path: root/iptables.c
Commit log, newest first. Each entry: commit title [author, date, files changed, lines -removed/+added], followed by the commit message.
* src: replace old IP*T_ALIGN macros  [Jan Engelhardt, 2011-05-12, 1 file, -8/+8]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.  [Maciej Żenczykowski, 2011-04-19, 1 file, -1/+15]
    This enables one to have a single configuration file for both ipv4 and
    ipv6 firewall rules.

    Example:
      iptables-restore config
      ip6tables-restore config

    Where the file 'config' contains:
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :ssh - [0:0]
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A INPUT -m state --state INVALID -j DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -4 -p icmp -j ACCEPT
      -A INPUT -6 -p icmpv6 -j ACCEPT
      -A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
      -A ssh -j ACCEPT
      COMMIT

    Signed-off-by: Maciej Zenczykowski <maze@google.com>
* Merge branch 'opts' of git://dev.medozas.de/iptables  [Patrick McHardy, 2011-04-12, 1 file, -22/+36]
* libxtables: provide better final_check  [Jan Engelhardt, 2011-04-06, 1 file, -14/+4]
    This passes the per-extension data block to the new x6_fcheck function
    pointer, which can then do last alterations without using hacks like
    global variables (think libxt_statistic).

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: guided option parser  [Jan Engelhardt, 2011-04-06, 1 file, -18/+42]
    This patchset seeks to drastically reduce the code in the individual
    extensions by centralizing their argument parsing (breakdown of
    strings), validation, and in part, assignment. As a secondary goal,
    this reduces the number of static storage duration variables in flight.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* move 'int line' definition from ip6?tables.c into xtables.c  [Maciej Zenczykowski, 2011-04-05, 1 file, -6/+0]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* v4: rename do_command() to do_command4()  [Maciej Zenczykowski, 2011-04-04, 1 file, -3/+3]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* v4: rename print_rule() to print_rule4()  [Maciej Zenczykowski, 2011-04-04, 1 file, -2/+2]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* v4: rename delete_chain() to delete_chain4()  [Maciej Zenczykowski, 2011-04-04, 1 file, -3/+3]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* v4: rename flush_entries() to flush_entries4()  [Maciej Zenczykowski, 2011-04-04, 1 file, -3/+3]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* v4: rename for_each_chain() to for_each_chain4()  [Maciej Zenczykowski, 2011-04-04, 1 file, -4/+4]
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: add -C to check for existing rules  [Stefan Tomanek, 2011-03-08, 1 file, -6/+54]
    It is often useful to check whether a specific rule is already present
    in a chain without actually modifying the iptables config. Services
    like fail2ban usually employ techniques like grepping through the
    output of "iptables -L" which is quite error prone.

    This patch adds a new operation -C to the iptables command which mostly
    works like -D; it can detect and indicate the existence of the
    specified rule by modifying the exit code.

    The new operation TC_CHECK_ENTRY uses the same code as the -D
    operation, whose functions got a dry-run parameter appended.

    Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix segfault target option parsing  [Jan Engelhardt, 2011-02-11, 1 file, -3/+3]
    With v1.4.10-58-g94e247b, target option parsing started to happen in
    the wrong case.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix error message for unknown options  [Jan Engelhardt, 2011-02-07, 1 file, -10/+7]
    -From: iptables v1.4.10: option "-q" requires an argument
    +To:   iptables v1.4.10: unknown option "-q"

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move match option handling from do_command6 into its own functions  [Jan Engelhardt, 2011-02-07, 1 file, -30/+29]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move jump option handling from do_command6 into its own function  [Jan Engelhardt, 2011-02-07, 1 file, -38/+41]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: unclutter command_default function  [Jan Engelhardt, 2011-02-07, 1 file, -62/+47]
    (Essentially, 5 levels of indentation have been stripped compared to
    the original layout, and this is surely a result that looks a lot
    better than it did before.)

    Things to note:

    1. If the m->parse call succeeded, we can return from the function and
       do not need to go through the other code. As such, "m" is
       guaranteed to be useless at the end of the match loop, and so,
       conditions can be removed.

    2. Since the per-extension parse functions only ever get their own
       option codes (since v1.4.10-26-gd09b6d5), their return value no
       longer has a meaning and can be ignored.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: deduplicate and simplify implicit protocol extension loading  [Jan Engelhardt, 2011-02-07, 1 file, -33/+1]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: put shared option flags into xshared  [Jan Engelhardt, 2011-02-07, 1 file, -14/+2]
    This will be needed for the find_proto function.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move OPT_FRAGMENT to the end so the list can be shared  [Jan Engelhardt, 2011-02-07, 1 file, -11/+11]
* src: deduplicate find_proto function  [Jan Engelhardt, 2011-02-07, 1 file, -35/+0]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: share iptables_command_state across the two programs  [Jan Engelhardt, 2011-02-07, 1 file, -12/+0]
    struct iptables_command_state and quite a bit of the code looks worthy
    of deduplication.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move large default: block from do_command6 into its own function  [Jan Engelhardt, 2011-02-06, 1 file, -104/+115]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: collect do_command variables in a struct  [Jan Engelhardt, 2011-02-06, 1 file, -158/+165]
    This will make it easier to put the code for the cases into separate
    functions.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespaces  [Jan Engelhardt, 2011-01-31, 1 file, -19/+17]
    Due to the use of printf("foobar "), iptables emits spaces at the
    end-of-line, which looks odd to some users because it causes the
    terminal to wrap even if there is seemingly nothing to print. It may
    also have other points of annoyance, such as mailers interpreting a
    trailing space as an indicator that the paragraph continues when
    format=flowed is also on. And git highlights trailing spaces in red,
    so let's avoid :)

    Preexisting inconsistencies in outputting spaces in the right spot are
    also addressed right away.

    References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip[6]tables: only call target's parse function when option char is in range  [Jan Engelhardt, 2011-01-08, 1 file, -0/+2]
    Same as previous commit. Doing this actually allows to remove code
    that is no longer needed.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip[6]tables: only call match's parse function when option char is in range  [Jan Engelhardt, 2011-01-08, 1 file, -0/+3]
    Normally, extensions use a "default:" case in switch(c) to just return
    if they do not handle c. Apparently, libip6t_hl does that too late and
    checks for hl-specific parsing state before it has established that c
    refers to one of its own options. Also affected: libipt_ttl,
    libxt_ipvs, libxt_policy, libxt_statistic.

    One way to fix this is to move the flags checks into case '2', '3',
    '4'. Doing this replication feels bad, so as an alternative, let's
    just free extensions from having to deal with other extension's
    options passing thru.

    References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: abort on empty interface specification  [Jan Engelhardt, 2011-01-08, 1 file, -0/+8]
    Fiedler Roman brings to attention that if, in a faulty script,
    "$some_variable" expands to an empty string, iptables should probably
    catch this most likely undesired invocation. If no/all interfaces were
    really desired, one can either omit -i completely, or use -i +.

    References: http://marc.info/?l=netfilter&m=129439862903487&w=2
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX types  [Jan Engelhardt, 2011-01-08, 1 file, -8/+8]
    "u_int" was a non-standardized extension predating C99 on some
    platforms.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: const annotations  [Jan Engelhardt, 2010-12-18, 1 file, -12/+13]
    Also one int -> uint here on the way through.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: reset options at the start of each command  [Jan Engelhardt, 2010-11-28, 1 file, -1/+1]
    For each new command, iptables is supposed to start afresh with a
    blank option set (opts) that only contains the program-specific
    options (orig_opts), without any extension options. We failed to
    restore this pointer (in function do_command) after the previous free
    call in xtables_free_opts.

    Reported-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix longopt recognition and workaround getopt(3) behavior  [Jan Engelhardt, 2010-11-15, 1 file, -0/+1]
    * On the first call to getopt, opts was NULL, so long options would
      not be recognized until a match/target was loaded.

    Whacky getopt behavior:

    * If the longopts parameter is NULL, getopt fails to recognize unknown
      options, such that `iptables-multi main --append` will print a
      garbage help message ("main needs an argument").

    * If the longopts parameter is NULL on the first call, but not on
      subsequent calls, it completely screws up option parsing, taking the
      --dport in `iptables-multi main -A INPUT -p tcp --dport 1000` as
      --destination instead, but not accepting "--destination 1.2.3.4"
      either.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: change option precedence order to be intuitive  [Jan Engelhardt, 2010-10-29, 1 file, -4/+9]
    When using `-m mark --mark 2 -m connmark --mark 2`, the user currently
    gets an error about the (libxt_mark) --mark option being used twice.
    This is because libxt_connmark's option table does not override any
    previous options. This patch changes this behavior, since the current
    behavior does not allow connmark's option to be used at all, which is
    illogical.

    Cc: Florian Westphal <fw@strlen.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: limit chain name length to be consistent with targets  [Jan Engelhardt, 2010-09-13, 1 file, -3/+3]
    Creation of chain names longer than the ones being able to jump to
    should be inhibited for consistency.

    References: http://marc.info/?l=netfilter-devel&m=128397022618316&w=2
    Cc: Stig Thormodsrud <stig@vyatta.com>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: remove xtables_set_revision function  [Jan Engelhardt, 2010-06-07, 1 file, -7/+4]
    Since iptables uses its own copies of the header files anyway where
    the revision field is exposed, there is no reach to access name[]
    beyond its size.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: another try at chain name length checking  [Jan Engelhardt, 2010-06-07, 1 file, -2/+2]
    Since XT_EXTENSION_MAXNAMELEN is now available, make use of it and
    clear the confusion.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: add noreturn attribute to exit_tryhelp()  [Dmitry V. Levin, 2010-05-14, 1 file, -1/+1]
    Found by gcc -Wmissing-noreturn.

    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: correctly check for too-long chain/target/match names  [Jan Engelhardt, 2010-03-16, 1 file, -2/+2]
    * iptables-restore was not checking for chain name length
    * iptables was not checking for match name length
    * target length was checked against 32, not 29.

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: take masks into consideration for replace command  [Jan Engelhardt, 2009-11-15, 1 file, -4/+6]
    The two commands:

      -A OUTPUT -d 10.11.12.13/32 -j LOG
      -R OUTPUT 1 -j LOG -d 10.11.12.13

    will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
    (No regression, this problem was there forever.)

    Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables/extensions: make bundled options work again  [Jan Engelhardt, 2009-11-03, 1 file, -6/+6]
    When using a bundled option like "-ptcp", 'argv[optind-1]' would
    logically point to "-ptcp", but this is obviously not right. 'optarg'
    is needed instead, which is properly offset to "tcp".

    Not all places change optind-based access to optarg; where look-ahead
    is needed, such as for tcp's --tcp-flags option for example, optind is
    ok.

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverse  [Jan Engelhardt, 2009-11-03, 1 file, -5/+5]
    In going to fix NF bug #611, "argv" is needed in xtables_check_inverse
    to set "optarg" to the right spot in case of an intrapositional
    negation.

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix undersized deletion mask creation  [Jan Engelhardt, 2009-10-29, 1 file, -6/+8]
    The mask created for the -D rulespec is simply too small.
    xtables_targets points to whatever target has last been loaded, so
    xtables_targets->size is quite almost wrong, as we need to use the
    size of the target for the specific rule that is about to be deleted.

    This bug existed ever since iptables history is tracked, and requires
    certain circumstances to be visible, where the deletion operation is
    one. Furthermore, multiple userspace target extensions must have been
    loaded, and a target B whose .size is smaller than the target A of the
    rule we are about to delete must have been loaded more recently than
    target A.

    The minimal testcase is (rule 60007 gets wrongly removed)

      *nat
      -F
      -X
      -A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
      -A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
      -A POSTROUTING -p udp -j CONNMARK --set-mark 0
      -D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
      COMMIT

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: expose option to zero packet/byte counters for a specific rule  [Mohit Mehta, 2009-08-20, 1 file, -7/+24]
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: allow for help-less extensions  [Jan Engelhardt, 2009-06-26, 1 file, -16/+2]
    This is for extensions that do not take any options, and which
    subsequently do not offer any help text either.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: allow for parse-less extensions  [Jan Engelhardt, 2009-06-26, 1 file, -4/+5]
    This means we can do some code removal in extensions.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: accept multiple IP address specifications for -s, -d  [Michael Granzow, 2009-06-26, 1 file, -12/+30]
    libiptc already supports adding and deleting multiple rules with
    different addresses, so it only needs to be wired up to the options.

      # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP

    References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

    Adjustments made: syntax, removal of unneeded variables, manpage
    adjustment, soversion bump.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: print negation extrapositioned  [Jan Engelhardt, 2009-04-04, 1 file, -6/+6]
    This patch combines the two referenced ones by Peter. I did a quick
    extra audit to spot and fix the missing ip6tables parts. (People like
    to forget ip6tables it seems.) Extension modules were, to the best of
    my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.

    Reported-by: Yar Odin <yarodin@gmail.com>
    References: http://bugs.gentoo.org/264089
    Reported-by: Peter Volkov <pva@gentoo.org>
    References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
    References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge commit 'nf/master'  [Jan Engelhardt, 2009-03-15, 1 file, -2/+1]
* iptables: fix broken options-merging during libxtables rework  [Pablo Neira Ayuso, 2009-03-03, 1 file, -2/+1]
    This patch fixes options-merging that was broken somewhere during the
    libxtables rework. Before this patch, two pointers were used to keep
    the current options, however, the options field in xt_params was not
    appropriately updated. Thus, xtables_free_opts() was not restoring the
    original options.

    This patch fixes iptables-restore and ip6tables-restore that stopped
    working in my personal firewall.

      % iptables-restore
      *filter
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
      Error occurred at line: 4
      Try `iptables-restore -h' or 'iptables-restore --help' for more information.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: turn deprecation warning into enforcing mode  [Jan Engelhardt, 2009-03-15, 1 file, -4/+3]
    The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72
    with a warning "next release". Next release is coming up, so enforce
    it.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>