summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: add and use mac print helpersFlorian Westphal2018-11-0711-74/+21
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip: fix tos negationFlorian Westphal2018-11-052-3/+7
| | | | | | | | passing ->tos as uintmax_t will clear adjacent fields in the structure, including invflags. Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip6: fix ip6-dport negationFlorian Westphal2018-11-052-1/+2
| | | | | Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-tests: add % to run iptables commandsPablo Neira Ayuso2018-11-031-4/+4
| | | | | | | Lines starting by % allows you to run iptables commands, use it for rateest test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-nft: add arpreply targetFlorian Westphal2018-11-032-0/+110
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add redirect test caseFlorian Westphal2018-11-032-1/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add test casesFlorian Westphal2018-11-0311-0/+89
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: relax -t table restriction, add snat/dnat test casesFlorian Westphal2018-11-032-0/+9
| | | | | | | | | | | | | | Its artificial and prevents test cases that need to add rules to a different table from working. The test script generates: -A PREROUTING -t nat ... which works fine for iptables and ip6tables. Just accept it for ebtables too and add test cases for snat and dnat. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: fix -j CONTINUE handling for add/deleteFlorian Westphal2018-11-031-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables, you can do either ebtables -A INPUT or ebtables -A INPUT -j CONTINUE both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side). However, the temprary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target(). When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules. So when doing -I INPUT -j CONTINUE -D INPUT -j CONTINUE the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary represenation doesn't. Fix it by ignoring 'CONTINUE' on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add basic ebtables test supportFlorian Westphal2018-11-031-0/+6
| | | | | | | now that we have ebtables-save, lets add test cases for ebtables-nft as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-nft: fix bogus handling of zero saddr/daddrFlorian Westphal2018-11-032-0/+9
| | | | | | | | | | | | | rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter). Fix this and add test cases too. This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287 Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix for matching rules with wildcard interfacesPhil Sutter2018-11-011-0/+4
| | | | | | | | | | | | | | Due to xtables_parse_interface() and parse_ifname() being misaligned regarding interface mask setting, rules containing a wildcard interface added with iptables-nft could neither be checked nor deleted. As suggested, introduce extensions/iptables.t to hold checks for built-in selectors. This file is picked up by iptables-test.py as-is. The only limitation is that iptables is being used for it, so no ip6tables-specific things can be tested with it (for now). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: limit: unbreak build without libnftnlFlorian Westphal2018-10-241-1/+0
| | | | | | | | | | Lars Wendler reported 1.8.1 build failure when trying to build without nft backend: In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory Reported-by: Lars Wendler <polynomial-c@gentoo.org> Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c") Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-202-3/+2
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-202-5/+5
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-191-23/+2
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* extensions: cgroup: fix option parsing for v2Pablo Neira Ayuso2018-10-091-1/+19
| | | | | | | | Structure layout is different, therefore a new struct xt_option_entry is needed. Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-091-2/+23
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libebt_ip{, 6}: Drop pointless error checkingPhil Sutter2018-09-242-8/+0
| | | | | | | | | Since info->protocol is of type __u8, its value will never become -1. Apart from that, xtables_parse_protocol() calls xt_params->exit_err() in case of error, so this code is dead anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_time: Drop initialization of variable 'year'Phil Sutter2018-09-241-4/+4
| | | | | | | | | The variable is not read before being assigned the return value of strtoul(), thefore the initialization is useless. And since after this change parameter 'end' becomes unused, drop it as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_ipvs: Avoid potential buffer overrunPhil Sutter2018-09-241-10/+12
| | | | | | | | | Just like with libxt_conntrack, get rid of the temporary buffer. The comment even states that it was copied from there, so just make them identical again. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Avoid potential buffer overrunPhil Sutter2018-09-241-7/+7
| | | | | | | | | | In print_addr(), a resolved hostname is written into a buffer without size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an issue, though covscan complained about it. Fix the code by using conntrack_dump_addr() as an example. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTIONPhil Sutter2018-09-241-8/+0
| | | | | | | | | | Since sinfo->flags is only 8 bytes large, checking for XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return false, so drop this dead code. Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_LED: Avoid string overrun while parsing led-trigger-idPhil Sutter2018-09-241-2/+1
| | | | | | | | Instead of using strcat() and assuming the name will fit, print into the buffer using snprintf() which truncates the string as needed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Mark fall through cases in switch() statementsPhil Sutter2018-09-242-15/+18
| | | | | | | | | | | | Typical covscan complaint, non-empty fall throughs should be marked as such. There was but a single case which should break instead, namely in libebt_log.c: It is not critical, since the next case merely asserts 'invert' being zero (which can't be as it was checked before). But while being at it, introduce log_chk_inv() to consolidate the semantically equal cases for the various log types. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Integrate getethertype.c from xtables corePhil Sutter2018-09-242-142/+2
| | | | | | | | | | | | | | This moves getethertype.c into libxtables so that both extensions and xtables-nft-multi may use the implementations therein. New users are libebt_arp and libebt_vlan which drop their own duplicated implementations of getethertypebyname() for the shared one. This change originated from a covscan report of extensions' implementations not checking fopen() return value which should be implicitly fixed by this as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_string: Fix array out of bounds checkPhil Sutter2018-09-181-2/+4
| | | | | | | | | | | | | | | | | | Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access") tried to fix parse_hex_string() for overlong strings but the change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE which leads to access of first byte after info->pattern. This is not really a problem because it merely overwrites info->patlen before calling xtables_error() later, but covscan still detects it so it's still worth fixing. The crucial bit here is that 'sindex' has to be incremented at end of the last iteration since its value is used for info->patlen. Hence just move the overflow check to the beginning of the loop. Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add cgroup revision 2Pablo Neira Ayuso2018-09-181-0/+76
| | | | | | Just like revision v1, but cgroup path field is smaller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: REJECT: Merge reject tablesPhil Sutter2018-09-132-111/+112
| | | | | | | | | | | | Initial motivation for this was a covscan report for potential array out of bounds access in REJECT_xlate (a false-positive, because all possible values of reject->with occur in reject_table_xlate). Use reject types as array indices of reject_table so that reject->with serves as array index. Also merge reject_table_xlate into it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_string: Avoid potential array out of bounds accessPhil Sutter2018-09-131-2/+1
| | | | | | | | | | | The pattern index variable 'sindex' is bounds checked before incrementing it, which means in the next loop iteration it might already match the bounds check condition but is used anyway. Fix this by incrementing the index before performing the bounds check. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Improve layout of u32 instructionsJoseph C. Sible2018-09-101-10/+15
| | | | | | | | Make it more clear where the instruction ends, and where what it does begins. Signed-off-by: Joseph C. Sible <josephcsible@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* ip6tables-translate: Fix libip6t_mh.txlate testPhil Sutter2018-08-241-2/+2
| | | | | | | | | Layer 4 protocol name "mobility-header" is not known by nft, so it's neither printed nor accepted on input. Hence fix the test instead of code. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-translate: Fix for libebt_limit.txlatePhil Sutter2018-08-241-1/+9
| | | | | | | | | The xlate function sharing here does not quite work since in ebtables-translate, extensions are supposed to append whitespace. Fix this by introducing a simple wrapper. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libebt_mark: Drop mark_supplied checkPhil Sutter2018-08-241-7/+0
| | | | | | | | | | | | | | | | Use of this static variable causes trouble as it affects all instances of this target. So calling xs_init_target() for one instance invalidates all the others. Moving the variable into target private data seems not possible since that would change the target's size and therefore it wouldn't match anymore with what kernel expects. So just get rid of it entirely. If a user "forgets" to set a mark value, the default value of zero applies. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: AUDIT: Provide translationPhil Sutter2018-08-242-0/+19
| | | | | | | | | With audit logging being supported by nftables as a simple (fake) log level, translating AUDIT target is easy. Especially since xt_AUDIT in kernel doesn't quite care about --type parameter. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix for segfault when registering hashlimit extensionHeena Sirwani2018-08-211-0/+1
| | | | | | | | | | | | This patch fixes the crash when registering the hashlimit extension with xtables during init_extensions(when built with static libs) . The option validation function xtables_option_metavalidate has a loop termination condition of the entry name being NULL. The loop does not terminate when validating hashlimit_mt_opts_v2 which causes a crash on derefencing an invalid entry. Signed-off-by: Heena Sirwani <heenasirwani@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: Drop extensions/libxt_mangle.cPhil Sutter2018-08-161-396/+0
| | | | | | | This was merely an outdated duplicate of extensions/libarpt_mangle.c. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: Merge libebt_limit.c into libxt_limit.cPhil Sutter2018-08-162-219/+88
| | | | | | | | | | | | | | | | | Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically also loads the NFPROTO_UNSPEC limit match. This is not a problem per se since match lookup will prefer the family-specific one, but when parsing unknown options, a match without 'parse' callback is encountered. Therefore do_commandeb() has to check existence of that callback prior to dereferencing it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* arptables: Fix for trailing spaces in outputPhil Sutter2018-08-041-24/+16
| | | | | | | | | | | | This changes mangle target to print whitespace before each option, not afterwards. This fixes any cases of trailing or double whitespace in arptables output. While being at it, introduce ipaddr_to() helper in libarpt_mangle.c to simplify arpmangle_print() a bit. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Consolidate DEBUGP macrosPhil Sutter2018-08-042-10/+2
| | | | | | | | | | | | | | | | | | This debug printing macro was defined in various places, always identical. Move it into xshared.h and drop it from sources including that header. There are a few exceptions: * iptables-xml.c did not include xshared.h, which this patch changes. * Sources in extensions and libiptc mostly left alone since they don't include xshared.h (and maybe shouldn't). Only libxt_set.h does, so it's converted, too. This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler warning. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: don't bother to build libebt/libarp extensions if nft backend ↵Florian Westphal2018-07-101-2/+2
| | | | | | | | was disabled Reported-by: Thomas Deutschmann <whissi@gentoo.org> Tested-by: Thomas Deutschmann <whissi@gentoo.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-nft: add stp matchFlorian Westphal2018-07-021-0/+391
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Fix spelling error in hashlimit sectionMajor Hayden2018-06-261-1/+1
| | | | | Signed-off-by: Major Hayden <major@mhtx.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: add arp match extensionFlorian Westphal2018-05-211-0/+490
| | | | | | no translation yet, might be doable with raw payload expressions though. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add redirect match extensionFlorian Westphal2018-05-211-0/+109
| | | | | | | | | | No translation. The kernel match will alter packet type (meta set pkttype), but also replace dst mac with the bridges' mac address, however nft currently doesn't allow to retrieve this at runtime. So just add this without the xlate part for now. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-compat: add nat match extensionsFlorian Westphal2018-05-214-0/+298
| | | | | | | | adds snat and dnat. Translation for snat isn't complete, the --snat-arp switch isn't supported so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: extend generic tests for masks and wildcardsFlorian Westphal2018-05-151-0/+15
| | | | | | This uncovered broken translation of ethernet + mask. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: ip6table-save: fix save of ip6 address masksFlorian Westphal2018-05-111-0/+2
| | | | | | | | ip6tables-save didn't include the masks. Furhermore, mask decoding used the ipv4 struct which caused it to write into parts of ipv6 saddr. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: suppress redundant protocolsFlorian Westphal2018-05-105-26/+26
| | | | | | | | | | | kernel would reject ip, ip6 etc. without -p ip, -p ip6. So add it. On reverse, search the match list to decide if -p has to be translated or not. Also, icmp and icmpv6 also imply l3 protocol, so no need to translate that either. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsidAhmed Abdelsalam2018-05-091-0/+2
| | | | | | | | This patch add some testcases for psid, nsid, and lsid matches into libip6t_srh.t Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>