path: root/include
Commit log for include/: commit message (author, date; files changed, -lines removed/+lines added)

* refresh nf_tables.h cached copy  (Pablo Neira Ayuso, 2014-10-09; 1 file, -1/+76)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: add linux/filter.h  (Willem de Bruijn, 2014-07-30; 1 file, -0/+139)

    xt_bpf.h includes linux/filter.h for the definition of sock_filter.
    Add that file to the repository.

    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Merge branch 'next-3.14'  (Pablo Neira Ayuso, 2014-05-16; 3 files, -4/+35)

  Commits merged from next-3.14:

  * iptables: add libxt_cgroup frontend  (Daniel Borkmann, 2014-01-04; 1 file, -0/+11)

      This patch adds the user space extension/frontend for process matching
      based on cgroups from the kernel patch entitled "netfilter: xtables:
      lightweight process control group matching".

      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * iptables: snat: add randomize-full support  (Daniel Borkmann, 2014-01-04; 1 file, -4/+8)

      This patch provides the userspace part for snat in order to make
      randomize-full support available in {ip,nf}tables. It allows for
      enabling full port randomization that was motivated in [1] and
      introduced to the kernel in [2].

      Joint work between Hannes Frederic Sowa and Daniel Borkmann.

      [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
      [2] http://patchwork.ozlabs.org/patch/304306/

      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * iptables: Add IPv4/6 IPcomp match support  (fan.du, 2013-12-24; 1 file, -0/+16)

      This patch enables the user to set iptables ACTIONs for IPcomp flows
      specified by their SPI value. For example:

        iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP
        ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP

      IPcomp packets with SPI 0x12 will be dropped.

      Signed-off-by: Fan Du <fan.du@windriver.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* update FSF address in license text  (Jiri Popelka, 2014-03-13; 1 file, -1/+1)

    http://www.gnu.org/licenses/gpl-2.0.html
    http://www.fsf.org/about/contact/

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: Update nftables API header in sync with kernel's one  (Tomasz Bursztyka, 2013-12-30; 1 file, -7/+296)

    Many changes were missing.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables: batch rule-set updates into one single netlink message  (Pablo Neira Ayuso, 2013-12-30; 2 files, -47/+4)

    With this patch, all rule-set updates are put in one single batch of
    netlink messages that is sent to user-space using the new nfnetlink
    batch infrastructure.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: cache netfilter_arp kernel headers  (Pablo Neira Ayuso, 2013-12-30; 3 files, -0/+249)

    To ensure that compilation does not break if Linux kernel headers are
    not installed in the system.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables: nft: add protocol and flags for xtables over nf_tables  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+14)

    Add protocol and flags for the compatibility layer.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables-restore: support atomic commit  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+8)

    Use new services in nf_tables to support atomic commit.

    Commit per table, although we support global commit at once, call commit
    for each table to emulate iptables-restore behaviour by now.

    Keep table dormant/wake up code in iptables/nft.c as it can be used in
    the future.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: adapt chain rename to recent Patrick's updates  (Pablo Neira Ayuso, 2013-12-30; 1 file, -1/+2)

    This patch gets existing code in sync with Patrick's chain renaming new
    approach.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xtables-restore: add support for dormant tables  (Pablo Neira Ayuso, 2013-12-30; 1 file, -0/+10)

    This patch adds support for dormant tables for xtables-restore.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* headers: remove unused compatibility definitions  (Pablo Neira Ayuso, 2013-12-30; 1 file, -18/+0)

    They belong to nf_tables_compat.h

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: Add support for chain rename options (-E)  (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+1)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

* headers: Make nf_tables.h up to date  (Tomasz Bursztyka, 2013-12-30; 1 file, -0/+2)

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

* use nf_tables and nf_tables compatibility interface  (Pablo Neira Ayuso, 2013-12-30; 5 files, -0/+543)

    This patch adds the following utilities:

    * xtables
    * xtables-restore
    * xtables-save
    * xtables-config

    They all use Patrick's nf_tables infrastructure plus my compatibility
    layer.

    xtables, xtables-restore and xtables-save are syntax compatible with
    ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aim to
    be similar, still the main exception is that there is no commit
    operation. Thus, we incrementally add/delete rules without entire table
    locking.

    The following options are also not yet implemented:

    -Z (this requires adding expr->ops->reset(...) so nft_counters can reset
       internal state of expressions while dumping it)
    -R and -E (this requires adding this feature to nf_tables)
    -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise
       a&b^!b + cmp neq 0)
    -IPv6 support.

    But those are a matter of time to get them done.

    A new utility, xtables-config, is available to register tables and
    chains. By default there is a configuration file that adds backward
    compatible tables and chains under iptables/etc/xtables.conf. You have
    to call this utility first to register tables and chains. However, it
    would be possible to automagically register tables and chains while
    using xtables and xtables-restore to get similar operation than with
    iptables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: libxt_set, libxt_SET: check the set family too  (Jozsef Kadlecsik, 2013-11-18; 1 file, -0/+9)

    Do not silently accept sets with the wrong protocol family but reject
    them with an error message. It makes it straightforward to catch user
    errors.

    [ Use afinfo instead to avoid a binary interface update --pablo ]

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: add SYNPROXY extension  (Patrick McHardy, 2013-11-18; 1 file, -0/+16)

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* xtables: trivial spelling fix  (Stephen Hemminger, 2013-08-07; 1 file, -2/+2)

    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xt_socket: add --nowildcard flag  (Eric Dumazet, 2013-08-06; 1 file, -0/+7)

    The xt_socket module can be a nice replacement for the conntrack module
    in some cases (SYN filtering, for example).

    But it lacks the ability to match the 3rd packet of the TCP handshake
    (the ACK coming from the client).

    Add an XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism.

    The wildcard is the legacy socket match behavior, which ignores LISTEN
    sockets bound to INADDR_ANY (or the IPv6 equivalent):

      iptables -I INPUT -p tcp --syn -j SYN_CHAIN
      iptables -I INPUT -m socket -j ACCEPT

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxt_CT: Add the "NOTRACK" alias  (Jozsef Kadlecsik, 2013-07-24; 1 file, -1/+4)

    Available since Linux kernel 3.8.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* ip{6}tables-restore: fix breakage due to new locking approach  (Pablo Neira Ayuso, 2013-07-08; 2 files, -2/+2)

    Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
    ip{6}tables-restore does not work anymore:

      iptables-restore < x
      Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

    do_command{6}(...) is called from ip{6}tables-restore for every iptables
    command contained in the rule-set file. Thus, hitting the lock error
    after the second command.

    Fix it by bypassing the locking in the ip{6}tables-restore path.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Introduce a new revision for the set match with the counters support  (Jozsef Kadlecsik, 2013-06-07; 2 files, -10/+51)

    The revision adds support for matching the packet/byte counters if the
    set was defined with the extension. Also, a new flag is introduced to
    suppress updating the packet/byte counters if required.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter  (holger@eitzenberger.org, 2013-05-29; 1 file, -0/+9)

    Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: add connlabel match  (Florian Westphal, 2013-05-06; 1 file, -0/+12)

    Allows tagging connections with up to 128 label names.

    Labels are defined in /etc/xtables/connlabel.conf, example:

      0 from eth0
      1 via eth0

    Labels can then be attached to flows, e.g.

      -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

    Signed-off-by: Florian Westphal <fw@strlen.de>

* extensions: add libxt_bpf extension  (Willem de Bruijn, 2013-04-02; 1 file, -0/+17)

    Add user-space code to support the new BPF iptables extension.

    Pablo has mangled the original patch to:

    * include a copy of include/linux/netfilter/xt_bpf.h in the tree.

    * I have also removed the --bytecode-file option. The original proposal
      was to accept BPF code in a file in human readable format. Now, with
      the nfbpf_compile utility, it's very easy to generate the filter using
      tcpdump-like syntax.

    * I have removed the trailing comma in the backtick format, the parser
      works just fine for me here.

    * Fix error message if --bytecode is missing.

    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency  (Pablo Neira Ayuso, 2013-03-29; 1 file, -3/+0)

    This patch changes the NETMAP target extension (IPv6 side) to use
    xtables_ip6mask_to_cidr, available in libxtables. As a side effect, we
    get rid of the libip6tc dependency.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Add the "state" alias to the "conntrack" match  (Jozsef Kadlecsik, 2013-01-28; 1 file, -0/+1)

* Introduce match/target aliases  (Jozsef Kadlecsik, 2013-01-28; 1 file, -0/+16)

    The match/target alias allows us to support the syntax of matches and
    targets merged into other matches/targets.

* libxtables: add xtables_print_num  (Pablo Neira Ayuso, 2013-01-04; 1 file, -0/+16)

    This function is used both by iptables and ip6tables; it is factored out
    to avoid lines of code longer than 80 characters.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxtables: add xtables_rule_matches_free  (Pablo Neira Ayuso, 2013-01-04; 1 file, -0/+2)

    This function is shared by iptables and ip6tables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Merge branch 'next' branch that contains new features scheduled for Linux kernel 3.7  (Pablo Neira Ayuso, 2012-10-25; 7 files, -170/+78)

  Commits merged from next:

  * libxt_time: add support to ignore day transition  (Florian Westphal, 2012-09-30; 1 file, -0/+1)

      Currently, if you want to do something like:

        "match Monday, starting 23:00, for two hours"

      You need two rules, one for Mon 23:00 to 0:00 and one for Tue
      0:00-1:00.

      The rule

        --weekdays Mo --timestart 23:00 --timestop 01:00

      looks correct, but it will first match on monday from midnight to
      1 a.m. and then again for another hour from 23:00 onwards.

      This permits userspace to explicitly ignore the day transition and
      match for a single, continuous time period instead.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add NPT extension  (Patrick McHardy, 2012-09-10; 1 file, -0/+16)

      Add extensions for the SNPT and DNPT stateless IPv6-to-IPv6 Network
      Prefix Translation targets.

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * extensions: add IPv6 MASQUERADE extension  (Patrick McHardy, 2012-09-10; 1 file, -0/+8)

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

  * Convert the NAT targets to use the kernel supplied nf_nat.h header  (Patrick McHardy, 2012-09-10; 5 files, -170/+53)

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Merge branch 'master' of git://git.inai.de/iptables  (Jan Engelhardt, 2012-09-30; 3 files, -3/+8)

  Commits merged from git://git.inai.de/iptables:

  * iptables: support for match aliases  (Jan Engelhardt, 2012-09-29; 1 file, -0/+1)

      This patch allows for match names listed on the command line to be
      rewritten to new names and revisions, like we did for targets before.

      Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * iptables: support for target aliases  (Jan Engelhardt, 2012-09-27; 1 file, -0/+3)

      This patch allows for target names listed on the command line to be
      rewritten to new names and revisions. As before, we will pick a
      revision that is supported by the kernel - now including real_name in
      the search. This gives us the possibility to test for many action
      names.

      Signed-off-by: Jan Engelhardt <jengelh@inai.de>

  * build: separate AC variable replacements from xtables.h  (Jan Engelhardt, 2012-08-31; 3 files, -3/+4)

      It was/is a bit annoying that modifying xtables.h.in causes configure
      to rerun. Split the @foo@ things into a separate file to bypass this.

      Signed-off-by: Jan Engelhardt <jengelh@inai.de>

* New set match revision with --return-nomatch flag support  (Jozsef Kadlecsik, 2012-09-21; 1 file, -0/+2)

* include: add missing linux/netfilter_ipv4/ip_queue.h  (Pablo Neira Ayuso, 2012-08-03; 1 file, -0/+72)

    This patch fixes compilation of libipq with headers from Linux kernel
    3.5:

      In file included from libipq.c:34:0:
      ../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory

    ip_queue is gone since Linux kernel 3.5. However, you can still use new
    iptables versions with old Linux kernels. We have to keep libipq in this
    tree for a while (1.5-2 years should be OK).

    Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxt_recent: add --mask netmask  (Denys Fedoryshchenko, 2012-07-31; 1 file, -0/+10)

    This new option will be available in the Linux kernel 3.5

    [ Pablo fixed coding-style issues and cleaned up this. Added manpages
      as well ]

    Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxt_hashlimit: add support for byte-based operation  (Florian Westphal, 2012-07-14; 1 file, -1/+5)

    allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
    to make hashlimit match when X bytes/second are exceeded; optionally,
    Y bytes will not be matched (i.e. bursted).

    [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and
      x86_64 ]

      libxt_hashlimit.c: In function ‘parse_bytes’:
      libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: add HMARK target  (Hans Schillstrom, 2012-07-14; 1 file, -0/+50)

    The target allows you to mark packets based on Jenkins' hash
    calculation:

      h(t, rnd) = x
      mark = (x % mod) + offset

    where:

    * t is a tuple that is used for the hashing:

        t = [ src, dst, proto, sport, dport ]

      Note that you can customize the tuple, thus, removing some component
      that you don't want to use for the calculation. You can also use spi
      instead of sport and dport, btw.

    * rnd is the random seed that is explicitly passed via --hmark-rnd

    * mod is the modulus, to determine the range of possible marks

    * offset determines where the mark starts from

    This target only works for the "raw" and "mangle" tables.

    This can be used to distribute flows between a cluster of systems and
    uplinks.

    Initially based on work from Hans Schillstrom. Pablo took it over and
    introduced several improvements.

    Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxtables: add xtables_ip[6]mask_to_cidr  (Pablo Neira Ayuso, 2012-07-14; 1 file, -0/+2)

    This patch adds generic functions to return the mask in CIDR notation
    whenever it is possible.

    This patch also simplifies xtables_ip[6]mask_to_numeric, which now uses
    these two new functions.

    This patch also bumps libxtables_vcurrent and libxtables_vage since we
    added a couple of new interfaces (thanks to Jan Engelhardt for his
    little reminder on this).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libxt_CT: add --timeout option  (Pablo Neira Ayuso, 2012-04-02; 1 file, -0/+12)

    This patch adds the --timeout option to allow attaching timeout policy
    objects to flows, eg.

      iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
        -j CT --timeout custom-tcp-policy

    You need the nfct(8) tool which is available at:

      http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git

    to define the cttimeout policies. Example of usage:

      nfct timeout add custom-tcp-policy inet tcp established 1000

    The new nfct tool also requires libnetfilter_cttimeout:

      http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: add nfacct match  (Pablo Neira Ayuso, 2012-03-27; 1 file, -0/+17)

    This patch provides the user-space iptables support for the nfacct
    match. This can be used as follows:

      nfacct add http-traffic
      iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
      iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
      nfacct get http-traffic

    See also man nfacct(8) for more information.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>