summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* Fixed some man pages typos ('This modules' -> 'This module')HEADmasterÁlvaro Santos8 days3-3/+3
| | | | | Signed-off-by: Álvaro Santos <aa.santos@campus.fct.unl.pt> Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: AUDIT: fix man-page typo.Jeremy Sowden2019-12-301-1/+1
| | | | | | | | | | A recent commit fixed uses of "allows to" in man-pages. There was one instance where the "to" was removed but the "allows" was left behind. Remove that as well. Fixes: 3b9b515618c6 ("iptables: cleanup "allows to" usage") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: among: Check call to fstat()Phil Sutter2019-12-061-1/+5
| | | | | | If this fails, a bogus length value may be passed to mmap(). Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
* extensions: cluster: Avoid undefined shiftPhil Sutter2019-12-061-1/+1
| | | | | | | Value 1 is signed by default and left-shifting by 31 is undefined for those. Fix this by marking the value as unsigned. Fixes: 64a0e09894e52 ("extensions: libxt_cluster: Add translation to nft")
* extensions: time: Avoid undefined shiftPhil Sutter2019-12-061-1/+1
| | | | | | | Value 1 is signed by default and left-shifting by 31 is undefined for those. Fix this by marking the value as unsigned. Fixes: ad326ef9f734a ("Add the libxt_time iptables match")
* extensions: libxt_sctp: add manpage descriptionLaurence J. Lane2019-12-051-0/+1
| | | | | | | | | | | | Add manpage description. Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: manpages: cleanup hyphensLaurence J. Lane2019-12-059-10/+10
| | | | | | | | | | | | Cleanup, scape hyphens so they are not interpreted by the manpage generator. Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: cleanup "allows to" usageLaurence J. Lane2019-12-057-7/+7
| | | | | | | | | | | | Gramatical cleanup. Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: CLUSTERIP: Mark as deprecated in man pagePhil Sutter2019-12-041-0/+3
| | | | | | | Kernel even warns if being used, reflect its state in man page, too. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* nft: bridge: Rudimental among extension supportPhil Sutter2019-11-252-0/+259
| | | | | | | | | Support among match as far as possible given the limitations of nftables sets, namely limited to homogeneous MAC address only or MAC and IP address only matches. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_SYNPROXY: add xlate methodJose M. Guisado Gomez2019-10-012-0/+25
| | | | | | | | This adds translation capabilities when encountering SYNPROXY inside iptables rules. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix iptables-{nft,translate} with conntrack EXPECTEDQuentin Armitage2019-09-202-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED outputs: nft add rule ip filter INPUT ct status expected,assured counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED produces nft list output: chain INPUT { ct status expected,assured counter packets 0 bytes 0 accept } which are correct. However, iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft # -A INPUT -m conntrack --ctstatus EXPECTED and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { counter packets 0 bytes 0 accept } neither of which is what is desired. Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft" included the following code in _conntrack3_mt_xlate(): if (sinfo->match_flags & XT_CONNTRACK_STATUS) { if (sinfo->status_mask == 1) return 0; ... If the intention had been not to produce output when status_mask == 1, it would have been written as: if (sinfo->status_mask == IPS_EXPECTED) return 0; so it looks as though this is debugging code accidently left in the original patch. Removing the lines: if (sinfo->status_mask == 1) return 0; resolves the problems, and iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs: nft add rule ip filter INPUT ct status expected counter and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft list output: chain INPUT { ct status expected counter packets 0 bytes 0 accept } This commit also includes an additional txlate test to check when only the status EXPECTED is specified. Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft") Signed-off-by: Quentin Armitage <quentin@armitage.org.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: fix over-eager -o checks on custom chainsFlorian Westphal2019-09-121-0/+17
| | | | | | | | | | | | | | | | Arturo reports ebtables-nft reports an error when -o is used in custom chains: -A MYCHAIN -o someif makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains." Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active. Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347 Signed-off-by: Florian Westphal <fw@strlen.de>
* netfilter: hashlimit: prefer PRIu64 to avoid warnings on 32bit platformsDuncan Roe2019-09-121-1/+1
| | | | | | | I found this patch attached to an older BZ, apply this finally... Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1107 Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Note REDIRECT case of no IP addressJoseph C. Sible2019-08-211-1/+2
| | | | | | | | | | If an IP packet comes in on an interface that lacks a corresponding IP address (which happens on, e.g., the veth's that Project Calico creates), attempting to use REDIRECT on it will cause it to be dropped. Take note of this in REDIRECT's documentation. Signed-off-by: Joseph C. Sible <josephcsible@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_infoJuliana Rodrigueiro2019-08-201-12/+28
| | | | | | | | | | | | | | | | When running a 64-bit kernel with a 32-bit iptables binary, the size of the xt_nfacct_match_info struct diverges. kernel: sizeof(struct xt_nfacct_match_info) : 40 iptables: sizeof(struct xt_nfacct_match_info)) : 36 This patch is the userspace fix of the memory misalignment. It introduces a v1 ABI with the correct alignment and stays compatible with unfixed revision 0 kernels. Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions/libxt_MASQUERADE.man: random and random-fully are now identicalFlorian Westphal2019-07-111-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_owner: Add supplementary groups optionLukasz Pawelczyk2019-06-193-7/+25
| | | | | | | | The --suppl-groups option causes GIDs specified with --gid-owner to be also checked in the supplementary groups of a process. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: SYNPROXY: should not be needed anymore on current kernelsFlorian Westphal2019-05-081-0/+2
| | | | | | | SYN packets do not require taking the listener socket lock anymore as of 4.4 kernel, i.e. this target should not be needed anymore. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_osf.: Typo in manpageSam Banks2019-04-051-1/+1
| | | | | Signed-off-by: Sam Banks <sam.banks.nz@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Install symlinks as suchPhil Sutter2019-04-031-4/+11
| | | | | | | | | | | | Fake shared objects which are actually symlinks to others are installed using 'install' tool which follows them and therefore installs a copy of the file they point at. Fix this by introducing special handling for them in install target. Reported-by: Wenle Chen <solachenclever@hotmail.com> Fixes: 269655d54e22f ("build: remove symlink-only extensions from static object list") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: connlabel: Fallback on missing connlabel.confPhil Sutter2019-03-083-32/+48
| | | | | | | | | | | | If connlabel.conf was not found, fall back to manually parsing arguments as plain numbers. If nfct_labelmap_new() has failed, nfct_labelmap_get_name() segfaults. Therefore make sure it is not called in connlabel_get_name() if that's the case. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Add testcase for libxt_ipvsPhil Sutter2019-02-221-0/+20
| | | | | | | Given that it is fixed now, make it stay. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Fix ipvs vproto option printingPhil Sutter2019-02-221-1/+1
| | | | | | | | | This was broken since day 1: vproto option was printed as 'proto' which in turn iptables wouldn't accept anymore. Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Fix ipvs vproto parsingPhil Sutter2019-02-221-4/+1
| | | | | | | | | | | | | | This was broken by integration into guided option parser: * Make 'vproto' option XTTYPE_PROTOCOL, otherwise its arguments are parsed as garbage only. * Drop O_VPROTO case from ipvs_mt_parse(), due to XTOPT_POINTER() and above change there is nothing to do for it in there. Fixes: 372203af4c70f ("libxt_ipvs: use guided option parser") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: AUDIT: Document ineffective --type optionPhil Sutter2019-02-221-2/+4
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "ebtables: use extrapositioned negation consistently"Phil Sutter2019-02-0516-67/+59
| | | | | | | | | | | | | | | | | | | | | | | This reverts commit 5f508b76a0cebaf91965ffa678089222e2d47964. While attempts at unifying syntax between arp-, eb- and iptables-nft increase the opportunity for more code-sharing, they are problematic when it comes to compatibility. Accepting the old syntax on input helps, but due to the fact that neither arptables nor ebtables support --check command we must expect for users to test existence of a rule by comparing input with output. If that happens in a script, deviating from the old syntax in output has a high chance of breaking it. Therefore revert Florian's patch changing inversion character position in output and review the old code for consistency - the only thing changed on top of the actual revert is ebtables' own copy of print_iface() to make it adhere to the intrapositioned negation scheme used throughout ebtables. Added extension tests by the reverted commit have been kept. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: Fix arptables extension testsPhil Sutter2019-02-014-10/+10
| | | | | | | | | | | With changes to arptables-nft output, many of these tests fail because rules are not printed as expected anymore. Since most of the tests with explicitly defined output did so just because of added --h-length and --h-type options, adjust input a little more (typically reordering of arguments) to make output match input. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables-nft: Fix CLASSIFY target printingPhil Sutter2019-01-311-13/+46
| | | | | | | | | In legacy arptables, CLASSIFY target is not printed with fixed hex number lengths. Counter this by introducing a dedicated target definition for NFPROTO_ARP only having own print/save callbacks. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables-nft: Fix MARK target parsing and printingPhil Sutter2019-01-311-0/+95
| | | | | | | | | | | | | Legacy arptables parses mark values in hex no matter if prefixed with '0x' or not. Sadly, this is not easily achievable with guided option parser. Hence fall back to the old 'parse' callback. The introduced target definition is valid only for revision 2, but that's consistent with legacy arptables. When printing, use --set-mark option instead of --set-xmark. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: TRACE: Point at xtables-monitor in documentationPhil Sutter2018-12-181-7/+14
| | | | | | | | With iptables-nft, logging of trace events is different from legacy. Explain why and hint at how to receive events in this case. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libipt_realm: Document allowed realm valuesPhil Sutter2018-12-031-0/+2
| | | | | | | | | Older versions of iptables allowed for negative realm values by accident (they would be cast to unsigned). While this was clearly a bug, document the fixed behaviour. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Don't use native nftables commentsPhil Sutter2018-11-271-0/+2
| | | | | | | | | | | | | | | The problem with converting libxt_comment into nftables comment is that rules change when parsing from kernel due to comment match being moved to the end of the match list. And since match ordering matters, the rule may not be found anymore when checking or deleting. Apart from that, iptables-nft didn't support multiple comments per rule anymore. This is a compatibility issue without technical reason. Leave conversion from nftables comment to libxt_comment in place so we don't break running systems during an update. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_mh: fix bogus translation errorPablo Neira Ayuso2018-11-191-2/+2
| | | | | | | | | libip6t_mh.txlate: Fail src: ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT exp: nft add rule ip6 filter INPUT meta l4proto 135 mh type 1 counter accept res: nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* arptables-nft: use generic expression parsing functionFlorian Westphal2018-11-181-2/+2
| | | | | | | | | | | | | | | | | since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708 ("xtables: merge {ip,arp}tables_command_state structs") arptables uses the shared representation. With only minor changes (e.g., use generic counters in command_state), in print/save functions we can use the shared nftnl expression parser too. arptables-legacy prints (-L) the jump target first, i.e.: -j MARK -d 0.0.0.0/8 --h-length 6 ... ... so keep that here too. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: format-security fixes in libip[6]t_icmpAdam Gołębiowski2018-11-142-3/+3
| | | | | | | | | | | commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") introduced support for gcc feature to check format string against passed argument. This commit adds missing bits to extenstions's libipt_icmp.c and libip6t_icmp6.c that were causing build to fail. Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: vlan: fix userspace/kernel headers collisionBaruch Siach2018-11-131-0/+1
| | | | | | | | | | | | | | | | | | | | | | Build with musl libc fails because of conflicting struct ethhdr definitions: In file included from .../sysroot/usr/include/net/ethernet.h:10:0, from ../iptables/nft-bridge.h:8, from libebt_vlan.c:18: .../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’ struct ethhdr { ^~~~~~ In file included from libebt_vlan.c:16:0: .../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here struct ethhdr { ^~~~~~ Include the userspace header first for the definition suppression logic to do the right thing. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add 'printf' attribute to xlate_addFlorian Westphal2018-11-124-13/+13
| | | | | | | | | | | | | | This allows gcc to check format string vs. passed arguments. Fix the fallout from this as well, typical warning produced is: libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=] xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ... ~^ ~~~~~~~~~~ so add the required casts or fixup format strings as needed. libxt_conntrack also passed an unneeded argument (port), so remove that. Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: add test casesFlorian Westphal2018-11-124-0/+27
| | | | | | | | | | | | | | | | Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like broken output, however, arptables classic did not pretty-print either. Also add test cases for all targets supported by the original arptables tool: -j CLASSIFY -j MARK -j mangle [ yes, mangle target is lower-case 8-( ] Signed-off-by: Florian Westphal <fw@strlen.de>
* arptables: use ->save for arptables-save, like xtablesFlorian Westphal2018-11-122-34/+19
| | | | | | | | | | | | | arptables-save will show -A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff as --h-length 6 --h-type Ethernet -j MARK MARK set 0x1 Because it uses ->print() instead of ->save(). Switch it to use ->save, we can then also drop special handling of CLASSIFY target. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: test protocol and interface negationFlorian Westphal2018-11-122-0/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: use extrapositioned negation consistentlyFlorian Westphal2018-11-1216-49/+79
| | | | | | | | | | | | | | in the iptables universe, we enforce extrapositioned negation: ! -i foo "-i ! foo" is not even supported anymore. At least make sure that ebtables prints the former syntax everywhere as well so we don't have a mix of both ways. Parsing of --option ! 42 will still work for backwards compat reasons. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-0711-74/+21
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip: fix tos negationFlorian Westphal2018-11-052-3/+7
| | | | | | | | passing ->tos as uintmax_t will clear adjacent fields in the structure, including invflags. Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libebt_ip6: fix ip6-dport negationFlorian Westphal2018-11-052-1/+2
| | | | | Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-tests: add % to run iptables commandsPablo Neira Ayuso2018-11-031-4/+4
| | | | | | | Lines starting by % allows you to run iptables commands, use it for rateest test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-nft: add arpreply targetFlorian Westphal2018-11-032-0/+110
| | | | | | Unfortunately no nft translation available so far. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add redirect test caseFlorian Westphal2018-11-032-1/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: add test casesFlorian Westphal2018-11-0311-0/+89
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables: relax -t table restriction, add snat/dnat test casesFlorian Westphal2018-11-032-0/+9
| | | | | | | | | | | | | | Its artificial and prevents test cases that need to add rules to a different table from working. The test script generates: -A PREROUTING -t nat ... which works fine for iptables and ip6tables. Just accept it for ebtables too and add test cases for snat and dnat. Signed-off-by: Florian Westphal <fw@strlen.de>