| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This patch removes nft_arp_rule_new, which almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The following patch implements the is_same operation
for ARP family needed for searching arp rule.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This should help Giuseppe with his ARP support works, this change
was missing in (618309c nft: refactoring parse operations for more
genericity).
Based on patch from Giuseppe.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This allows to reuse the nft_parse_* function for the bridge and
arp family (not yet supported).
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have
to add an specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, ie.
Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0
Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other family such
as ARP which will be useful for arptables compatibility tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Move specific layer 3 protocol post argument parsing code
to the respective nft-ipv[4|6].c files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
This makes nft core code independant from the family. Each family needs
to implement and provide a struct nft_family_ops {}.
This split will ease the future support of bridge and arp rules manipulations.
[ updated header files and rebased upon the current tree --pablo ]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
