| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
libxt_conntrack.c:1292: warning: the comparison will always evaluate as
false for the address of origsrc_addr will never be NULL [-Waddress]
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
There are new chunks added in Linux SCTP not being traced by iptables.
This patch introduces the following chunks for tracing:
I_DATA, I_FORWARD_TSN (RFC8260), RE_CONFIG(RFC6525) and PAD(RFC4820)
Signed-off-by: Yuxuan Luo <luoyuxuan.carl@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The library "owns" this structure and maintains 'afinfo' pointer to
instances of it. With libxt_set, there's even an extension making use of
the data.
To avoid impact on library users, guard it by XTABLES_INTERNAL.
To eliminate the xshared.h include by libxt_set, DEBUGP has to be
redefined. Other extensions have similar defines, fix this later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Some minor fixes were necessary:
* --algo is printed after the pattern
* Second long string test must fail, that string is 129 chars long
* --from 0 and --to 65535 are not printed (default values)
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Compare against sizeof(info->pattern) which is more clear than having
to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE
* Invert the check and error early to reduce indenting
* Pass info->patlen to memcpy() to avoid reading past end of 's'
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Default value is UINT16_MAX, not 0. Fix the conditional printing.
Fixes: c6fbf41cdd157 ("update string match to reflect new kernel implementation (Pablo Neira)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
These weren't used anywhere before. At least ensure they are only
allowed where claimed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
A little convenience to prepare a build for analysis with gcov/gprof.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Help text already contains it, so no update needed there.
Fixes: 127647892c7ca ("extensions: libipt_LOG/libip6t_LOG: support macdecode option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Stating the option again in the first (single?) sentence is pointless.
Get rid of that initial half-sentence in MASQUERADE options and unify
the texts a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Have a versatile __NAT_print() function providing enough flexibility for
DNAT and REDIRECT, IPv4 and IPv6 and 'print' and 'save' output. Then
define macros to simplify calling it.
As a side effect, this fixes ip6tables DNAT revision 1 print output.
Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
It will be referenced by xtables_printhelp() if printing for arptables
and therefore must be present in legacy as well even if unused.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: f4b737fb0c52a ("libxt_MARK r2")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Unless as part of a range, service names may be used. Point this out to
avoid confusion.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Code is very similar, join them to reuse parsing code at least.
As a side-effect, this enables parsing of service names for ports in
DNAT as well as using port number 0 as that's what REDIRECT allows.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Make parse_to() family-aware so it serves for both IPv4 and IPv6. Have a
core _DNAT_parse() function which parses into the most modern
(nf_nat_range2) data structure and a bunch of wrappers to copy into
legacy data structures if needed. Treat other callbacks analogous.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Prepare for merge of libipt and libip6t DNAT extensions, allow for
better code review.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Make use of the new sprint_range() to introduce a common inner function
for both v1 and v2 xlate functions.
Also abort translation with shifted port ranges to not hide the missing
feature in nftables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Turn print_range() function into sprint_range() so it becomes more
versatile. Make it accept the new nf_nat_range2 data structure and
make v1 callers convert their nf_nat_ipv4_multi_range_compat structs
to that.
This allows to introduce an inner __DNAT_print() which acts for v1 and
v2 and prints either 'print' or 'save' syntax.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use v2 parser for both and copy field values into v1 data structure if
needed.
While being at it:
* Introduce parse_ports() function similar to the one in
libipt_REDIRECT.c.
* Use xtables_strtoui() in the above instead of atoi() for integrated
range checking.
* Parse IP addresses using inet_pton(), writing directly into
struct nf_nat_range2 fields.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f25b2355e889290879c8cecad3dd24ec0c384fb8.
The workaround is not needed anymore since commit 30b178b9bf11e
("extensions: *NAT: Kill multiple IPv4 range support").
While being at it, drop the same hidden flag logic from
libip6t_[SD]NAT extensions as well and just don't set XTOPT_MULTI so
guided option parser will reject multiple parameters automatically.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
This wasn't mentioned anywhere.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
iptables-legacy and iptable-nft have different results for these tests.
Now that it is possible to specify the expected results correctly, we
can enable the tests.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some test results are not consistent between variants:
* CLUSTERIP is not supported with nft_compat, so all related tests fail
with iptables-nft.
* iptables-legacy mandates TCPMSS be combined with SYN flag match,
iptables-nft does not care. (Or precisely, xt_TCPMSS.ko can't validate
match presence.)
Introduce an optional fourth test spec field to specify the variant it
applies to. Consequently, the opposite result is expected with the other
variant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
The deprecation warning for `--nflog-range` contains a spelling mistake.
Fix it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When printing out NFLOG targets an extra space was inserted between
`--nflog-prefix` and the prefix itself:
$ sudo /usr/sbin/iptables -A INPUT -j NFLOG --nflog-prefix test
$ sudo /usr/sbin/iptables-save | grep NFLOG
-A INPUT -j NFLOG --nflog-prefix test
^^
Fixes: 73866357e4a7 ("iptables: do not print trailing whitespaces")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The `iptables-save` includes an extra space between `--nflog-prefix` and
the prefix.
The maximum length of prefixes includes the trailing NUL character.
NFLOG silently truncates prefixes which exceed the maximum length.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft has no equivalent to `--nflog-range`, so we cannot emulate it and
the Python unit-tests for it fail. However, since `--nflog-range` is
broken and doesn't do anything, the tests are not testing anything
useful.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com>
Signed-off-by: Alex Forster <aforster@cloudflare.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replaces the use of xt_NFLOG with the nft built-in log statement.
This additionally adds support for using longer log prefixes of 128
characters in size. Until now NFLOG has truncated the log-prefix to the
64-character limit supported by iptables-legacy. We now use the struct
xtables_target's udata member to store the longer 128-character prefix
supported by iptables-nft.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com>
Signed-off-by: Alex Forster <aforster@cloudflare.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is the year of the great revolution, nobody cares about kernel
versions below 2.6.11 anymore. Time to get rid of the cruft.
While being at it, drop the explicit duplicate argument check and
instead just remove XTOPT_MULTI flag from the respective
xt_option_entry.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In an attempt to fix for failing hashlimit tests with HZ=100, the
expected failures were changed so they are expected to pass and the
parameters changed to seemingly fix them. Yet while the new parameters
worked on HZ=100 systems, with higher tick rates they didn't so the
observed problem moved from the test failing on HZ=100 to failing on
HZ=1000 instead.
Kernel's error message "try lower: 864000000/5" turned out to be a red
herring: The burst value does not act as a dividor but a multiplier
instead, so in order to lower the overflow-checked value, a lower burst
value must be chosen. Inded, using a burst value of 1 makes the kernel
accept the rule in both HZ=100 and HZ=1000 configurations.
Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Just a few minor language fixes.
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Listing the extension using 'iptables -L', there was no space between
'MAC' and the following Address.
Reported-by: Adam Wójcik <a.wojcik@hyp.home.pl>
Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not
overflow in kernel, making the test unstable depending on kernel config.
Change it to not overflow with 1000Hz either by increasing the burst
value by a factor of 100.
Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Here is the problem:
[]# nft -v
nftables v0.9.8 (E.D.S.)
[]# iptables-nft -v
iptables v1.8.7 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
[]# nft flush ruleset
[]# ip6tables-nft -t nat -A POSTROUTING -j MASQUERADE --random-full
[]# nft list ruleset
table ip6 nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 masquerade random-fully
}
}
[]# nft list ruleset > /tmp/ruleset
[]# nft flush ruleset
[]# nft -f /tmp/ruleset
/tmp/ruleset:4:54-54: Error: syntax error, unexpected newline
counter packets 0 bytes 0 masquerade random-fully
That's because nft list ruleset saves "random-fully" which is wrong
format for nft -f, right should be "fully-random".
We face this problem because we run k8s in Virtuozzo container, and k8s
creates those "random-fully" rules by iptables(nft) and then CRIU can't
restore those rules using nft.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add a translation for -m multiport --ports. Extend the existing testcase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Available since nftables 0.9.9. For example:
# iptables-translate -I INPUT -m state ! --state NEW,INVALID
nft insert rule ip filter INPUT ct state ! invalid,new counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use the new flags match representation available since nftables 0.9.9
to simplify the translation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds a translation for connlimit matches which requires
the definition of a set and the family context (either IPv4 or IPv6)
which is required to display the netmask accordingly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
If the target buffer does not need to be null-terminated, one may simply
use memcpy() and thereby avoid any compiler warnings.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
This wraps strdup(), checking for errors.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
The code was almost identical and suffered from the same problem as
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
corruption bugs").
The only functional change this involves is ebt_parse_ip6_address() will
now accept hostnames as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
They are being assigned to but never read.
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
The translation is not fully complete as it is not possible to map 'any'
match type into nft syntax with a single rule. Also, 'only' match type
translation is a bit poor as it explicitly lists all chunk types that
are supposed to be missing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
If both sport and dport was present, incorrect nft syntax was generated.
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
The changed data structure for communication with kernel allows to
exclude the field 'secid' which is populated on kernel side. Thus
this fixes the formerly always failing extension comparison breaking
rule check and rule delete by content.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Both functions are obsolete, replace them by equivalent calls to
inet_pton() and inet_ntop().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
They weren't mentioned at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
