| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
This uncovered broken translation of ethernet + mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
kernel would reject ip, ip6 etc. without -p ip, -p ip6.
So add it. On reverse, search the match list to decide if -p
has to be translated or not.
Also, icmp and icmpv6 also imply l3 protocol, so no need to translate
that either.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow checking for an all-zero mac address by replacing checks on the
address with a check on the option flag.
Its set when '-d' or '-s' appears on the command line and when seeing
a linklayer payload request for ether s/daddr.
Same for -p: s this flag gets removed during getopt when 'p' is encountered.
So, if its set, no need to check protocol type.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Reduces repetition, follow patch adds back suppression of
src/dst mac when it was not given.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
They don't exist in the legacy ABI, so don't pretend otherwise.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
before:
Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out notlogout -j CONTINUE
--logical-out logout -j CONTINUE
after:
Bridge chain: OUTPUT, entries: 5, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out ! notlogout -j CONTINUE
--logical-out logout -j CONTINUE
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
nft_bridge_print_firewall
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Use iptables_command_state instead.
This allows to re-use code from the ip(6)tables layer and
reduces cop&pasted code.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
no need to and with all-ones mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Mask needs to be all-ones, else we print
<macaddr>/ff:ff:ff:ff:ff:ff
but such a mask is redundant, we can omit the mask.
ebtables does this correctly.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.
Explicitly request libnftnl 1.0.5 at configure stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Before this patch, rule deleting with -D produces segfault in rules
with no target.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's give support for the nflog extension (a watcher).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
ebtables watchers are targets which always return EBT_CONTINUE.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information
from packets in the bridge family.
Let's allow the add_payload() function to know in which base it should work.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Counters are missing in ebtables rules.
This patch includes them just before the target, so counters are incremented
when the rule is about to take his action.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The compat information is required by some ebtables extensions to properly
work.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit bc543af ("ebtables-compat: fix segfault in rules w/o target")
doesn't handle all possible cases of target printing, and ACCEPT is left
behind.
BTW, the logic of target (-j XXX) printing is a bit weird. This patch
simplifies it.
I assume:
* cs->jumpto is only filled by nft_immediate.
* cs->target is only filled by nft_target.
So we end with these cases:
* nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain)
Then cs->jumpto contains the target already. We have the rule.
* No standard target. If nft_target contains a target, try to load it.
* Neither nft_target nor nft_immediate exist. Then, assume CONTINUE.
The printing path is then straight forward: either cs.jumpto or cs.target
contains the target.
As there isn't support for target extensions yet, there is no way to test the
nft_target (cs.target) path.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a segfault in rules without target.
Now, these two rules are allowed:
% ebtables-compat -A FORWARD -p 0x0600 -j CONTINUE
% ebtables-compat -A FORWARD -p 0x0600
And both are printed:
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x600 -j CONTINUE
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fix printing of ebt extensions:
% sudo ebtables-compat -L
[...]
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--802_3-type 0x0012 -j ACCEPT
[...]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch:
% sudo ebtables-compat -L --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
-j ACCEPT , pcnt = 123 -- bcnt = 123
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command: Result:
-L Always RETURN for user-defined chains
-P builtin RETURN Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP ok
-P userdefined RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
-N userdefined ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes inversion of builtin matches by updating the use of add_*()
functions and using nft_invflags2cmp() as well.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, no '!' is printed in payload comparisions.
This patch solves it, so we can print for example inverted protocols:
% ebtables-compat -L
[...]
-p ! 0x800 -j ACCEPT
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This prints the header like ebtables.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
And introduce fake ebt_entry.
This gets the code in sync in other existing compat tools. This
will likely allow to consolidate common infrastructure.
This code is still quite experimental.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.
[ Original patches:
http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/
I have also forward port them on top of the current git HEAD, otherwise
compilation breaks.
This bootstrap is experimental, this still needs more work. --Pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|