| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
All commands this block handles set p->chain. Also the pointer is
dereferenced before, so no point in checking for it to be non-NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
strcmp() may be passed a NULL pointer. Therefore check if the pointer is
valid before doing so.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
The problem here is that get_frag() does not set 'inv' in any case, so
when later checking its value, garbage may be read. Sanitize this case
by setting 'inv' to false before calling get_frag().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This gets rid of a number of assignments which are either redundant or
not used afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Since fw->arp.arhln is of type __u8, its value will never become less
than zero.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Move the function to xshared.c for common use between legacy and xtables
sources. While being at it, silence a covscan warning triggered by that
function as it couldn't verify input buffers won't exceed IFNAMSIZ.
Therefore use snprintf() when writing to the local buffer.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These functions contain code which occurs in legacy's print_firewall()
functions, so use them there.
Rename them to at least make clear they print more than a single
address.
Also introduce ipv{4,6}_addr_to_string() which take care of converting
an address/netmask pair into string representation in a way which
doesn't upset covscan (since that didn't detect that 'buf' may not be
exceeded by the strings written into it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
As covscan stated: "Trapping signals by number is not well defined.
Prefer signal names."
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Not a real problem here, but covscan got confused by one string
containing 'then' keyword.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This is a leftover from previous cleanup.
Fixes: 098ee2e91756c ("xtables-save: Ignore uninteresting tables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
When reading sufficiently malformed input, parser might hit end of
loop without having written the current table name into curtable and
therefore calling strcmp() with uninitialized buffer. Avoid this by
setting curtable to zero upon declaration.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Typical covscan complaint, non-empty fall throughs should be marked as
such. There was but a single case which should break instead, namely in
libebt_log.c: It is not critical, since the next case merely asserts
'invert' being zero (which can't be as it was checked before). But while
being at it, introduce log_chk_inv() to consolidate the semantically
equal cases for the various log types.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This moves getethertype.c into libxtables so that both extensions and
xtables-nft-multi may use the implementations therein. New users are
libebt_arp and libebt_vlan which drop their own duplicated
implementations of getethertypebyname() for the shared one.
This change originated from a covscan report of extensions'
implementations not checking fopen() return value which should be
implicitly fixed by this as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
The code obviously tries to assert that nft_table_builtin_find()
returned a valid pointer before dereferencing it, but the wrong argument
was given. Assume this is just a typo and insert the missing underscore.
Fixes: 9b896224e0bfc ("xtables: rework rule cache logic")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running iptables-nft-save with other tables present, the dump
succeeded but the tool complained about those other tables. In an
environment where iptables-nft and nftables are uses in parallel, this
is an expected situation, so only complain about incompatible builtin
tables.
While being at it, move the table existence check from __do_output()
into do_output() since the former may be called from
nft_for_each_table() in which case the table is guaranteed to exist.
Also use nft_table_builtin_find() in nft_is_table_compatible() instead
of open-coding the search by name in h->tables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Fix the parameter check in nft_ebt_standard_target() to avoid an array
out of bounds access in ebt_standard_targets.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Passing --wait option to iptables-nft-restore led to program abort
because the flag parameter was not skipped. Mimick iptables-restore
behaviour when encountering --wait or --wait-interval options (but still
ignore the parameter).
Fixes: b9d7b49d84bc2 ("xtables-compat: restore: sync options with iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning")
fixed for compatibility checking to extend over all chains, not just the
relevant ones. This patch does the same for rules: Make sure only rules
belonging to the relevant table are being considered.
Note that comparing the rule's table name is sufficient here since the
table family is already considered when populating the rule cache.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The logic to replicate 'iptables-restore --noflush' behaviour of
flushing custom chains if listed in the dump was broken for chains being
referenced. A minimal dump reproducing the issue is:
| *filter
| :foobar - [0:0]
| -I INPUT -j foobar
| -A foobar -j ACCEPT
| COMMIT
With --noflush, this can be restored just once in iptables-nft-restore.
Consecutive attempts return an error since xtables tries to delete the
referenced chain and recreate it instead of performing a real flush.
Fix this by really flushing the custom chain in 'chain_user_flush'
callback and running 'chain_user_add' callback only if the chain doesn't
exist already.
Fixes: df3d92bec6007 ("xtables-compat-restore: flush user-defined chains with -n")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed
from command line, not for those read from kernel. As a result,
appropriate rules could not be deleted. A simple test case is:
| # ip6tables-nft -A INPUT -p tcp -j ACCEPT
| # ip6tables-nft -D INPUT -p tcp -j ACCEPT
| iptables: Bad rule (does a matching rule exist in that chain?).
Since the flag is not used anywhere in xtables-nft, dropping its use fixes
the bug as well as setting it in both cases.
Fixes: 5ee03e6df4172 ("xtables: Use meta l4proto for -p match")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Make sure return codes match legacy ones at least for a few selected
commands typically used to check ruleset state.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Comment match allocation in command_match() and
nft_rule_to_iptables_command_state() were misaligned in that the latter
set match_size to just what is required instead of what the match needs
at maximum like the further. This led to failure when comparing them
later and therefore a rule with a comment could not be deleted.
For comments of a specific length, the udata buffer is padded by
libnftnl so nftnl_rule_get_data() returns a length value which is larger
than the string (including NULL-byte). The trailing data is supposed to
be ignored, but compare_matches() can't not know about that detail and
therefore returns a false-negative if trailing data contains junk. To
overcome this, use strncpy() when populating match data in
nft_rule_to_iptables_command_state(). While being at it, make sure
comment match allocation in that function is identical to what
command_match() does with regards to data allocation size. Also use
xtables_calloc() which does the required error checking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
These fix reports for definitely lost blocks in valgrind. Not really
memleaks, but due to nft_handle going out of scope they're counted as
lost. Still worth fixing though since it reduces noise when auditing
code for real issues.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of my previous commit with similar subject - it
missed to apply the needed changes to ebtables-translate as well and on
top of that still left some leaks and use-after-frees in place. The new
strategy is to make ebtables extension loading compatible with that of
xtables, because otherwise the heavy code sharing between
ebtables-translate and iptables-translate will cause trouble.
Basically, ebt_add_match() and ebt_add_watcher() copy what xtables'
command_match() does, but after the actual extension argument parsing
has already happened. Therefore they duplicate the loaded match along
with its data and reset the original one to default state for being
reused (e.g., by ebtables-restore). Since mflags/tflags are cleared
while doing so, clearing them for all loaded extensions in
do_commandeb() is not necessary anymore.
In ebt_command_default() (where extension parameter parsing happens),
the list of added extensions to the current rule are consolidated first
so no duplicate extension loading happens.
With the above in place, ebt_cs_clean() can be reverted to its old
state.
Apart from sharing command_jump() function with ebtables-translate, make
use of nft_init_eb() there, as well.
Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Mostly to reduce noise from valgrind output, add missing calls to
destroy iterators in nft.c and add cleanup for the populated nft_handle
in xtables_eb_save_main().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous review of match/target lookup did not consider
xtables-eb-translate.c which contains the same code. Fix parsing of
target/match arguments there as well by introducing
ebt_command_default() which consolidates the previously duplicated code.
One notable quirk in comparison to the similar xtables code: Since
ebtables allows for negations in ugly places (e.g. '--arp-opcode ! 1'),
ebt_check_inverse2() has to be called first.
Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This nit was discovered when comparing do_commandeb() with
do_commandeb_xlate(): Since 'cs' is initialized upon declaration
already, initialization of field '.eb.bitmask' may be moved there as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use of payload expression to match against IPv6 nexthdr field does not
work if extension headers are present. A simple example for that is
matching for fragmented icmpv6 traffic. Instead, generate a 'meta
l4proto' expression which works even if extension headers are present.
For consistency, apply the same change to iptables-nft as well.
No adjustment to reverse path required as the needed bits were added by
commit 6ea7579e6fe24 ("nft: decode meta l4proto") already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO in the above case
and add an appropriate Mesage to nft_strerror().
While being at it, improve the error message if an invalid policy was
given. Before:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Incompatible with this kernel.
After:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Bad policy name. Run `dmesg' for more information.
Third unrelated change in this patch: Drop error checking of
nft_chain_set() in do_commandx(): The function never returns negative,
so that check never yielded true.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous fix for reference counts in iptables-nft output wasn't
complete: While iptables lists the number of references for each custom
chain (i.e., the number of jumps to it), ebtables lists number of
entries (i.e., the number of rules contained) for each chain. Both used
the same value for it, although they are different metrics.
Fix this by passing both numbers separately to the 'print_header'
callback so that each tool may print the desired value.
Fixes: a0698de9866d2 ("xtables: Do not count rules as chain references")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To be consistent with legacy iptables, calling -S with a non-existing
chain should lead to an error message. This is how some scripts find out
whether a user-defined chain exists or not.
Make sure doing the same for an existing chain does succeed, even if an
invalid rule number was given.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to list a non-existent chain, ebtables-nft would just print
the table header and then exit with a code of zero. In order to be more
consistent with legacy ebtables, change the code to:
* Print table header only if chosen chain is found and
* propagate the error condition if chain was not found to print an error
message.
Note that this does not establish full parity with legacy ebtables due
to the error code being 1 instead of 255 and the error message differing
from the legacy one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Just like with 'iptables-nft -L', we have to make sure the standard set
of chains exist for a given table when listing it using '-S' flag.
The added code was just copied over from nft_rule_list() which does the
same.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both extensions were very similar already, but now that they both are
translated into native nftables code, their actual difference (i.e.
match size) doesn't matter anymore.
This change comes with one caveat: Since ebtables limit match is not in
its own file anymore, match preloading automatically also loads the
NFPROTO_UNSPEC limit match. This is not a problem per se since match
lookup will prefer the family-specific one, but when parsing unknown
options, a match without 'parse' callback is encountered. Therefore
do_commandeb() has to check existence of that callback prior to
dereferencing it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original issue was that for a rule with limit match added by
ebtables-nft, the kernel might attempt to use xt_limit instead of
ebt_limit (and fail due to that). This happens if xt_limit.ko is loaded
but ebt_limit.ko is not, because the kernel prefers the
family-independent variants.
There are multiple ways to avoid above issue, but using neither xt_limit
nor ebt_limit with nft-variants should be the most effective one.
Therefore translate a created limit match in userspace into native
nftables code before sending it to kernel and do the reverse translation
when listing rules. Apart from the translation routines, this requires
slight adjustment of nft_is_expr_compatible() since neither xt_limit nor
ebt_limit support byte-based limits or inverted limit match.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is actually quite a mess: xtables-eb.c defines names for bits in
'flags' variable of do_commandeb(), though these tend to clash with bit
names defined in xshared.h due to the same 'OPT_' prefix. Therefore
checking for bits OPT_NUMERIC and OPT_VERBOSE is syntactically correct,
but semantically wrong as they actually refer to bits OPT_COMMAND and
OPT_PROTOCOL.
Since ebtables doesn't support numeric nor verbose modes, just replace
the checks with zero values.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant
used '[PCNT BCNT]' prefix like with iptables-save.
In order to pass the counter format preference along, FMT_C_COUNTS is
introduced and related 'format' checks adjusted.
Since legacy iptables prints the counters between matches and target,
this change affects save_matches_and_target() function. In order to get
access to the rule counters, it's declaration is adjusted to receive
iptables_command_state pointer instead of match, target and jumpto
pointers from the same object.
While being at it, integrate jump to user-defined chain into it as well
since the related code in both callers was almost identical. Though
since different rule flags are used between iptables and ip6tables, pass
a 'goto_flag' boolean instead of the actual 'flags' bitfield.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
The function expects a boolean, not a bitfield. This bug caused
inversion in another match to carry over to protocol match by accident.
The supplied testcase contains rules which then fail because they
contain matches requiring that protocol.
Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags")
Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
First time users are likely to call 'xtables-monitor --help' to see
what's going on. Make this situation a bit more pleasant for them:
* When complaining about illegal arguments, add a final newline
character to the error message.
* Actually support '--help' long option as an alias to '-h'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In an attempt to sanitize shell scripting, exit test in recent testcases
was altered, which led to them being skipped even in nft test runs. Drop
the quotes so that globbing happens again.
While here, improve the check a bit to glob only on leading path part,
not also the file name. Also print "skip ..." just like
nft-only/0001compat_0 testcase does.
Fixes: f1d8508fd6fdc ("tests: Add arptables-{save,restore} testcases")
Fixes: fbf0bf7c079d8 ("tests: Add ebtables-{save,restore} testcases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Fix a few minor spelling issues in xtables-monitor help output and man
page. While being at it, change 'ipv4' and 'ipv6' to 'IPv4' and 'IPv6',
respectively.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
If batch_rule_add() failed (ENOMEM), nft_rule_append() frees the
rule and then tries to add it to the rule cache. Better return 0
(failure) instead of continuing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This actually does a bit more since it creates the ruleset using
separate ebtables calls.
Note that there are a few commented out lines containing commands which
don't apply for unknown reasons - something to investigate later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This actually does a bit more since it creates the ruleset using
separate arptables calls.
Note that there are a few commented out lines containing commands which
don't apply for unknown reasons - something to investigate later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds C implementations for arptables-save and -restore in compat
layer based on the two perl scripts in legacy arptables repository.
To share common code, introduce nft_init_arp() analogous to
nft_init_eb() introduced earlier.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since ebtables does not indicate extension use on commandline via '-m'
flag as in iptables, loading of matches has to happen prior to
commandline parsing. While parsing, the right extension is searched for
unknown parameters by passing it to its 'parse' callback and checking if
it succeeds. As an unavoidable side-effect, custom data in
xtables_targets objects is being altered if the extension parser
succeeds.
If called multiple times, do_commandeb() leaks memory and fixing this
requires to properly treat the above quirk:
* Load extensions just once at program startup, thereby reusing the
existing ones for several calls of do_commandeb().
* In ebt_cs_clean(), don't free memory which is being reused. Instead
reinit custom extension data if it was used in current do_commandeb()
call (i.e., it is contained in cs->match_list).
On the other hand, target lookup in command_jump() can be simplified a
lot: The only target it may have loaded is 'standard', so just load that
at as well at program startup and reduce command_jump() to a simple
linked list search. Since 'standard' target does not prove a 'parse'
callback, a check is necessary when parsing target options.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This drops the dedicated input parser (which was broken in many ways
anyway) and replaces it by the common one now that all required knobs
are in place.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ebtables-restore does not support COMMIT directive, so allow for
callers of xtables_restore_parse() to toggle whether it is required or
not.
In iptables, omitting COMMIT may be used for syntax checking, so we must
not add an implicit commit at EOF. Although ebtables/arptables legacy
does not support COMMIT lines at all, this patch allows them in nft
variants. If omitted, an implicit commit happens for them at EOF.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Legacy ebtables-save does not use a policy string of '-' to denote
user-defined chains but instead lists them with a policy of ACCEPT.
In order to use ebtables_restore_parse() for ebtables-save
implementation, make use of builtin table definitions to decide whether
a given chain is a builtin one or not.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legacy ip{,6}tables prints feedback for various commands if in verbose
mode, make sure nft variants do the same.
There is one difference, namely when checking a rule (-C command):
Legacy ip{,6}tables print the rule in any case, nft variants don't in
case the rule wasn't found. Changing this though would require to
populate the nftnl_rule object just for printing, which is probably not
feasible.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
