summaryrefslogtreecommitdiffstats
path: root/libxtables
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: Display weird character warning for wildcardsOliver Ford2017-05-081-9/+9
| | | | | | | | | | | Change the scope of the weird character check loop so that it checks for invalid characters when the interface name contains a wildcard. Fixes Bugzilla #1085. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* libxtables: abolish AI_CANONNAMEJan Engelhardt2017-03-081-2/+0
| | | | | | | | ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: remove unnecessary nesting from host_to_ip(6)addrJan Engelhardt2017-03-081-30/+24
| | | | | | | | The error path already terminally returns from the function, so there is no point in having an explicit else block. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: xtables: Use getnameinfo()Shyam Saini2016-12-201-4/+11
| | | | | | | | | Replace gethostbyaddr() with getnameinfo() as getnameinfo() deprecates the former and allows programs to eliminate IPv4-versus-IPv6 dependencies Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: xtables: remove unnecessary debug codeShyam Saini2016-12-201-26/+3
| | | | | | | Remove unnecessary debug code Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Replace gethostbyname() with getaddrinfo()Arpan Kapoor2016-07-031-9/+23
| | | | | | | | Make the function host_to_ipaddr() similar to host_to_ip6addr(), using getaddrinfo() instead of the obsoleted gethostbyname(). Signed-off-by: Arpan Kapoor <rpnkpr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: missing comment initialization in xt_xlate_alloc()Pablo Neira Ayuso2016-03-251-0/+1
| | | | | | Initialize comment buffer when allocation the xt translation structure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* comment: Add translation to nftShivani Bhardwaj2016-02-291-0/+5
| | | | | | | | | | | | | | Add translation for match comment to nftables. This patch also adds the relevant infrastructure for carrying out the translation. Example: $ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block" nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\" Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add xt_xlate_add_comment()Pablo Neira Ayuso2016-02-161-15/+26
| | | | | | | This new function allows us to add comments to the nft rule. This can be used to provide a translation for the comment match. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-21/+21
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: fix leak in xt_buf objectPablo Neira Ayuso2016-02-161-0/+1
| | | | | | Release data area that is allocated by xt_buf_alloc(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: xtables: add the infrastructure to translate from iptables to nftPablo Neira Ayuso2016-02-161-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are: 1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg. % iptables-restore-translate -f ipt-ruleset > nft-ruleset % cat nft-ruleset # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter INPUT iifname lo counter accept # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid: ... The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy. 2) iptables-translate which suggests a translation for an iptables command: $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Spelling fixesVille Skyttä2015-09-071-1/+1
| | | | | | | While at it, update comment format for the respective blocks. Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: find extensions based on family tooArturo Borrero2015-04-091-5/+16
| | | | | | | | | | | | | | | | | | When using libxtables with an external program (nft) which switches family contexts (using xtables_set_nfproto()), the xtables_find_{match,target} functions need to compare the family too. We want to avoid this situation: 1) user first sets afinfo to IPv6 2) xtables_find_target() finds & load ip6t_REJECT and uses it 3) afinfo change to IPv4 4) user then tries to use ipt_REJECT 5) xtables_find_target() finds ip6t_REJECT instead (same target name) 6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: remove unused fields from bridge and arp familiesPablo Neira Ayuso2015-02-181-10/+3
| | | | | | | | | These two families only work under nft compat, so leave unset the fields that we don't use. Basically, we need neither the module autoload code nor the native get/setsockopt() revision infrastructure since we use the one that nft_compat provides through nfnetlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* arptables-compat: add mangle target extensionArturo Borrero2015-02-181-0/+13
| | | | | | | | This patch adds support to use the mangle target extensions, along with the required changes in the surrounding code. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: search first for AF-specific extensionArturo Borrero2015-01-301-1/+1
| | | | | | | | | | | There are some extension which may name-clash, for example: * libxt_mark.so * liebt_mark.so Let's search first for AF-specific extension and then for the generic libxt_**. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add ebt 802_3 extensionArturo Borrero2014-12-231-0/+13
| | | | | | | | | | | | | | This patch adds the first ebtables extension to ebtables-compat. The original 802_3 code is adapted to the xtables environment. I tried to mimic as much as possible the original ebtables code paths. With this patch, ebtables-compat is able to send the 802_3 match to the kernel, but the kernel-to-userspace path is not tested and should be adjusted in follow-up patches. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: move some code to avoid cautions in vfork man pageDan Wilder2014-10-251-10/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame: 357 switch (vfork()) { 358 case 0: 359 argv[0] = (char *)modprobe; 360 argv[1] = (char *)modname; 361 if (quiet) { 362 argv[2] = "-q"; 363 argv[3] = NULL; 364 } else { 365 argv[2] = NULL; 366 argv[3] = NULL; 367 } 368 execv(argv[0], argv); 369 370 /* not usually reached */ 371 exit(1); modprobe pointed to a non-existant program /sbin/modprobe, so execv() always failed. Not a problem in itself on our platform, as the kernel modules are pre-loaded before iptables-restore is run, but it took a bit of headscratching to track this down, as a stack frame was corrupted, leading to failures quite a while after the function containing this code had returned! Relevant caution in man 2 vfork: "The vfork() function has the same effect as fork(2), except that the behavior is undefined if the process created by vfork() either modifies any data ... or calls any other function before successfully calling _exit(2) or one of the exec(3) family of functions." Apparently this has not been a problem for us in earlier versions of glibc, maybe because vfork was more like fork, maybe because the stack corruption was innocuous. Ours is a corner case anyway, as it might not have been a problem had modprobe existed or had modprobe been a symlink to /bin/true. But it seems odd to disregard man page cautions, and our problem goes away if they are heeded. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: fix two off-by-one memory corruption bugsRonald Wahl2014-09-051-2/+3
| | | | | | | | | | | | | | | | | The LSB of xtables_pending_matches was overwritten with zero that lead to segmentation fault. But simply adding an additional variable in the code or changing compilation options modified the behaviour so that no segmentation fault happens so it is rather subtle. (1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); In case of bits % 8 == 0 we write the byte behind *p (2) p[bits/8] = 0xff << (8 - (bits & 7)); In case of bits == 128 we write the byte behind *p Closes bug 943. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: fix getaddrinfo return value usageDomen Puncer2014-06-131-3/+3
| | | | | | | | | | | | | | getaddrinfo return value on error can also be positive. On Android they're positive, e.g.: android-ndk-r9d/platforms/android-19/arch-arm/usr/include/netdb.h 147 #define EAI_NONAME 8 /* hostname nor servname provided, or not known */ And as a plus, it's not bad to conform to specs. Signed-off-by: Domen Puncer Kugler <domen.puncer@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* update FSF address in license textJiri Popelka2014-03-131-1/+1
| | | | | | | http://www.gnu.org/licenses/gpl-2.0.html http://www.fsf.org/about/contact/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'nft-compat'Pablo Neira Ayuso2014-02-131-3/+3
|\ | | | | | | | | This merges the branch that contains the iptables over nftables compatibility layer into master.
| * use nf_tables and nf_tables compatibility interfacePablo Neira Ayuso2013-12-301-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: Print meaningful error message for an invalid MAC address stringMart Frauenlob2014-02-021-1/+1
|/ | | | | | | | If an invalid MAC address is used on the commmand line, the error message `ether' was not really describing the problem. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable-1.4.20'Florian Westphal2013-11-231-1/+1
|\ | | | | | | | | | | | | | | | | | | | | | | ... to get 76e230e ('iptables: link against libnetfilter_conntrack'), else static build doesn't work. Conflicts: extensions/GNUmakefile.in [ CPPFLAGS was added in master, so keep it ] Reported-By: Gustavo Zacarias <gustavo@zacarias.com.ar>
| * iptables: link against libnetfilter_conntrackJan Engelhardt2013-08-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linking currently fails in --enable-static case: ../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name': iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name' [..] It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack. If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@ and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty, therefore producing no harm to include unconditionally. Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Florian Westphal <fw@strlen.de>
* | iptables: spurious error in load_extensionPhil Oester2013-11-031-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit 927385017047d (iptables: improve error reporting with extension loading troubles), a new error message was added in an attempt to handle the case where a match does not support a particular protocol family. For instance, attempting to use the osf match on IPv6. Unfortunately, this error message now triggers when creating a new chain which has the same name as a match extension, because iptables calls xtables_find_target with the name of the new chain to verify it does not clash with an existing target. For example: # iptables -N tcp /usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol I attempted to resolve this by adding a new XTF flag, but that required changes in many different places (including -j handling). It seems easiest just to remove this warning and stick with the original error message of ENOENT, even if less than precise. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masksPhil Oester2013-09-271-1/+1
|/ | | | | | | | | | | | | | As pointed out by Peter Hoelsken, rules created with non-standard masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output with iptables -L in CIDR notation as -1. This is because the cidr variable in xtables_ipmask_to_numeric is unsigned, and the return value of -1 from xtables_ipmask_to_cidr is therefore converted to UINT_MAX. Add a cast to workaround the issue. This closes netfilter bugzilla #854. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6tables: don't print out /128Phil Oester2013-07-081-1/+5
| | | | | | | | Similar to how iptables does not print /32 on IPv4 addresses, ip6tables should not print out /128 on IPv6 addresses. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* xtables: improve get_modprobe handlingPhil Oester2013-05-291-11/+11
| | | | | | | | | | | In bug #455, Dmitry V. Levin proposed a more robust get_modprobe implementation. The patch below is a version of his patch, updated to apply to current git. This closes bug #455. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* libxtables: fix parsing of dotted network mask formatPablo Neira Ayuso2013-05-091-3/+35
| | | | | | | | | | | | | | After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken: -A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN With iptables 1.4.18: iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32) This was probably broken by the augmented parser. Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_print_numPablo Neira Ayuso2013-01-041-0/+29
| | | | | | | | This function is used both by iptables and ip6tables, and refactorize to avoid longer than 80-chars per column lines of code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_rule_matches_freePablo Neira Ayuso2013-01-041-0/+22
| | | | | | This function is shared by iptables and ip6tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: restore NOTRACK functionality, target aliasingJan Engelhardt2012-10-081-12/+14
| | | | | | | | | | | | | | | | | | | | | | | | | Commit v1.4.16-1-g2aaa7ec is testing for real_name (not) being NULL which was always false (true). real_name was never NULL, so cs->jumpto would always be used, which rendered -j NOTRACK unusable, since the chosen real name.revision is for example NOTRACK.1, which does not exist at the kernel side. # ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK dbg: Using NOTRACK.1 WARNING: The NOTRACK target is obsolete. Use CT instead. iptables: Protocol wrong type for socket. To reasonably support the extra-special verdict names, make it so that real_name remains NULL when an extension defined no alias, which we can then use to determine whether the user entered an alias name (which needs to be followed) or not. [ I have mangled this patch to remove a comment unnecessarily large. BTW, this patch gets this very close to the initial target aliasing proposal --pablo ] Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: support for match aliasesJan Engelhardt2012-09-291-4/+8
| | | | | | | This patch allows for match names listed on the command line to be rewritten to new names and revisions, like we did for targets before. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* iptables: support for target aliasesJan Engelhardt2012-09-271-7/+25
| | | | | | | | | | | This patch allows for target names listed on the command line to be rewritten to new names and revisions. As before, we will pick a revision that is supported by the kernel - now including real_name in the search. This gives us the possibility to test for many action names. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxtables: consolidate preference logicJan Engelhardt2012-09-271-16/+53
| | | | | | | | Alias support will require testing for more conditions, so move the revision comparison code into a separate function where it can be shared between matches and targets. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxtables: add xtables_ip[6]mask_to_cidrPablo Neira Ayuso2012-07-141-9/+24
| | | | | | | | | | | | | | This patch adds generic functions to return the mask in CIDR notation whenever is possible. This patch also simplifies xtables_ip[6]mask_to_numeric, that now use these new two functions. This patch also bumps libxtables_vcurrent and libxtables_vage since we added a couple new interfaces (thanks to Jan Engelhardt for his little reminder on this). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Fix file descriptor leak in xtables_lmap_init on errorThomas Jarosch2011-09-281-0/+1
| | | | | Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: restore build order of modulesJan Engelhardt2011-09-193-0/+3023
iptables(exe) requires libext.a, but extensions/ require libxtables.la (in iptables/). This circular dependency does not work out, so separate libxtables into its own directory and put it in front. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>