| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.
[ Original patches:
http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/
I have also forward port them on top of the current git HEAD, otherwise
compilation breaks.
This bootstrap is experimental, this still needs more work. --Pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow to accomodate those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new program to listen to rule updates:
shell$ xtables-events
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -m state --state ESTABLISHED -j ACCEPT
You can use `-c' option to display counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following utilities:
* xtables
* xtables-restore
* xtables-save
* xtables-config
They all use Patrick's nf_tables infrastructure plus my compatibility
layer.
xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.
Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.
However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
(Unclutter top-level dir)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
