summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: Introduce xtables_globals print_help callbackPhil Sutter6 days1-0/+1
| | | | | | | | With optstring being stored in struct xtables_globals as well, it is a natural choice to store a pointer to a help printer also which matches the supported options. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Store optstring in xtables_globalsPhil Sutter6 days1-0/+1
| | | | | | | | | | | Preparing for a common option parser, store the string of options for each family inside the respective xtables_globals object. The array of long option definitions sitting in there already indicates it's the right place. While being at it, drop '-m' support from arptables-nft. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: extend xlate infrastructurePablo Neira Ayuso2021-06-071-0/+6
| | | | | | | | | | | | | | This infrastructure extends the existing xlate infrastructure: - Extensions can define set dependencies through .xlate. The resulting set definition can be obtained through xt_xlate_set_get(). - Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch the family. The first client of this new xlate API is the connlimit extension, which is added in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-071-0/+1
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Use proto_to_name() from xshared in more placesPhil Sutter2021-05-171-1/+1
| | | | | | | | | | Share the common proto name lookup code. While being at it, make proto number variable 16bit, values may exceed 256. This aligns iptables-nft '-p' argument printing with legacy iptables. In practice, this should make a difference only in corner cases. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1Phil Sutter2021-05-041-0/+6
| | | | | | | | | The changed data structure for communication with kernel allows to exclude the field 'secid' which is populated on kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content. Signed-off-by: Phil Sutter <phil@nwl.cc>
* include: Drop libipulog.hPhil Sutter2021-02-171-39/+0
| | | | | | | | The file is not included anywhere, also it seems outdated compared to the one in libnetfilter_log (which also holds the implementation). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-031-0/+3
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: Fix for failing 'make uninstall'Phil Sutter2020-06-091-0/+5
| | | | | | | | | | | | | | | | | | | | | Support for uninstalling is severely broken: - extensions/GNUmakefile.in defines an 'install' target but lacks a respective 'uninstall' one, causing 'make uninstall' abort with an error message. - iptables/Makefile.am defines an 'install-exec-hook' to create the binary symlinks which are left in place after 'make uninstall'. Fix these problems by defining respective targets containing code copied from automake-generated uninstall targets. While being at it, add a few more uninstall-hooks removing custom directories created by 'make install' if they are empty afterwards. Reported-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Richard Guy Briggs <rgb@redhat.com>
* include: Avoid undefined left-shift in xt_sctp.hPhil Sutter2020-05-291-3/+3
| | | | | | | | | | | | | Pull the fix in kernel commit 164166558aace ("netfilter: uapi: Avoid undefined left-shift in xt_sctp.h") into iptables repository. The original description is: With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is undefined for the signed 32-bit value 1. Avoid this by declaring 1 as unsigned. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_fini()Phil Sutter2020-05-111-0/+1
| | | | | | | | | | | | Record handles of loaded shared objects in a linked list and dlclose() them from the newly introduced function. While functionally not necessary, this clears up valgrind's memcheck output when also displaying reachable memory. Since this is an extra function that doesn't change the existing API, increment both current and age. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: IDLETIMER: Add alarm timer optionManoj Basapathi2020-04-161-0/+12
| | | | | | | | | | | | | | Introduce "--alarm" option for idletimer rule. If it is present, hardidle-timer is used, else default timer. The default idletimer starts a deferrable timer or in other words the timer will cease to run when cpu is in suspended state. This change introduces the option to start a non-deferrable or alarm timer which will continue to run even when the cpu is in suspended state. Signed-off-by: Manoj Basapathi <manojbm@codeaurora.org> Signed-off-by: Sauvik Saha <ssaha@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_infoJuliana Rodrigueiro2019-08-201-0/+5
| | | | | | | | | | | | | | | | When running a 64-bit kernel with a 32-bit iptables binary, the size of the xt_nfacct_match_info struct diverges. kernel: sizeof(struct xt_nfacct_match_info) : 40 iptables: sizeof(struct xt_nfacct_match_info)) : 36 This patch is the userspace fix of the memory misalignment. It introduces a v1 ABI with the correct alignment and stays compatible with unfixed revision 0 kernels. Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_owner: Add supplementary groups optionLukasz Pawelczyk2019-06-191-3/+4
| | | | | | | | The --suppl-groups option causes GIDs specified with --gid-owner to be also checked in the supplementary groups of a process. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace IPTABLES_VERSION by PACKAGE_VERSIONJan Engelhardt2019-05-301-2/+0
| | | | | | | | | | | | | The IPTABLES_VERSION C macro replicates the PACKAGE_VERSION C macro (both have the same definition, "@PACKAGE_VERSION@"). Since IPTABLES_VERSION, being located in internal.h, is not exposed to downstream users in any way, it can just be replaced by PACKAGE_VERSION, which saves a configure-time file substitution. This goes towards eliminating unnecessary rebuilds after rerunning ./configure. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: extend the headers conflict workaround to in6.hBaruch Siach2018-12-031-1/+1
| | | | | | | | | | | | | Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2") introduced a kernel/user headers conflict workaround that allows build of iptables with kernel headers older than 4.2. This minor extension allows build with kernel headers older than 3.12, which is the version that introduced explicit IP headers synchronization. Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2") Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix build with kernel headers before 4.2Baruch Siach2018-11-171-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit 672accf1530 (include: update kernel netfilter header files) updated linux/netfilter.h and brought with it the update from kernel commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h from netns headers). This triggers conflict of headers that is fixed in kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with netinet/in.h) included in kernel version 4.2. For earlier kernel headers we need a workaround that prevents the headers conflict. Fixes the following build failure: In file included from .../sysroot/usr/include/netinet/ip.h:25:0, from ../include/libiptc/ipt_kernel_headers.h:8, from ../include/libiptc/libiptc.h:6, from libip4tc.c:29: .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’ IPPROTO_IP = 0, /* Dummy protocol for TCP */ ^ .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here IPPROTO_IP = 0, /* Dummy protocol for TCP. */ ^~~~~~~~~~ Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Extend struct xtc_opsPhil Sutter2018-11-131-0/+5
| | | | | | | Add a few more callbacks used by iptables-save. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: add 'printf' attribute to xlate_addFlorian Westphal2018-11-121-1/+1
| | | | | | | | | | | | | | This allows gcc to check format string vs. passed arguments. Fix the fallout from this as well, typical warning produced is: libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=] xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ... ~^ ~~~~~~~~~~ so add the required casts or fixup format strings as needed. libxt_conntrack also passed an unneeded argument (port), so remove that. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-071-0/+3
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-202-45/+12
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-201-17/+5
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-191-5/+3
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* xtables: Remove target_maxnamelen fieldPhil Sutter2018-10-151-1/+0
| | | | | | | | | | | | This is a partial revert of commit 9f075031a1973 ("Combine parse_target() and command_jump() implementations"): Upstream prefers to reduce max chain name length of arptables by two characters instead of the introduced struct xtables_globals field which requires to bump library API version. Fixes: 9f075031a1973 ("Combine parse_target() and command_jump() implementations") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-091-3/+5
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Combine parse_target() and command_jump() implementationsPhil Sutter2018-09-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Merge these two functions from xtables, iptables, ip6tables and arptables. Both functions were basically identical in the first three, only the last one required a bit more attention. To eliminate access to 'invflags' in variant-specific location, move the call to set_option() into callers. This is actually consistent with parsing of other options in them. As with command_match(), use xt_params instead of the different *_globals objects to refer to 'opts' and 'orig_opts'. It was necessary to rename parse_target() as it otherwise clashes with a static function of same name in libxt_SET. In arptables, the maximum allowed target name is a bit larger, so introduce xtables_globals.target_maxnamelen defining the value. It is used in the shared xt_parse_target() implementation. Implementation of command_jump() in arptables diverted from the others for no obvious reason. The call to parse_target() was done outside of it and a pointer to cs->arp was passed but not used inside. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add cgroup revision 2Pablo Neira Ayuso2018-09-181-3/+20
| | | | | | Just like revision v1, but cgroup path field is smaller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix for wrong counter format in -S outputPhil Sutter2018-08-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between matches and target, this change affects save_matches_and_target() function. In order to get access to the rule counters, it's declaration is adjusted to receive iptables_command_state pointer instead of match, target and jumpto pointers from the same object. While being at it, integrate jump to user-defined chain into it as well since the related code in both callers was almost identical. Though since different rule flags are used between iptables and ip6tables, pass a 'goto_flag' boolean instead of the actual 'flags' bitfield. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: implement ebtables-{save,restore}Phil Sutter2018-07-191-0/+1
| | | | | | | | | | | | | | | The code for ebtables-restore was derived from legacy code, ebtables-save is actually a new implementation using the existing infrastructure and trying to adhere to legacy perl script output formatting as much as possible. This introduces a new format flag (FMT_EBT_SAVE) to allow nft_bridge_save_rule() to distinguish between ruleset listing (i.e., ebtables -L) and saving via ebtables-save - the two differ in how counters are being formatted. Odd, but that's how it is. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: update kernel netfilter header filesFlorian Westphal2018-06-173-8/+703
| | | | | | needed to get the TRACE definition. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-markJack Ma2018-05-081-0/+5
| | | | | | | | | | | | | | | This patch adds a new feature to iptables that allow bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide uses with more fexible uses of skb->mark and ct->mark. For example, users can save extra bits in skb->mark: skb->mark = ct->mark << 8; Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_srh: support matching previous, next and last SIDAhmed Abdelsalam2018-05-081-2/+41
| | | | | | | | This patch extends the libip6t_srh shared library to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_DNAT: support shifted portmap rangesThierry Du Tre2018-04-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | This is a proposal patch for iptables DNAT extension to support shifted portmap ranges. It is related to the kernel patch proposed in earlier message '[PATCH v5] netfilter : add NAT support for shifted portmap ranges'. A new struct nf_nat_range2 was added as extension for existing struct nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with older kernels is not impacted. The syntax for shifted portmaps uses an extra value in '--to-destination' for setting the base port which determines the offset in the redirect port range for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000' The base port value is totally optional, so current behavior is not impacted in any way. The use of slash '/' as separator is an arbitrary choice, all other suggestions are valid of course (original proposal used semicolon but this was not practical for commandline use) Another approach using an additional option seems also possible (i.e. '--base-port 5000'). However, that would mean more parsing logic with extra lines of code and thus increased risk for regression. Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix rules print/save after iptables updateSerhey Popovych2018-04-271-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating iptables from 1.4.x to 1.6.x brokes rules print/save output and causes rules load after reboot to fail. Here is example from iptables-save(8) output after update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be obtained via iptables -L CHAIN1. While issue reproduced with xt_set match it is not specific to any match or target module: it is related on how xtables handles revisions. In this particular case we have following situation: 1) Kernel supports revisions from 1 to 4. 2) Rules configured with iptables 1.4.x supporting only revisions from 1 to 3. Choosen highest possible revision 3. 3) Rules printed/saved with iptables 1.6.x supporting revisions from 1 to 4. 4) Xtables registers matches/targets with highest supported revision by the kernel. This is 4 in our case after update to iptables 1.6.x. 5) When printing/saving kernel submits match/target with revision it is configured (3), while iptables thinks that rules configured with highest supported (4). That's causes revision mismatch in during print and "[unsupported revision]" output. To fix this issue we now store all supported by kernel and xtables revisions in xt_matches/xt_targets list sorted in descending order. Introduce helper routines to find match/target with given revision and use them to find right revision to print submitted by kernel entry. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to print val[/mask] argumentsSerhey Popovych2018-04-271-0/+9
| | | | | | | | | | | | | | | | There are number of places where argument is in val[/mask] format printed in extensions and some of them may print corresponding symbolic name. By introducing common function for this task we eliminate custom code parts in extensions to perform printing of arguments in required formats. Use xtables_print_mark_mask() helper for extensions without symbolic name for val[/mask]. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to parse val[/mask] argumentsSerhey Popovych2018-04-271-0/+11
| | | | | | | | | | | | | | There are a couple of places in both core and extensions where arguments in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). In some cases symbolic name might be used which is mapped in code to numeric value. Introduce common function to handle both cases where value given is either val[/mask] or symbolic name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add support for 'srh' matchAhmed Abdelsalam2018-01-121-0/+56
| | | | | | | | | This patch adds a new exetension to iptables to supprt 'srh' match The implementation considers revision 7 of the SRH draft. https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07 Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: xt_hashlimit: add rate match modeVishwanath Pai2017-09-081-6/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user specified value. The main difference between the existing algorithm and the new one is that the existing algorithm rate-limits the flow whereas the new algorithm does not. Instead it *classifies* the flow based on whether it is above or below a certain rate. I will demonstrate this with an example below. Let us assume this rule: iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets every second and send 5 packets to "new_chain". But with the new algorithm, as long as the rate of 15/s is sustained, all packets will continue to match and every packet is sent to new_chain. This new functionality will let us classify different flows based on their current rate, so that further decisions can be made on them based on what the current rate is. This is how the new algorithm works: We divide time into intervals of 1 (sec/min/hour) as specified by the user. We keep track of the number of packets/bytes processed in the current interval. After each interval we reset the counter to 0. When we receive a packet for match, we look at the packet rate during the current interval and the previous interval to make a decision: if [ prev_rate < user and cur_rate < user ] return Below else return Above Where cur_rate is the number of packets/bytes seen in the current interval, prev is the number of packets/bytes seen in the previous interval and 'user' is the rate specified by the user. We also provide flexibility to the user for choosing the time interval using the option --hashilmit-interval. For example the user can keep a low rate like x/hour but still keep the interval as small as 1 second. To preserve backwards compatibility we have to add this feature in a new revision, so I've created revision 3 for hashlimit. The two new options we add are: --hashlimit-rate-match --hashlimit-rate-interval I have updated the help text to add these new options. Also added a few tests for the new options. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: support ebpf pinned objectsWillem de Bruijn2016-12-101-1/+24
| | | | | | | | | | | | | | | Exercise the new kernel feature introduced in commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs. The new interface allows instantiating a bpf match using -m bpf --object-pinned ${PATH} where ${PATH} points to a node in a bpf virtual filesystem. See also the revised man page. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support ↵Vishwanath Pai2016-10-041-1/+25
| | | | | | | | | | | | | | | | higher pps rates Create a new revision for the hashlimit iptables extension module. Rev 2 will support higher pps of upto 1 million, Version 1 supports only 10k. To support this we have to increase the size of the variables avg and burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2 and xt_hashlimit_mtinfo2 and also create newer versions of all the functions for match, checkentry and destory. Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix issue with quotesPablo M. Bermudo Garay2016-07-271-0/+2
| | | | | | | | | | | | | | | | | | | | | Some translations included escaped quotes when they were called from nft: $ sudo nft list ruleset table ip mangle { chain FORWARD { type filter hook forward priority -150; policy accept; ct helper \"ftp\" counter packets 0 bytes 0 ^^ ^^ } } This behavior is only correct when xlate functions are called from a xtables-translate command. This patch solves that issue using a new parameter (escape_quotes) in the xlate functions. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: xtables: fix struct definitions grepabilityPablo M. Bermudo Garay2016-07-271-4/+2
| | | | | Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-4/+16
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_NFLOG: nflog-range does not truncate packetsVishwanath Pai2016-07-011-1/+5
| | | | | | | | | | | | | | | | | | | | The option --nflog-range has never worked, but we cannot just fix this because users might be using this feature option and their behavior would change. Instead add a new option --nflog-size. This option works the same way nflog-range should have, and both of them are mutually exclusive. When someone uses --nflog-range we print a warning message informing them that this feature has no effect. To indicate the kernel that the user has set --nflog-size we have to pass a new flag XT_NFLOG_F_COPY_LEN. Also updated the man page to reflect the new option and added tests to extensions/libxt_NFLOG.t Reported-by: Joe Dollard <jdollard@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-4/+4
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* comment: Add translation to nftShivani Bhardwaj2016-02-291-0/+1
| | | | | | | | | | | | | | Add translation for match comment to nftables. This patch also adds the relevant infrastructure for carrying out the translation. Example: $ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block" nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\" Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add xt_xlate_add_comment()Pablo Neira Ayuso2016-02-161-0/+1
| | | | | | | This new function allows us to add comments to the nft rule. This can be used to provide a translation for the comment match. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-8/+8
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: xtables: Add enum for better nft translation codeShivani Bhardwaj2016-02-161-0/+11
| | | | | | | | Add enum xt_op for ease to write cleaner and better code for nft translation. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: xtables: add the infrastructure to translate from iptables to nftPablo Neira Ayuso2016-02-161-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are: 1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg. % iptables-restore-translate -f ipt-ruleset > nft-ruleset % cat nft-ruleset # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter INPUT iifname lo counter accept # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid: ... The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy. 2) iptables-translate which suggests a translation for an iptables command: $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>