summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: Move struct xtables_afinfo into xtables.hPhil Sutter5 days2-1/+6
| | | | | | | | | | | | | The library "owns" this structure and maintains 'afinfo' pointer to instances of it. With libxt_set, there's even an extension making use of the data. To avoid impact on library users, guard it by XTABLES_INTERNAL. To eliminate the xshared.h include by libxt_set, DEBUGP has to be redefined. Other extensions have similar defines, fix this later. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: string: Fix and enable testsPhil Sutter2022-06-111-14/+7
| | | | | | | | | | Some minor fixes were necessary: * --algo is printed after the pattern * Second long string test must fail, that string is 129 chars long * --from 0 and --to 65535 are not printed (default values) Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: string: Review parse_string() functionPhil Sutter2022-06-111-7/+6
| | | | | | | | | | | * Compare against sizeof(info->pattern) which is more clear than having to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE * Invert the check and error early to reduce indenting * Pass info->patlen to memcpy() to avoid reading past end of 's' Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: string: Do not print default --to valuePhil Sutter2022-06-111-2/+2
| | | | | | | Default value is UINT16_MAX, not 0. Fix the conditional printing. Fixes: c6fbf41cdd157 ("update string match to reflect new kernel implementation (Pablo Neira)") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_standard.t: Test logical-{in,out} as wellPhil Sutter2022-06-111-0/+5
| | | | | | | These weren't used anywhere before. At least ensure they are only allowed where claimed. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Add --enable-profiling configure optionPhil Sutter2022-06-111-1/+1
| | | | | | A little convenience to prepare a build for analysis with gcov/gprof. Signed-off-by: Phil Sutter <phil@nwl.cc>
* treewide: use uint* instead of u_int*Nick Hainke2022-05-181-1/+1
| | | | | | | | | | | | | | | | | | | | Gcc complains about missing types. Some commits introduced u_int* instead of uint*. Use uint treewide. Fixes errors in the form of: In file included from xtables-legacy-multi.c:5: xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'? 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, | ^~~~~~~~~ | uint16_t make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1 Avoid libipq API breakage by adjusting libipq.h include accordingly. For arpt_mangle.h kernel uAPI header, apply same change as in kernel commit e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t"). Signed-off-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: LOG: Document --log-macdecode in man pagePhil Sutter2022-05-111-0/+3
| | | | | | | Help text already contains it, so no update needed there. Fixes: 127647892c7ca ("extensions: libipt_LOG/libip6t_LOG: support macdecode option") Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: *NAT: Review --random* option descriptionsPhil Sutter2022-05-114-20/+6
| | | | | | | | Stating the option again in the first (single?) sentence is pointless. Get rid of that initial half-sentence in MASQUERADE options and unify the texts a bit. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: DNAT: Merge core printing functionsPhil Sutter2022-05-111-31/+27
| | | | | | | | | | | Have a versatile __NAT_print() function providing enough flexibility for DNAT and REDIRECT, IPv4 and IPv6 and 'print' and 'save' output. Then define macros to simplify calling it. As a side effect, this fixes ip6tables DNAT revision 1 print output. Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Move arp_opcodes into shared spacePhil Sutter2022-05-111-1/+0
| | | | | | | It will be referenced by xtables_printhelp() if printing for arptables and therefore must be present in legacy as well even if unused. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: MARK: Drop extra newline at end of helpPhil Sutter2022-05-111-2/+1
| | | | | Fixes: f4b737fb0c52a ("libxt_MARK r2") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: man: Document service name support in DNAT and REDIRECTPhil Sutter2022-04-082-0/+3
| | | | | | | Unless as part of a range, service names may be used. Point this out to avoid confusion. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: Merge REDIRECT into DNATPhil Sutter2022-04-0812-380/+204
| | | | | | | | | Code is very similar, join them to reuse parsing code at least. As a side-effect, this enables parsing of service names for ports in DNAT as well as using port number 0 as that's what REDIRECT allows. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: Merge IPv4 and IPv6 DNAT targetsPhil Sutter2022-04-085-468/+218
| | | | | | | | | Make parse_to() family-aware so it serves for both IPv4 and IPv6. Have a core _DNAT_parse() function which parses into the most modern (nf_nat_range2) data structure and a bunch of wrappers to copy into legacy data structures if needed. Treat other callbacks analogous. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: DNAT: Rename from libipt to libxtPhil Sutter2022-04-081-0/+0
| | | | | | | Prepare for merge of libipt and libip6t DNAT extensions, allow for better code review. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Combine xlate functions alsoPhil Sutter2022-04-081-67/+21
| | | | | | | | | | Make use of the new sprint_range() to introduce a common inner function for both v1 and v2 xlate functions. Also abort translation with shifted port ranges to not hide the missing feature in nftables. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Merge v1/v2 print/save codePhil Sutter2022-04-081-65/+46
| | | | | | | | | | | Turn print_range() function into sprint_range() so it becomes more versatile. Make it accept the new nf_nat_range2 data structure and make v1 callers convert their nf_nat_ipv4_multi_range_compat structs to that. This allows to introduce an inner __DNAT_print() which acts for v1 and v2 and prints either 'print' or 'save' syntax. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: ipt_DNAT: Merge v1 and v2 parsersPhil Sutter2022-04-081-179/+111
| | | | | | | | | | | | | | | | Use v2 parser for both and copy field values into v1 data structure if needed. While being at it: * Introduce parse_ports() function similar to the one in libipt_REDIRECT.c. * Use xtables_strtoui() in the above instead of atoi() for integrated range checking. * Parse IP addresses using inet_pton(), writing directly into struct nf_nat_range2 fields. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"Phil Sutter2022-04-084-25/+4
| | | | | | | | | | | | | This reverts commit f25b2355e889290879c8cecad3dd24ec0c384fb8. The workaround is not needed anymore since commit 30b178b9bf11e ("extensions: *NAT: Kill multiple IPv4 range support"). While being at it, drop the same hidden flag logic from libip6t_[SD]NAT extensions as well and just don't set XTOPT_MULTI so guided option parser will reject multiple parameters automatically. Signed-off-by: Phil Sutter <phil@nwl.cc>
* man: DNAT: Describe shifted port range featurePhil Sutter2022-04-081-1/+4
| | | | | | This wasn't mentioned anywhere. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: NFLOG: enable `--nflog-range` testsJeremy Sowden2022-02-131-6/+6
| | | | | | | | | iptables-legacy and iptable-nft have different results for these tests. Now that it is possible to specify the expected results correctly, we can enable the tests. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: iptables-test: Support variant deviationPhil Sutter2022-02-102-3/+3
| | | | | | | | | | | | | | | | Some test results are not consistent between variants: * CLUSTERIP is not supported with nft_compat, so all related tests fail with iptables-nft. * iptables-legacy mandates TCPMSS be combined with SYN flag match, iptables-nft does not care. (Or precisely, xt_TCPMSS.ko can't validate match presence.) Introduce an optional fourth test spec field to specify the variant it applies to. Consequently, the opposite result is expected with the other variant. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_NFLOG: fix typoJeremy Sowden2022-01-201-1/+1
| | | | | | | | The deprecation warning for `--nflog-range` contains a spelling mistake. Fix it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_NFLOG: remove extra space when saving targets with prefixesJeremy Sowden2022-01-182-3/+3
| | | | | | | | | | | | | When printing out NFLOG targets an extra space was inserted between `--nflog-prefix` and the prefix itself: $ sudo /usr/sbin/iptables -A INPUT -j NFLOG --nflog-prefix test $ sudo /usr/sbin/iptables-save | grep NFLOG -A INPUT -j NFLOG --nflog-prefix test ^^ Fixes: 73866357e4a7 ("iptables: do not print trailing whitespaces") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-casesJeremy Sowden2022-01-181-4/+2
| | | | | | | | | | | | The `iptables-save` includes an extra space between `--nflog-prefix` and the prefix. The maximum length of prefixes includes the trailing NUL character. NFLOG silently truncates prefixes which exceed the maximum length. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_NFLOG: disable `--nflog-range` Python test-casesKyle Bowman2022-01-181-4/+6
| | | | | | | | | | | | nft has no equivalent to `--nflog-range`, so we cannot emulate it and the Python unit-tests for it fail. However, since `--nflog-range` is broken and doesn't do anything, the tests are not testing anything useful. Signed-off-by: Kyle Bowman <kbowman@cloudflare.com> Signed-off-by: Alex Forster <aforster@cloudflare.com> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOGKyle Bowman2022-01-181-0/+6
| | | | | | | | | | | | | | | Replaces the use of xt_NFLOG with the nft built-in log statement. This additionally adds support for using longer log prefixes of 128 characters in size. Until now NFLOG has truncated the log-prefix to the 64-character limit supported by iptables-legacy. We now use the struct xtables_target's udata member to store the longer 128-character prefix supported by iptables-nft. Signed-off-by: Kyle Bowman <kbowman@cloudflare.com> Signed-off-by: Alex Forster <aforster@cloudflare.com> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: *NAT: Kill multiple IPv4 range supportPhil Sutter2022-01-174-202/+106
| | | | | | | | | | | | It is the year of the great revolution, nobody cares about kernel versions below 2.6.11 anymore. Time to get rid of the cruft. While being at it, drop the explicit duplicate argument check and instead just remove XTOPT_MULTI flag from the respective xt_option_entry. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* extensions: tcpmss: add iptables-translate supportFlorian Westphal2021-11-282-0/+27
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: hashlimit: Fix tests with HZ=1000Phil Sutter2021-11-231-2/+2
| | | | | | | | | | | | | | | | | | In an attempt to fix for failing hashlimit tests with HZ=100, the expected failures were changed so they are expected to pass and the parameters changed to seemingly fix them. Yet while the new parameters worked on HZ=100 systems, with higher tick rates they didn't so the observed problem moved from the test failing on HZ=100 to failing on HZ=1000 instead. Kernel's error message "try lower: 864000000/5" turned out to be a red herring: The burst value does not act as a dividor but a multiplier instead, so in order to lower the overflow-checked value, a lower burst value must be chosen. Inded, using a burst value of 1 makes the kernel accept the rule in both HZ=100 and HZ=1000 configurations. Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Fix a few doc typosŠtěpán Němec2021-09-031-1/+1
| | | | | | | Just a few minor language fixes. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_mac: Fix for missing space in listingPhil Sutter2021-08-311-2/+2
| | | | | | | | | Listing the extension using 'iptables -L', there was no space between 'MAC' and the following Address. Reported-by: Adam Wójcik <a.wojcik@hyp.home.pl> Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: hashlimit: Fix tests with HZ=100Phil Sutter2021-08-101-4/+2
| | | | | | | | | | With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not overflow in kernel, making the test unstable depending on kernel config. Change it to not overflow with 1000Hz either by increasing the burst value by a factor of 100. Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ip6tables: masquerade: use fully-random so that nft can understand the rulePavel Tikhomirov2021-08-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Here is the problem: []# nft -v nftables v0.9.8 (E.D.S.) []# iptables-nft -v iptables v1.8.7 (nf_tables): no command specified Try `iptables -h' or 'iptables --help' for more information. []# nft flush ruleset []# ip6tables-nft -t nat -A POSTROUTING -j MASQUERADE --random-full []# nft list ruleset table ip6 nat { chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 masquerade random-fully } } []# nft list ruleset > /tmp/ruleset []# nft flush ruleset []# nft -f /tmp/ruleset /tmp/ruleset:4:54-54: Error: syntax error, unexpected newline counter packets 0 bytes 0 masquerade random-fully That's because nft list ruleset saves "random-fully" which is wrong format for nft -f, right should be "fully-random". We face this problem because we run k8s in Virtuozzo container, and k8s creates those "random-fully" rules by iptables(nft) and then CRIU can't restore those rules using nft. Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_multiport: add translation for -m multiport --portsPablo Neira Ayuso2021-06-252-8/+33
| | | | | | Add a translation for -m multiport --ports. Extend the existing testcase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_conntrack: simplify translation using negationPablo Neira Ayuso2021-06-072-37/+17
| | | | | | | | | Available since nftables 0.9.9. For example: # iptables-translate -I INPUT -m state ! --state NEW,INVALID nft insert rule ip filter INPUT ct state ! invalid,new counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcp: rework translation to use flags match representationPablo Neira Ayuso2021-06-073-10/+10
| | | | | | | Use the new flags match representation available since nftables 0.9.9 to simplify the translation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlimit: add translationPablo Neira Ayuso2021-06-072-0/+64
| | | | | | | | This patch adds a translation for connlimit matches which requires the definition of a set and the family context (either IPv4 or IPv6) which is required to display the netmask accordingly. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_string: Avoid buffer size warning for strncpy()Phil Sutter2021-06-071-1/+1
| | | | | | | If the target buffer does not need to be null-terminated, one may simply use memcpy() and thereby avoid any compiler warnings. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-0719-51/+32
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Use xtables_ip6parse_any()Phil Sutter2021-06-071-64/+10
| | | | | | | | | | | The code was almost identical and suffered from the same problem as fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory corruption bugs"). The only functional change this involves is ebt_parse_ip6_address() will now accept hostnames as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Drop unused variablesPhil Sutter2021-06-071-4/+2
| | | | | | | They are being assigned to but never read. Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Translate --chunk-types optionPhil Sutter2021-05-192-19/+78
| | | | | | | | | The translation is not fully complete as it is not possible to map 'any' match type into nft syntax with a single rule. Also, 'only' match type translation is a bit poor as it explicitly lists all chunk types that are supposed to be missing. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Fix nftables translationPhil Sutter2021-05-192-11/+9
| | | | | | | If both sport and dport was present, incorrect nft syntax was generated. Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1Phil Sutter2021-05-042-20/+74
| | | | | | | | | The changed data structure for communication with kernel allows to exclude the field 'secid' which is populated on kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Eliminate inet_aton() and inet_ntoa()Phil Sutter2021-04-301-2/+4
| | | | | | | Both functions are obsolete, replace them by equivalent calls to inet_pton() and inet_ntop(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Explain match types in man pagePhil Sutter2021-04-291-0/+11
| | | | | | They weren't mentioned at all. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_conntrack: use bitops for status negationAlexander Mikhalitsyn2021-04-022-10/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At the moment, status_xlate_print function prints statusmask as comma-separated sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus condition then we have to use more complex expression (if more than one flag enabled) because nft not supports syntax like "ct status != expected,assured". Examples: ! --ctstatus CONFIRMED,ASSURED should be translated as ct status & (assured|confirmed) == 0 ! --ctstatus CONFIRMED can be translated as ct status & confirmed == 0 See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference). Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_conntrack: use bitops for state negationAlexander Mikhalitsyn2021-04-022-14/+29
| | | | | | | | | | | | | | | | | | | | | Currently, state_xlate_print function prints statemask as comma-separated sequence of enabled statemask flags. But if we have inverted conntrack ctstate condition then we have to use more complex expression because nft not supports syntax like "ct state != related,established". Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>