summaryrefslogtreecommitdiffstats
path: root/iptables/nft-shared.c
Commit message (Collapse)AuthorAgeFilesLines
...
* nft: fix bad length when comparing extension data areaPablo Neira Ayuso2013-12-301-4/+2
| | | | | | | | | | | | | | | | Use ->userspacesize to compare the extension data area, otherwise we also compare the internal private pointers which are only meaningful to the kernelspace. This fixes: xtables -4 -D INPUT -m connlimit \ --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr But it also fixes many other matches/targets which use internal private data. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass ipt_entry to ->save_firewall hookPablo Neira Ayuso2013-12-301-2/+2
| | | | | | | | | | | | The extension needs the ipt_entry not to crash. Since cs->fw actually points to an union that also contains cs->fw6, just pass cs->fw to make it work. This fixes: -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong target sizeTomasz Bursztyka2013-12-301-2/+5
| | | | | | | The allocated area was not aligned. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Header inclusion missingTomasz Bursztyka2013-12-301-0/+1
| | | | | | | | | | | | Fixes compilation issues. nft-shared.c: In function ‘nft_ipv46_rule_find’: nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration] nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function) nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adapt nft_rule_expr_get to use uint32_t instead of size_tPablo Neira Ayuso2013-12-301-4/+4
| | | | | | | According to libnftables change 437d610, now the length obtained via getter function is uint32_t, not size_t anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_find for ARP, IPv4 and IPv6Pablo Neira Ayuso2013-12-301-0/+86
| | | | | | | | | This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: bootstrap ARP compatibility layer for nftablesGiuseppe Longo2013-12-301-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix a minor compilation warningTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | nft-shared.c: In function ‘nft_rule_to_iptables_command_state’: nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized] nft-shared.c:432:14: note: ‘jumpto’ was declared here All verdicts are managed and jumpto has to get a value, but since the compiler complains, let's fix it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: refactoring parse operations for more genericityGiuseppe Longo2013-12-301-18/+25
| | | | | | | | This allows to reuse the nft_parse_* function for the bridge and arp family (not yet supported). Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: use xtables_print_numPablo Neira Ayuso2013-12-301-28/+4
| | | | | | So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong flags handling in print_firewall_detailsPablo Neira Ayuso2013-12-301-33/+34
| | | | | | | | | | | | | | Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie. Chain INPUT (policy ACCEPT) tcp -f ::/0 ::/0 Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: convert rule into a command state structureTomasz Bursztyka2013-12-301-130/+142
| | | | | | | | This helps to reduce the code complexity to have one single common path for printing, saving and looking up for the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Print unknown target data only when relevantTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Bug is: xtables -N test xtables -A FORWARD -j test xtables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination test all -- anywhere anywhere [0 bytes of unknown target data] Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain test (1 references) target prot opt source destination "[0 bytes of unknown target data]" should not be printed in this case. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Generalize nft_rule_list() against current familyTomasz Bursztyka2013-12-301-0/+239
| | | | | | | | | | Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix -p protocolPablo Neira Ayuso2013-12-301-2/+7
| | | | | | | | The protocol field in both IPv4 and IPv6 headers are 8 bits long, so we have to compare 8 bits. Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Split nft core to become family independantTomasz Bursztyka2013-12-301-0/+418
This makes nft core code independant from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>