summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libebt_ip: Include kernel headerPhil Sutter14 days1-3/+12
| | | | | | | Update the local copy of linux/netfilter_bridge/ebt_ip.h and include it instead of keeping the local copy of struct ebt_ip_info et al. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: un-break among match with concatenationFlorian Westphal2022-09-221-8/+475
| | | | | | | | | | The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags") breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but doesn't set the CONCAT flag. Update uapi header and also set CONCAT. Signed-off-by: Florian Westphal <fw@strlen.de>
* netfilter: add nf_log.hMarkus Mayer2022-06-281-0/+15
| | | | | | | | | | Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should be bundled alongside the other netfilter kernel headers. This copy of nf_log.h was taken from Linux 5.18. Signed-off-by: Markus Mayer <mmayer@broadcom.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Define XT_OPTION_OFFSET_SCALE in xtables.hPhil Sutter2022-06-231-0/+3
| | | | | | | | This is the last symbol in xshared.h used by libxtables, move it over. Again, treat this as "implementation detail" and hence put it behind XTABLES_INTERNAL-curtains. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Move struct xtables_afinfo into xtables.hPhil Sutter2022-06-231-0/+22
| | | | | | | | | | | | | The library "owns" this structure and maintains 'afinfo' pointer to instances of it. With libxt_set, there's even an extension making use of the data. To avoid impact on library users, guard it by XTABLES_INTERNAL. To eliminate the xshared.h include by libxt_set, DEBUGP has to be redefined. Other extensions have similar defines, fix this later. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Unexport init_extensions*() declarationsPhil Sutter2022-06-071-22/+22
| | | | | | | | | | | | | | The functions are used for static builds to initialize extensions after libxtables init. Regular library users should not need them, but the empty declarations introduced in #else case (and therefore present in user's env) may clash with existing symbol names. Avoid problems and guard the whole block declaring the function prototypes and mangling extensions' _init functions by XTABLES_INTERNAL. Reported-by: Nick Hainke <vincent@systemli.org> Fixes: 6c689b639cf8e ("Simplify static build extension loading") Signed-off-by: Phil Sutter <phil@nwl.cc>
* treewide: use uint* instead of u_int*Nick Hainke2022-05-183-6/+6
| | | | | | | | | | | | | | | | | | | | Gcc complains about missing types. Some commits introduced u_int* instead of uint*. Use uint treewide. Fixes errors in the form of: In file included from xtables-legacy-multi.c:5: xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'? 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, | ^~~~~~~~~ | uint16_t make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1 Avoid libipq API breakage by adjusting libipq.h include accordingly. For arpt_mangle.h kernel uAPI header, apply same change as in kernel commit e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t"). Signed-off-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Revert change to struct xtables_pprotPhil Sutter2022-05-111-1/+1
| | | | | | | | | | | | While protocol values may exceed eight bits, the data structure is indeed used only to store the static list of name/value pairs for faster lookups. None of those has such a value and if one is added in future, the compiler will complain about it. So restore the old field type to retain binary compatibility. Fixes: 556f704458cdb ("Use proto_to_name() from xshared in more places") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Drop xtables_globals 'optstring' fieldPhil Sutter2022-05-111-1/+0
| | | | | | | | | | | Define the different optstrings in xshared.h instead, they are not relevant for other libxtables users. This is a partial revert of commit 65b150ae382a8 ("xshared: Store optstring in xtables_globals") to avoid breaking libxtables' ABI compatibility. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Extend xtables_printhelp() for arptablesPhil Sutter2022-05-111-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | The function checks afinfo->family already to cover ip6tables specifics, doing the same for arptables does not make things much worse. This changes arptables-nft help output slightly: * List possible negations extrapositioned, which is preferred anyway (arptables-nft supports both) * List --out-interface option at lexically sorted position * Print --wait option, it's ignored just like with iptables * Restore default target option printing as with legacy arptables (not sure if arptables-nft ever did this) by explicitly loading them. While being at it, add --set-counters short option '-c' to help output for ip(6)tables. This effectively removes the need for (and all users of) xtables_global's 'print_help' callback, thus effectively reverts commit fe83b12fc910e ("libxtables: Introduce xtables_globals print_help callback") which broke libxtables' ABI compatibility. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Boost rule target checks by announcing chain namesPhil Sutter2022-03-171-0/+3
| | | | | | | | | | | | | | | | | When restoring a ruleset, feed libxtables with chain names from respective lines to avoid an extension search. While the user's intention is clear, this effectively disables the sanity check for clashes with target extensions. But: * The check yielded only a warning and the clashing chain was finally accepted. * Users crafting iptables dumps for feeding into iptables-restore likely know what they're doing. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* Simplify static build extension loadingPhil Sutter2022-03-151-0/+9
| | | | | | | | | | Instead of guarding all calls to init_extensions*(), define stubs if not used. While at it, also add the missing prototypes for arp- and ebtables extension initializers. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_globals print_help callbackPhil Sutter2021-10-201-0/+1
| | | | | | | | With optstring being stored in struct xtables_globals as well, it is a natural choice to store a pointer to a help printer also which matches the supported options. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Store optstring in xtables_globalsPhil Sutter2021-10-201-0/+1
| | | | | | | | | | | Preparing for a common option parser, store the string of options for each family inside the respective xtables_globals object. The array of long option definitions sitting in there already indicates it's the right place. While being at it, drop '-m' support from arptables-nft. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: extend xlate infrastructurePablo Neira Ayuso2021-06-071-0/+6
| | | | | | | | | | | | | | This infrastructure extends the existing xlate infrastructure: - Extensions can define set dependencies through .xlate. The resulting set definition can be obtained through xt_xlate_set_get(). - Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch the family. The first client of this new xlate API is the connlimit extension, which is added in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-071-0/+1
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Use proto_to_name() from xshared in more placesPhil Sutter2021-05-171-1/+1
| | | | | | | | | | Share the common proto name lookup code. While being at it, make proto number variable 16bit, values may exceed 256. This aligns iptables-nft '-p' argument printing with legacy iptables. In practice, this should make a difference only in corner cases. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: SECMARK: Implement revision 1Phil Sutter2021-05-041-0/+6
| | | | | | | | | The changed data structure for communication with kernel allows to exclude the field 'secid' which is populated on kernel side. Thus this fixes the formerly always failing extension comparison breaking rule check and rule delete by content. Signed-off-by: Phil Sutter <phil@nwl.cc>
* include: Drop libipulog.hPhil Sutter2021-02-171-39/+0
| | | | | | | | The file is not included anywhere, also it seems outdated compared to the one in libnetfilter_log (which also holds the implementation). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-031-0/+3
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: Fix for failing 'make uninstall'Phil Sutter2020-06-091-0/+5
| | | | | | | | | | | | | | | | | | | | | Support for uninstalling is severely broken: - extensions/GNUmakefile.in defines an 'install' target but lacks a respective 'uninstall' one, causing 'make uninstall' abort with an error message. - iptables/Makefile.am defines an 'install-exec-hook' to create the binary symlinks which are left in place after 'make uninstall'. Fix these problems by defining respective targets containing code copied from automake-generated uninstall targets. While being at it, add a few more uninstall-hooks removing custom directories created by 'make install' if they are empty afterwards. Reported-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Richard Guy Briggs <rgb@redhat.com>
* include: Avoid undefined left-shift in xt_sctp.hPhil Sutter2020-05-291-3/+3
| | | | | | | | | | | | | Pull the fix in kernel commit 164166558aace ("netfilter: uapi: Avoid undefined left-shift in xt_sctp.h") into iptables repository. The original description is: With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is undefined for the signed 32-bit value 1. Avoid this by declaring 1 as unsigned. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_fini()Phil Sutter2020-05-111-0/+1
| | | | | | | | | | | | Record handles of loaded shared objects in a linked list and dlclose() them from the newly introduced function. While functionally not necessary, this clears up valgrind's memcheck output when also displaying reachable memory. Since this is an extra function that doesn't change the existing API, increment both current and age. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: IDLETIMER: Add alarm timer optionManoj Basapathi2020-04-161-0/+12
| | | | | | | | | | | | | | Introduce "--alarm" option for idletimer rule. If it is present, hardidle-timer is used, else default timer. The default idletimer starts a deferrable timer or in other words the timer will cease to run when cpu is in suspended state. This change introduces the option to start a non-deferrable or alarm timer which will continue to run even when the cpu is in suspended state. Signed-off-by: Manoj Basapathi <manojbm@codeaurora.org> Signed-off-by: Sauvik Saha <ssaha@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_infoJuliana Rodrigueiro2019-08-201-0/+5
| | | | | | | | | | | | | | | | When running a 64-bit kernel with a 32-bit iptables binary, the size of the xt_nfacct_match_info struct diverges. kernel: sizeof(struct xt_nfacct_match_info) : 40 iptables: sizeof(struct xt_nfacct_match_info)) : 36 This patch is the userspace fix of the memory misalignment. It introduces a v1 ABI with the correct alignment and stays compatible with unfixed revision 0 kernels. Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_owner: Add supplementary groups optionLukasz Pawelczyk2019-06-191-3/+4
| | | | | | | | The --suppl-groups option causes GIDs specified with --gid-owner to be also checked in the supplementary groups of a process. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace IPTABLES_VERSION by PACKAGE_VERSIONJan Engelhardt2019-05-301-2/+0
| | | | | | | | | | | | | The IPTABLES_VERSION C macro replicates the PACKAGE_VERSION C macro (both have the same definition, "@PACKAGE_VERSION@"). Since IPTABLES_VERSION, being located in internal.h, is not exposed to downstream users in any way, it can just be replaced by PACKAGE_VERSION, which saves a configure-time file substitution. This goes towards eliminating unnecessary rebuilds after rerunning ./configure. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: extend the headers conflict workaround to in6.hBaruch Siach2018-12-031-1/+1
| | | | | | | | | | | | | Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2") introduced a kernel/user headers conflict workaround that allows build of iptables with kernel headers older than 4.2. This minor extension allows build with kernel headers older than 3.12, which is the version that introduced explicit IP headers synchronization. Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2") Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix build with kernel headers before 4.2Baruch Siach2018-11-171-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit 672accf1530 (include: update kernel netfilter header files) updated linux/netfilter.h and brought with it the update from kernel commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h from netns headers). This triggers conflict of headers that is fixed in kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with netinet/in.h) included in kernel version 4.2. For earlier kernel headers we need a workaround that prevents the headers conflict. Fixes the following build failure: In file included from .../sysroot/usr/include/netinet/ip.h:25:0, from ../include/libiptc/ipt_kernel_headers.h:8, from ../include/libiptc/libiptc.h:6, from libip4tc.c:29: .../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’ IPPROTO_IP = 0, /* Dummy protocol for TCP */ ^ .../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here IPPROTO_IP = 0, /* Dummy protocol for TCP. */ ^~~~~~~~~~ Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Extend struct xtc_opsPhil Sutter2018-11-131-0/+5
| | | | | | | Add a few more callbacks used by iptables-save. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: add 'printf' attribute to xlate_addFlorian Westphal2018-11-121-1/+1
| | | | | | | | | | | | | | This allows gcc to check format string vs. passed arguments. Fix the fallout from this as well, typical warning produced is: libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=] xt_xlate_add(xl, "and 0x%x %s0 ", info->mask, ... ~^ ~~~~~~~~~~ so add the required casts or fixup format strings as needed. libxt_conntrack also passed an unneeded argument (port), so remove that. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-071-0/+3
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-202-45/+12
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-201-17/+5
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* Revert "extensions: libxt_quota: Allow setting the remaining quota"Pablo Neira Ayuso2018-10-191-5/+3
| | | | | | | This reverts commit 0a8f2bcadff157489a737f8cc8846adcb750b91f. Google folks are reporting some issues with 32-bits arch, let's revert this until we have a new version for this.
* xtables: Remove target_maxnamelen fieldPhil Sutter2018-10-151-1/+0
| | | | | | | | | | | | This is a partial revert of commit 9f075031a1973 ("Combine parse_target() and command_jump() implementations"): Upstream prefers to reduce max chain name length of arptables by two characters instead of the introduced struct xtables_globals field which requires to bump library API version. Fixes: 9f075031a1973 ("Combine parse_target() and command_jump() implementations") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_quota: Allow setting the remaining quotaChenbo Feng2018-10-091-3/+5
| | | | | | | | | | | | | | | | The current xt_quota module cannot track the current remaining quota of a specific rule. Everytime an unrelated rule is updated in the same iptables table, the quota will be reset. This is not a very useful function for iptables that get changed at run time. This patch fixes the above problem by adding a new field in the struct that records the current remaining quota. Fixed a print out bug in verbose print out wrt. inversion. Signed-off-by: Chenbo Feng <fengc@google.com> Suggested-by: Maciej Żenczykowski <maze@google.com> Reviewed-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Combine parse_target() and command_jump() implementationsPhil Sutter2018-09-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Merge these two functions from xtables, iptables, ip6tables and arptables. Both functions were basically identical in the first three, only the last one required a bit more attention. To eliminate access to 'invflags' in variant-specific location, move the call to set_option() into callers. This is actually consistent with parsing of other options in them. As with command_match(), use xt_params instead of the different *_globals objects to refer to 'opts' and 'orig_opts'. It was necessary to rename parse_target() as it otherwise clashes with a static function of same name in libxt_SET. In arptables, the maximum allowed target name is a bit larger, so introduce xtables_globals.target_maxnamelen defining the value. It is used in the shared xt_parse_target() implementation. Implementation of command_jump() in arptables diverted from the others for no obvious reason. The call to parse_target() was done outside of it and a pointer to cs->arp was passed but not used inside. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add cgroup revision 2Pablo Neira Ayuso2018-09-181-3/+20
| | | | | | Just like revision v1, but cgroup path field is smaller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix for wrong counter format in -S outputPhil Sutter2018-08-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between matches and target, this change affects save_matches_and_target() function. In order to get access to the rule counters, it's declaration is adjusted to receive iptables_command_state pointer instead of match, target and jumpto pointers from the same object. While being at it, integrate jump to user-defined chain into it as well since the related code in both callers was almost identical. Though since different rule flags are used between iptables and ip6tables, pass a 'goto_flag' boolean instead of the actual 'flags' bitfield. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: implement ebtables-{save,restore}Phil Sutter2018-07-191-0/+1
| | | | | | | | | | | | | | | The code for ebtables-restore was derived from legacy code, ebtables-save is actually a new implementation using the existing infrastructure and trying to adhere to legacy perl script output formatting as much as possible. This introduces a new format flag (FMT_EBT_SAVE) to allow nft_bridge_save_rule() to distinguish between ruleset listing (i.e., ebtables -L) and saving via ebtables-save - the two differ in how counters are being formatted. Odd, but that's how it is. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: update kernel netfilter header filesFlorian Westphal2018-06-173-8/+703
| | | | | | needed to get the TRACE definition. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-markJack Ma2018-05-081-0/+5
| | | | | | | | | | | | | | | This patch adds a new feature to iptables that allow bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide uses with more fexible uses of skb->mark and ct->mark. For example, users can save extra bits in skb->mark: skb->mark = ct->mark << 8; Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_srh: support matching previous, next and last SIDAhmed Abdelsalam2018-05-081-2/+41
| | | | | | | | This patch extends the libip6t_srh shared library to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_DNAT: support shifted portmap rangesThierry Du Tre2018-04-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | This is a proposal patch for iptables DNAT extension to support shifted portmap ranges. It is related to the kernel patch proposed in earlier message '[PATCH v5] netfilter : add NAT support for shifted portmap ranges'. A new struct nf_nat_range2 was added as extension for existing struct nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT revisions for Ipv4 (rev 0) and IPv6 (rev 1) are kept so functionality with older kernels is not impacted. The syntax for shifted portmaps uses an extra value in '--to-destination' for setting the base port which determines the offset in the redirect port range for incoming connections. i.e. : iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000' The base port value is totally optional, so current behavior is not impacted in any way. The use of slash '/' as separator is an arbitrary choice, all other suggestions are valid of course (original proposal used semicolon but this was not practical for commandline use) Another approach using an additional option seems also possible (i.e. '--base-port 5000'). However, that would mean more parsing logic with extra lines of code and thus increased risk for regression. Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Fix rules print/save after iptables updateSerhey Popovych2018-04-271-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating iptables from 1.4.x to 1.6.x brokes rules print/save output and causes rules load after reboot to fail. Here is example from iptables-save(8) output after update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be obtained via iptables -L CHAIN1. While issue reproduced with xt_set match it is not specific to any match or target module: it is related on how xtables handles revisions. In this particular case we have following situation: 1) Kernel supports revisions from 1 to 4. 2) Rules configured with iptables 1.4.x supporting only revisions from 1 to 3. Choosen highest possible revision 3. 3) Rules printed/saved with iptables 1.6.x supporting revisions from 1 to 4. 4) Xtables registers matches/targets with highest supported revision by the kernel. This is 4 in our case after update to iptables 1.6.x. 5) When printing/saving kernel submits match/target with revision it is configured (3), while iptables thinks that rules configured with highest supported (4). That's causes revision mismatch in during print and "[unsupported revision]" output. To fix this issue we now store all supported by kernel and xtables revisions in xt_matches/xt_targets list sorted in descending order. Introduce helper routines to find match/target with given revision and use them to find right revision to print submitted by kernel entry. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to print val[/mask] argumentsSerhey Popovych2018-04-271-0/+9
| | | | | | | | | | | | | | | | There are number of places where argument is in val[/mask] format printed in extensions and some of them may print corresponding symbolic name. By introducing common function for this task we eliminate custom code parts in extensions to perform printing of arguments in required formats. Use xtables_print_mark_mask() helper for extensions without symbolic name for val[/mask]. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to parse val[/mask] argumentsSerhey Popovych2018-04-271-0/+11
| | | | | | | | | | | | | | There are a couple of places in both core and extensions where arguments in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). In some cases symbolic name might be used which is mapped in code to numeric value. Introduce common function to handle both cases where value given is either val[/mask] or symbolic name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add support for 'srh' matchAhmed Abdelsalam2018-01-121-0/+56
| | | | | | | | | This patch adds a new exetension to iptables to supprt 'srh' match The implementation considers revision 7 of the SRH draft. https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07 Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: xt_hashlimit: add rate match modeVishwanath Pai2017-09-081-6/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user specified value. The main difference between the existing algorithm and the new one is that the existing algorithm rate-limits the flow whereas the new algorithm does not. Instead it *classifies* the flow based on whether it is above or below a certain rate. I will demonstrate this with an example below. Let us assume this rule: iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets every second and send 5 packets to "new_chain". But with the new algorithm, as long as the rate of 15/s is sustained, all packets will continue to match and every packet is sent to new_chain. This new functionality will let us classify different flows based on their current rate, so that further decisions can be made on them based on what the current rate is. This is how the new algorithm works: We divide time into intervals of 1 (sec/min/hour) as specified by the user. We keep track of the number of packets/bytes processed in the current interval. After each interval we reset the counter to 0. When we receive a packet for match, we look at the packet rate during the current interval and the previous interval to make a decision: if [ prev_rate < user and cur_rate < user ] return Below else return Above Where cur_rate is the number of packets/bytes seen in the current interval, prev is the number of packets/bytes seen in the previous interval and 'user' is the rate specified by the user. We also provide flexibility to the user for choosing the time interval using the option --hashilmit-interval. For example the user can keep a low rate like x/hour but still keep the interval as small as 1 second. To preserve backwards compatibility we have to add this feature in a new revision, so I've created revision 3 for hashlimit. The two new options we add are: --hashlimit-rate-match --hashlimit-rate-interval I have updated the help text to add these new options. Also added a few tests for the new options. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>