| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should help to avoid code duplication to support ARP.
As a result, we have a common generic infrastructure for
IPv4, IPv6 and ARP.
This patch removes nft_arp_rule_append and nft_arp_rule_insert,
which were very similar to their original nft_rule_append and
nft_rule_insert.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch removes nft_arp_rule_new, which almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The following patch implements the is_same operation
for ARP family needed for searching arp rule.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow to accomodate those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The ARP family has less tables, so skip iteration once we find
a null one.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Now that we convert nft rules to native xt command structure, it's
easier to reset the counters by replacing the existing rule by a
new one with all counters set to zero.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
So we can kill our own implementation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other family such
as ARP which will be useful for arptables compatibility tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Rulenum is already handled before the loop, making this test useless.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This will be useful for reusing nft_rule_list in other tools such as
xtables-arptables.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Thus, we can save some cycles by not dumping the entire chain list
and looping on it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Likely to be a leftover from the initial bootstrap.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This changes nft_xtables_config_load() permit to load only
the tables of the current family.
[ This patch includes a fix for the configuration parser
that I detected while testing this patch --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
IPT_SO_GET_REVISION_MATCH != IP6T_SO_GET_REVISION_MATCH, thus,
the revision infrastructure was looking for targets instead
matches.
|
|
|
|
|
|
|
|
|
| |
We need family dependent built-in table/chain configuration. This
patch is a step forward making nft family independent in
order to support arptables and ebtables compatibility layers.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look
up for the rule if no rule number is specified via -I.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the nft_rule_insert function, which allows
us to insert rules at a given position.
The function nft_rule_add has been renamed to nft_rule_append.
This is possible thanks to Eric Leblond's (netfilter: nf_tables:
add insert operation) kernel patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
% xtables -S INPUT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
After:
$ xtables -S INPUT
-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Break looping on the chain list if it finds the chain
that the user requested.
Based on patch from Tomasz Bursztyka.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Adapt it to the semantic fix that has been applied to libnftable
nft_*_list_add now inserts nodes, instead of appending them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If adding one of match/target/jumpto/verdit/counters fails, adding a rule will
return an error.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
|
|
|
|
|
|
|
| |
Fixes the debug output from (in case of ipv4 rule):
DEBUG: rule: arp filter INPUT 0
to:
DEBUG: rule: ip filter INPUT 0
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the display of rule by number.
[ Mangled this patch not to display the header, to mimic iptables
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The patch fixes the counter print, missing line,
and delete warnings.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch breaks looping in nft_chain_user_del, nft_chain_zero_counters
and nft_rule_flush after the chain is found.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
While at it, fix several memleaks of list objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes the leak of chain and rule iterators.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Otherwise we keep initializing the handle over and over again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Output of the tool should be the same as for iptables.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If /etc/xtables.conf is available, use the configuration there to
autoload the xtables built-in table and chain so you can define custom
configurations. Otherwise, rely on default common table/chain
configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Now you can specify:
xtables-restore -6 < my-ip6tables-ruleset
to restore the IPv6 rule-set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes nft core code independant from the family. Each family needs
to implement and provide a struct nft_family_ops {}.
This split will ease the future support of bridge and arp rules manipulations.
[ updated header files and rebased upon the current tree --pablo ]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new program to listen to rule updates:
shell$ xtables-events
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -m state --state ESTABLISHED -j ACCEPT
You can use `-c' option to display counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|