| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous review of match/target lookup did not consider
xtables-eb-translate.c which contains the same code. Fix parsing of
target/match arguments there as well by introducing
ebt_command_default() which consolidates the previously duplicated code.
One notable quirk in comparison to the similar xtables code: Since
ebtables allows for negations in ugly places (e.g. '--arp-opcode ! 1'),
ebt_check_inverse2() has to be called first.
Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This nit was discovered when comparing do_commandeb() with
do_commandeb_xlate(): Since 'cs' is initialized upon declaration
already, initialization of field '.eb.bitmask' may be moved there as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to list a non-existent chain, ebtables-nft would just print
the table header and then exit with a code of zero. In order to be more
consistent with legacy ebtables, change the code to:
* Print table header only if chosen chain is found and
* propagate the error condition if chain was not found to print an error
message.
Note that this does not establish full parity with legacy ebtables due
to the error code being 1 instead of 255 and the error message differing
from the legacy one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both extensions were very similar already, but now that they both are
translated into native nftables code, their actual difference (i.e.
match size) doesn't matter anymore.
This change comes with one caveat: Since ebtables limit match is not in
its own file anymore, match preloading automatically also loads the
NFPROTO_UNSPEC limit match. This is not a problem per se since match
lookup will prefer the family-specific one, but when parsing unknown
options, a match without 'parse' callback is encountered. Therefore
do_commandeb() has to check existence of that callback prior to
dereferencing it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is actually quite a mess: xtables-eb.c defines names for bits in
'flags' variable of do_commandeb(), though these tend to clash with bit
names defined in xshared.h due to the same 'OPT_' prefix. Therefore
checking for bits OPT_NUMERIC and OPT_VERBOSE is syntactically correct,
but semantically wrong as they actually refer to bits OPT_COMMAND and
OPT_PROTOCOL.
Since ebtables doesn't support numeric nor verbose modes, just replace
the checks with zero values.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since ebtables does not indicate extension use on commandline via '-m'
flag as in iptables, loading of matches has to happen prior to
commandline parsing. While parsing, the right extension is searched for
unknown parameters by passing it to its 'parse' callback and checking if
it succeeds. As an unavoidable side-effect, custom data in
xtables_targets objects is being altered if the extension parser
succeeds.
If called multiple times, do_commandeb() leaks memory and fixing this
requires to properly treat the above quirk:
* Load extensions just once at program startup, thereby reusing the
existing ones for several calls of do_commandeb().
* In ebt_cs_clean(), don't free memory which is being reused. Instead
reinit custom extension data if it was used in current do_commandeb()
call (i.e., it is contained in cs->match_list).
On the other hand, target lookup in command_jump() can be simplified a
lot: The only target it may have loaded is 'standard', so just load that
at as well at program startup and reduce command_jump() to a simple
linked list search. Since 'standard' target does not prove a 'parse'
callback, a check is necessary when parsing target options.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This drops the dedicated input parser (which was broken in many ways
anyway) and replaces it by the common one now that all required knobs
are in place.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ip{,6}tables prints feedback for various commands if in verbose
mode, make sure nft variants do the same.
There is one difference, namely when checking a rule (-C command):
Legacy ip{,6}tables print the rule in any case, nft variants don't in
case the rule wasn't found. Changing this though would require to
populate the nftnl_rule object just for printing, which is probably not
feasible.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This effectively flushes all built-in chains and removes user-defined
ones. Since compat layer takes care of built-in table/chain creation, it
is sufficient to just drop the relevant table.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Find the end of the match_list before inserting in case the list
contains more than one element.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Since nft_init_eb() is shared among standalone ebtables and
ebtables-restore, allow for callers to pass the program name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code for ebtables-restore was derived from legacy code,
ebtables-save is actually a new implementation using the existing
infrastructure and trying to adhere to legacy perl script output
formatting as much as possible.
This introduces a new format flag (FMT_EBT_SAVE) to allow
nft_bridge_save_rule() to distinguish between ruleset listing (i.e.,
ebtables -L) and saving via ebtables-save - the two differ in how
counters are being formatted. Odd, but that's how it is.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This wraps nft_init(), adding required things needed for ebtables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This cleans up a few obvious cases identified by grepping the source
code for 'memset'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Unfortunately no nft translation available so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
In both cases the argument is optional, in both cases
the argument wasn't evaluated.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
no plans to support daemon mode, so remove this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-V now yields:
arptables vlibxtables.so.12 (nf_tables)
ebtables 1.6.2 (nf_tables)
ip6tables v1.6.2 (legacy)
ip6tables v1.6.2 (nf_tables)
ip6tables-restore v1.6.2 (nf_tables)
ip6tables-save v1.6.2 (nf_tables)
ip6tables-restore v1.6.2 (legacy)
ip6tables-restore-translate v1.6.2
ip6tables-save v1.6.2 (legacy)
ip6tables-translate v1.6.2 (nf_tables)
iptables v1.6.2 (legacy)
iptables v1.6.2 (nf_tables)
iptables-restore v1.6.2 (nf_tables)
iptables-save v1.6.2 (nf_tables)
iptables-restore v1.6.2 (legacy)
iptables-restore-translate v1.6.2
iptables-save v1.6.2 (legacy)
iptables-translate v1.6.2 (nf_tables)
This allows to see wheter "iptables" is using
old set/getsockopt or new nf_tables infrastructure.
Suggested-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
previous patch shows this problem:
xtables-eb.c: In function ‘parse_change_counters_rule’:
xtables-eb.c:534:65: warning: logical ‘and’ of mutually exclusive tests is always false [-Wlogical-op]
(argv[optind + 1][0] == '-' && (argv[optind + 1][1] < '0' && argv[optind + 1][1] > '9')))
... so this never worked. Just remove it, the arg will be fed to
strtol() -- No need to do this check.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1149
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
no translation yet, might be doable with raw payload expressions though.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
No translation. The kernel match will alter packet type
(meta set pkttype), but also replace dst mac with the bridges' mac address,
however nft currently doesn't allow to retrieve this at runtime.
So just add this without the xlate part for now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
adds snat and dnat.
Translation for snat isn't complete, the --snat-arp switch isn't supported so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
gcc emits these warnings:
xtables-eb-translate.c:185:2: warning: ‘strncpy’ specified bound 29 equals destination size [-Wstringop-truncation]
strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow checking for an all-zero mac address by replacing checks on the
address with a check on the option flag.
Its set when '-d' or '-s' appears on the command line and when seeing
a linklayer payload request for ether s/daddr.
Same for -p: s this flag gets removed during getopt when 'p' is encountered.
So, if its set, no need to check protocol type.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Use iptables_command_state instead.
This allows to re-use code from the ip(6)tables layer and
reduces cop&pasted code.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
We don't need extra locking as we don't go though rmw cycle
when adding a rule, but accept the option for compatibility with
legacy ebtables.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Will be used from eb-translate parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
ebtables sitll allows intra-postitioned negations, e.g.
--ip-src ! 1.2.3.4
support this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Its already there but it did not work because it wasn't loaded.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
We will fail later when we can't parse the option, but that
failure only happens if the is actually used.
So in some cases things will work fine even if an extension
doesn't exist.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field inside
the xtables_globals struct and is not modified anywhere.
Done using following coccinelle semantic patch
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct option i[] = { ... };
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
xtables-eb.c:305:1: warning: empty declaration
} __attribute__((noreturn, format(printf,2,3)));
^
xtables-eb.c:311:2: warning: initialization makes '__attribute__((noreturn))' qualified function pointer from unqualified
.exit_err = ebt_print_error,
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, error reporting in ebtables-compat was like:
% ebtables-compat xxx
(null) v1.4.21: Bad argument : 'xxx'
Try `(null) -h' or '(null) --help' for more information.
While the original ebtables was:
% ebtables xxx
Bad argument : 'xxx'.
With this patch, we switch to:
% ebtables-compat xxx
Bad argument : 'xxx'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add support for the ebtables limit extension (match),
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
| |
Let's give support for the nflog extension (a watcher).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
ebtables watchers are targets which always return EBT_CONTINUE.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's call extensions final checks.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Translate mark_m match extension to the xtables-compat environment.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the 'ip' match extension to ebtables-compat.
It involves adapting old ebtables extension code to the xtables-compat
environment.
For testing:
% sudo ebtables-compat -p 0x0800 --ip-src 1.1.1.1 -j ACCEPT
The patch includes a cached copy of the extension kernel header.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using two matches options results in two copies of the match being included
in the nft rule.
Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
% -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
[Note: the br_ip extension comes in a follow-up patch]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Parsing options will be overwritten if every time we load a match
the extension options are merged to the original options.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch:
% sudo ebtables-compat -L --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
-j ACCEPT , pcnt = 123 -- bcnt = 123
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
