From 384958620abab397062b67fb2763e813b63f74f0 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 27 Sep 2012 19:12:53 +0200 Subject: use nf_tables and nf_tables compatibility interface This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 iptables/nft.h (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h new file mode 100644 index 00000000..f5a9efb8 --- /dev/null +++ b/iptables/nft.h 
@@ -0,0 +1,62 @@
+#ifndef _NFT_H_
+#define _NFT_H_
+
+#include "xshared.h"
+
+struct nft_handle {
+ struct mnl_socket *nl;
+ uint32_t portid;
+ uint32_t seq;
+};
+
+int nft_init(struct nft_handle *h);
+void nft_fini(struct nft_handle *h);
+
+/*
+ * Operations with tables.
+ */
+struct nft_table;
+
+int nft_table_add(struct nft_handle *h, const struct nft_table *t);
+int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
+bool nft_table_find(struct nft_handle *h, const char *tablename);
+
+/*
+ * Operations with chains.
+ */
+struct nft_chain;
+
+int nft_chain_add(struct nft_handle *h, const struct nft_chain *c);
+int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
+struct nft_chain_list *nft_chain_dump(struct nft_handle *h);
+int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list, const char *table);
+int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
+int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
+int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
+
+/*
+ * Operations with rule-set.
+ */
+struct nft_rule;
+
+int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, bool verbose);
+int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
+int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
+int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
+int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, int rulenum, bool verbose);
+int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
+int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
+int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
+int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
+
+/*
+ * revision compatibility.
+ */
+int nft_compatible_revision(const char *name, uint8_t rev, int opt);
+
+/*
+ * Error reporting.
+ */
+const char *nft_strerror(int err);
+
+#endif
-- cgit v1.2.3
From 0a366d8696582e979d55f6832a797d1217f4b908 Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Tue, 30 Oct 2012 23:31:08 +0000 Subject: iptables: nft: Add support for -R option Signed-off-by: Tomasz Bursztyka --- iptables/nft.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index f5a9efb8..474e652e 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
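Review bot: The include guard `_NFT_H_` on the first added line is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation), so the guard should be spelled `NFT_H` or `IPTABLES_NFT_H`. Nothing in the new header states the return convention of the many `int`-returning operations, even though `nft_strerror(int err)` is declared alongside them; a one-line comment above `nft_init`, such as `/* int-returning operations return 0 on success and -1 on error; see nft_strerror() for the message. */`, would pin that down, assuming that is in fact the contract in nft.c. The header also uses `uint32_t`, `bool` and `struct xt_counters` while including only `xshared.h`, so it is self-contained only as long as that header keeps providing those types.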
@@ -39,7 +39,7 @@ int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *t */ struct nft_rule; -int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, bool verbose); +int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint16_t handle, bool verbose); int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose); -- cgit v1.2.3 From 1298a1014bc14c45de50cc242779dfa382c456c9 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 3 Nov 2012 12:20:07 +0100 Subject: iptables: nft: use 64-bits handle Now that we use that in kernel space and in libnftables. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 474e652e..aa458f8c 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
@@ -39,7 +39,7 @@ int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *t */ struct nft_rule; -int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint16_t handle, bool verbose); +int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint64_t handle, bool verbose); int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose); -- cgit v1.2.3 From 5705ea1f4e3c9cd3d5d9cbcf84b9733ce1f07e57 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 19 Nov 2012 15:32:18 +0100 Subject: xtables-restore: add support for dormant tables This patch adds support for dormant tables for xtables-restore. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index aa458f8c..aed2498b 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -20,6 +20,8 @@ struct nft_table; int nft_table_add(struct nft_handle *h, const struct nft_table *t); int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters); bool nft_table_find(struct nft_handle *h, const char *tablename); +int nft_table_set_dormant(struct nft_handle *h, const char *table); +int nft_table_wake_dormant(struct nft_handle *h, const char *table); /* * Operations with chains. -- cgit v1.2.3 From 0391677c1a0b28c14d01febd9628a543e8e5fd62 Mon Sep 17 00:00:00 2001 
From: Tomasz Bursztyka Date: Sun, 13 Jan 2013 16:42:11 +0100 Subject: xtables: add IPv6 support Summary of changes to add IPv6 support to the xtables utility: * modify all commands (add, delete, replace, check and listing) to support IPv6 addresses. And for the internal nft library: * add family to struct nft_handle and modify all caller to use this family instead of the hardcoded AF_INET. * move code that we can re-use for IPv4 and IPv6 into helper functions. * add IPv6 rule printing support. * add support to parse IPv6 address. Pablo added several improvements to this patch: * added basic xtables-save and xtables-restore support (so it defaults to IPv4) * fixed a couple of bugs found while testing * added reference when -f is used to point to -m frag (until we can make this consistent with IPv4). Note that we use one single xtables binary utility for IPv4 and IPv6. Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 1 + 1 file changed, 1 insertion(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index aed2498b..1bd9ccce 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -4,6 +4,7 @@ #include "xshared.h" struct nft_handle { + int family; struct mnl_socket *nl; uint32_t portid; uint32_t seq; -- cgit v1.2.3 From 8ebee8c46101914b269afe94e772321e5ee09c3f Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 20 Jan 2013 20:24:36 +0100 Subject: xtables: fix compilation warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit xtables-standalone.c: In function ‘xtables_main’: xtables-standalone.c:64:2: warning: implicit declaration of function ‘do_commandx’ [-Wimplicit-function-declaration] Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 1bd9ccce..00216681 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
@@ -62,4 +62,7 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt); */ const char *nft_strerror(int err); +/* For xtables.c */ +int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table); + #endif -- cgit v1.2.3 From 0aad20f3979e3b6becd40e4ed5bba8d09d90706e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 20 Jan 2013 22:32:43 +0100 Subject: xtables: purge out user-define chains from the kernel xtables-restore has to purge out user-defined chains that are not defined in the configuration file. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 00216681..f7ed0a38 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -17,12 +17,14 @@ void nft_fini(struct nft_handle *h); * Operations with tables. */ struct nft_table; +struct nft_chain_list; int nft_table_add(struct nft_handle *h, const struct nft_table *t); int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters); bool nft_table_find(struct nft_handle *h, const char *tablename); int nft_table_set_dormant(struct nft_handle *h, const char *table); int nft_table_wake_dormant(struct nft_handle *h, const char *table); +int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nft_chain_list *list); /* * Operations with chains. 
@@ -32,6 +34,7 @@ struct nft_chain; int nft_chain_add(struct nft_handle *h, const struct nft_chain *c); int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters); struct nft_chain_list *nft_chain_dump(struct nft_handle *h); +struct nft_chain *nft_chain_list_find(struct nft_handle *h, struct nft_chain_list *list, const char *table, const char *chain); int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list, const char *table); int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table); int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table); -- cgit v1.2.3 From 9e62dc8637f210cdeaed784396fecab9b6e5f043 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 20 Jan 2013 20:19:20 +0100 Subject: xtables-restore: support atomic commit Use new services in nf_tables to support atomic commit. Commit per table, although we support global commit at once, call commit for each table to emulate iptables-restore behaviour by now. Keep table dormant/wake up code in iptables/nft.c as it can be used in the future. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index f7ed0a38..834fff0d 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -8,6 +8,7 @@ struct nft_handle { struct mnl_socket *nl; uint32_t portid; uint32_t seq; + bool commit; }; int nft_init(struct nft_handle *h); @@ -55,6 +56,12 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl int nft_rule_save(struct nft_handle *h, const char *table, bool counters); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table); +/* + * global commit and abort + */ +int nft_commit(struct nft_handle *h); +int nft_abort(struct nft_handle *h); + /* * revision compatibility. */ -- cgit v1.2.3 
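Review bot: The new `bool commit` member of `struct nft_handle` and the `nft_commit`/`nft_abort` pair carry no comment on how they relate: whether operations are queued until `nft_commit` when the flag is set, and what state the handle is in after `nft_abort`. The commit message explains that commit is done per table to emulate iptables-restore, but the header does not; a comment next to the field, `/* true: queue changes and apply them on nft_commit(); false: apply each operation immediately */`, would record it, to be confirmed against nft.c. The section comment `global commit and abort` also ends without a period, unlike the other section headers in this file.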
From 1ff21a68502d67e056100da7e0da074467bc08ed Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 9 Feb 2013 18:22:13 +0100 Subject: add xtables-events Add new program to listen to rule updates: shell$ xtables-events -A INPUT -m state --state ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT -D INPUT -m state --state ESTABLISHED -j ACCEPT You can use `-c' option to display counters. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 834fff0d..3cffb777 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -56,6 +56,13 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl int nft_rule_save(struct nft_handle *h, const char *table, bool counters); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table); +enum nft_rule_print { + NFT_RULE_APPEND, + NFT_RULE_DEL, +}; + +void nft_rule_print_save(struct nft_rule *r, enum nft_rule_print type, bool counters); + /* * global commit and abort */ -- cgit v1.2.3 From 077785df023ad8947d44d19769bc6d91e3917633 Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Sat, 23 Feb 2013 17:50:31 +0100 Subject: nft: Split nft core to become family independant This makes nft core code independant from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 3cffb777..d2a9b928 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -2,6 +2,7 @@ #define _NFT_H_ #include "xshared.h" +#include "nft-shared.h" struct nft_handle { int family; 
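Review bot: `nft_rule_print_save` takes a non-const `struct nft_rule *r` although printing a rule in save format should not modify it; if the implementation only reads the rule, declare it `const struct nft_rule *r` so callers holding rules from a dump need no cast. The values of `enum nft_rule_print` are also undocumented, while the commit message shows what they select (`-A` versus `-D` lines); a comment on the enum, `/* Prefix emitted before the rule: NFT_RULE_APPEND -> "-A", NFT_RULE_DEL -> "-D" */`, would make that explicit.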
@@ -9,6 +10,7 @@ struct nft_handle { uint32_t portid; uint32_t seq; bool commit; + struct nft_family_ops *ops; }; int nft_init(struct nft_handle *h); -- cgit v1.2.3 From 8b9ea2e3f8d685a6b940691cabf5e82c96254747 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 10 Mar 2013 16:04:39 +0100 Subject: nft: load tables and chains based on /etc/xtables.conf If /etc/xtables.conf is available, use the configuration there to autoload the xtables built-in table and chain so you can define custom configurations. Otherwise, rely on default common table/chain configuration. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index d2a9b928..8d5881d6 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -84,4 +84,20 @@ const char *nft_strerror(int err); /* For xtables.c */ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table); +/* + * Parse config for tables and chain helper functions + */ +#define XTABLES_CONFIG_DEFAULT "/etc/xtables.conf" + +struct nft_table_list; +struct nft_chain_list; + +extern int xtables_config_parse(const char *filename, struct nft_table_list *table_list, struct nft_chain_list *chain_list); + +enum { + NFT_LOAD_VERBOSE = (1 << 0), +}; + +int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags); + #endif -- cgit v1.2.3 From b48126ca92cc44e88aa024e6da7ff245914d6a53 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Tue, 18 Jun 2013 02:29:11 +0200 Subject: xtables: allow to zero chains via -Z Signed-off-by: Giuseppe Longo Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 1 + 1 file changed, 1 insertion(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 8d5881d6..082260e5 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
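Review bot: `struct nft_chain_list;` is forward-declared again in the config hunk although the header already declares it in the tables section (added in the purge-chains commit above), so the second declaration is redundant and can be dropped. `extern int xtables_config_parse(...)` is also the only prototype in this file written with `extern`, which is implied for function declarations; removing it keeps the style uniform with the surrounding prototypes. `nft_xtables_config_load(h, filename, flags)` does not say what happens when `filename` cannot be read or is NULL — the commit message says the built-in defaults are used when the file is absent — so a comment above the prototype, e.g. `/* Load tables/chains from filename; falls back to the built-in defaults when the file is unavailable. flags is a mask of NFT_LOAD_*. */`, would document that; confirm the NULL case against nft.c before adding it.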
@@ -42,6 +42,7 @@ int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list, const char int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table); int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table); int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname); +int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table); /* * Operations with rule-set. -- cgit v1.2.3 From e127d223d01aaa0886c7f279110ac36651b9a057 Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Tue, 16 Jul 2013 22:07:22 +0200 Subject: xtables: Remove useless parameter to nft_chain_list_find Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 082260e5..a6476714 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -37,7 +37,7 @@ struct nft_chain; int nft_chain_add(struct nft_handle *h, const struct nft_chain *c); int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters); struct nft_chain_list *nft_chain_dump(struct nft_handle *h); -struct nft_chain *nft_chain_list_find(struct nft_handle *h, struct nft_chain_list *list, const char *table, const char *chain); +struct nft_chain *nft_chain_list_find(struct nft_chain_list *list, const char *table, const char *chain); int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list, const char *table); int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table); int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table); -- cgit v1.2.3 From cf95f347e52ca8badc6a7149045d9c09f4fa666d Mon Sep 17 00:00:00 2001 
From: Pablo Neira Ayuso Date: Fri, 19 Jul 2013 18:42:30 +0200 Subject: xtables: add -I chain rulenum This patch adds the nft_rule_insert function, which allows us to insert rules at a given position. The function nft_rule_add has been renamed to nft_rule_append. This is possible thanks to Eric Leblond's (netfilter: nf_tables: add insert operation) kernel patch. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index a6476714..7a6351b7 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -49,7 +49,8 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char */ struct nft_rule; -int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint64_t handle, bool verbose); +int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, uint64_t handle, bool verbose); +int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, int rulenum, bool verbose); int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose); -- cgit v1.2.3 From afae1f841bc2c4b39a38fa97d271f3877d00bf3a Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 26 Jul 2013 13:05:15 +0200 Subject: nft: associate table configuration to handle via nft_init We need family dependent built-in table/chain configuration. This patch is a step forward making nft family independent in order to support arptables and ebtables compatibility layers. Signed-off-by: Giuseppe Longo 
Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 7a6351b7..f3317c92 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -4,6 +4,25 @@ #include "xshared.h" #include "nft-shared.h" +#define FILTER 0 +#define MANGLE 1 +#define RAW 2 +#define SECURITY 3 +#define NAT 4 +#define TABLES_MAX 5 + +struct builtin_chain { + const char *name; + const char *type; + uint32_t prio; + uint32_t hook; +}; + +struct builtin_table { + const char *name; + struct builtin_chain chains[NF_INET_NUMHOOKS]; +}; + struct nft_handle { int family; struct mnl_socket *nl; @@ -11,9 +30,12 @@ struct nft_handle { uint32_t seq; bool commit; struct nft_family_ops *ops; + struct builtin_table *tables; }; -int nft_init(struct nft_handle *h); +extern struct builtin_table xtables_ipv4[TABLES_MAX]; + +int nft_init(struct nft_handle *h, struct builtin_table *t); void nft_fini(struct nft_handle *h); /* -- cgit v1.2.3 From cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Mon, 19 Aug 2013 15:04:02 +0300 Subject: nft: convert rule into a command state structure This helps to reduce the code complexity to have one single common path for printing, saving and looking up for the rule. Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index f3317c92..006c0318 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -87,7 +87,9 @@ enum nft_rule_print { NFT_RULE_DEL, }; -void nft_rule_print_save(struct nft_rule *r, enum nft_rule_print type, bool counters); +void nft_rule_print_save(const struct iptables_command_state *cs, + struct nft_rule *r, enum nft_rule_print type, + unsigned int format); /* * global commit and abort -- cgit v1.2.3 
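Review bot: `FILTER`, `MANGLE`, `RAW`, `SECURITY`, `NAT` and `TABLES_MAX` in the first hunk are unprefixed object-like macros exported from a header, which is a collision hazard for every translation unit including nft.h and leaves the values invisible to a debugger; an enum such as `enum { NFT_TABLE_FILTER, NFT_TABLE_MANGLE, NFT_TABLE_RAW, NFT_TABLE_SECURITY, NFT_TABLE_NAT, NFT_TABLE_MAX };` keeps the same values and scopes the names (indexing into `xtables_ipv4[]` would need the rename). `struct builtin_chain` declares `prio` as `uint32_t`, while netfilter hook priorities such as NF_IP_PRI_RAW are negative in the kernel ABI; if the table initialisers store those constants, `int32_t prio` states the intent instead of relying on unsigned wraparound. `chains[NF_INET_NUMHOOKS]` also depends on a kernel header this file does not include itself, so nft.h now compiles only if `xshared.h` or `nft-shared.h` provides it.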
From a69cc575295eedb44f0fa33cd5fcf1cc0114133a Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Mon, 19 Aug 2013 15:04:06 +0300 Subject: xtables: allow to reset the counters of an existing rule Now that we convert nft rules to native xt command structure, it's easier to reset the counters by replacing the existing rule by a new one with all counters set to zero. Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 1 + 1 file changed, 1 insertion(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 006c0318..fe1b9c81 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -81,6 +81,7 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, in int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters); int nft_rule_save(struct nft_handle *h, const char *table, bool counters); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table); +int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum); enum nft_rule_print { NFT_RULE_APPEND, -- cgit v1.2.3 From 84909d171585d77fe769f03e2b1b96eab0aa0213 Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Mon, 9 Sep 2013 12:54:04 +0200 Subject: xtables: bootstrap ARP compatibility layer for nftables This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index fe1b9c81..25275cee 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -34,7 +34,11 @@ struct nft_handle { }; extern struct builtin_table xtables_ipv4[TABLES_MAX]; +extern struct builtin_table xtables_arp[TABLES_MAX]; +int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, + int (*cb)(const struct nlmsghdr *nlh, void *data), + void *data); int nft_init(struct nft_handle *h, struct builtin_table *t); void nft_fini(struct nft_handle *h); 
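Review bot: `mnl_talk` is exported from this header under the `mnl_` prefix, which is libmnl's namespace (`struct mnl_socket` in the handle comes from there), so any future libmnl symbol of that name would clash at link time; a project prefix such as `nft_mnl_talk` avoids that. The prototype also introduces `struct nlmsghdr` without a forward declaration or the netlink header, so it compiles only if one of the included headers pulls that in. What the callback's `data` pointer is and what the function returns is not stated; `/* Send nlh and run cb on every reply message; returns 0 on success, -1 on error. */` would cover it, once the return value is confirmed against nft.c.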
@@ -44,6 +48,8 @@ void nft_fini(struct nft_handle *h); struct nft_table; struct nft_chain_list; +int nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t, bool dormant); +struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table); int nft_table_add(struct nft_handle *h, const struct nft_table *t); int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters); bool nft_table_find(struct nft_handle *h, const char *tablename); @@ -56,6 +62,10 @@ int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nft_c */ struct nft_chain; +struct nft_chain *nft_chain_builtin_alloc(struct builtin_table *table, struct builtin_chain *chain, int policy); +void nft_chain_builtin_add(struct nft_handle *h, struct builtin_table *table, struct builtin_chain *chain, int policy); +struct builtin_chain *nft_chain_builtin_find(struct builtin_table *t, const char *chain); +int nft_chain_builtin_init(struct nft_handle *h, const char *table, const char *chain, int policy); int nft_chain_add(struct nft_handle *h, const struct nft_chain *c); int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters); struct nft_chain_list *nft_chain_dump(struct nft_handle *h); 
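Review bot: `nft_chain_builtin_add` in the second hunk returns `void` while every other kernel-facing operation in this header returns `int`, so a failed chain registration (allocation or netlink error) has no way to reach the caller; declare it `int nft_chain_builtin_add(...)` and propagate the result, presuming it wraps `nft_chain_add` as the surrounding declarations suggest. `nft_chain_builtin_alloc` hands back a fresh `struct nft_chain *` with no note on who releases it: `/* Returns a newly allocated chain; the caller owns it. */`. In the first hunk the parameter `struct builtin_table *_t` of `nft_table_builtin_add` uses an underscore-prefixed name where `nft_init` uses plain `t`; rename it for consistency.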
@@ -82,6 +92,16 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl int nft_rule_save(struct nft_handle *h, const char *table, bool counters); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table); int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum); +struct nft_rule_list *nft_rule_list_create(struct nft_handle *h); +void nft_rule_list_destroy(struct nft_rule_list *list); + +/* + * Operations used in userspace tools + */ +int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes); +int add_verdict(struct nft_rule *r, int verdict); +int add_target(struct nft_rule *r, struct xt_entry_target *t); +int add_jumpto(struct nft_rule *r, const char *name, int verdict); enum nft_rule_print { NFT_RULE_APPEND, @@ -110,6 +130,8 @@ const char *nft_strerror(int err); /* For xtables.c */ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table); +/* For xtables-arptables.c */ +int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table); /* * Parse config for tables and chain helper functions @@ -127,4 +149,17 @@ enum { int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags); +/* + * ARP + */ + +struct arpt_entry; + +int nft_arp_rule_append(struct nft_handle *h, const char *chain, + const char *table, struct arpt_entry *fw, + bool verbose); +int nft_arp_rule_insert(struct nft_handle *h, const char *chain, + const char *table, struct arpt_entry *fw, + int rulenum, bool verbose); + #endif -- cgit v1.2.3 From 217f021925872dcbce4187408762845ae3f6f182 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Mon, 16 Sep 2013 10:58:16 +0200 Subject: xtables: nft-arp: implements is_same op for ARP family The following patch implements the is_same operation for ARP family needed for searching arp rule. Signed-off-by: Giuseppe Longo 
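Review bot: `/* For xtables-arptables.c */` above `do_commandarp` names a file the commit message says was renamed to xtables-arp.c, so the comment is stale on arrival; change it to `/* For xtables-arp.c */`. In the rule-set hunk `add_counters`, `add_verdict`, `add_target` and `add_jumpto` are exported without the `nft_` prefix the rest of the API uses, which invites collisions in the programs that include this header; `nft_rule_add_counters` and friends would follow the file's naming. `nft_rule_list_create`/`nft_rule_list_destroy` also lack a comment saying that the list returned by create is released by destroy.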
Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 25275cee..09d3e0c5 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -162,4 +162,6 @@ int nft_arp_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct arpt_entry *fw, int rulenum, bool verbose); +void nft_rule_to_arpt_entry(struct nft_rule *r, struct arpt_entry *fw); + #endif -- cgit v1.2.3 From c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 18 Sep 2013 14:57:38 +0200 Subject: nft: consolidate nft_rule_new to support ARP This patch removes nft_arp_rule_new, which almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 09d3e0c5..8ddde48d 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -100,8 +100,10 @@ void nft_rule_list_destroy(struct nft_rule_list *list); */ int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes); int add_verdict(struct nft_rule *r, int verdict); +int add_match(struct nft_rule *r, struct xt_entry_match *m); int add_target(struct nft_rule *r, struct xt_entry_target *t); int add_jumpto(struct nft_rule *r, const char *name, int verdict); +int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags); enum nft_rule_print { NFT_RULE_APPEND, -- cgit v1.2.3 From b756cf08d6eff885d808504c674bd7eb5ebabfbb Mon Sep 17 00:00:00 2001 
From: Pablo Neira Ayuso Date: Wed, 18 Sep 2013 16:54:15 +0200 Subject: nft: consolidate nft_rule_* functions to support ARP This should help to avoid code duplication to support ARP. As a result, we have a common generic infrastructure for IPv4, IPv6 and ARP. This patch removes nft_arp_rule_append and nft_arp_rule_insert, which were very similar to their original nft_rule_append and nft_rule_insert. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'iptables/nft.h') diff --git a/iptables/nft.h b/iptables/nft.h index 8ddde48d..50971e86 100644 --- a/iptables/nft.h +++ b/iptables/nft.h 
@@ -81,17 +81,18 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char */ struct nft_rule; -int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, uint64_t handle, bool verbose); -int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, int rulenum, bool verbose); -int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); -int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose); +int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, uint64_t handle, bool verbose); +int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose); +int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose); +int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose); int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose); -int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, int rulenum, bool verbose); +int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose); int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format); int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters); int nft_rule_save(struct nft_handle *h, const char *table, bool counters); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table); int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum); + 
struct nft_rule_list *nft_rule_list_create(struct nft_handle *h);
void nft_rule_list_destroy(struct nft_rule_list *list);
-- cgit v1.2.3
From d6a127cd5710f8c60e95bfd0378ca352c07140a9 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 18 Sep 2013 17:00:18 +0200
Subject: xtables: batch rule-set updates into one single netlink message
With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure.
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 50971e86..26b60b99 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -3,6 +3,7 @@
#include "xshared.h"
#include "nft-shared.h"
+#include
#define FILTER 0
#define MANGLE 1
@@ -28,7 +29,9 @@ struct nft_handle {
struct mnl_socket *nl;
uint32_t portid;
uint32_t seq;
- bool commit;
+ struct list_head rule_list;
+ int rule_list_num;
+ struct mnl_nlmsg_batch *batch;
struct nft_family_ops *ops;
struct builtin_table *tables;
};
-- cgit v1.2.3
From 7851975e5055381d30f0788d90671485695928e1 Mon Sep 17 00:00:00 2001
From: Tomasz Bursztyka
Date: Tue, 11 Feb 2014 12:46:44 +0200
Subject: xtables: Add backward compatibility with -w option
Just to keep aligned with iptables legacy tool.
Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 26b60b99..22af66e2 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
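Review bot: nft_rule_append, nft_rule_insert, nft_rule_check, nft_rule_delete and nft_rule_replace now take an untyped `void *data` where they previously took `struct iptables_command_state *cmd`, so the compiler no longer checks what a caller hands in, and the header gives no hint which object `data` must point to; the same change is made to nft_rule_print_save in commit 8877968858a8dd6b7ae096988d57a7511c81733d further down this page. A comment above the group would make the contract explicit, e.g. `/* data: family-specific command state (struct iptables_command_state for IPv4); the callee interprets it according to the handle's family ops */` — the family dispatch is presumably what `struct nft_family_ops *ops` in nft_handle provides, but that is not visible in this hunk and should be confirmed against nft.c. The declarations themselves are complete within the hunk.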
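Review bot: The new `rule_list`, `rule_list_num` and `batch` members of `struct nft_handle` hold pending rule-set state across calls, but nothing in the header says who allocates and releases them or what happens to a batch that was filled but never sent; presumably nft_init/nft_fini own them, which a reader cannot confirm from this hunk. A short comment on the members would settle that, e.g. `/* pending rule-set updates, sent as one nfnetlink batch; owned by the handle and released in nft_fini() */`, with the ownership checked against the implementation before it is written down. `rule_list_num` as a plain `int` also has no documented upper bound; if it is only a counter for the list, `unsigned int` would match that role.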
@@ -135,7 +135,7 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt);
const char *nft_strerror(int err);
/* For xtables.c */
-int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table);
+int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, bool restore);
/* For xtables-arptables.c */
int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table);
-- cgit v1.2.3
From 8877968858a8dd6b7ae096988d57a7511c81733d Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Mon, 10 Feb 2014 16:49:33 +0100
Subject: nft: adds save_matches_and_target
This patch permits to save matches and target for ip/ip6/arp/eb family, required for xtables-events. Also, generalizes nft_rule_print_save to be reused for all protocol families.
Signed-off-by: Giuseppe Longo
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 22af66e2..8670f343 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -114,7 +114,7 @@ enum nft_rule_print {
NFT_RULE_DEL,
};
-void nft_rule_print_save(const struct iptables_command_state *cs,
+void nft_rule_print_save(const void *data,
struct nft_rule *r, enum nft_rule_print type, unsigned int format);
-- cgit v1.2.3
From d007e1a59e4beaddab430992302d43b122ffc801 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 11 Feb 2014 13:58:03 +0100
Subject: nft-compat: fix IP6T_F_GOTO flag handling
IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling to avoid misinterpretations.
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 8670f343..92488764 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
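Review bot: `do_commandx` gains a trailing `bool restore` whose effect is not stated on the declaration, so a bare `true`/`false` at the call sites in xtables.c and xtables-restore.c will not tell a reader what differs in restore mode. The `/* For xtables.c */` comment above it is the natural place to say so, e.g. `/* restore: set when driven by xtables-restore; changes how ... is handled */` with the blank filled in from the implementation, which is outside this header. The commit title refers to the -w option while the hunk only adds the restore flag; the description could state how the two relate.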
@@ -107,7 +107,7 @@ int add_verdict(struct nft_rule *r, int verdict);
int add_match(struct nft_rule *r, struct xt_entry_match *m);
int add_target(struct nft_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nft_rule *r, const char *name, int verdict);
-int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags);
+int add_action(struct nft_rule *r, struct iptables_command_state *cs, bool goto_set);
enum nft_rule_print {
NFT_RULE_APPEND,
-- cgit v1.2.3
From 690ea18fdd6f8bc12322a729a2f7c97d8e731c43 Mon Sep 17 00:00:00 2001
From: Tomasz Bursztyka
Date: Tue, 11 Feb 2014 18:36:43 +0200
Subject: nft: A builtin chain might be created when restoring
nft_chain_set() is directly used in xtables-restore.c, however at that point no builtin chains have been created yet thus the need to request to build it relevantly.
Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 92488764..3b58d514 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -34,6 +34,7 @@ struct nft_handle {
struct mnl_nlmsg_batch *batch;
struct nft_family_ops *ops;
struct builtin_table *tables;
+ bool restore;
};
extern struct builtin_table xtables_ipv4[TABLES_MAX];
-- cgit v1.2.3
From e6b8e172fca48f5d80699afe80947b0fc1f23fd6 Mon Sep 17 00:00:00 2001
From: Tomasz Bursztyka
Date: Tue, 11 Feb 2014 18:36:44 +0200
Subject: nft: Initialize a table only once
This helps to remove some runtime overhead, especially when running xtables-restore.
Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'iptables/nft.h')
diff --git a/iptables/nft.h b/iptables/nft.h
index 3b58d514..c31371c0 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
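Review bot: `add_action` now takes `bool goto_set` instead of the raw `int ip_flags`, which moves the family-specific decision (IPT_F_GOTO and IP6T_F_GOTO do not overlap, per the commit message) to every caller, and the declaration does not say where that flag is meant to be resolved. Suggest `/* goto_set: caller derives this from its own family's goto flag (IPT_F_GOTO / IP6T_F_GOTO) */` above the prototype, so a future caller for another family does not pass the wrong bit. The prototype is complete within the hunk.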
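Review bot: `struct nft_handle` now carries a `bool restore` while `do_commandx` (commit 7851975e5055381d30f0788d90671485695928e1 above) already takes a `bool restore` parameter, so the same mode flag exists in two places and can drift if a caller sets one but not the other. If the handle field is the source of truth, a comment saying so — `/* set by xtables-restore; lets nft_chain_set() create builtin chains on demand */` — and having the do_commandx parameter feed it in one place would avoid that; whether both are currently kept in sync is not visible from this header.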
@@ -22,6 +22,7 @@ struct builtin_chain {
struct builtin_table {
const char *name;
struct builtin_chain chains[NF_INET_NUMHOOKS];
+ bool initialized;
};
struct nft_handle {
-- cgit v1.2.3
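Review bot: `initialized` in `struct builtin_table` records that a table has already been set up, but the tables live in process-global arrays (`extern struct builtin_table xtables_ipv4[TABLES_MAX]` is visible in the context of the previous commit), so the flag is shared by every nft_handle in the process and says nothing about whether the table still exists in the kernel if another process removed it meanwhile. A comment should make that scope explicit, e.g. `/* set once this process has created the table; a cache, not a reflection of kernel state */`, and any code that relies on it after a failed batch should be prepared to retry the creation. The struct is complete within the hunk.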