| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
| |
With iptables-nft, logging of trace events is different from legacy.
Explain why and hint at how to receive events in this case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Older versions of iptables allowed for negative realm values by accident
(they would be cast to unsigned). While this was clearly a bug, document
the fixed behaviour.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem with converting libxt_comment into nftables comment is that
rules change when parsing from kernel due to comment match being moved
to the end of the match list. And since match ordering matters, the rule
may not be found anymore when checking or deleting. Apart from that,
iptables-nft didn't support multiple comments per rule anymore. This is
a compatibility issue without technical reason.
Leave conversion from nftables comment to libxt_comment in place so we
don't break running systems during an update.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
libip6t_mh.txlate: Fail
src: ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
exp: nft add rule ip6 filter INPUT meta l4proto 135 mh type 1 counter accept
res: nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708
("xtables: merge {ip,arp}tables_command_state structs") arptables
uses the shared representation.
With only minor changes (e.g., use generic counters in command_state),
in print/save functions we can use the shared nftnl expression parser
too.
arptables-legacy prints (-L) the jump target first, i.e.:
-j MARK -d 0.0.0.0/8 --h-length 6 ...
... so keep that here too.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
introduced support for gcc feature to check format string against passed
argument. This commit adds missing bits to extenstions's libipt_icmp.c
and libip6t_icmp6.c that were causing build to fail.
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Build with musl libc fails because of conflicting struct ethhdr
definitions:
In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
from ../iptables/nft-bridge.h:8,
from libebt_vlan.c:18:
.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
struct ethhdr {
^~~~~~
In file included from libebt_vlan.c:16:0:
.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
struct ethhdr {
^~~~~~
Include the userspace header first for the definition suppression logic
to do the right thing.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows gcc to check format string vs. passed arguments.
Fix the fallout from this as well, typical warning produced is:
libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=]
xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ...
~^ ~~~~~~~~~~
so add the required casts or fixup format strings as needed.
libxt_conntrack also passed an unneeded argument (port), so remove that.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like
broken output, however, arptables classic did not pretty-print either.
Also add test cases for all targets supported by the original
arptables tool:
-j CLASSIFY
-j MARK
-j mangle
[ yes, mangle target is lower-case 8-( ]
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arptables-save will show
-A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff
as
--h-length 6 --h-type Ethernet -j MARK MARK set 0x1
Because it uses ->print() instead of ->save().
Switch it to use ->save, we can then also drop special handling of
CLASSIFY target.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in the iptables universe, we enforce extrapositioned negation:
! -i foo
"-i ! foo" is not even supported anymore.
At least make sure that ebtables prints the former syntax everywhere as
well so we don't have a mix of both ways.
Parsing of --option ! 42 will still work for backwards compat reasons.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This changes ebtables-nft to consistently print mac
address with two characters, i.e.
00:01:02:03:04:0a, not 0:1:2:3:4:a.
Will require another bump of vcurrent/vage.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
passing ->tos as uintmax_t will clear adjacent fields in the structure,
including invflags.
Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Lines starting by % allows you to run iptables commands, use it for
rateest test.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Unfortunately no nft translation available so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Its artificial and prevents test cases that need to add rules
to a different table from working.
The test script generates:
-A PREROUTING -t nat
... which works fine for iptables and ip6tables.
Just accept it for ebtables too and add test cases
for snat and dnat.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-j CONTINUE can be added, but it can't be removed:
extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE)
This problem stems from silly ambiguity in ebtables-nft vs. iptables.
In iptables, you can do
iptables -A INPUT
(no -j)
in ebtables, you can do either
ebtables -A INPUT
or
ebtables -A INPUT -j CONTINUE
both are *supposed* to be the same (and they do the same even
in ebtables-nft on netlink side).
However, the temprary binary representation within ebtables-nft is not
the same: when parsing -j CONTINUE, we add a standard target, then omit
it later in _add_target().
When translating netlink representation to ebt binary one,
we do not add a standard target and instead just print '-j CONTINUE'
when listing rules.
So when doing
-I INPUT -j CONTINUE
-D INPUT -j CONTINUE
the -D operation fails because it has a standard target in the binary
representation, whereas the rule we obtained from translating
nftables netlink back to ebtables' binary represenation doesn't.
Fix it by ignoring 'CONTINUE' on parser side.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
now that we have ebtables-save, lets add test cases for ebtables-nft
as well.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check
mask (or negation, for that matter).
Fix this and add test cases too.
This also revealed an ip6tables-nft-save bug, it would print
' !-d', not '! -d'.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to xtables_parse_interface() and parse_ifname() being misaligned
regarding interface mask setting, rules containing a wildcard interface
added with iptables-nft could neither be checked nor deleted.
As suggested, introduce extensions/iptables.t to hold checks for
built-in selectors. This file is picked up by iptables-test.py as-is.
The only limitation is that iptables is being used for it, so no
ip6tables-specific things can be tested with it (for now).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Lars Wendler reported 1.8.1 build failure when trying to build without nft backend:
In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory
Reported-by: Lars Wendler <polynomial-c@gentoo.org>
Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
This is used from extensions and included in libxtables, so we have to
make them public.
Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
To avoid symbol pollution, place them under the xt_ and xtables_ prefix
name.
Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f.
Google folks are reporting some issues with 32-bits arch, let's revert
this until we have a new version for this.
|
|
|
|
|
|
|
|
| |
Structure layout is different, therefore a new struct xt_option_entry is
needed.
Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current xt_quota module cannot track the current remaining quota
of a specific rule. Everytime an unrelated rule is updated in the same
iptables table, the quota will be reset. This is not a very useful
function for iptables that get changed at run time. This patch fixes the
above problem by adding a new field in the struct that records the
current remaining quota.
Fixed a print out bug in verbose print out wrt. inversion.
Signed-off-by: Chenbo Feng <fengc@google.com>
Suggested-by: Maciej Żenczykowski <maze@google.com>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Since info->protocol is of type __u8, its value will never become -1.
Apart from that, xtables_parse_protocol() calls xt_params->exit_err() in
case of error, so this code is dead anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
The variable is not read before being assigned the return value of
strtoul(), thefore the initialization is useless. And since after this
change parameter 'end' becomes unused, drop it as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Just like with libxt_conntrack, get rid of the temporary buffer. The
comment even states that it was copied from there, so just make them
identical again.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Since sinfo->flags is only 8 bytes large, checking for
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return
false, so drop this dead code.
Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Instead of using strcat() and assuming the name will fit, print into the
buffer using snprintf() which truncates the string as needed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Typical covscan complaint, non-empty fall throughs should be marked as
such. There was but a single case which should break instead, namely in
libebt_log.c: It is not critical, since the next case merely asserts
'invert' being zero (which can't be as it was checked before). But while
being at it, introduce log_chk_inv() to consolidate the semantically
equal cases for the various log types.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This moves getethertype.c into libxtables so that both extensions and
xtables-nft-multi may use the implementations therein. New users are
libebt_arp and libebt_vlan which drop their own duplicated
implementations of getethertypebyname() for the shared one.
This change originated from a covscan report of extensions'
implementations not checking fopen() return value which should be
implicitly fixed by this as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds
access") tried to fix parse_hex_string() for overlong strings but the
change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE
which leads to access of first byte after info->pattern. This is not
really a problem because it merely overwrites info->patlen before
calling xtables_error() later, but covscan still detects it so it's
still worth fixing.
The crucial bit here is that 'sindex' has to be incremented at end of
the last iteration since its value is used for info->patlen. Hence just
move the overflow check to the beginning of the loop.
Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Just like revision v1, but cgroup path field is smaller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initial motivation for this was a covscan report for potential array out
of bounds access in REJECT_xlate (a false-positive, because all possible
values of reject->with occur in reject_table_xlate).
Use reject types as array indices of reject_table so that reject->with
serves as array index. Also merge reject_table_xlate into it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.
Fix this by incrementing the index before performing the bounds check.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Make it more clear where the instruction ends, and where
what it does begins.
Signed-off-by: Joseph C. Sible <josephcsible@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Layer 4 protocol name "mobility-header" is not known by nft, so it's
neither printed nor accepted on input. Hence fix the test instead of
code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The xlate function sharing here does not quite work since in
ebtables-translate, extensions are supposed to append whitespace. Fix
this by introducing a simple wrapper.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use of this static variable causes trouble as it affects all instances
of this target. So calling xs_init_target() for one instance invalidates
all the others.
Moving the variable into target private data seems not possible since
that would change the target's size and therefore it wouldn't match
anymore with what kernel expects.
So just get rid of it entirely. If a user "forgets" to set a mark value,
the default value of zero applies.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
With audit logging being supported by nftables as a simple (fake) log
level, translating AUDIT target is easy. Especially since xt_AUDIT in
kernel doesn't quite care about --type parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the crash when registering the hashlimit extension
with xtables during init_extensions(when built with static libs) .
The option validation function xtables_option_metavalidate has a
loop termination condition of the entry name being NULL. The loop
does not terminate when validating hashlimit_mt_opts_v2 which causes
a crash on derefencing an invalid entry.
Signed-off-by: Heena Sirwani <heenasirwani@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This was merely an outdated duplicate of extensions/libarpt_mangle.c.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both extensions were very similar already, but now that they both are
translated into native nftables code, their actual difference (i.e.
match size) doesn't matter anymore.
This change comes with one caveat: Since ebtables limit match is not in
its own file anymore, match preloading automatically also loads the
NFPROTO_UNSPEC limit match. This is not a problem per se since match
lookup will prefer the family-specific one, but when parsing unknown
options, a match without 'parse' callback is encountered. Therefore
do_commandeb() has to check existence of that callback prior to
dereferencing it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|