| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When merging commandline parsers, a decision between 'argv[optind - 1]'
and 'optarg' had to be made in some spots. While the implementation of
check_inverse() required the former, use of the latter allows for the
common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at
the suffix while 'argv[optind - 1]' will just point at the following
option.
Fix the mess by making check_inverse() update optarg pointer if needed
so calling code may refer to and always correct 'optarg'.
Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While commit 1b8210f848631 kind of fixed the corner-case of invalid
short-options packed with others, it broke error reporting for
long-options. Revert it and deploy a proper solution:
When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long
sets the variable 'optopt' to the invalid character's value. Use it for
reporting instead of optind if set.
To distinguish between invalid options and missing option arguments,
ebtables-translate optstring needs adjustment.
Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This is merely to make valgrind happy, but less noise means less real
issues missed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
This is nft_clear_iptables_command_state() but in a location reachable
by legacy iptables, too.
Changes callers in non-family-specific code to use clear_cs callback
instead of directly calling it - ebtables still has a custom variant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Since basic_exit_err() appends a newline to the message itself, drop
explicit ones.
While being at it, fix indentation and join texts split over multiple
lines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Function bodies were mostly identical, the only difference being the use
of struct ipt_entry or ip6t_entry for size calculation. Pass this value
via parameter to make them fully identical.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
This is much trickier than expected: On one hand, proto_to_name() is
used to lookup protocol extensions so must resolve despite FMT_NUMERIC
being set. On the other, --verbose implies --numeric but changing the
output there is probably a bad idea. Luckily the latter situation is
identified by FMT_NOTABLE bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Format string ensured a minimum field width of five characters, but
allowed for longer strings to eat the column delimiting white space.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fact that the 'opt' table field reports spaces instead of '--' for
IPv6 as it would have been the case with IPv4 has a bit of an
unfortunate side effect that it completely confuses the 'jc' JSON
formatter tool (which has an iptables formatter module).
Consider:
# ip6tables -L test
Chain test (0 references)
target prot opt source destination
ACCEPT all a:b:c:: anywhere MAC01:02:03:04:05:06
Then:
# ip6tables -L test | jc --iptables
[{"chain":"test",
"rules":[
{"target":"ACCEPT",
"prot":"all",
"opt":"a:b:c::",
"source":"anywhere",
"destination":"MAC01:02:03:04:05:06"
}]
}]
which as you can see is wrong simply because whitespaces are considered
as a column delimiter.
[ Florian: added 'Link' for more background info.
The '--' difference exists for > 20 years, but changing it
appears to be least intrusive option. ]
Link: https://lore.kernel.org/netfilter-devel/bb391c763171f0c5511f73e383e1b2e6a53e2014.1658322396.git.eskultet@redhat.com/t/#u
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
With all ip(6)tables variants using the same do_parse() function, quite
a bunch of functions are not used outside of xshared.c anymore. Make them
static.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Gcc complains about the omitted format string.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Define the different optstrings in xshared.h instead, they are not
relevant for other libxtables users.
This is a partial revert of commit 65b150ae382a8 ("xshared: Store
optstring in xtables_globals") to avoid breaking libxtables' ABI
compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function checks afinfo->family already to cover ip6tables specifics,
doing the same for arptables does not make things much worse.
This changes arptables-nft help output slightly:
* List possible negations extrapositioned, which is preferred anyway
(arptables-nft supports both)
* List --out-interface option at lexically sorted position
* Print --wait option, it's ignored just like with iptables
* Restore default target option printing as with legacy arptables (not
sure if arptables-nft ever did this) by explicitly loading them.
While being at it, add --set-counters short option '-c' to help output
for ip(6)tables.
This effectively removes the need for (and all users of)
xtables_global's 'print_help' callback, thus effectively reverts commit
fe83b12fc910e ("libxtables: Introduce xtables_globals print_help
callback") which broke libxtables' ABI compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
It will be referenced by xtables_printhelp() if printing for arptables
and therefore must be present in legacy as well even if unused.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reuse parse_chain() called from do_parse() for '-N' and rename it for a
better description of what it does.
Note that by itself, this patch will likely kill iptables-restore
performance for big rulesets due to the extra extension lookup for chain
lines. A following patch announcing those chains to libxtables will
alleviate that.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When dumping a large ruleset, common protocol matches such as for TCP
port number significantly slow down rule printing due to repeated calls
for getprotobynumber(). The latter does not involve any caching, so
/etc/protocols is consulted over and over again.
As a simple countermeasure, make functions converting between proto
number and name prefer the built-in list of "well-known" protocols. This
is not a perfect solution, repeated rules for protocol names libxtables
does not cache (e.g. igmp or dccp) will still be slow. Implementing
getprotoent() result caching could solve this.
As a side-effect, explicit check for pseudo-protocol "all" may be
dropped as it is contained in the built-in list and therefore immutable.
Also update xtables_chain_protos entries a bit to align with typical
/etc/protocols contents. The testsuite assumes those names, so the
preferred ones prior to this patch are indeed uncommon nowadays.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if a lock timeout is specified using `-wN `, flock() is
called using LOCK_NB in a loop with a sleep. This results in two issues.
The first issue is that the process may wait longer than necessary when
the lock becomes available. For this the `-W` option was added, but this
requires fine-tuning.
The second issue is that if lock contention is high, invocations using
`-w` (without a timeout) will always win lock acquisition from
invocations that use `-w N`. This is because invocations using `-w` are
actively waiting on the lock whereas those using `-w N` only check from
time to time whether the lock is free, which will never be the case.
This patch removes the sleep loop and deprecates the `-W` option (making
it non-functional). Instead, flock() is always called in a blocking
fashion, but the alarm() function is used with a non-SA_RESTART signal
handler to cancel the system call.
Signed-off-by: Jethro Beekman <jethro@fortanix.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Expected behaviour in both variants is:
* Print help without error, append extension help if -m and/or -j
options are present
* Indicate lack of permissions in an error message for anything else
With iptables-nft, this was broken basically from day 1. Shared use of
do_parse() then somewhat broke legacy: it started complaining about
inability to create a lock file.
Fix this by making iptables-nft assume extension revision 0 is present
if permissions don't allow to verify. This is consistent with legacy.
Second part is to exit directly after printing help - this avoids having
to make the following code "nop-aware" to prevent privileged actions.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Same change as with iptables, merely have to set IP6T_F_PROTO flag in
ipv6_proto_parse().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
To do so, a few conversions are needed:
- Make use of xt_params->optstring
- Make use of xt_params->print_help callback
- Switch to using a proto_parse callback
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
They are not nft-variant-specific and may therefore be shared with
legacy.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
While nft-variants don't care, legacy ones do.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Small adjustments were needed:
- Pass line variable via xt_cmd_parse, xshared.c does not have it in
namespace.
- Replace opts, prog_name and prog_vers defines by the respective
xt_params field reference.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
The function existed three times in identical form. Avoid having to
declare extern int line in xshared.c by making it a parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Help texts in legacy and nft variants are supposed to be identical, but
those of iptables and ip6tables largely overlapped already. By referring
to xt_params and afinfo pointers, it is relatively trivial to craft a
suitable help text on demand, so duplicated help texts can be
eliminated.
As a side-effect, this fixes ip6tables-nft help text - it was identical
to that of iptables-nft.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
The only difference between the former two copies was the type of
ip*_entry parameter. But since it is treated opaque, just hide that
detail by casting to void.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
The last outside users vanished ten years ago.
Fixes: 449cdd6bcc8d1 ("src: combine default_command functions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy iptables fetches the relevant data via libiptc before calling the
shared routine which merely prints data as requested.
Drop the 'basechain' parameter, instead make sure a policy name is
passed only with base chains. Since the function is not shared with
ebtables (which uses a very rudimental header instead), this is safe.
In order to support legacy iptables' checking of iptc_get_references()
return code (printing an error message instead of the reference count),
make refs parameter signed and print the error message if it's negative.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Also add a fake mode to make it suitable for ip6tables. This is required
because IPT_F_FRAG value clashes with IP6T_F_PROTO, so ip6tables rules
might seem to have IPT_F_FRAG bit set.
While being at it, drop the local variable 'flags' from
print_firewall().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Have to pass pointer to counters directly since different fields are
being used for some reason.
Since proto_to_name() is not used outside of xshared.c anymore, make it
static.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
While being at it, make save_ipv4_addr() accept an in_addr* as mask -
mask_to_str() needs it anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
The function combines printing of input and output interfaces and
protocol parameter, all being IP family independent. Extend the function
to print fragment option ('-f'), too if requested. While being at it,
drop unused iptables_command_state parameter and reorder the remaining
ones a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Merge the three identical copies into one and name it 'save_iface' (as
the printed syntax is for "save"-format). Leave arptables alone for now,
its rather complicated whitespace printing doesn't allow for use of the
shared function. Also keep ebtables' custom implementation, it is used
for the --logical-in/--logical-out long-options, too. Apart from that,
ebtables-nft does not use a mask, at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Have a common routine to perform chain name checks, combining all
variants' requirements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Make use of libxtables allocators where sensible to have implicit error
checking. Leave library-internal calls in place to not create unexpected
program exit points for users, apart from xt_xlate_alloc() as that
function called xtables_error() in error case which exits by itself
already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
This wraps strdup(), checking for errors.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Share the common proto name lookup code. While being at it, make proto
number variable 16bit, values may exceed 256.
This aligns iptables-nft '-p' argument printing with legacy iptables. In
practice, this should make a difference only in corner cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Join invflags handling between iptables, ip6tables, xtables and
arptables. Ebtables still has its own code which differs quite a bit.
In order to use a shared set_option() routine, iptables and ip6tables
need to provide a local 'invflags' variable which is 16bits wide.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
This field is not used by routines working with struct
iptables_command_state: It is merely a temporary flag used by parsers to
carry the '!' prefix until invflags have been populated (or error
checking done if unsupported).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This eliminates quite a bit of redundant code apart from also dropping
use of obsolete function gethostbyaddr().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add OPT_FRAGMENT define into the enum of other OPT_* defines at the
right position and adjust the arptables-specific ones that follow
accordingly. Appropriately adjust inverse_for_options array in
xtables-arp.c.
Extend optflags from iptables.c by the arptables values for the sake of
completeness, then move it to xshared.h along with NUMBER_OF_OPT
definition. As a side-effect, this fixes for wrong ordering of entries
in arptables' 'optflags' copy.
Add arptables-specific bits to commands_v_options table (the speicific
options are matches on ARP header fields, just treat them like '-s'
option. This is also just a cosmetic change, arptables doesn't have a
generic_opt_check() implementation and hence doesn't use such a table.
With things potentially ready for common use, move commands_v_options
table along with generic_opt_check() and opt2char() into xshared.c and
drop the local (identical) implementations from iptables.c, ip6tables.c
xtables.c and xtables-arp.c. While doing so, fix ordering of entries in
that table: the row for CMD_ZERO_NUM was in the wrong position. Since
all moved rows though are identical, this had no effect in practice.
Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h")
Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allow users to override at runtime the lock file to use through the
XTABLES_LOCKFILE environment variable.
It allows to use iptables when the user has granted enough
capabilities (e.g. a user+network namespace) to configure the network
but that lacks access to the XT_LOCK_NAME (by default placed under
/run).
$ XTABLES_LOCKFILE=/tmp/xtables unshare -rn iptables ...
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This must be a leftover from a previous cleanup.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Old code in add_param_to_argv() assumed the input line would always end
with a newline character. Without it, the last word of input wasn't
recognized. Fix this by adding a final check for param.len (indicating
leftover data in buffer).
In line parsing code itself, only COMMIT line check required presence of
trailing newline. The replaced conditional is not 100% accurate as it
allows for characters after newline to be present, but since fgets() is
used this shouldn't happen anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The function is really small, but still copied four times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The shared definition of cmdflags is a super set of the previous one in
xtables-arp.c so while not being identical, they're compatible.
Avoid accidental array overstep in cmd2char() by incrementing an index
variable and checking its final value before using it as such.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The use of global variables in code around add_argv() is error-prone and
hard to follow. Replace them by a struct which functions will modify
instead of causing side-effects.
Given the lack of static variables, this effectively makes argv
construction code reentrant.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Extend the shared argv parser by storing whether a given argument was
quoted or not, then use it in iptables-xml. One remaining extra bit is
extraction of chain name in -A commands, do that afterwards in a loop.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:
| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT
Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|