xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to retore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the xtables_find_{match,target}
functions need to compare the family too.
We want to avoid this situation:
1) user first sets afinfo to IPv6
2) xtables_find_target() finds & load ip6t_REJECT and uses it
3) afinfo change to IPv4
4) user then tries to use ipt_REJECT
5) xtables_find_target() finds ip6t_REJECT instead (same target name)
6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
man: using physdev match in OUTPUT is not supported anymore
kernels 2.6.20 and later reject -m physdev in OUTPUT with
"using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore" error in dmesg.
xtables-compat: remove unused fields from bridge and arp families
These two families only work under nft compat, so leave unset the fields
that we don't use. Basically, we need neither the module autoload code
nor the native get/setsockopt() revision infrastructure since we use the
one that nft_compat provides through nfnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The ebtables-compat branch provides the compatibility layer to run
ebtables extensions. Currently, only the following matches / targets /
watchers are supported:
* 802_3
* ip
* mark_m and mark
* log
The remaining ones should be easy to port them to on top of libxtables,
they will follow up later.
Arturo Borrero [Tue, 13 Jan 2015 17:36:10 +0000 (18:36 +0100)]
ebtables-compat: fix ACCEPT printing by simplifying logic
The commit bc543af ("ebtables-compat: fix segfault in rules w/o target")
doesn't handle all possible cases of target printing, and ACCEPT is left
behind.
BTW, the logic of target (-j XXX) printing is a bit weird. This patch
simplifies it.
I assume:
* cs->jumpto is only filled by nft_immediate.
* cs->target is only filled by nft_target.
So we end with these cases:
* nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain)
Then cs->jumpto contains the target already. We have the rule.
* No standard target. If nft_target contains a target, try to load it.
* Neither nft_target nor nft_immediate exist. Then, assume CONTINUE.
The printing path is then straight forward: either cs.jumpto or cs.target
contains the target.
As there isn't support for target extensions yet, there is no way to test the
nft_target (cs.target) path.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables: use flock() instead of abstract unix sockets
Abstract unix sockets cannot be used to synchronize several concurrent
instances of iptables since an unpriviledged process can create them and
prevent the legitimate iptables instance from running.
Use flock() and /run instead as suggested by Lennart Poettering.
Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances") Reported-by: Lennart Poettering <lennart@poettering.net> Cc: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 7 Jan 2015 16:22:01 +0000 (17:22 +0100)]
ebtables-compat: include /etc/ethertypes in tarball
The /etc/ethertypes file was originally distributed by the ebtables tarball.
So, let's include the file also in ebtables-compat, so users can keep using
protocol names instead of the hex code.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 17 Dec 2014 11:06:56 +0000 (12:06 +0100)]
extensions: add ebt 802_3 extension
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 18:43:05 +0000 (19:43 +0100)]
iptables: xtables-eb: fix renaming of chains
Renaming of chains is not working. and ebtables-compat gets:
libnftnl: attribute 0 assertion failed in chain.c:159
This patch brings back the parser code of the original ebtables tool:
http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652
I adapted the original parser code to fit in the new environment. Also tried to
keep original error messages as much as possible.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 09:52:04 +0000 (10:52 +0100)]
iptables: xtables-eb: user-defined chains default policy is always RETURN
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command: Result:
-L Always RETURN for user-defined chains
-P builtin RETURN Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP ok
-P userdefined RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
-N userdefined ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_TEE: Trim kernel struct to allow deletion
Correct trimming of userspacesize to fix deletions.
Fixes: Bugzilla #884.
The rule having TEE target with '--oif' option cannot be deleted by iptables command.
$ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
$ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
iptables: No chain/target/match by that name.
Signed-off-by: Loganaden Velvindron <logan@elandsys.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Wed, 5 Nov 2014 15:46:34 +0000 (16:46 +0100)]
iptables-compat: homogenize error messages with 'R' option
There is a difference between error messages in iptables and
iptables-compat:
# iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: Index of replacement too big.
# iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: No chain/target/match by that name.
Now, iptables-compat shows the same error message than iptables in
this case.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Thu, 30 Oct 2014 08:31:56 +0000 (09:31 +0100)]
iptables-compat: homogenize error messages
There are some differences between error messages in iptables and
iptables-compat:
# iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.
modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!
Relevant caution in man 2 vfork:
"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."
Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
Newly created (emulated) xt built-in chain have to use NF_ACCEPT. Remove
extra unused chain parameter and rename nft_chain_builtin_init to
nft_xt_builtin_init too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is not native arptables-save. The original author provides
perl scripts to implement arptables-save and arptables-restore.
We should use them to mimic arptables behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip6tables-compat and arptables-compat are also fixed.
This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Anton Danilov [Tue, 2 Sep 2014 10:15:53 +0000 (14:15 +0400)]
xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)
This feature add support of mapping metainformation to packets like nftables maps or
ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue.
Usage of this functionality allowed only from mangle table. We can map tc priority
only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision.
If entry doesn't exist in the set nothing of fields changed.
Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Ronald Wahl [Thu, 4 Sep 2014 22:54:48 +0000 (00:54 +0200)]
libxtables: fix two off-by-one memory corruption bugs
The LSB of xtables_pending_matches was overwritten with zero
that lead to segmentation fault. But simply adding an additional variable
in the code or changing compilation options modified the behaviour so that no
segmentation fault happens so it is rather subtle.
(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p
(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p
projects / thirdparty / iptables.git / log
