Commit log for path: root/extensions
Each entry lists the commit message (subject and body) followed by Author, Age/Date, Files changed and Lines removed/added.
* extensions: libxt_conntrack: simplify translation using negation  [HEAD, master]
  Author: Pablo Neira Ayuso | Age: 10 days | Files: 2 | Lines: -37/+17

    Available since nftables 0.9.9. For example:

      # iptables-translate -I INPUT -m state ! --state NEW,INVALID
      nft insert rule ip filter INPUT ct state ! invalid,new counter

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcp: rework translation to use flags match representation
  Author: Pablo Neira Ayuso | Age: 10 days | Files: 3 | Lines: -10/+10

    Use the new flags match representation available since nftables 0.9.9
    to simplify the translation.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlimit: add translation
  Author: Pablo Neira Ayuso | Age: 10 days | Files: 2 | Lines: -0/+64

    This patch adds a translation for connlimit matches, which requires the
    definition of a set and the family context (either IPv4 or IPv6); the
    latter is required to display the netmask accordingly.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_string: Avoid buffer size warning for strncpy()
  Author: Phil Sutter | Age: 11 days | Files: 1 | Lines: -1/+1

    If the target buffer does not need to be null-terminated, one may simply
    use memcpy() and thereby avoid any compiler warnings.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_strdup() and use it everywhere
  Author: Phil Sutter | Age: 11 days | Files: 19 | Lines: -51/+32

    This wraps strdup(), checking for errors.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Use xtables_ip6parse_any()
  Author: Phil Sutter | Age: 11 days | Files: 1 | Lines: -64/+10

    The code was almost identical and suffered from the same problem as fixed
    in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
    corruption bugs"). The only functional change this involves is
    ebt_parse_ip6_address() will now accept hostnames as well.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Drop unused variables
  Author: Phil Sutter | Age: 11 days | Files: 1 | Lines: -4/+2

    They are being assigned to but never read.

    Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Translate --chunk-types option
  Author: Phil Sutter | Date: 2021-05-19 | Files: 2 | Lines: -19/+78

    The translation is not fully complete as it is not possible to map 'any'
    match type into nft syntax with a single rule. Also, 'only' match type
    translation is a bit poor as it explicitly lists all chunk types that are
    supposed to be missing.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Fix nftables translation
  Author: Phil Sutter | Date: 2021-05-19 | Files: 2 | Lines: -11/+9

    If both sport and dport were present, incorrect nft syntax was generated.

    Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1
  Author: Phil Sutter | Date: 2021-05-04 | Files: 2 | Lines: -20/+74

    The changed data structure for communication with the kernel allows
    excluding the field 'secid', which is populated on the kernel side. Thus
    this fixes the formerly always failing extension comparison breaking rule
    check and rule delete by content.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* Eliminate inet_aton() and inet_ntoa()
  Author: Phil Sutter | Date: 2021-04-30 | Files: 1 | Lines: -2/+4

    Both functions are obsolete, replace them by equivalent calls to
    inet_pton() and inet_ntop().

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: sctp: Explain match types in man page
  Author: Phil Sutter | Date: 2021-04-29 | Files: 1 | Lines: -0/+11

    They weren't mentioned at all.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_conntrack: use bitops for status negation
  Author: Alexander Mikhalitsyn | Date: 2021-04-02 | Files: 2 | Lines: -10/+28

    At the moment, the status_xlate_print function prints statusmask as a
    comma-separated sequence of enabled statusmask flags. But if we have an
    inverted conntrack ctstatus condition then we have to use a more complex
    expression (if more than one flag is enabled) because nft does not
    support syntax like "ct status != expected,assured".

    Examples:

      ! --ctstatus CONFIRMED,ASSURED
      should be translated as
      ct status & (assured|confirmed) == 0

      ! --ctstatus CONFIRMED
      can be translated as
      ct status & confirmed == 0

    See also netfilter/xt_conntrack.c (conntrack_mt() function as a
    reference).

    Reproducer:

      $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
      $ nft list ruleset
      ...
      meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
      ...

    It will fail if we try to load this rule:

      $ nft -f nft_test
      ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon

    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_conntrack: use bitops for state negation
  Author: Alexander Mikhalitsyn | Date: 2021-04-02 | Files: 2 | Lines: -14/+29

    Currently, the state_xlate_print function prints statemask as a
    comma-separated sequence of enabled statemask flags. But if we have an
    inverted conntrack ctstate condition then we have to use a more complex
    expression because nft does not support syntax like
    "ct state != related,established".

    Reproducer:

      $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
      $ nft list ruleset
      ...
      meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
      ...

    It will fail if we try to load this rule:

      $ nft -f nft_test
      ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon

    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-translate: Fix translation of odd netmasks
  Author: Phil Sutter | Date: 2021-03-09 | Files: 2 | Lines: -0/+60

    Iptables supports netmasks which are not prefixes to match on (or ignore)
    arbitrary bits in an address. Yet nftables' prefix notation is available
    for real prefixes only, so translation is not as trivial - print bitmask
    syntax for those cases.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: dccp: Fix for DCCP type 'INVALID'
  Author: Phil Sutter | Date: 2020-12-09 | Files: 2 | Lines: -25/+45

    Support for matching on invalid DCCP type field values was pretty broken:
    While RFC4340 declares any type value from 10 to 15 invalid, the
    extension's type name 'INVALID' mapped to type value 10 only. Fix this by
    introduction of INVALID_OTHER_TYPE_MASK which has the remaining invalid
    type's bits set and apply it if bit 10 is set after parsing the type
    list.

    When printing, stop searching type names after printing 'INVALID' -
    unless numeric output was requested. The latter prints all actual type
    values. Since parsing types in numeric form is not supported, changing
    the output should not break existing scripts.

    When translating into nftables syntax, the code returned prematurely if
    'INVALID' was among the list of types - thereby emitting invalid syntax.
    Instead print a real match for invalid types by use of a range
    expression.

    While being at it, fix syntax of translator output: If only
    '--dccp-types' was translated, the output contained an extra 'dccp'. On
    the other hand, if '--sport' and '--dport' were present, a required
    'dccp' between the translations of both was missing.

    Fixes: e40b11d7ef827 ("add support for new 'dccp' protocol match")
    Fixes: c94a998724143 ("extensions: libxt_dccp: Add translation to nft")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Extend MAC address printing/parsing support
  Author: Phil Sutter | Date: 2020-12-03 | Files: 4 | Lines: -126/+12

    Adding a parser which supports common names for special MAC/mask
    combinations and a print routine detecting those special addresses and
    printing the respective name allows consolidating all the various
    duplicated implementations.

    The side-effects of this change are manageable:

    * arptables now accepts "BGA" as alias for the bridge group address
    * "mac" match now prints MAC addresses in lower-case which is consistent
      with the remaining code at least

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libipt_icmp: Fix translation of type 'any'
  Author: Phil Sutter | Date: 2020-10-06 | Files: 2 | Lines: -0/+8

    By itself, '-m icmp --icmp-type any' is a no-op; it matches any icmp
    types. Yet nft_ipv4_xlate() does not emit an 'ip protocol' match if
    there's an extension with the same name present in the rule. Luckily,
    legacy iptables demands icmp match to be prepended by '-p icmp', so we
    can assume this is present and just emit the 'ip protocol' match from
    the icmp xlate callback.

    Fixes: aa158ca0fda65 ("extensions: libipt_icmp: Add translation to nft")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Reviewed-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_conntrack: provide translation for DNAT and SNAT --ctstate
  Author: Pablo Neira Ayuso | Date: 2020-07-24 | Files: 2 | Lines: -5/+20

      iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
      nft add rule ip filter INPUT ct status dnat counter accept

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Fix for failing 'make uninstall'
  Author: Phil Sutter | Date: 2020-06-09 | Files: 1 | Lines: -1/+14

    Support for uninstalling is severely broken:

    - extensions/GNUmakefile.in defines an 'install' target but lacks a
      respective 'uninstall' one, causing 'make uninstall' to abort with an
      error message.

    - iptables/Makefile.am defines an 'install-exec-hook' to create the
      binary symlinks which are left in place after 'make uninstall'.

    Fix these problems by defining respective targets containing code copied
    from automake-generated uninstall targets. While being at it, add a few
    more uninstall-hooks removing custom directories created by
    'make install' if they are empty afterwards.

    Reported-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Tested-by: Richard Guy Briggs <rgb@redhat.com>
* doc: document danger of applying REJECT to INVALID CTs
  Author: Jan Engelhardt | Date: 2020-06-08 | Files: 2 | Lines: -0/+40

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libxt_MARK: OUTPUT chain is fine, too
  Author: Phil Sutter | Date: 2020-05-27 | Files: 1 | Lines: -2/+2

    In order to route packets originating from the host itself based on
    fwmark, mangle table's OUTPUT chain must be used. Mention this chain as
    alternative to PREROUTING.

    Fixes: c9be7f153f7bf ("doc: libxt_MARK: no longer restricted to mangle table")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* libip6t_srh.t: switch to lowercase, add /128 suffix, require success
  Author: Maciej Żenczykowski | Date: 2020-05-14 | Files: 1 | Lines: -2/+2

    This looks like an oversight which is easy to fix.

    Furthermore:
      git grep ';;OK'
    does not find any other matches, so this is the last unverified test
    case.

    Test:
      [root@f32vm IPT]# uname -r
      5.6.10-300.fc32.x86_64
      [root@f32vm IPT]# md5sum extensions/libip6t_srh.t
      b98864bdd6c39a0dd96022c47e652edb  extensions/libip6t_srh.t
      [root@f32vm IPT]# ./iptables-test.py extensions/libip6t_srh.t
      extensions/libip6t_srh.t: OK
      1 test files, 27 unit tests, 27 passed

    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-test: Don't choke on empty lines
  Author: Phil Sutter | Date: 2020-05-11 | Files: 1 | Lines: -1/+0

    The script code wasn't expecting empty lines:

    | Traceback (most recent call last):
    |   File "./iptables-test.py", line 380, in <module>
    |     main()
    |   File "./iptables-test.py", line 370, in main
    |     file_tests, file_passed = run_test_file(filename, args.netns)
    |   File "./iptables-test.py", line 265, in run_test_file
    |     if item[1] == "=":
    | IndexError: list index out of range

    Fix this by ignoring empty lines or those consisting of whitespace only.
    While being at it, remove the empty line from libxt_IDLETIMER.t which
    exposed the problem.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxt_IDLETIMER: fix target v1 help alignment and doc
  Author: Maciej Żenczykowski | Date: 2020-04-28 | Files: 1 | Lines: -1/+1

    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: include strings.h for the definition of ffs()
  Author: Maciej Żenczykowski | Date: 2020-04-28 | Files: 2 | Lines: -0/+2

    This resolves clang compiler warnings:

      extensions/libext4_srcs/gen/gensrcs/external/iptables/extensions/libipt_ULOG.c:89:32: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
              printf(" --ulog-nlgroup %d", ffs(loginfo->nl_group));
                                           ^
      extensions/libext4_srcs/gen/gensrcs/external/iptables/extensions/libipt_ULOG.c:105:9: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
              ffs(loginfo->nl_group));
              ^
      extensions/libext_srcs/gen/gensrcs/external/iptables/extensions/libxt_addrtype.c:263:14: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
              int first = ffs(val);
                          ^

    Test: builds with less warnings

    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: IDLETIMER: Add alarm timer option
  Author: Manoj Basapathi | Date: 2020-04-16 | Files: 2 | Lines: -13/+88

    Introduce "--alarm" option for idletimer rule. If it is present,
    hardidle-timer is used, else default timer.

    The default idletimer starts a deferrable timer or in other words the
    timer will cease to run when cpu is in suspended state.

    This change introduces the option to start a non-deferrable or alarm
    timer which will continue to run even when the cpu is in suspended
    state.

    Signed-off-by: Manoj Basapathi <manojbm@codeaurora.org>
    Signed-off-by: Sauvik Saha <ssaha@codeaurora.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-shared: skip check for jumpto if cs->target is unset
  Author: Pablo Neira Ayuso | Date: 2020-04-15 | Files: 1 | Lines: -2/+1

    The command_jump() function leaves cs->target unset if the target is not
    found. Let's check if the jumpto string mismatches only in this case.

    https://bugzilla.netfilter.org/show_bug.cgi?id=1422

    Tested-by: Etienne Champetier <etienne.champetier@anevia.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_CT: add translation for NOTRACK
  Author: Pablo Neira Ayuso | Date: 2020-04-15 | Files: 2 | Lines: -0/+18

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: open eBPF programs in read only mode
  Author: Maciej Żenczykowski | Date: 2020-04-15 | Files: 1 | Lines: -7/+19

    Adjust the mode eBPF programs are opened in so 0400 pinned bpf programs
    work without requiring CAP_DAC_OVERRIDE.

    This matches Linux 5.2's:

      commit e547ff3f803e779a3898f1f48447b29f43c54085
      Author: Chenbo Feng <fengc@google.com>
      Date:   Tue May 14 19:42:57 2019 -0700

          bpf: relax inode permission check for retrieving bpf program

          For iptable module to load a bpf program from a pinned location, it
          only retrieve a loaded program and cannot change the program content
          so requiring a write permission for it might not be necessary. Also
          when adding or removing an unrelated iptable rule, it might need to
          flush and reload the xt_bpf related rules as well and triggers the
          inode permission check. It might be better to remove the write
          permission check for the inode so we won't need to grant write
          access to all the processes that flush and restore iptables rules.

      kernel/bpf/inode.c:
      -    int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
      +    int ret = inode_permission(inode, MAY_READ);

    In practice, AFAICT, the xt_bpf match .fd field isn't even used by new
    kernels, but I believe it might be needed for compatibility with old ones
    (though I'm pretty sure table modifications on them will outright fail).

    Test: builds, passes Android test suite (albeit on an older iptables
    base), git grep bpf_obj_get - finds no other users

    Cc: Chenbo Feng <fengc@google.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* connlabel: Allow numeric labels even if connlabel.conf exists
  Author: Phil Sutter | Date: 2020-03-06 | Files: 1 | Lines: -5/+2

    Existing code is a bit quirky: If no connlabel.conf was found, the local
    function connlabel_value_parse() is called which tries to interpret given
    label as a number. If the config exists though, nfct_labelmap_get_bit()
    is called instead which doesn't care about "undefined" connlabel names.

    So unless installed connlabel.conf contains entries for all possible
    numeric labels, rules added by users may stop working if a
    connlabel.conf is created.

    Related man page snippet states: "Using a number always overrides
    connlabel.conf", so try numeric parsing and fall back to nfct only if
    that failed.

    Fixes: 51340f7b6a110 ("extensions: libxt_connlabel: use libnetfilter_conntrack")
    Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: among: Support mixed MAC and MAC/IP entries
  Author: Phil Sutter | Date: 2020-02-18 | Files: 2 | Lines: -6/+2

    Powered by Stefano's support for concatenated ranges, a full among match
    replacement can be implemented. The trick is to add MAC-only elements as
    a concatenation of MAC and zero-length prefix, i.e. a range from 0.0.0.0
    till 255.255.255.255.

    Although not quite needed, detection of pure MAC-only matches is left in
    place. For those, no implicit 'meta protocol' match is added (which is
    required otherwise at least to keep nft output correct) and no concat
    type is used for the set.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Fix for iface++
  Author: Phil Sutter | Date: 2020-02-14 | Files: 1 | Lines: -0/+4

    In legacy iptables, only the last plus sign remains special, any previous
    ones are taken literally. Therefore xtables-translate must not replace
    all of them with asterisk but just the last one.

    Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Fix for interface name corner-cases
  Author: Phil Sutter | Date: 2020-02-11 | Files: 1 | Lines: -0/+12

    There are two special situations xlate_ifname() didn't cover for:

    * Interface name containing '*': This went unchanged, creating a command
      nft wouldn't accept. Instead translate into '\*' which doesn't change
      semantics.

    * Interface name being '+': Can't translate into nft wildcard character
      as nft doesn't accept asterisk-only interface names. Instead decide
      what to do based on 'invert' value: Skip match creation if false, match
      against an invalid interface name if true.

    Also add a test to make sure future changes to this behaviour are
    noticed.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: time: add translation and tests
  Author: Jose M. Guisado Gomez | Date: 2020-02-04 | Files: 2 | Lines: -0/+98

    Translation capabilities for xtables time match. Different time values
    (hour and datetime) are translated into ranges.

    These time match options can be translated now:

      --timestart value
      --timestop value
      [!] --weekdays listofdays
      --datestart date
      --datestop date

    The option --monthdays can't be translated into nft as of now.

    Examples can be found inside libxt_time.txlate

    Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* Fixed some man pages typos ('This modules' -> 'This module')
  Author: Álvaro Santos | Date: 2020-01-16 | Files: 3 | Lines: -3/+3

    Signed-off-by: Álvaro Santos <aa.santos@campus.fct.unl.pt>
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: AUDIT: fix man-page typo.
  Author: Jeremy Sowden | Date: 2019-12-30 | Files: 1 | Lines: -1/+1

    A recent commit fixed uses of "allows to" in man-pages. There was one
    instance where the "to" was removed but the "allows" was left behind.
    Remove that as well.

    Fixes: 3b9b515618c6 ("iptables: cleanup "allows to" usage")
    Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: among: Check call to fstat()
  Author: Phil Sutter | Date: 2019-12-06 | Files: 1 | Lines: -1/+5

    If this fails, a bogus length value may be passed to mmap().

    Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
* extensions: cluster: Avoid undefined shift
  Author: Phil Sutter | Date: 2019-12-06 | Files: 1 | Lines: -1/+1

    Value 1 is signed by default and left-shifting by 31 is undefined for
    those. Fix this by marking the value as unsigned.

    Fixes: 64a0e09894e52 ("extensions: libxt_cluster: Add translation to nft")
* extensions: time: Avoid undefined shift
  Author: Phil Sutter | Date: 2019-12-06 | Files: 1 | Lines: -1/+1

    Value 1 is signed by default and left-shifting by 31 is undefined for
    those. Fix this by marking the value as unsigned.

    Fixes: ad326ef9f734a ("Add the libxt_time iptables match")
* extensions: libxt_sctp: add manpage description
  Author: Laurence J. Lane | Date: 2019-12-05 | Files: 1 | Lines: -0/+1

    Add manpage description.

    Arturo says: This patch is forwarded from the iptables Debian package,
    where it has been around for many years now.

    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: manpages: cleanup hyphens
  Author: Laurence J. Lane | Date: 2019-12-05 | Files: 9 | Lines: -10/+10

    Cleanup, escape hyphens so they are not interpreted by the manpage
    generator.

    Arturo says: This patch is forwarded from the iptables Debian package,
    where it has been around for many years now.

    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: cleanup "allows to" usage
  Author: Laurence J. Lane | Date: 2019-12-05 | Files: 7 | Lines: -7/+7

    Grammatical cleanup.

    Arturo says: This patch is forwarded from the iptables Debian package,
    where it has been around for many years now.

    Signed-off-by: Laurence J. Lane <ljlane@debian.org>
    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: CLUSTERIP: Mark as deprecated in man page
  Author: Phil Sutter | Date: 2019-12-04 | Files: 1 | Lines: -0/+3

    Kernel even warns if being used, reflect its state in man page, too.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Florian Westphal <fw@strlen.de>
* nft: bridge: Rudimental among extension support
  Author: Phil Sutter | Date: 2019-11-25 | Files: 2 | Lines: -0/+259

    Support among match as far as possible given the limitations of nftables
    sets, namely limited to homogeneous MAC address only or MAC and IP
    address only matches.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_SYNPROXY: add xlate method
  Author: Jose M. Guisado Gomez | Date: 2019-10-01 | Files: 2 | Lines: -0/+25

    This adds translation capabilities when encountering SYNPROXY inside
    iptables rules.

    Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix iptables-{nft,translate} with conntrack EXPECTED
  Author: Quentin Armitage | Date: 2019-09-20 | Files: 2 | Lines: -2/+3

    iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
    outputs:
      nft add rule ip filter INPUT ct status expected,assured counter
    and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED,ASSURED
    produces nft list output:
      chain INPUT {
        ct status expected,assured counter packets 0 bytes 0 accept
      }
    which are correct.

    However, iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED
    outputs:
      nft # -A INPUT -m conntrack --ctstatus EXPECTED
    and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft
    list output:
      chain INPUT {
        counter packets 0 bytes 0 accept
      }
    neither of which is what is desired.

    Commit 6223ead0d - "extensions: libxt_conntrack: Add translation to nft"
    included the following code in _conntrack3_mt_xlate():

      if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
          if (sinfo->status_mask == 1)
              return 0;
          ...

    If the intention had been not to produce output when status_mask == 1,
    it would have been written as:

      if (sinfo->status_mask == IPS_EXPECTED)
          return 0;

    so it looks as though this is debugging code accidentally left in the
    original patch.

    Removing the lines:

      if (sinfo->status_mask == 1)
          return 0;

    resolves the problems, and
    iptables-translate -A INPUT -m conntrack --ctstatus EXPECTED outputs:
      nft add rule ip filter INPUT ct status expected counter
    and iptables-nft -A INPUT -m conntrack --ctstatus EXPECTED produces nft
    list output:
      chain INPUT {
        ct status expected counter packets 0 bytes 0 accept
      }

    This commit also includes an additional txlate test to check when only
    the status EXPECTED is specified.

    Fixes: 6223ead0d06b ("extensions: libxt_conntrack: Add translation to nft")
    Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables: fix over-eager -o checks on custom chains
  Author: Florian Westphal | Date: 2019-09-12 | Files: 1 | Lines: -0/+17

    Arturo reports ebtables-nft reports an error when -o is used in custom
    chains:

      -A MYCHAIN -o someif

    makes ebtables-nft exit with an error:
    "Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

    Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean
    "builtin", so -1 mistakenly leads to the checks being active.

    Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
    Signed-off-by: Florian Westphal <fw@strlen.de>
* netfilter: hashlimit: prefer PRIu64 to avoid warnings on 32bit platforms
  Author: Duncan Roe | Date: 2019-09-12 | Files: 1 | Lines: -1/+1

    I found this patch attached to an older BZ, apply this finally...

    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1107
    Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Note REDIRECT case of no IP address
  Author: Joseph C. Sible | Date: 2019-08-21 | Files: 1 | Lines: -1/+2

    If an IP packet comes in on an interface that lacks a corresponding IP
    address (which happens on, e.g., the veths that Project Calico creates),
    attempting to use REDIRECT on it will cause it to be dropped. Take note
    of this in REDIRECT's documentation.

    Signed-off-by: Joseph C. Sible <josephcsible@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>