path: root/iptables/xshared.h
Commit message (Collapse)AuthorAgeFilesLines
* Use proto_to_name() from xshared in more placesPhil Sutter2021-05-171-1/+1
| | | | | | | | | | Share the common proto name lookup code. While being at it, make proto number variable 16bit, values may exceed 256. This aligns iptables-nft '-p' argument printing with legacy iptables. In practice, this should make a difference only in corner cases. Signed-off-by: Phil Sutter <>
* xshared: Merge invflags handling codePhil Sutter2021-05-171-0/+11
| | | | | | | | | | Join invflags handling between iptables, ip6tables, xtables and arptables. Ebtables still has its own code which differs quite a bit. In order to use a shared set_option() routine, iptables and ip6tables need to provide a local 'invflags' variable which is 16bits wide. Signed-off-by: Phil Sutter <>
* xshared: Eliminate iptables_command_state->invertPhil Sutter2021-05-171-3/+2
| | | | | | | | | This field is not used by routines working with struct iptables_command_state: It is merely a temporary flag used by parsers to carry the '!' prefix until invflags have been populated (or error checking done if unsupported). Signed-off-by: Phil Sutter <>
* nft-arp: Make use of ipv4_addr_to_string()Phil Sutter2021-04-301-0/+3
| | | | | | | This eliminates quite a bit of redundant code apart from also dropping use of obsolete function gethostbyaddr(). Signed-off-by: Phil Sutter <>
* xshared: Merge some command option-related codePhil Sutter2020-12-031-6/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add OPT_FRAGMENT define into the enum of other OPT_* defines at the right position and adjust the arptables-specific ones that follow accordingly. Appropriately adjust inverse_for_options array in xtables-arp.c. Extend optflags from iptables.c by the arptables values for the sake of completeness, then move it to xshared.h along with NUMBER_OF_OPT definition. As a side-effect, this fixes for wrong ordering of entries in arptables' 'optflags' copy. Add arptables-specific bits to commands_v_options table (the speicific options are matches on ARP header fields, just treat them like '-s' option. This is also just a cosmetic change, arptables doesn't have a generic_opt_check() implementation and hence doesn't use such a table. With things potentially ready for common use, move commands_v_options table along with generic_opt_check() and opt2char() into xshared.c and drop the local (identical) implementations from iptables.c, ip6tables.c xtables.c and xtables-arp.c. While doing so, fix ordering of entries in that table: the row for CMD_ZERO_NUM was in the wrong position. Since all moved rows though are identical, this had no effect in practice. Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h") Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface") Signed-off-by: Phil Sutter <>
* iptables: include sys/time.h to fix lack of struct timeval declarationMaciej ┼╗enczykowski2020-04-281-0/+1
| | | | | | | | | | | | | | | This fixes clang compiler warnings: iptables/xshared.h:176:50: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility] extern int xtables_lock_or_exit(int wait, struct timeval *tv); ^ iptables/xshared.h:179:57: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility] void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); ^ Test: builds with less warnings Signed-off-by: Maciej ┼╗enczykowski <> Signed-off-by: Pablo Neira Ayuso <>
* xtables-arp: Integrate OPT_* defines into xshared.hPhil Sutter2019-10-301-0/+7
| | | | | | | | | | | | | | | | | | These defines are internal use only, so their actual value doesn't matter as long as they're unique and inverse_for_options array items match: When negating a given option, the corresponding OPT_* value's bit is used as an index into inverse_for_options to retrieve the corresponding invflag. If zero, either negating or the option itself is not supported. (In practice, a lookup for unsupported option won't happen as those are caught by getopt_long()). Since xtables-arp's OPT_* values change, adjust the local inverse_for_options array accordingly. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* Merge CMD_* definesPhil Sutter2019-10-301-0/+20
| | | | | | | | | They are mostly identical, just xtables-arp ones differ slightly. Though since they are internal use only and their actual value doesn't matter (as long as it's a distinct bit), they can be merged anyway. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xshared: Share a common implementation of parse_rulenumber()Phil Sutter2019-10-301-0/+1
| | | | | | | The function is really small, but still copied four times. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xshared: Share a common add_command() implementationPhil Sutter2019-10-301-0/+4
| | | | | | | | | | | The shared definition of cmdflags is a super set of the previous one in xtables-arp.c so while not being identical, they're compatible. Avoid accidental array overstep in cmd2char() by incrementing an index variable and checking its final value before using it as such. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xshared: Introduce struct argv_storePhil Sutter2019-10-241-11/+15
| | | | | | | | | | | | The use of global variables in code around add_argv() is error-prone and hard to follow. Replace them by a struct which functions will modify instead of causing side-effects. Given the lack of static variables, this effectively makes argv construction code reentrant. Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
* xtables-restore: Introduce rule counter tokenizer functionPhil Sutter2019-10-181-0/+1
| | | | | | | | | | | | | | The same piece of code appears three times, introduce a function to take care of tokenizing and error reporting. Pass buffer pointer via reference so it can be updated to point to after the counters (if found). While being at it, drop pointless casting when passing pcnt/bcnt to add_argv(). Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* DEBUG: Print to stderr to not disturb iptables-savePhil Sutter2019-09-231-1/+1
| | | | | | | | This way there's at least a chance to get meaningful results from testsuite with debugging being turned on. Signed-off-by: Phil Sutter <> Acked-by: Pablo Neira Ayuso <>
* xshared: Explicitly pass target to command_jump()Phil Sutter2019-02-071-1/+1
| | | | | | | | | The use of global 'optarg' variable inside that function is a mess, but most importantly it limits its applicability to input parsers. Fix this by having it take the option argument as a parameter. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* Combine parse_target() and command_jump() implementationsPhil Sutter2018-09-251-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Merge these two functions from xtables, iptables, ip6tables and arptables. Both functions were basically identical in the first three, only the last one required a bit more attention. To eliminate access to 'invflags' in variant-specific location, move the call to set_option() into callers. This is actually consistent with parsing of other options in them. As with command_match(), use xt_params instead of the different *_globals objects to refer to 'opts' and 'orig_opts'. It was necessary to rename parse_target() as it otherwise clashes with a static function of same name in libxt_SET. In arptables, the maximum allowed target name is a bit larger, so introduce xtables_globals.target_maxnamelen defining the value. It is used in the shared xt_parse_target() implementation. Implementation of command_jump() in arptables diverted from the others for no obvious reason. The call to parse_target() was done outside of it and a pointer to cs->arp was passed but not used inside. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* Combine command_match() implementationsPhil Sutter2018-09-251-0/+2
| | | | | | | | | | This merges the basically identical implementations of command_match() from xtables, iptables and ip6tables into one. The only required adjustment was to make use of xt_params instead of the different *_globals objects. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* iptables: Use print_ifaces() from xtablesPhil Sutter2018-09-241-0/+3
| | | | | | | | | | Move the function to xshared.c for common use between legacy and xtables sources. While being at it, silence a covscan warning triggered by that function as it couldn't verify input buffers won't exceed IFNAMSIZ. Therefore use snprintf() when writing to the local buffer. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* Share print_ipv{4,6}_addr() from xtablesPhil Sutter2018-09-241-0/+3
| | | | | | | | | | | | | | | | These functions contain code which occurs in legacy's print_firewall() functions, so use them there. Rename them to at least make clear they print more than a single address. Also introduce ipv{4,6}_addr_to_string() which take care of converting an address/netmask pair into string representation in a way which doesn't upset covscan (since that didn't detect that 'buf' may not be exceeded by the strings written into it. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xshared: Consolidate argv construction routinesPhil Sutter2018-08-041-0/+13
| | | | | | | | | | | | | | | | | | | | | Implementations were equal in {ip,ip6,x}tables-restore.c. The one in iptables-xml.c differed slightly. For now, collect all features together. Maybe it would make sense to migrate iptables-xml.c to using add_param_to_argv() at some point and therefore extend the latter to store whether a given parameter was quoted or not. While being at it, a few improvements were done: * free_argv() now also resets 'newargc' variable, so users don't have to do that anymore. * Indenting level in add_param_to_argv() was reduced a bit. * That long error message is put into a single line to aid in grepping for it. * Explicit call to exit() after xtables_error() is removed since the latter does not return anyway. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xshared: Consolidate parse_counters()Phil Sutter2018-08-041-0/+1
| | | | | | | | | Move this helper function into xshared. While being at it, drop the need for temporary variables and take over null pointer tolerance from the implementation in iptables-xml.c. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* Consolidate DEBUGP macrosPhil Sutter2018-08-041-0/+6
| | | | | | | | | | | | | | | | | | This debug printing macro was defined in various places, always identical. Move it into xshared.h and drop it from sources including that header. There are a few exceptions: * iptables-xml.c did not include xshared.h, which this patch changes. * Sources in extensions and libiptc mostly left alone since they don't include xshared.h (and maybe shouldn't). Only libxt_set.h does, so it's converted, too. This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler warning. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables: merge {ip,arp}tables_command_state structsPhil Sutter2018-07-191-0/+2
| | | | | | | | | | Differences between both structs are marginal (apart from arptables_command_state being much smaller), so merge them into one. Struct iptables_command_state is already shared between iptables, ip6tables and ebtables. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
* xtables-compat: ebtables: remove interface masks from ebt_entry structFlorian Westphal2018-05-101-3/+0
| | | | | | They don't exist in the legacy ABI, so don't pretend otherwise. Signed-off-by: Florian Westphal <>
* xtables-compat: ebtables: kill ebtables_command_stateFlorian Westphal2018-05-101-0/+35
| | | | | | | | Use iptables_command_state instead. This allows to re-use code from the ip(6)tables layer and reduces cop&pasted code. Signed-off-by: Florian Westphal <>
* iptables: insist that the lock is held.Lorenzo Colitti2017-05-291-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, iptables programs will exit with an error if the iptables lock cannot be acquired, but will silently continue if the lock cannot be opened at all. This can cause unexpected failures (with unhelpful error messages) in the presence of concurrent updates, which can be very difficult to find in a complex or multi-administrator system. Instead, refuse to do anything if the lock cannot be acquired. The behaviour is not affected by command-line flags because: 1. In order to reliably avoid concurrent modification, all invocations of iptables commands must follow this behaviour. 2. Whether or not the lock can be opened is typically not a run-time condition but is likely to be a configuration error. Existing systems that depended on things working mostly correctly even if there was no lock might be affected by this change. However, that is arguably a configuration error, and now that the iptables lock is configurable, it is trivial to provide a lock file that is always accessible: if nothing else, the iptables binary itself can be used. The lock does not have to be writable, only readable. Tested by configuring the system to use an xtables.lock file in a non-existent directory and observing that all commands failed. Signed-off-by: Lorenzo Colitti <> Signed-off-by: Pablo Neira Ayuso <>
* iptables-restore: support acquiring the lock.Lorenzo Colitti2017-03-211-1/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, ip[6]tables-restore does not perform any locking, so it is not safe to use concurrently with ip[6]tables. This patch makes ip[6]tables-restore wait for the lock if -w was specified. Arguments to -w and -W are supported in the same was as they are in ip[6]tables. The lock is not acquired on startup. Instead, it is acquired when a new table handle is created (on encountering '*') and released when the table is committed (COMMIT). This makes it possible to keep long-running iptables-restore processes in the background (for example, reading commands from a pipe opened by a system management daemon) and simultaneously run iptables commands. If -w is not specified, then the command proceeds without taking the lock. Tested as follows: 1. Run iptables-restore -w, and check that iptables commands work with or without -w. 2. Type "*filter" into the iptables-restore input. Verify that a) ip[6]tables commands without -w fail with "another app is currently holding the xtables lock...". b) ip[6]tables commands with "-w 2" fail after 2 seconds. c) ip[6]tables commands with "-w" hang until "COMMIT" is typed into the iptables-restore window. 3. With the lock held by an ip6tables-restore process: strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000 shows 11 calls to flock and fails. 4. Run an iptables-restore with -w and one without -w, and check: a) Type "*filter" in the first and then the second, and the second exits with an error. b) Type "*filter" in the second and "*filter" "-S" "COMMIT" into the first. The rules are listed only when the first copy sees "COMMIT". Signed-off-by: Narayan Kamath <> Signed-off-by: Lorenzo Colitti <> Signed-off-by: Pablo Neira Ayuso <>
* iptables: remove duplicated argument parsing codeLorenzo Colitti2017-03-171-1/+3
| | | | | | | | | | 1. Factor out repeated code to a new xs_has_arg function. 2. Add a new parse_wait_time option to parse the value of -w. 3. Make parse_wait_interval take argc and argv so its callers can be simpler. Signed-off-by: Lorenzo Colitti <> Signed-off-by: Pablo Neira Ayuso <>
* xtables-translate-restore: do not escape quotesPablo M. Bermudo Garay2016-09-051-0/+1
| | | | | | | | If quotes are escaped, nft -f is unable to parse and load the translated ruleset. Signed-off-by: Pablo M. Bermudo Garay <> Signed-off-by: Pablo Neira Ayuso <>
* xtables: Add an interval option for xtables lock waitSubash Abhinov Kasiviswanathan2016-07-031-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ip[6]tables currently waits for 1 second for the xtables lock to be freed if the -w option is used. We have seen that the lock is held much less than that resulting in unnecessary delay when trying to acquire the lock. This problem is even severe in case of latency sensitive applications. Introduce a new option 'W' to specify the wait interval in microseconds. If this option is not specified, the command sleeps for 1 second by default. v1->v2: Change behavior to take millisecond sleep as an argument to -w as suggested by Pablo. Also maintain current behavior for -w to sleep for 1 second as mentioned by Liping. v2->v3: Move the millisecond behavior to a new option as suggested by Pablo. v3->v4: Use select instead of usleep. Sleep every iteration for the time specified in the "-W" argument. Update man page. v4->v5: Fix compilation error when enabling nftables v5->v6: Simplify -W so it only takes the interval wait in microseconds. Bail out if -W is specific but -w is not. Joint work with Pablo Neira. Signed-off-by: Subash Abhinov Kasiviswanathan <> Signed-off-by: Pablo Neira Ayuso <>
* iptables: add optional [seconds] argument to -wJiri Popelka2014-07-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | This patch adds an optional numeric argument to -w option (added with 93587a0) so one can specify how long to wait for an exclusive lock. If the value isn't specified it works as before, i.e. program waits indefinitely. If user specifies it, program exits after the given time interval passes. This patch also adds the -w/--wait to nftables compat code, so the parser doesn't complain. [ In the original patch, iptables-compat -w X was not working, I have fixed by adding the dummy code not to break scripts using the new optional argument --pablo ] Signed-off-by: Jiri Popelka <> Signed-off-by: Pablo Neira Ayuso <>
* use nf_tables and nf_tables compatibility interfacePablo Neira Ayuso2013-12-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso <>
* ip[6]tables: Add locking to prevent concurrent instancesPhil Oester2013-06-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There have been numerous complaints and bug reports over the years when admins attempt to run more than one instance of iptables simultaneously. Currently open bug reports which are related: 325: Parallel execution of the iptables is impossible 758: Retry iptables command on transient failure 764: Doing -Z twice in parallel breaks counters 822: iptables shows negative or other bad packet/byte counts As Patrick notes in 325: "Since this has been a problem people keep running into, I'd suggest to simply add some locking to iptables to catch the most common case." I started looking into alternatives to add locking, and of course the most common/obvious solution is to use a pidfile. But this has various downsides, such as if the application is terminated abnormally and the pidfile isn't cleaned up. And this also requires a writable filesystem. Using a UNIX domain socket file (e.g. in /var/run) has similar issues. Starting in 2.2, Linux added support for abstract sockets. These sockets require no filesystem, and automatically disappear once the application terminates. This is the locking solution I chose to implement in ip[6]tables. As an added bonus, since each network namespace has its own socket pool, an ip[6]tables instance running in one namespace will not lock out an ip[6]tables instance running in another namespace. A filesystem approach would have to recognize and handle multiple network namespaces. Signed-off-by: Phil Oester <> Signed-off-by: Pablo Neira Ayuso <>
* iptables: consolidate target/match init callJan Engelhardt2011-06-211-0/+2
| | | | | | | This is useful for the upcoming patch about per-instance auxiliary data. Signed-off-by: Jan Engelhardt <>
* option: fix ignored negation before implicit extension loadingJan Engelhardt2011-06-071-1/+1
| | | | | | | | | | | | `iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not present in a subsequent `iptables -S`. Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto extension, cs.invert must not be touched until the next getopt call. This is now fixed by having command_default return a value to indicate whether to jump or not. Signed-off-by: Jan Engelhardt <>
* src: move all iptables pieces into a separate directoryJan Engelhardt2011-06-071-0/+87
(Unclutter top-level dir) Signed-off-by: Jan Engelhardt <>