This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition, with the new checks of
ruleset compatibility, the rule list is loaded one more time.
Now all the operations causing changes in the ruleset must invalidate
the cache; a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:48 +0000 (16:50 +0800)]
extensions: libip[6]t_REDIRECT: use new nft syntax when doing xlate
After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1
After this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:46 +0000 (16:50 +0800)]
extensions: libipt_DNAT/SNAT: fix "OOM" when doing translation to nft
When I wanted to translate the SNAT target to an nft rule, an error message
was printed out:
# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM
Because ipt_natinfo{} starts with an xt_entry_target{}, when we get
the ipt_natinfo pointer we should use the target itself, not its data
pointer. Yes, it is a little tricky and it's different from other
targets.
xtables-compat: check if nft ruleset is compatible
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 21 Aug 2016 14:34:55 +0000 (22:34 +0800)]
extensions: libxt_CLASSIFY: Add translation to nft
For example:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff
nft add rule ip filter OUTPUT counter meta priority set root
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234
nft add rule ip filter OUTPUT counter meta priority set 1:234
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Willem de Bruijn [Wed, 10 Aug 2016 19:23:07 +0000 (15:23 -0400)]
extensions/libxt_bpf.man: clarify BPF code generation with tcpdump
The xt_bpf module applies BPF bytecode to the packet. Depending on
where the module is invoked, the kernel may pass a packet with or
without link layer header. Iptables has no such header.
A common `tcpdump -ddd <string>` compilation command may revert to
a physical device that generates code for packets starting from the
mac layer up (e.g., E10MB data link type: Ethernet).
Clarify in the man page that when using this tool for code generation,
a suitable target device must be chosen.
Netfilter Bugzilla Bug #1048
Reported-by: Lorenzo Pistone <blaffablaffa@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-translate: add in/out ifname wildcard match translation to nft
In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.
After applying this patch, the translation becomes:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This structure is an extensible container of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add some unit tests for connlabel match extension:
# ./iptables-test.py extensions/libxt_connlabel.t
extensions/libxt_connlabel.t: OK
1 test files, 7 unit tests, 7 passed
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
libxt_NFLOG: nflog-range does not truncate packets"). That commit also
made nflog-range deprecated, because it has had no effect from the
beginning.
So when we do translation, nft log snaplen is translated only if the
nflog-size is specified.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: display nflog-size even if it is zero
The following iptables rules have different semantics:
# iptables -A INPUT -j NFLOG
# iptables -A INPUT -j NFLOG --nflog-size 0
But they are both displayed as "-A INPUT -j NFLOG", so if
the user inputs the following command, the original semantics
will be broken.
# iptables-save | iptables-restore
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connlabel: fix crash when connlabel.conf is empty
When connlabel.conf is empty, nfct_labelmap_new will return NULL and
set errno to 0. So we miss checking this situation, and cause a NULL
dereference in nfct_labelmap_get_bit.
Inputting the following commands will reproduce this crash:
# echo > /etc/xtables/connlabel.conf
# iptables -A INPUT -m connlabel --label abc
Segmentation fault (core dumped)
xtables: Add an interval option for xtables lock wait
ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even more severe for latency-sensitive
applications.
Introduce a new option 'W' to specify the wait interval in microseconds.
If this option is not specified, the command sleeps for 1 second by
default.
v1->v2: Change behavior to take millisecond sleep as an argument to
-w as suggested by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.
v3->v4: Use select instead of usleep. Sleep every iteration for
the time specified in the "-W" argument. Update man page.
v4->v5: Fix compilation error when enabling nftables
v5->v6: Simplify -W so it only takes the interval wait in microseconds.
Bail out if -W is specified but -w is not.
Joint work with Pablo Neira.
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
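The -w / -W retry loop the message above describes, as an added example in Python (not iptables code): acquire_lock() tries the lock once when -w is absent, retries for up to -w seconds sleeping 1 second between attempts, or sleeps the -W interval in microseconds instead, and refuses -W without -w. The lock is an flock()ed file under the temp directory and every name here is the example's own assumption; the page does not describe how the xtables lock is implemented. contended_acquire() holds the lock from a second thread and times the acquisition, which makes the latency added by the default 1 second interval visible.

```python
#!/usr/bin/env python3
"""Added example, not iptables code: a polling lock loop with -w / -W
semantics. The flock()ed file and all names are this example's own."""
import fcntl
import os
import select
import tempfile
import threading
import time

LOCK_PATH = os.path.join(tempfile.gettempdir(), "xtables-example.lock")
DEFAULT_INTERVAL_US = 1_000_000  # -w alone sleeps 1 second per retry


def options_valid(wait_s, interval_us):
    """-W (interval_us) is only accepted together with -w (wait_s)."""
    return not (interval_us is not None and wait_s is None)


def acquire_lock(path=LOCK_PATH, wait_s=None, interval_us=None):
    """Try to take the lock.
    wait_s=None  : no -w, a single attempt.
    wait_s=N     : -w N, retry for up to N seconds.
    interval_us  : -W, sleep between attempts in microseconds (default 1 s).
    Returns an fd holding the lock, or None when the lock was not taken."""
    if not options_valid(wait_s, interval_us):
        raise ValueError("-W requires -w")
    interval_s = (interval_us if interval_us is not None
                  else DEFAULT_INTERVAL_US) / 1e6
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    deadline = None if wait_s is None else time.monotonic() + wait_s
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return fd
        except BlockingIOError:
            pass
        if deadline is None:
            os.close(fd)
            return None
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            os.close(fd)
            return None
        # select() with no descriptors is the sleep; never sleep past the deadline
        select.select([], [], [], min(interval_s, remaining))


def release_lock(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def contended_acquire(hold_s, wait_s, interval_us):
    """Hold the lock from another thread for hold_s seconds, then measure an
    acquire with the given -w / -W settings. Returns (got_lock, elapsed_s)."""
    holder_ready = threading.Event()

    def holder():
        fd = acquire_lock(wait_s=5)
        holder_ready.set()
        time.sleep(hold_s)
        release_lock(fd)

    t = threading.Thread(target=holder)
    t.start()
    holder_ready.wait()
    start = time.monotonic()
    fd = acquire_lock(wait_s=wait_s, interval_us=interval_us)
    elapsed = time.monotonic() - start
    if fd is not None:
        release_lock(fd)
    t.join()
    return fd is not None, elapsed


if __name__ == "__main__":
    # Lock held for 50 ms: -w 2 alone wakes up after a full second,
    # -w 2 -W 10000 polls every 10 ms and returns shortly after release.
    print("-w 2          :", contended_acquire(0.05, 2, None))
    print("-w 2 -W 10000 :", contended_acquire(0.05, 2, 10_000))
```

The loop re-checks the deadline on every wake-up so that a large -W interval cannot extend the total wait beyond the -w timeout.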
Jordan Yelloz [Fri, 24 Jun 2016 19:18:45 +0000 (12:18 -0700)]
extensions: added AR substitution
This is to ensure that the correct AR is run in cross-compile jobs.
Often a cross-compile build will succeed without this change but it
fails on my Gentoo Linux system when I have binutils installed with the
"multitarget" USE flag.
This change substitutes AR with the autotools-supplied AR for the
extensions subdirectory.
Signed-off-by: Jordan Yelloz <jordan@yelloz.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Fri, 24 Jun 2016 20:42:31 +0000 (16:42 -0400)]
extensions: libxt_NFLOG: nflog-range does not truncate packets
The option --nflog-range has never worked, but we cannot just fix this
because users might be using this feature option and their behavior would
change. Instead add a new option --nflog-size. This option works the same
way nflog-range should have, and both of them are mutually exclusive. When
someone uses --nflog-range we print a warning message informing them that
this feature has no effect.
To indicate to the kernel that the user has set --nflog-size we have to pass a
new flag XT_NFLOG_F_COPY_LEN.
Also updated the man page to reflect the new option and added tests to
extensions/libxt_NFLOG.t
Reported-by: Joe Dollard <jdollard@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Wed, 22 Jun 2016 19:41:39 +0000 (01:11 +0530)]
configure: Fix assignment statement
The assignment statement was interpreted as executing enable_connlabel
command with the argument "no". This was due to the whitespaces in the
assignment.
Fixes the trivial bug introduced in commit 3b7a227 (configure: Show
support for connlabel)
Roberto García [Wed, 22 Jun 2016 12:31:31 +0000 (14:31 +0200)]
iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
Fix translation of MARK target's --set-xmark option.
Before:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
After:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
xor 0x64
Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and
0xffffffed
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
nft add rule ip mangle PREROUTING counter ct mark set mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
nft add rule ip mangle PREROUTING counter meta mark set ct mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12
Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Mon, 20 Jun 2016 17:36:34 +0000 (23:06 +0530)]
configure: Remove flex check warning
Remove the warning about outdated version of flex as it is not needed
anymore. This check was introduced back in 2008 to skip a broken flex
version that doesn't seem to be packaged by any distribution anymore.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connmark: Fix order of mask and mark
The order of mask and mark in the output is wrong. This has been pointed
out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang <liping.zhang@spreadtrum.com>.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Wed, 1 Jun 2016 12:07:17 +0000 (20:07 +0800)]
extensions: libxt_mark: fix a wrong translation to nft when mask is specified
The order of mask and mark is reversed, so when we specify the mask, we
get the wrong translation result:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0x1 == 0xff counter
After applying this patch, the translation becomes:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0xff == 0x1 counter
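The 32-bit mask arithmetic behind the MARK --set-xmark, CONNMARK --set-xmark and -m mark --mark translations quoted in the commit messages above, as an added example in Python (not iptables code; the function names, the default full mask and the "set value" shortcut for a full mask are the example's own assumptions). It emits the `and ~mask xor value` form of the MARK translation and the `and mask == value` form of the mark match, and checks with the 0x16/0x12 pair from the CONNMARK example that the `and` and `xor` steps are not interchangeable when value and mask share bits.

```python
#!/usr/bin/env python3
"""Added example, not iptables project code: the mask/value arithmetic
behind the mark translations above. Names and the full-mask shortcut are
the example's own assumptions."""

MASK32 = 0xFFFFFFFF


def parse_mark_arg(arg, default_mask=MASK32):
    """Split an iptables 'value[/mask]' argument into two 32-bit ints.
    Assumption: a missing mask means all 32 bits."""
    value, _, mask = arg.partition("/")
    v = int(value, 0)
    m = int(mask, 0) if mask else default_mask
    if not (0 <= v <= MASK32 and 0 <= m <= MASK32):
        raise ValueError(f"mark/mask out of 32-bit range: {arg}")
    return v, m


def set_xmark(mark, value, mask):
    """--set-xmark value/mask applied to an existing mark: (mark & ~mask) ^ value."""
    return ((mark & (~mask & MASK32)) ^ value) & MASK32


def xor_then_and(mark, value, mask):
    """The reversed order, (mark ^ value) & ~mask, kept for comparison."""
    return ((mark ^ value) & (~mask & MASK32)) & MASK32


def ordering_matters(value, mask, mark=0):
    """True when 'and ~mask then xor value' and 'xor value then and ~mask'
    produce different marks, which happens whenever value and mask share bits."""
    return set_xmark(mark, value, mask) != xor_then_and(mark, value, mask)


def xlate_set_xmark(arg, ct=False):
    """nft statement for -j MARK (ct=False) or -j CONNMARK (ct=True)
    --set-xmark value[/mask], in the 'and ~mask xor value' form of the
    MARK translation above. With a full mask every bit is replaced, so
    the old mark is not read at all (example's own shortcut)."""
    value, mask = parse_mark_arg(arg)
    lhs, rhs = ("ct mark", "ct mark") if ct else ("meta mark", "mark")
    if mask == MASK32:
        return f"{lhs} set {value:#x}"
    inv = ~mask & MASK32
    return f"{lhs} set {rhs} and {inv:#x} xor {value:#x}"


def xlate_mark_match(arg, invert=False):
    """nft expression for -m mark [!] --mark value[/mask]: the kernel tests
    (mark & mask) == value, so the mask goes with 'and' and the value after '=='."""
    value, mask = parse_mark_arg(arg)
    op = "!=" if invert else "=="
    if mask == MASK32:
        return f"mark {op} {value:#x}"
    return f"mark and {mask:#x} {op} {value:#x}"


if __name__ == "__main__":
    print(xlate_set_xmark("0x64/0xaf"))           # meta mark set mark and 0xffffff50 xor 0x64
    print(xlate_set_xmark("0x16/0x12", ct=True))  # ct mark set ct mark and 0xffffffed xor 0x16
    print(xlate_mark_match("0x1/0xff"))           # mark and 0xff == 0x1
    print(ordering_matters(0x16, 0x12))           # True: 0x16 and 0x12 share bit 0x12
```

Starting from a zero mark, `and ~0x12 xor 0x16` yields 0x16 while `xor 0x16 and ~0x12` yields 0x04, so a translator has to keep the `and` before the `xor` for the rule to mean what the iptables rule meant.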
extensions: NETMAP: add ' to:' prefix when printing NETMAP target
NETMAP .print function doesn't insert the ' ' character needed to separate
earlier output from the target network, i.e. iptables -L prints
something like
2.2.2.5-2.2.2.103.3.3.64/28
instead of
2.2.2.5-2.2.2.10 3.3.3.64/28
Add a ' to:' prefix just like we do for S/DNAT targets.
Liping Zhang [Sat, 21 May 2016 10:07:16 +0000 (18:07 +0800)]
extensions: libxt_limit: fix a wrong translation to nft rule
The default burst value is 5 in iptables limit extension while it is 0 in
nft limit expression, if the burst value is the default, it will not be
displayed when we dump the rules. But when we do translation from iptables
rules to nft rules, we should keep the limit burst value unchanged, even if
it is not displayed in iptables rules.
And now, if the limit-burst value in the iptables rule is 5 or 0, they are
all translated to nft rule without burst, this is wrong:
extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
whenever it was used before bypass because then flags would be 1.
iptables: extensions: iptables-translate prints extra "nft" after printing any error
Output of command "./iptables-translate junk" is
Bad argument `junk'
Try `iptables-translate -h' or 'iptables-translate --help' for more
information.
nft
Output of command "./iptables-translate -B" is
iptables-translate v1.6.0: unknown option "-B"
Try `iptables-translate -h' or 'iptables-translate --help' for more
information.
nft
nft should not have been printed in either case. Move the printf
call after the do_parse function call.
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Tue, 23 Feb 2016 19:49:34 +0000 (01:19 +0530)]
comment: Add translation to nft
Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.
Example:
$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Wed, 10 Feb 2016 05:22:00 +0000 (10:52 +0530)]
iptables: nft-ipv6: Fix ipv6 flags
Replace the flags with the correct ipv6 flags.
Details:
Ana found out the bug and submitted the patch, Shivani applied it
on the latest tree and compile tested it.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-level error
nft add rule ip filter FORWARD ip protocol tcp counter log level err
$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" level warn
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>