summaryrefslogtreecommitdiffstats
path: root/iptables/nft-shared.c
Commit message (Collapse)AuthorAgeFilesLines
* nft: use xtables_print_numPablo Neira Ayuso2013-12-301-28/+4
| | | | | | So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong flags handling in print_firewall_detailsPablo Neira Ayuso2013-12-301-33/+34
| | | | | | | | | | | | | | Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie. Chain INPUT (policy ACCEPT) tcp -f ::/0 ::/0 Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: convert rule into a command state structureTomasz Bursztyka2013-12-301-130/+142
| | | | | | | | This helps to reduce the code complexity to have one single common path for printing, saving and looking up for the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Print unknown target data only when relevantTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Bug is: xtables -N test xtables -A FORWARD -j test xtables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination test all -- anywhere anywhere [0 bytes of unknown target data] Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain test (1 references) target prot opt source destination "[0 bytes of unknown target data]" should not be printed in this case. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Generalize nft_rule_list() against current familyTomasz Bursztyka2013-12-301-0/+239
| | | | | | | | | | Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix -p protocolPablo Neira Ayuso2013-12-301-2/+7
| | | | | | | | The protocol field in both IPv4 and IPv6 headers are 8 bits long, so we have to compare 8 bits. Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Split nft core to become family independantTomasz Bursztyka2013-12-301-0/+418
This makes nft core code independant from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>