

Signed-off-by: Roberto García <rodanber@gmail.com>
Reviewed-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_conntrack: Add translation to nft
  Author: Laura Garcia Liebana | Date: 2016-06-22 | Files: 1 (-0/+197)

Add translation of conntrack to nftables.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT
nft add rule ip filter INPUT ct state new,related counter accept

$ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
nft add rule ip6 filter INPUT ct state != new,related counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto != 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT
nft add rule ip filter INPUT ct direction original counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: iprange: remove extra space in translation
  Author: Pablo M. Bermudo Garay | Date: 2016-06-22 | Files: 1 (-12/+12)

Extra space was printed by iprange_xlate:

# iptables-translate -A INPUT -m iprange --src-range \
  192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT ip saddr  192.168.25.149-192.168.25...
                                     ^^

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
  Author: Roberto García | Date: 2016-06-22 | Files: 1 (-2/+2)

Fix translation of MARK target's --set-xmark option.

Before:

# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf

After:

# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
  xor 0x64

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_CONNMARK: Add translation to nft
  Author: Roberto García | Date: 2016-06-22 | Files: 1 (-0/+45)

Add translation for the CONNMARK target to nftables.

The following options have no available translation:

--save-mark [--nfmask nfmask] [--ctmask ctmask]
--restore-mark [--nfmask nfmask] [--ctmask ctmask]

Examples:

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set 0x16

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and 0xffffffed

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
nft add rule ip mangle PREROUTING counter ct mark set mark

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
  --mask 0x12
nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
nft add rule ip mangle PREROUTING counter meta mark set ct mark

# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
  --mask 0x12
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12

Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_MARK: Add translation for revision 1 to nft
  Author: Roberto García | Date: 2016-06-22 | Files: 1 (-2/+26)

Add translation for revision 1 of the MARK target to nft.

Examples:

# iptables-translate -t mangle -A PREROUTING -j MARK --set-mark 0x64
nft add rule ip mangle PREROUTING counter meta mark set 0x64

# iptables-translate -t mangle -A PREROUTING -j MARK --and-mark 0x64
nft add rule ip mangle PREROUTING counter meta mark set mark and 0x64

# iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
nft add rule ip mangle PREROUTING counter meta mark set mark or 0x64

Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: NETMAP: fix iptables-save output
  Author: Florian Westphal | Date: 2016-06-17 | Files: 2 (-8/+22)

NETMAP_print is also used by its .save hook so this change broke
iptables-save output.

Revert the patch, rename NETMAP_print to __NETMAP_print and use that as
the workhorse for both xtables -L and xtables-save. The addition of the
'to' prefix is done in the .print hook only.

Reported-by: Shivani Bhardwaj <shivanib134@gmail.com>
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes: 90becf12bd5823b6d59d32d ("extensions: NETMAP: add ' to:' prefix when printing NETMAP target")
Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: libxt_MARK: Add translation to nft
  Author: Roberto García | Date: 2016-06-14 | Files: 1 (-0/+23)

Add translation for the MARK target to nftables.

Examples:

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
nft add rule ip mangle OUTPUT counter meta mark set 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32
nft add rule ip mangle OUTPUT counter meta mark set mark xor 0x40 and 0x32

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --or-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark or 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --and-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark and 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --xor-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark xor 0x40

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_cgroup: Add translation to nft
  Author: Laura Garcia Liebana | Date: 2016-06-14 | Files: 1 (-0/+28)

Add translation for cgroup to nft. Path parameter not supported in nft
yet.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup 0 counter accept

$ sudo iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup != 0 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>