| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).
Users will get the ip/ip6tables names via symbolic links, having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt wheres
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of commit 7462e4aa757dc28e74b4a731b3ee13079b04ef23
("iptables-compat: Keep xtables-config and xtables-events out from tree")
and re-adds xtables-events under a new name, with a few enhancements,
this is --trace mode, which replaces printk-based tracing, and an
imroved event mode which will now also display pid/name and new generation id
at the end of a batch.
Example output of xtables-monitor --event --trace
PACKET: 10 fa6b77e1 IN=wlan0 MACSRC=51:14:31:51:XX:XX MACDST=1c:b6:b0:ac:XX:XX MACPROTO=86dd SRC=2a00:3a0:2::1 DST=2b00:bf0:c001::1 LEN=1440 TC=18 HOPLIMIT=61 FLOWLBL=1921 SPORT=22 DPORT=13024 ACK PSH
TRACE: 10 fa6b77e1 raw:PREROUTING:return:
TRACE: 10 fa6b77e1 raw:PREROUTING:policy:DROP
EVENT: -6 -t mangle -A PREROUTING -j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows one to force a subsystem that one does not wish to modify
(e.g. libvirt) to use the ebtables compatibility layer.
ebtables-compat was already a symlink to xtables-compat-multi but ebtables was a
stand-alone program. So one could move it out of the way before making the
symlink as below:
lrwxrwxrwx 1 root root 20 Feb 24 11:03 ebtables -> xtables-compat-multi
-rwxr-xr-x 1 root root 75176 Feb 24 11:03 ebtables.orig
With this patch, kernel modules ebtable_filter & ebtables are no longer loaded.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:
1) iptables-restore-translate which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, eg.
% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...
The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.
2) iptables-translate which suggests a translation for an iptables
command:
$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
These binaries are part of the compat layer, however they provide more
features than actually available in the existing native iptables
binaries. So let's keep them out from the tree before the 1.6.0 release
as we only want to provide compatibility utils at this stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.
[ Original patches:
http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/
I have also forward port them on top of the current git HEAD, otherwise
compilation breaks.
This bootstrap is experimental, this still needs more work. --Pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
This patch should allow distributors to switch to the iptables over
nftables compatibility layer in a transparent way by updating
symbolic links from:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi
to:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi
Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save,
ip6tables-restore and arptables.
Note that, after this patch, the following new symlinks are installed:
* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* arptables-compat
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
