summaryrefslogtreecommitdiffstats
path: root/libxtables
Commit message (Collapse)AuthorAgeFilesLines
* libxtables: extend xlate infrastructurePablo Neira Ayuso12 days1-18/+64
| | | | | | | | | | | | | | This infrastructure extends the existing xlate infrastructure: - Extensions can define set dependencies through .xlate. The resulting set definition can be obtained through xt_xlate_set_get(). - Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch the family. The first client of this new xlate API is the connlimit extension, which is added in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter12 days2-11/+15
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Fix memleak in xtopt_parse_hostmask()Phil Sutter12 days1-0/+1
| | | | | | | The allocated hostmask duplicate needs to be freed again. Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()Phil Sutter12 days1-2/+1
| | | | | | | Variable 'err' was only used in removed debug code, so drop it as well. Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code") Signed-off-by: Phil Sutter <phil@nwl.cc>
* fix build for missing ETH_ALEN definitionMaciej Żenczykowski2021-04-031-0/+1
| | | | | | | (this is needed at least with bionic) Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Simplify xtables_ipmask_to_cidr() a bitPhil Sutter2021-03-091-10/+5
| | | | | | | Reduce the whole mask matching into a single for-loop. No need for a shortcut, /32 masks will match in the first iteration. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Extend MAC address printing/parsing supportPhil Sutter2020-12-031-0/+73
| | | | | | | | | | | | | | | Adding a parser which supports common names for special MAC/mask combinations and a print routine detecting those special addresses and printing the respective name allows to consolidate all the various duplicated implementations. The side-effects of this change are manageable: * arptables now accepts "BGA" as alias for the bridge group address * "mac" match now prints MAC addresses in lower-case which is consistent with the remaining code at least Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Register multiple extensions in ascending orderPhil Sutter2020-10-071-6/+8
| | | | | | | | | The newly introduced ordered insert algorithm in xtables_register_{match,target}() works best if extensions of same name are passed in ascending revisions. Since this is the case in about all extensions' arrays, iterate over them from beginning to end. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Simplify pending extension registrationPhil Sutter2020-10-071-95/+33
| | | | | | | | | | | | | | | | | | | | Assuming that pending extensions are sorted by first name and family, then descending revision, the decision where to insert a newly registered extension may be simplified by memorizing the previous registration (which obviously is of same name and family and higher revision). As a side-effect, fix for unsupported old extension revisions lingering in pending extension list forever and being retried with every use of the given extension. Any revision being rejected by the kernel may safely be dropped iff a previous (read: higher) revision was accepted already. Yet another side-effect of this change is the removal of an unwanted recursion by xtables_fully_register_pending_*() into itself via xtables_find_*(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Make sure extensions register in revision orderPhil Sutter2020-10-071-7/+64
| | | | | | | | | | | | Insert extensions into pending lists in ordered fashion: Group by extension name (and, for matches, family) and order groups by descending revision number. This allows to simplify the later full registration considerably. Since that involves kernel compatibility checks, the extra cycles here pay off eventually. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: compiler warning fixes for NO_SHARED_LIBSMaciej Żenczykowski2020-06-301-0/+4
| | | | | | | | | | | | Fixes two issues with NO_SHARED_LIBS: - #include <dlfcn.h> is ifdef'ed out and thus dlclose() triggers an undeclared function compiler warning - dlreg_add() is unused and thus triggers an unused function warning Test: builds without warnings Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Introduce xtables_fini()Phil Sutter2020-05-111-1/+43
| | | | | | | | | | | | Record handles of loaded shared objects in a linked list and dlclose() them from the newly introduced function. While functionally not necessary, this clears up valgrind's memcheck output when also displaying reachable memory. Since this is an extra function that doesn't change the existing API, increment both current and age. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Avoid buffer overrun in xtables_compatible_revision()Phil Sutter2019-12-061-1/+2
| | | | | The function is exported and accepts arbitrary strings as input. Calling strcpy() without length checks is not OK.
* xtables: Fix for false-positive rule matchingPhil Sutter2019-02-051-1/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | When comparing two rules with non-standard targets, differences in targets' payloads wasn't respected. The cause is a rather hideous one: Unlike xtables_find_match(), xtables_find_target() did not care whether the found target was already in use or not, so the same target instance was assigned to both rules and therefore payload comparison happened over the same memory location. With legacy iptables it is not possible to reuse a target: The only case where two rules (i.e., iptables_command_state instances) could exist at the same time is when comparing rules, but that's handled using libiptc. The above change clashes with ebtables-nft's reuse of target objects: While input parsing still just assigns the object from xtables_targets list, rule conversion from nftnl to iptables_command_state allocates new data. To fix this, make ebtables-nft input parsing use the common command_jump() routine instead of its own simplified copy. In turn, this also eliminates the ebtables-nft-specific variants of parse_target(), though with a slight change of behaviour: Names of user-defined chains are no longer allowed to contain up to 31 but merely 28 characters. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: xlate: init buffer to zeroFlorian Westphal2018-11-121-0/+1
| | | | | | | | | | | | | | Doesn't affect iptables-xlate, but nft (when built w. xtables support). Without this, nft can print random content if an extension doesn't add anything to the output xlate buffer, e.g. -p mh -m mh can cause nft to print random data after "meta l4proto mobility", as mh ->xlate doesn't do anything in this case. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: add and use mac print helpersFlorian Westphal2018-11-071-0/+22
| | | | | | | | | | | | This changes ebtables-nft to consistently print mac address with two characters, i.e. 00:01:02:03:04:0a, not 0:1:2:3:4:a. Will require another bump of vcurrent/vage. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: expose new etherdb lookup function through libxtables APIPablo Neira Ayuso2018-10-201-4/+3
| | | | | | | | | | This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: prefix exported new functions for etherdb lookupsPablo Neira Ayuso2018-10-201-11/+11
| | | | | | | | | | To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* libxtables: Check extension real_name lengthPhil Sutter2018-09-251-0/+12
| | | | | | | Just like with 'name', if given check 'real_name' to not exceed max length. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Use posix_spawn() instead of vfork()Phil Sutter2018-09-241-10/+5
| | | | | | | | | According to covscan, vfork() may lead to a deadlock in the parent process. It suggests to use posix_spawn() instead. Since the latter combines vfork() and exec() calls, use it for xtables_insmod(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Fix a few cases of pointless assignmentsPhil Sutter2018-09-241-1/+1
| | | | | | | | This gets rid of a number of assignments which are either redundant or not used afterwards. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Don't read garbage in xtables_strtoui()Phil Sutter2018-09-241-1/+1
| | | | | | | | | If xtables_strtoul() fails, it returns false and data pointed to by parameter 'value' is undefined. Hence avoid copying that data in xtables_strtoui() if the call failed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Avoid calling memcpy() with NULL sourcePhil Sutter2018-09-242-8/+16
| | | | | | | | | | Both affected functions check if 'oldopts' is NULL once but later seem to ignore that possibility. To catch up on that, increment the pointer only if it isn't NULL, also don't copy its content into the merged options buffer in that case. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Integrate getethertype.c from xtables corePhil Sutter2018-09-242-1/+162
| | | | | | | | | | | | | | This moves getethertype.c into libxtables so that both extensions and xtables-nft-multi may use the implementations therein. New users are libebt_arp and libebt_vlan which drop their own duplicated implementations of getethertypebyname() for the shared one. This change originated from a covscan report of extensions' implementations not checking fopen() return value which should be implicitly fixed by this as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Fix potential array overrun in xtables_option_parse()Phil Sutter2018-09-131-1/+1
| | | | | | | | If entry->type is to be used as array index, it needs to be at max one less than that array's size. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: store all requested match typesFlorian Westphal2018-05-141-3/+0
| | | | | | | | | | | | | iptables and ip6tables don't need this because iptables is AF_INET, ip6tables AF_INET6, etc. But tools that can change af in-between such as nftables will then may then find to find such module. One example is conntrack, it offsers NFPROTO_IPV4 and NFPROTO_IPV6. When first loading with NFPROTO_IPV6, the IPV4 would be discarded. Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Fix rules print/save after iptables updateSerhey Popovych2018-04-271-0/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating iptables from 1.4.x to 1.6.x brokes rules print/save output and causes rules load after reboot to fail. Here is example from iptables-save(8) output after update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be obtained via iptables -L CHAIN1. While issue reproduced with xt_set match it is not specific to any match or target module: it is related on how xtables handles revisions. In this particular case we have following situation: 1) Kernel supports revisions from 1 to 4. 2) Rules configured with iptables 1.4.x supporting only revisions from 1 to 3. Choosen highest possible revision 3. 3) Rules printed/saved with iptables 1.6.x supporting revisions from 1 to 4. 4) Xtables registers matches/targets with highest supported revision by the kernel. This is 4 in our case after update to iptables 1.6.x. 5) When printing/saving kernel submits match/target with revision it is configured (3), while iptables thinks that rules configured with highest supported (4). That's causes revision mismatch in during print and "[unsupported revision]" output. To fix this issue we now store all supported by kernel and xtables revisions in xt_matches/xt_targets list sorted in descending order. Introduce helper routines to find match/target with given revision and use them to find right revision to print submitted by kernel entry. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Register all match/target revisions supported by us and kernelSerhey Popovych2018-04-271-24/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Keep the order of matches by appending them; keep order between revisions of same match from most to least recent. All of this keeps xtables_find_match() happy to find most recent supported by kernel revision in the given order. Apply the same for targets, except prepend targets; order between revisions preserved too. All this needed to fix nasty bug related to iptables package update and broken print/save output. After this change all supported revisions of match/target stored in corresponding list with following pattern: xt_matches xt_targets ========== ========== m1 m2 m3 mN tN t1 t2 t3 +-----+--+---+---~~~---+ +---~~~---+---+----+--+ |43210|10|210|revisions| |revisions|210|3210|10| +-----+--+---+---~~~---+ +---~~~---+---+----+--+ Where new [m]atches added to the list tail and new [t]argets added to the list head to preserve previous behaviour. Multiple revisions of single match/target type are grouped together and sorted in descending order. Both this ensures xtables_find_match() and xtables_find_target() behaviour remains the same after change: find highest supported match/target revision given by it's name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Check match/target size vs XT_ALIGN(size) at register timeSerhey Popovych2018-04-271-14/+16
| | | | | | | | Size is known at xtables_register_match()/xtables_register_target() calls: no need to defer it to final registration steps. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Do not register matches/targets with incompatible revisionSerhey Popovych2018-04-271-24/+42
| | | | | | | | | | | | | | If kernel tells revision isn't found/supported at the moment we should keep entity in pending list, not register or bail to do so later. Kernel might still load module for entity we asking it for and this could be slow on some embedded devices. Catch double registration attempts by checking me->next being non-NULL in xtables_register_match() and xtables_register_target(). Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to print val[/mask] argumentsSerhey Popovych2018-04-271-0/+20
| | | | | | | | | | | | | | | | There are number of places where argument is in val[/mask] format printed in extensions and some of them may print corresponding symbolic name. By introducing common function for this task we eliminate custom code parts in extensions to perform printing of arguments in required formats. Use xtables_print_mark_mask() helper for extensions without symbolic name for val[/mask]. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: Introduce and use common function to parse val[/mask] argumentsSerhey Popovych2018-04-272-21/+53
| | | | | | | | | | | | | | There are a couple of places in both core and extensions where arguments in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). In some cases symbolic name might be used which is mapped in code to numeric value. Introduce common function to handle both cases where value given is either val[/mask] or symbolic name. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: Display weird character warning for wildcardsOliver Ford2017-05-081-9/+9
| | | | | | | | | | | Change the scope of the weird character check loop so that it checks for invalid characters when the interface name contains a wildcard. Fixes Bugzilla #1085. Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* libxtables: abolish AI_CANONNAMEJan Engelhardt2017-03-081-2/+0
| | | | | | | | ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: remove unnecessary nesting from host_to_ip(6)addrJan Engelhardt2017-03-081-30/+24
| | | | | | | | The error path already terminally returns from the function, so there is no point in having an explicit else block. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: xtables: Use getnameinfo()Shyam Saini2016-12-201-4/+11
| | | | | | | | | Replace gethostbyaddr() with getnameinfo() as getnameinfo() deprecates the former and allows programs to eliminate IPv4-versus-IPv6 dependencies Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: xtables: remove unnecessary debug codeShyam Saini2016-12-201-26/+3
| | | | | | | Remove unnecessary debug code Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: Replace gethostbyname() with getaddrinfo()Arpan Kapoor2016-07-031-9/+23
| | | | | | | | Make the function host_to_ipaddr() similar to host_to_ip6addr(), using getaddrinfo() instead of the obsoleted gethostbyname(). Signed-off-by: Arpan Kapoor <rpnkpr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: missing comment initialization in xt_xlate_alloc()Pablo Neira Ayuso2016-03-251-0/+1
| | | | | | Initialize comment buffer when allocation the xt translation structure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* comment: Add translation to nftShivani Bhardwaj2016-02-291-0/+5
| | | | | | | | | | | | | | Add translation for match comment to nftables. This patch also adds the relevant infrastructure for carrying out the translation. Example: $ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block" nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\" Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: add xt_xlate_add_comment()Pablo Neira Ayuso2016-02-161-15/+26
| | | | | | | This new function allows us to add comments to the nft rule. This can be used to provide a translation for the comment match. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-21/+21
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: fix leak in xt_buf objectPablo Neira Ayuso2016-02-161-0/+1
| | | | | | Release data area that is allocated by xt_buf_alloc(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: xtables: add the infrastructure to translate from iptables to nftPablo Neira Ayuso2016-02-161-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are: 1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg. % iptables-restore-translate -f ipt-ruleset > nft-ruleset % cat nft-ruleset # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter INPUT iifname lo counter accept # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid: ... The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy. 2) iptables-translate which suggests a translation for an iptables command: $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Spelling fixesVille Skyttä2015-09-071-1/+1
| | | | | | | While at it, update comment format for the respective blocks. Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: find extensions based on family tooArturo Borrero2015-04-091-5/+16
| | | | | | | | | | | | | | | | | | When using libxtables with an external program (nft) which switches family contexts (using xtables_set_nfproto()), the xtables_find_{match,target} functions need to compare the family too. We want to avoid this situation: 1) user first sets afinfo to IPv6 2) xtables_find_target() finds & load ip6t_REJECT and uses it 3) afinfo change to IPv4 4) user then tries to use ipt_REJECT 5) xtables_find_target() finds ip6t_REJECT instead (same target name) 6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: remove unused fields from bridge and arp familiesPablo Neira Ayuso2015-02-181-10/+3
| | | | | | | | | These two families only work under nft compat, so leave unset the fields that we don't use. Basically, we need neither the module autoload code nor the native get/setsockopt() revision infrastructure since we use the one that nft_compat provides through nfnetlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* arptables-compat: add mangle target extensionArturo Borrero2015-02-181-0/+13
| | | | | | | | This patch adds support to use the mangle target extensions, along with the required changes in the surrounding code. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: search first for AF-specific extensionArturo Borrero2015-01-301-1/+1
| | | | | | | | | | | There are some extension which may name-clash, for example: * libxt_mark.so * liebt_mark.so Let's search first for AF-specific extension and then for the generic libxt_**. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add ebt 802_3 extensionArturo Borrero2014-12-231-0/+13
| | | | | | | | | | | | | | This patch adds the first ebtables extension to ebtables-compat. The original 802_3 code is adapted to the xtables environment. I tried to mimic as much as possible the original ebtables code paths. With this patch, ebtables-compat is able to send the 802_3 match to the kernel, but the kernel-to-userspace path is not tested and should be adjusted in follow-up patches. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>