| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning:
warning: initialization discards ‘const’ qualifier from pointer target
type [-Wdiscarded-qualifiers]
.orig_opts = original_opts,
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If user chain contains rules, flush needs to happen first to retain
iptables semantics. Use NLM_F_NONREC to request non-recursive chain
deletion.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The struct of type option is only used to initialise a field inside
the xtables_globals struct and is not modified anywhere.
Done using following coccinelle semantic patch
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct option i[] = { ... };
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If -W <val> was given, error out if -w wasn't since that doesn't make
sense.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Passing -W without a value doesn't make sense so bail out if none was
given.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This chain should be translated as a route chain, not as a filter chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat is used for listing operations:
==1604== 1,064 (120 direct, 944 indirect) bytes in 5 blocks are definitely lost in loss record 21 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x56ABB78: xtables_malloc (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x56AC7D3: xtables_find_match (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x11F502: nft_parse_match (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x11FC7B: nft_rule_to_iptables_command_state (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x1218C0: nft_ipv4_print_firewall (nft-ipv4.c:301)
==1604== by 0x11CBEB: __nft_rule_list (nft.c:2042)
==1604== by 0x11CEA4: nft_rule_list (nft.c:2126)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 25 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11A311: nft_init (nft.c:777)
==1604== by 0x115A71: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 26 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11910C: mnl_nftnl_batch_page_add (nft.c:122)
==1604== by 0x11D8FE: nft_action (nft.c:2402)
==1604== by 0x11D957: nft_commit (nft.c:2413)
==1604== by 0x11CCB7: nft_rule_list (nft.c:2076)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following memory leaks are detected by valgrind when
ip[6]tables-compat-restore is executed:
valgrind --leak-check=full iptables-compat-restore test-ruleset
==2548== 16 bytes in 1 blocks are definitely lost in loss record 1 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x4E39D67: __mnl_socket_open (socket.c:110)
==2548== by 0x4E39DDE: mnl_socket_open (socket.c:133)
==2548== by 0x11A48E: nft_init (nft.c:765)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 16 bytes in 1 blocks are definitely lost in loss record 2 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11B2DB: nftnl_chain_list_get (nft.c:1194)
==2548== by 0x11B377: nft_chain_dump (nft.c:1210)
==2548== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2548== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 5 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x56ABB99: xtables_calloc (xtables.c:291)
==2548== by 0x116DA7: command_jump (xtables.c:623)
==2548== by 0x117D5B: do_parse (xtables.c:923)
==2548== by 0x1188BA: do_commandx (xtables.c:1183)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 6 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x4E3AE07: mnl_nlmsg_batch_start (nlmsg.c:441)
==2548== by 0x1192B7: mnl_nftnl_batch_alloc (nft.c:106)
==2548== by 0x11931A: mnl_nftnl_batch_page_add (nft.c:122)
==2548== by 0x11DB0C: nft_action (nft.c:2402)
==2548== by 0x11DB65: nft_commit (nft.c:2413)
==2548== by 0x114FBB: xtables_restore_parse (xtables-restore.c:238)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 8 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x50496FE: nftnl_table_list_alloc (table.c:433)
==2548== by 0x11DF88: nft_xtables_config_load (nft.c:2539)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 9 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11DF91: nft_xtables_config_load (nft.c:2540)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 135,168 bytes in 1 blocks are definitely lost in loss record 19 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x119280: mnl_nftnl_batch_alloc (nft.c:102)
==2548== by 0x11A51F: nft_init (nft.c:777)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
An additional leak occurs if a rule-set already exits:
==2735== 375 (312 direct, 63 indirect) bytes in 3 blocks are definitely lost in loss record 19 of 24
==2735== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2735== by 0x504AAE9: nftnl_chain_alloc (chain.c:92)
==2735== by 0x11B1F1: nftnl_chain_list_cb (nft.c:1172)
==2735== by 0x4E3A2E8: __mnl_cb_run (callback.c:78)
==2735== by 0x4E3A4A7: mnl_cb_run (callback.c:162)
==2735== by 0x11920D: mnl_talk (nft.c:70)
==2735== by 0x11B343: nftnl_chain_list_get (nft.c:1203)
==2735== by 0x11B377: nft_chain_dump (nft.c:1210)
==2735== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2735== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2735== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2735== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j
Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a comment translation immediately follows a counter statement, two
spaces are printed between "counter" and "comment" keywords.
The counter statement is almost always followed by a target, so we need
to move the space following "counter" to the beginning of the target
translation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an option to output the results of iptables-save,
ip6tables-save, and xtables-save save to a file.
Updates the man page with this new option.
Uses the dup2 call to replace stdout with the specified file.
Error output is unchanged.
This is a feature requested by a Gentoo developer in
Bugzilla #905.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that
specifies the table option during a restore can create an invalid pointer.
It was discovered during fuzz testing that options like '-ftf'
can cause a segfault. A parameter that includes a 't' is not currently
filtered correctly.
Improves the filtering to:
Filter a beginning '-' followed by a character other than '-' and then a 't'
anywhere in the parameter. This filters parameters like '-ftf'.
Filter '--t'.
Filter '--table', stopping when the parameter length is reached. Because the
getopt_long function allows abbreviations, any unique abbreviation of '--table'
will be treated as '--table'. This filters parameters like '--t', '--ta', but not
'--ttl' or '--target'.
Signed-off-by: Oliver Ford <ojford@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, iptables programs will exit with an error if the
iptables lock cannot be acquired, but will silently continue if
the lock cannot be opened at all. This can cause unexpected
failures (with unhelpful error messages) in the presence of
concurrent updates, which can be very difficult to find in a
complex or multi-administrator system.
Instead, refuse to do anything if the lock cannot be acquired.
The behaviour is not affected by command-line flags because:
1. In order to reliably avoid concurrent modification, all
invocations of iptables commands must follow this behaviour.
2. Whether or not the lock can be opened is typically not
a run-time condition but is likely to be a configuration
error.
Existing systems that depended on things working mostly correctly
even if there was no lock might be affected by this change.
However, that is arguably a configuration error, and now that the
iptables lock is configurable, it is trivial to provide a lock
file that is always accessible: if nothing else, the iptables
binary itself can be used. The lock does not have to be writable,
only readable.
Tested by configuring the system to use an xtables.lock file in
a non-existent directory and observing that all commands failed.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When an unknown option is given, iptables-restore should exit instead of
continue its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.
OTOH, exit with a status code of 0 when requesting help.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.")
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Prints program version just like iptables/ip6tables.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove braces which are not required, to fix the check patch issue.
The following coccinelle script was used to fix this issue.
@@
expression e;
expression e1;
@@
if(e)
-{
e1;
-}
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Static variables are initialized to zero by default, so remove explicit
initalization. This patch fixes the checkpatch issue.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, ip[6]tables-restore does not perform any locking, so it
is not safe to use concurrently with ip[6]tables.
This patch makes ip[6]tables-restore wait for the lock if -w
was specified. Arguments to -w and -W are supported in the same
was as they are in ip[6]tables.
The lock is not acquired on startup. Instead, it is acquired when
a new table handle is created (on encountering '*') and released
when the table is committed (COMMIT). This makes it possible to
keep long-running iptables-restore processes in the background
(for example, reading commands from a pipe opened by a system
management daemon) and simultaneously run iptables commands.
If -w is not specified, then the command proceeds without taking
the lock.
Tested as follows:
1. Run iptables-restore -w, and check that iptables commands work
with or without -w.
2. Type "*filter" into the iptables-restore input. Verify that
a) ip[6]tables commands without -w fail with "another app is
currently holding the xtables lock...".
b) ip[6]tables commands with "-w 2" fail after 2 seconds.
c) ip[6]tables commands with "-w" hang until "COMMIT" is
typed into the iptables-restore window.
3. With the lock held by an ip6tables-restore process:
strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000
shows 11 calls to flock and fails.
4. Run an iptables-restore with -w and one without -w, and check:
a) Type "*filter" in the first and then the second, and the
second exits with an error.
b) Type "*filter" in the second and "*filter" "-S" "COMMIT"
into the first. The rules are listed only when the first
copy sees "COMMIT".
Signed-off-by: Narayan Kamath <narayan@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This slightly simplifies configure.ac and results in more
correct dependencies.
Tested by running ./configure with --with-xt-lock-name and
without, and using strace to verify that the right lock is used.
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the iptables lock is hardcoded as "/run/xtables.lock".
Allow users to change this path using the --with-xt-lock-name
option to ./configure option. This is useful on systems like
Android which do not have /run.
Tested on Ubuntu, as follows:
1. By default, the lock is placed in /run/xtables.lock:
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
2. Specifying the lock results in the expected location being
used:
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
$ iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
This extra 'nft' print is incorrect, just print it if there are more
rules to be printed.
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Tested-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to print nft at the very beginning for each rule that rules from
the expansion, otherwise the output is not correct:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
insert rule ip filter INPUT ip saddr 98.139.183.24 counter
After this patch:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This originally came up when accidentally calling iptables-translate as
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).
The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using "-w" to avoid concurrent instances, we try to do flock() every
one second until it success. But one second maybe too long in some
situations, and it's hard to select a suitable interval time. So when
using "iptables -w" to wait indefinitely, it's better to block until
it become success.
Now do some performance tests. First, flush all the iptables rules in
filter table, and run "iptables -w -S" endlessly:
# iptables -F
# iptables -X
# while : ; do
iptables -w -S >&- &
done
Second, after adding and deleting the iptables rules 100 times, measure
the time cost:
# time for i in $(seq 100); do
iptables -w -A INPUT
iptables -w -D INPUT
done
Before this patch:
real 1m15.962s
user 0m0.224s
sys 0m1.475s
Apply this patch:
real 0m1.830s
user 0m0.168s
sys 0m1.130s
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After running the following commands, some confusing messages was printed
out:
# while : ; do
iptables -A INPUT &
iptables -D INPUT &
done
[...]
Another app is currently holding the xtables lock; still -9s 0us time
ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time
ahead to have a chance to grab the lock...
If "-w" option is not specified, the "wait" will be zero, so we should
check whether the timer_left is less than wait_interval before we call
select to sleep.
Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time"
introduced by commit e8f857a5a151 ("xtables: Add an interval option for
xtables lock wait").
Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix wrong appending of jump verdict after the comment
For example:
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
Note that even without comment with double-quotes (i.e. --comment
"foobar"), it will add quotes:
$ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
Attempting to apply the translated/generated rule will result to:
$ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
<cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting endof file or newline or semicolon
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment "foobar"jump LONGNACCEPT
After this patch
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
which is correct translation
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Reviewed-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Between revisions, the layout of xtables data may change completely.
Do not interpret the data in a revision M with a module of revision N.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes the type of translated chains in nat table to be of type
'nat' instead of 'filter' which is incorrect.
Verified like so:
| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade
Ditto for ip6tables-restore-translate.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was an annoying bug in the translator since it silently dropped
crucial information which is easily overlooked:
| $ iptables-translate -A INPUT -s 192.168.0.0/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 192.168.0.0 counter accept
| $ ip6tables-translate -A INPUT -s feed:babe::/64 -j ACCEPT
| nft add rule ip6 filter INPUT ip6 saddr feed:babe:: counter accept
To my surprise, this fix works really well in all kinds of situations:
| $ iptables-translate -A INPUT -s 1.2.3.4/0 -j ACCEPT
| nft add rule ip filter INPUT counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/23 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.2.0/23 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.0/24 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/32 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.4 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/255.255.0.0 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.0.0/16 counter accept
Ditto for IPv6.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Looks like this bit was simply forgotten when implementing
xlate_chain_set() as everything needed was there to just print the
desired policy along with the chain definition.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Replace gethostbyname() with getaddrinfo() as getaddrinfo()
deprecates the former and allows programs to eliminate
IPv4-versus-IPv6 dependencies.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If quotes are escaped, nft -f is unable to parse and load the translated
ruleset.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition with the new checks of
ruleset compatibility, the rule list is loaded one more time.
Now all the operations causing changes in the ruleset must invalidate
the cache, a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
iptables-restore was missing -n, -T and -M from the
usage message, added them to match the man page.
Cleaned-up other *restore files as well.
Signed-off-by: Brian Haley <brian.haley@hpe.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The comment_xlate function was not supporting this option that is
necessary in some situations.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The static function nft_rule_list_get was exposed outside nft.c through
the nft_rule_list_create function, but this was never used out there.
A similar situation occurs with nftnl_rule_list_free and
nft_rule_list_destroy.
This patch removes nft_rule_list_create and nft_rule_list_destroy for
the sake of simplicity.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
ip[6]tables-compat -L was not printing the comments since commit
d64ef34a9961 ("iptables-compat: use nft built-in comments support").
This patch solves the issue.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.
Apply this patch, translation will become:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some translations included escaped quotes when they were called from
nft:
$ sudo nft list ruleset
table ip mangle {
chain FORWARD {
type filter hook forward priority -150; policy accept;
ct helper \"ftp\" counter packets 0 bytes 0
^^ ^^
}
}
This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft.
Before this commit, two spaces were printed after every match
translation:
$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
COMMIT
$ sudo iptables-compat-restore iptables-save
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ct state related,established counter packets 0 bytes 0 accept
^^
ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept
^^ ^^
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even severe in case of latency
sensitive applications.
Introduce a new option 'W' to specify the wait interval in microseconds.
If this option is not specified, the command sleeps for 1 second by
default.
v1->v2: Change behavior to take millisecond sleep as an argument to
-w as suggested by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.
v3->v4: Use select instead of usleep. Sleep every iteration for
the time specified in the "-W" argument. Update man page.
v4->v5: Fix compilation error when enabling nftables
v5->v6: Simplify -W so it only takes the interval wait in microseconds.
Bail out if -W is specific but -w is not.
Joint work with Pablo Neira.
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
After this patch, iptables-compat uses nft built-in comments support
instead of comment match.
This change simplifies the treatment of comments in nft after load a
rule set through iptables-compat-restore.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Clone of 1eada72b with 9bb76094 and e0390bee on top.
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
