nft_bridge_print_firewall
Signed-off-by: Florian Westphal <fw@strlen.de>
Use iptables_command_state instead.
This allows re-using code from the ip(6)tables layer and
reduces copy&pasted code.
Signed-off-by: Florian Westphal <fw@strlen.de>
This always uses xtables_ipv4 (which is the same as _ipv6).
Pass the correct skeleton instead; this is needed to handle ebtables
correctly from xt-translate, as it doesn't use ip/ip6 tables.
Signed-off-by: Florian Westphal <fw@strlen.de>
if (outiface[len] == '\0')
is always true. 'eth+' is stored as 'eth' with length 3, so
"eth"[3] == 0.
'eth' is stored as 'eth\0' with length 4, so "eth\0"[4] is also true.
Add a helper for this, then use it.
Signed-off-by: Florian Westphal <fw@strlen.de>
With no -n, semantics for *filter are to delete the filter table and all its
content.
This restores the similar behaviour introduced in ca165845f7ec
("xtables-compat-restore: flush rules and delete user-defined chains").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# iptables-compat -X
iptables: No chain/target/match by that name.
While it should display no error message at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-n still flushes user-defined chains and their content; the following snippet:
iptables-compat -N FOO
iptables-compat -I INPUT
iptables-compat -I FOO
iptables-compat -I FOO
iptables-compat-save > A
iptables-compat-restore < A
iptables-compat -N BAR
iptables-compat -A BAR
iptables-compat-restore -n < A
results in:
iptables-compat-save
# Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BAR - [0:0]
:FOO - [0:0]
-A INPUT
-A INPUT
-A BAR
-A FOO
-A FOO
COMMIT
# Completed on Mon May 7 17:18:44 2018
Still, user-defined chains that are not re-defined, such as BAR, are
left in place.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Instead of deleting the table and base chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
needed to display rules that exceed 4k (MNL buffer size).
This can happen with many matches in a rule or when using
-m cgroup (4k per match).
Signed-off-by: Florian Westphal <fw@strlen.de>
noticed that iptables-compat-save exits with 1 on success,
whereas iptables-compat-save -t filter returns 0 (as expected).
Caused by a double inversion of the return value, so get rid of those.
do_output now returns a value suitable to pass to exit() or return from main.
Signed-off-by: Florian Westphal <fw@strlen.de>
We don't need extra locking as we don't go through an rmw cycle
when adding a rule, but accept the option for compatibility with
legacy ebtables.
Signed-off-by: Florian Westphal <fw@strlen.de>
    iptables-translate -A I -f
    nft add rule ip filter I ip frag-off != 0 counter
iptables however checks:
    frag_off = ntohs(iph->frag_off) & IP_OFFSET;
    if (NF_INVF(ipinfo, IPT_INV_FRAG,
                (ipinfo->flags & IPT_F_FRAG) && !frag_off))
            return false;
So we need to mask off non-offset bits.
The second issue is that we negated the meaning in ipt-restore.
-f should match if (frag_off & IP_OFFSET) NE 0;
! -f matches non-fragmented packets, i.e.
frag_off & IP_OFFSET == 0.
So we cannot use nft_invflags2cmp(), as that will use
NEQ for negation, but we need EQ instead here.
Signed-off-by: Florian Westphal <fw@strlen.de>
memcmp uses tg1->userspacesize, make sure it's the same as tg2's first.
Signed-off-by: Florian Westphal <fw@strlen.de>
no need to AND with an all-ones mask.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Remove dead code that uses the ancient non-batch netlink API. Chains
are already purged out from table flush.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The following snippet fails if user chain FOO exists, but it should not fail:
iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is only needed by 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced featureset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
... or when using multiple --comment lines.
This is more of a 'cosmetic' fix to handle the test suite case.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
nft-arp.c:112:3: note: 'sprintf' output between 2 and 21 bytes into a destination of size 20
sprintf(buf, "/%s", addr_to_dotted(mask));
Signed-off-by: Florian Westphal <fw@strlen.de>
Kernel clamps udata size at 256 bytes, udata size however also includes
internal bookkeeping which brings us over this limit.
Signed-off-by: Florian Westphal <fw@strlen.de>
Only ip and ip6tables have revision retrieval support; pretend
ebtables and arptables are always ok.
Signed-off-by: Florian Westphal <fw@strlen.de>
Updating iptables from 1.4.x to 1.6.x breaks rules print/save output
and causes rules load after reboot to fail. Here is an example from
iptables-save(8) output after update:
    -A CHAIN1 -m set [unsupported revision] -j DROP
    -A CHAIN1 -m set [unsupported revision] -j DROP
Similar output could be obtained via iptables -L CHAIN1. While the issue
was reproduced with the xt_set match, it is not specific to any match or
target module: it is related to how xtables handles revisions.
In this particular case we have the following situation:
1) Kernel supports revisions from 1 to 4.
2) Rules configured with iptables 1.4.x supporting only
revisions from 1 to 3. Chosen highest possible revision 3.
3) Rules printed/saved with iptables 1.6.x supporting revisions
from 1 to 4.
4) Xtables registers matches/targets with the highest revision
supported by the kernel. This is 4 in our case after update to
iptables 1.6.x.
5) When printing/saving, the kernel submits the match/target with the revision
it is configured with (3), while iptables thinks that rules are configured
with the highest supported (4). That causes a revision mismatch
during print and "[unsupported revision]" output.
To fix this issue we now store all revisions supported by the kernel and
xtables in the xt_matches/xt_targets list sorted in descending order.
Introduce helper routines to find match/target with a given revision
and use them to find the right revision to print the entry submitted by
the kernel.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
not needed as we won't be installing any rules.
So just assume kernel supports everything.
Signed-off-by: Florian Westphal <fw@strlen.de>
It's not supported anymore as of 4.13, and it did not work
before this either (arp packets cannot be routed).
This unbreaks arptables-compat -- without this fix the kernel rejects the
incoming ruleset skeleton.
Filtering forwarded arp packets on a bridge can be done either via
'netdev' or 'bridge' families.
Signed-off-by: Florian Westphal <fw@strlen.de>
This function is only used from iptables/nft.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Release existing list and restart in case that netlink dump hits EINTR.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
It is good practice, as interface names can be virtually any
identifier and could clash with nft keywords.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Will be used from eb-translate parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Mask needs to be all-ones, else we print
<macaddr>/ff:ff:ff:ff:ff:ff
but such a mask is redundant, we can omit the mask.
ebtables does this correctly.
Signed-off-by: Florian Westphal <fw@strlen.de>
This needs to first check if pent is NULL.
Signed-off-by: Florian Westphal <fw@strlen.de>
ebtables still allows intra-positioned negations, e.g.
    --ip-src ! 1.2.3.4
Support this.
Signed-off-by: Florian Westphal <fw@strlen.de>
nft-bridge.h:121:48: warning: 'struct nftnl_rule' declared inside parameter list will not be visible outside ..
Signed-off-by: Florian Westphal <fw@strlen.de>
nft_init() should roll back all changes it made during init
when something goes wrong; callers should NOT call nft_fini()
on error.
Note that this change is irrelevant at the moment: all users
call exit() on failure.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
avoids a compiler warning in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
The struct of type option is only used to initialise a field and
is not modified anywhere.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
It's already there but it did not work because it wasn't loaded.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
We will fail later when we can't parse the option, but that
failure only happens if the option is actually used.
So in some cases things will work fine even if an extension
doesn't exist.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows xtables-compat to list all builtin tables unless one
contains nft specific expressions.
Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).
Signed-off-by: Florian Westphal <fw@strlen.de>
Instead of not listing anything at all if an unknown table name
exists, just skip them. Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.
Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.
Signed-off-by: Florian Westphal <fw@strlen.de>