From be70918eab26e0c5fe219fefab325056144976d9 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Mon, 18 Jun 2018 09:18:28 +0200 Subject: xtables: rename xt-multi binaries to -nft, -legacy This adds a clear distinction between old iptables (formerly xtables-multi, now xtables-legacy-multi) and new iptables (formerly xtables-compat-multi, now xtables-nft-multi). Users will get the ip/ip6tables names via symbolic links, having a distinct name postfix for the legacy/nft variants helps to make a clear distinction, as iptables-nft will always use nf_tables and iptables-legacy always uses get/setsockopt wheres "iptables" could be symlinked to either -nft or -legacy. Signed-off-by: Florian Westphal --- iptables-test.py | 6 +- iptables/Makefile.am | 74 ++++++++------- iptables/xtables-compat-multi.c | 45 --------- iptables/xtables-compat.8 | 177 ----------------------------------- iptables/xtables-legacy-multi.c | 53 +++++++++++ iptables/xtables-legacy.8 | 78 ++++++++++++++++ iptables/xtables-multi.c | 53 ----------- iptables/xtables-nft-multi.c | 43 +++++++++ iptables/xtables-nft.8 | 201 ++++++++++++++++++++++++++++++++++++++++ 9 files changed, 417 insertions(+), 313 deletions(-) delete mode 100644 iptables/xtables-compat-multi.c delete mode 100644 iptables/xtables-compat.8 create mode 100644 iptables/xtables-legacy-multi.c create mode 100644 iptables/xtables-legacy.8 delete mode 100644 iptables/xtables-multi.c create mode 100644 iptables/xtables-nft-multi.c create mode 100644 iptables/xtables-nft.8 diff --git a/iptables-test.py b/iptables-test.py index 75095d2d..9bfb8086 100755 --- a/iptables-test.py +++ b/iptables-test.py 
@@ -269,6 +269,8 @@ def main(): parser.add_argument('filename', nargs='?', metavar='path/to/file.t', help='Run only this test') + parser.add_argument('-l', '--legacy', action='store_true', + help='Test iptables-legacy') parser.add_argument('-m', '--missing', action='store_true', help='Check for missing tests') parser.add_argument('-n', '--nftables', action='store_true', @@ -283,9 +285,9 @@ def main(): return global EXECUTEABLE - EXECUTEABLE = "xtables-multi" + EXECUTEABLE = "xtables-legacy-multi" if args.nftables: - EXECUTEABLE = "xtables-compat-multi" + EXECUTEABLE = "xtables-nft-multi" if os.getuid() != 0: print "You need to be root to run this, sorry" diff --git a/iptables/Makefile.am b/iptables/Makefile.am index 95e67b83..9e6f3f4b 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am 
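Review bot: The new `-l/--legacy` option is parsed but never read anywhere in these two hunks: EXECUTEABLE already defaults to `xtables-legacy-multi` and only `args.nftables` switches it, so `-l` is a no-op unless code outside the hunk consults `args.legacy` (main() continues beyond what is shown). If it is meant as the explicit counterpart of `-n`, say so in the help text, e.g. `help='Test iptables-legacy (default)'`, and decide what happens when both flags are given. EXECUTEABLE is a bare basename, so which binary actually runs presumably depends on the invoking root user's PATH rather than on the build tree; that is pre-existing, but a one-line comment above the assignment stating the expectation would help whoever runs this.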
@@ -6,39 +6,39 @@ AM_YFLAGS = -d BUILT_SOURCES = -xtables_multi_SOURCES = xtables-multi.c iptables-xml.c -xtables_multi_CFLAGS = ${AM_CFLAGS} -xtables_multi_LDADD = ../extensions/libext.a +xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c +xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} +xtables_legacy_multi_LDADD = ../extensions/libext.a if ENABLE_STATIC -xtables_multi_CFLAGS += -DALL_INCLUSIVE +xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE endif if ENABLE_IPV4 -xtables_multi_SOURCES += iptables-save.c iptables-restore.c \ +xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \ iptables-standalone.c iptables.c -xtables_multi_CFLAGS += -DENABLE_IPV4 -xtables_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a +xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 +xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a endif if ENABLE_IPV6 -xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \ +xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \ ip6tables-standalone.c ip6tables.c -xtables_multi_CFLAGS += -DENABLE_IPV6 -xtables_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a +xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 +xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a endif -xtables_multi_SOURCES += xshared.c -xtables_multi_LDADD += ../libxtables/libxtables.la -lm +xtables_legacy_multi_SOURCES += xshared.c +xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm -# nftables compatibility layer +# iptables using nf_tables api if ENABLE_NFTABLES BUILT_SOURCES += xtables-config-parser.h -xtables_compat_multi_SOURCES = xtables-compat-multi.c iptables-xml.c -xtables_compat_multi_CFLAGS = ${AM_CFLAGS} -xtables_compat_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a +xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c +xtables_nft_multi_CFLAGS = ${AM_CFLAGS} +xtables_nft_multi_LDADD = ../extensions/libext.a 
../extensions/libext_ebt.a if ENABLE_STATIC -xtables_compat_multi_CFLAGS += -DALL_INCLUSIVE +xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE endif -xtables_compat_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6 -xtables_compat_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l -xtables_compat_multi_SOURCES += xtables-save.c xtables-restore.c \ +xtables_nft_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6 +xtables_nft_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l +xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \ xtables-standalone.c xtables.c nft.c \ nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \ xtables-monitor.c \ 
@@ -47,38 +47,40 @@ xtables_compat_multi_SOURCES += xtables-save.c xtables-restore.c \ xtables-eb-standalone.c xtables-eb.c \ xtables-eb-translate.c \ xtables-translate.c -xtables_compat_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a +xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a # yacc and lex generate dirty code -xtables_compat_multi-xtables-config-parser.o xtables_compat_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -xtables_compat_multi_SOURCES += xshared.c -xtables_compat_multi_LDADD += ../libxtables/libxtables.la -lm +xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls +xtables_nft_multi_SOURCES += xshared.c +xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm endif -sbin_PROGRAMS = xtables-multi +sbin_PROGRAMS = xtables-legacy-multi if ENABLE_NFTABLES -sbin_PROGRAMS += xtables-compat-multi +sbin_PROGRAMS += xtables-nft-multi endif man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 iptables-extensions.8 \ - xtables-compat.8 xtables-translate.8 \ + xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ xtables-monitor.8 CLEANFILES = iptables.8 xtables-monitor.8 \ xtables-config-parser.c xtables-config-syntax.c vx_bin_links = iptables-xml if ENABLE_IPV4 -v4_sbin_links = iptables iptables-restore iptables-save +v4_sbin_links = iptables-legacy iptables-legacy-restore iptables-legacy-save \ + 
iptables iptables-restore iptables-save endif if ENABLE_IPV6 -v6_sbin_links = ip6tables ip6tables-restore ip6tables-save +v6_sbin_links = ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save \ + ip6tables ip6tables-restore ip6tables-save endif if ENABLE_NFTABLES -x_sbin_links = iptables-compat iptables-compat-restore iptables-compat-save \ - ip6tables-compat ip6tables-compat-restore ip6tables-compat-save \ +x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \ + ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \ iptables-translate ip6tables-translate \ iptables-restore-translate ip6tables-restore-translate \ - arptables-compat ebtables-compat xtables-monitor + arptables ebtables xtables-monitor endif iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man @@ -92,7 +94,7 @@ pkgconfig_DATA = xtables.pc install-exec-hook: -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; - for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done; - for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done; - for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done; - for i in ${x_sbin_links}; do ${LN_S} -f xtables-compat-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-legacy-multi" "${DESTDIR}${bindir}/$$i"; done; + for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done; diff --git a/iptables/xtables-compat-multi.c b/iptables/xtables-compat-multi.c deleted file mode 100644 index 014e5a4e..00000000 --- a/iptables/xtables-compat-multi.c +++ /dev/null 
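Review bot: x_sbin_links now claims the bare `arptables` and `ebtables` names for xtables-nft-multi, and the `${LN_S} -f` loop in install-exec-hook will silently replace an arptables or ebtables binary that the standalone packages already installed into `${sbindir}`, with no `-nft`-suffixed spelling a distribution could ship side by side, which is exactly the distinction the commit message sets out for ip(6)tables. The new xtables-nft.8 in this commit documents `arptables-nft` and `ebtables-nft` as commands, but neither this link list nor the subcommand table in xtables-nft-multi.c knows those names, so the documented commands do not exist after install. I would change the last link line to `arptables-nft ebtables-nft arptables ebtables xtables-monitor` and add matching `xtables_arp_main`/`xtables_eb_main` entries in xtables-nft-multi.c, and reconsider whether the bare names should be installed as links at all.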
@@ -1,45 +0,0 @@
-#include
-#include
-#include
-#include "xshared.h"
-
-#include "xtables-multi.h"
-
-static const struct subcommand multi_subcommands[] = {
- {"iptables-xml", iptables_xml_main},
- {"xml", iptables_xml_main},
- {"iptables", xtables_ip4_main},
- {"iptables-compat", xtables_ip4_main},
- {"main4", xtables_ip4_main},
- {"save4", xtables_ip4_save_main},
- {"restore4", xtables_ip4_restore_main},
- {"iptables-save", xtables_ip4_save_main},
- {"iptables-restore", xtables_ip4_restore_main},
- {"iptables-compat-save", xtables_ip4_save_main},
- {"iptables-compat-restore", xtables_ip4_restore_main},
- {"ip6tables", xtables_ip6_main},
- {"ip6tables-compat", xtables_ip6_main},
- {"main6", xtables_ip6_main},
- {"save6", xtables_ip6_save_main},
- {"restore6", xtables_ip6_restore_main},
- {"ip6tables-save", xtables_ip6_save_main},
- {"ip6tables-restore", xtables_ip6_restore_main},
- {"ip6tables-compat-save", xtables_ip6_save_main},
- {"ip6tables-compat-restore", xtables_ip6_restore_main},
- {"iptables-translate", xtables_ip4_xlate_main},
- {"ip6tables-translate", xtables_ip6_xlate_main},
- {"iptables-restore-translate", xtables_ip4_xlate_restore_main},
- {"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
- {"arptables", xtables_arp_main},
- {"arptables-compat", xtables_arp_main},
- {"ebtables-compat", xtables_eb_main},
- {"ebtables-translate", xtables_eb_xlate_main},
- {"ebtables", xtables_eb_main},
- {"xtables-monitor", xtables_monitor_main},
- {NULL},
-};
-
-int main(int argc, char **argv)
-{
- return subcmd_main(argc, argv, multi_subcommands);
-}
diff --git a/iptables/xtables-compat.8 b/iptables/xtables-compat.8
deleted file mode 100644
index 90f887e1..00000000
--- a/iptables/xtables-compat.8
+++ /dev/null
@@ -1,177 +0,0 @@ -.\" -.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez -.\" -.\" %%%LICENSE_START(GPLv2+_DOC_FULL) -.\" This is free documentation; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public License as -.\" published by the Free Software Foundation; either version 2 of -.\" the License, or (at your option) any later version. -.\" -.\" The GNU General Public License's references to "object code" -.\" and "executables" are to be interpreted as the output of any -.\" document formatting or typesetting system, including -.\" intermediate and printed output. -.\" -.\" This manual is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public -.\" License along with this manual; if not, see -.\" . -.\" %%%LICENSE_END -.\" -.TH XTABLES-COMPAT 8 "Feb 25, 2017" - -.SH NAME -xtables-compat \- compat tools to migrate from iptables to nftables - -.SH DESCRIPTION -\fBxtables-compat\fP is set of tools to help the system administrator migrate the -ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and -\fBebtables(8)\fP to \fBnftables(8)\fP. - -The \fBxtables-compat\fP set is composed of several commands: -.IP \[bu] 2 -iptables-compat -.IP \[bu] -iptables-compat-save -.IP \[bu] -iptables-compat-restore -.IP \[bu] -ip6tables-compat -.IP \[bu] -ip6tables-compat-save -.IP \[bu] -ip6tables-compat-restore -.IP \[bu] -arptables-compat -.IP \[bu] -ebtables-compat - -These tools use the libxtables framework extensions and hook to the nf_tables -kernel subsystem using the \fBnft_compat\fP module. - -.SH USAGE -The compat tools set allows you to manage the nf_tables backend using the -native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and -\fBebtables(8)\fP. 
- -You should use the compat tools exactly the same way as you would use the -corresponding original tool. - -Adding a rule will result in that rule being added to the nf_tables kernel -subsystem instead. -Listing the ruleset will use the nf_tables backend as well. - -When these tools were designed, the main idea was to replace each legacy binary -with a symlink to the corresponding compat tool, for example: - -.nf - /sbin/iptables --> /usr/sbin/iptables-compat - /sbin/ip6tables --> /usr/sbin/ip6tables-compat - /sbin/arptables --> /usr/sbin/arptables-compat - /sbin/ebtables --> /usr/sbin/ebtables-compat -.fi - -.SH EXAMPLES -One basic example is creating the skeleton ruleset in nf_tables from the -compat tools, in a fresh machine: - -.nf - root@machine:~# iptables-compat -L - [...] - root@machine:~# ip6tables-compat -L - [...] - root@machine:~# arptables-compat -L - [...] - root@machine:~# ebtables-compat -L - [...] - root@machine:~# nft list ruleset - table ip filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } - table ip6 filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } - table bridge filter { - chain INPUT { - type filter hook input priority -200; policy accept; - } - - chain FORWARD { - type filter hook forward priority -200; policy accept; - } - - chain OUTPUT { - type filter hook output priority -200; policy accept; - } - } - table arp filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } -.fi - -(please 
note that in fresh machines, listing the ruleset for the first time -results in all tables an chain being created). - -To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, -you would use: - -.nf - root@machine:~# iptables-save > myruleset # reads from x_tables - root@machine:~# iptables-compat-restore myruleset # writes to nf_tables -.fi - - -.SH LIMITATIONS -You should use \fBLinux kernel >= 4.2\fP. - -Some (few) extensions may be not supported (or fully-supported) for whatever -reason (for example, they were considered obsolete). - -To get up-to-date information about this, please head to -\fBhttp://wiki.nftables.org/\fP. - -.SH SEE ALSO -\fBnft(8)\fP, \fBxtables-translate(8)\fP - -.SH AUTHORS -The nftables framework is written by the Netfilter project -(https://www.netfilter.org). - -This manual page was written by Arturo Borrero Gonzalez - for the Debian project, but may be used by others. - -This documentation is free/libre under the terms of the GPLv2+. diff --git a/iptables/xtables-legacy-multi.c b/iptables/xtables-legacy-multi.c new file mode 100644 index 00000000..71ec7f5e --- /dev/null +++ b/iptables/xtables-legacy-multi.c 
@@ -0,0 +1,53 @@
+#include
+#include
+#include
+#include "xshared.h"
+
+#include "xtables-multi.h"
+
+#ifdef ENABLE_IPV4
+#include "iptables-multi.h"
+#endif
+
+#ifdef ENABLE_IPV6
+#include "ip6tables-multi.h"
+#endif
+
+#ifdef ENABLE_NFTABLES
+#include "xtables-multi.h"
+#endif
+
+static const struct subcommand multi_subcommands[] = {
+#ifdef ENABLE_IPV4
+ {"iptables", iptables_main},
+ {"main4", iptables_main},
+ {"iptables-save", iptables_save_main},
+ {"save4", iptables_save_main},
+ {"iptables-restore", iptables_restore_main},
+ {"restore4", iptables_restore_main},
+ {"iptables-legacy", iptables_main},
+ {"iptables-legacy-save",iptables_save_main},
+ {"iptables-legacy-restore",iptables_restore_main},
+
+
+#endif
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
+#ifdef ENABLE_IPV6
+ {"ip6tables", ip6tables_main},
+ {"main6", ip6tables_main},
+ {"ip6tables-save", ip6tables_save_main},
+ {"save6", ip6tables_save_main},
+ {"ip6tables-restore", ip6tables_restore_main},
+ {"restore6", ip6tables_restore_main},
+ {"ip6tables", ip6tables_main},
+ {"ip6tables-legacy-save",ip6tables_save_main},
+ {"ip6tables-legacy-restore",ip6tables_restore_main},
+#endif
+ {NULL},
+};
+
+int main(int argc, char **argv)
+{
+ return subcmd_main(argc, argv, multi_subcommands);
+}
diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8
new file mode 100644
index 00000000..eb075e2c
--- /dev/null
+++ b/iptables/xtables-legacy.8
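Review bot: The IPv6 block of multi_subcommands lists `{"ip6tables", ip6tables_main},` twice and never registers the `ip6tables-legacy` name, although the Makefile.am change in this same commit installs an `ip6tables-legacy` symlink pointing at this binary; invoked under that name, subcmd_main presumably finds no entry and fails, so the second occurrence should read `{"ip6tables-legacy", ip6tables_main},`. The `#ifdef ENABLE_NFTABLES` re-include of "xtables-multi.h" is carried over from the deleted xtables-multi.c and is redundant here, since the same header is already included unconditionally a few lines above and this binary has no nf_tables subcommands; the two blank lines before the IPv4 `#endif` also look stray. A one-line comment above the table noting that every name installed as a symlink in Makefile.am must appear here would make the coupling visible to the next person who adds a link.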
@@ -0,0 +1,78 @@ +.\" +.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" . +.\" %%%LICENSE_END +.\" +.TH XTABLES-LEGACY 8 "June 2018" + +.SH NAME +xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api + +.SH DESCRIPTION +\fBxtables-legacy\fP are the original versions of iptables that use +old getsockopt/setsockopt based kernel interface. +This kernel interface has some limitations, therefore iptables can also +be used with the newer nf_tables based API. +See +.B xtables-nft(8) +for information about the xtables-nft variants of iptables. 
+ +.SH USAGE +The xtables-legacy-multi binary can be linked to the traditional names: + +.nf + /sbin/iptables \-> /sbin/iptables-legacy-multi + /sbin/ip6tables \-> /sbin/ip6tables-legacy-mulit + /sbin/iptables-save \-> /sbin/ip6tables-legacy-mulit + /sbin/iptables-restore \-> /sbin/ip6tables-legacy-mulit +.fi + +The iptables version string will indicate if the legacy API (get/setsockopt) or +the new nf_tables api is used: +.nf + iptables \-V + iptables v1.7 (legacy) +.fi + +.SH LIMITATIONS + +When inserting a rule using +iptables \-A or iptables \-I, iptables first needs to retrieve the current active +ruleset, change it to include the new rule, and then commit back the result. +This means that if two instances of iptables are running concurrently, one of the +updates might be lost. This can be worked around partially with the \-\-wait option. + +There is also no method to monitor changes to the ruleset, except periodically calling +iptables-legacy-save and checking for any differences in output. + +.B xtables-monitor(8) +will need the +.B xtables-nft(8) +versions to work, it cannot display changes made using the. +.B iptables-legacy +tools. + +.SH SEE ALSO +\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP + +.SH AUTHORS +Rusty Russell originally wrote iptables, in early consultation with Michael Neuling. diff --git a/iptables/xtables-multi.c b/iptables/xtables-multi.c deleted file mode 100644 index e90885dd..00000000 --- a/iptables/xtables-multi.c +++ /dev/null 
@@ -1,53 +0,0 @@
-#include
-#include
-#include
-#include "xshared.h"
-
-#include "xtables-multi.h"
-
-#ifdef ENABLE_IPV4
-#include "iptables-multi.h"
-#endif
-
-#ifdef ENABLE_IPV6
-#include "ip6tables-multi.h"
-#endif
-
-#ifdef ENABLE_NFTABLES
-#include "xtables-multi.h"
-#endif
-
-static const struct subcommand multi_subcommands[] = {
-#ifdef ENABLE_IPV4
- {"iptables", iptables_main},
- {"main4", iptables_main},
- {"iptables-save", iptables_save_main},
- {"save4", iptables_save_main},
- {"iptables-restore", iptables_restore_main},
- {"restore4", iptables_restore_main},
-#endif
- {"iptables-xml", iptables_xml_main},
- {"xml", iptables_xml_main},
-#ifdef ENABLE_IPV6
- {"ip6tables", ip6tables_main},
- {"main6", ip6tables_main},
- {"ip6tables-save", ip6tables_save_main},
- {"save6", ip6tables_save_main},
- {"ip6tables-restore", ip6tables_restore_main},
- {"restore6", ip6tables_restore_main},
-#endif
-#ifdef ENABLE_NFTABLES
- {"xtables", xtables_main},
- {"xtables-save", xtables_save_main},
- {"xtables-restore", xtables_restore_main},
- {"xtables-config", xtables_config_main},
- {"xtables-arp", xtables_arp_main},
- {"xtables-ebtables", xtables_eb_main},
-#endif
- {NULL},
-};
-
-int main(int argc, char **argv)
-{
- return subcmd_main(argc, argv, multi_subcommands);
-}
diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
new file mode 100644
index 00000000..187da81e
--- /dev/null
+++ b/iptables/xtables-nft-multi.c
@@ -0,0 +1,43 @@
+#include
+#include
+#include
+#include "xshared.h"
+
+#include "xtables-multi.h"
+
+static const struct subcommand multi_subcommands[] = {
+ {"iptables-xml", iptables_xml_main},
+ {"xml", iptables_xml_main},
+ {"iptables", xtables_ip4_main},
+ {"iptables-nft", xtables_ip4_main},
+ {"main4", xtables_ip4_main},
+ {"save4", xtables_ip4_save_main},
+ {"restore4", xtables_ip4_restore_main},
+ {"iptables-save", xtables_ip4_save_main},
+ {"iptables-restore", xtables_ip4_restore_main},
+ {"iptables-nft-save", xtables_ip4_save_main},
+ {"iptables-nft-restore", xtables_ip4_restore_main},
+ {"ip6tables", xtables_ip6_main},
+ {"ip6tables-nft", xtables_ip6_main},
+ {"main6", xtables_ip6_main},
+ {"save6", xtables_ip6_save_main},
+ {"restore6", xtables_ip6_restore_main},
+ {"ip6tables-save", xtables_ip6_save_main},
+ {"ip6tables-restore", xtables_ip6_restore_main},
+ {"ip6tables-nft-save", xtables_ip6_save_main},
+ {"ip6tables-nft-restore", xtables_ip6_restore_main},
+ {"iptables-translate", xtables_ip4_xlate_main},
+ {"ip6tables-translate", xtables_ip6_xlate_main},
+ {"iptables-restore-translate", xtables_ip4_xlate_restore_main},
+ {"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
+ {"arptables", xtables_arp_main},
+ {"ebtables-translate", xtables_eb_xlate_main},
+ {"ebtables", xtables_eb_main},
+ {"xtables-monitor", xtables_monitor_main},
+ {NULL},
+};
+
+int main(int argc, char **argv)
+{
+ return subcmd_main(argc, argv, multi_subcommands);
+}
diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8
new file mode 100644
index 00000000..91d5b54e
--- /dev/null
+++ b/iptables/xtables-nft.8
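Review bot: The table drops the `arptables-compat` and `ebtables-compat` names that the deleted xtables-compat-multi.c accepted, without keeping them as aliases the way the bare and `-nft` spellings are both kept for ip(6)tables, so any existing symlink or script that invokes the old -compat names stops resolving after an upgrade. If that break is intended it should be stated in the commit message; otherwise keep `{"arptables-compat", xtables_arp_main},` and `{"ebtables-compat", xtables_eb_main},` next to the bare entries for a transition period. Note also that arptables and ebtables are the only tools here reachable solely by their bare name, so for them the binary cannot be told apart from a standalone arptables/ebtables install by name alone, only by the version string.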
@@ -0,0 +1,201 @@ +.\" +.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" . +.\" %%%LICENSE_END +.\" +.TH XTABLES-NFT 8 "June 2018" + +.SH NAME +xtables-nft \- iptables using nftables kernel api + +.SH DESCRIPTION +\fBxtables-nft\fP are versions of iptables that use the nftables api. + is set of tools to help the system administrator migrate the +ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP to \fBnftables(8)\fP. + +The \fBxtables-nft\fP set is composed of several commands: +.IP \[bu] 2 +iptables-nft +.IP \[bu] +iptables-nft-save +.IP \[bu] +iptables-nft-restore +.IP \[bu] +ip6tables-nft +.IP \[bu] +ip6tables-nft-save +.IP \[bu] +ip6tables-nft-restore +.IP \[bu] +arptables-nft +.IP \[bu] +ebtables-nft + +These tools use the libxtables framework extensions and hook to the nf_tables +kernel subsystem using the \fBnft_compat\fP module. + +.SH USAGE +The xtables-nft tools allow you to manage the nf_tables backend using the +native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP. 
+ +You should use the xtables-nft tools exactly the same way as you would use the +corresponding original tool. + +Adding a rule will result in that rule being added to the nf_tables kernel +subsystem instead. +Listing the ruleset will use the nf_tables backend as well. + +When these tools were designed, the main idea was to replace each legacy binary +with a symlink to the xtables-nft program, for example: + +.nf + /sbin/iptables \-> /usr/sbin/iptables-nft-multi + /sbin/ip6tables \-> /usr/sbin/ip6tables-nft-mulit + /sbin/arptables \-> /usr/sbin/arptables-nft-multi + /sbin/ebtables \-> /usr/sbin/ebtables-nft-multi +.fi + +The iptables version string will indicate if the legacy API (get/setsockopt) or +the new nf_tables api is used: +.nf + iptables \-V + iptables v1.7 (nf_tables) +.fi + +.SH DIFFERENCES TO LEGACY IPTABLES + +Because the xtables-nft tools use the nf_tables kernel api, rule additions +are deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A .. +will NOT need to retrieve the current ruleset from the kernel, change it, and +re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add +one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in +iptables-nft. + +Use of the xtables-nft tools allow monitoring ruleset changes using the +.B xtables-monitor(8) +command. + +When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use +.B xtables-monitor(8) +in \-\-trace mode to obtain monitoring trace events. + +.SH EXAMPLES +One basic example is creating the skeleton ruleset in nf_tables from the +xtables-nft tools, in a fresh machine: + +.nf + root@machine:~# iptables-nft -L + [...] + root@machine:~# ip6tables-nft -L + [...] + root@machine:~# arptables-nft -L + [...] + root@machine:~# ebtables-nft -L + [...] 
+ root@machine:~# nft list ruleset + table ip filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } + table ip6 filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } + table bridge filter { + chain INPUT { + type filter hook input priority -200; policy accept; + } + + chain FORWARD { + type filter hook forward priority -200; policy accept; + } + + chain OUTPUT { + type filter hook output priority -200; policy accept; + } + } + table arp filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } +.fi + +(please note that in fresh machines, listing the ruleset for the first time +results in all tables an chain being created). + +To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, +you would use: + +.nf + root@machine:~# iptables-legacy-save > myruleset # reads from x_tables + root@machine:~# iptables-nft-restore myruleset # writes to nf_tables +.fi + + +.SH LIMITATIONS +You should use \fBLinux kernel >= 4.17\fP. + +The CLUSTERIP target is not supported. + +To get up-to-date information about this, please head to +\fBhttp://wiki.nftables.org/\fP. + +.SH SEE ALSO +\fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP + +.SH AUTHORS +The nftables framework is written by the Netfilter project +(https://www.netfilter.org). + +This manual page was written by Arturo Borrero Gonzalez + for the Debian project, but may be used by others. 
+ +This documentation is free/libre under the terms of the GPLv2+. -- cgit v1.2.3