55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure
to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure
to handle chain").
it is possible to put tables and chains in the same batch (which was
already including rules). This patch probes the kernel to check if
if the new transaction is available, otherwise it falls back to the
previous non-transactional approach to handle these two objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Mon, 24 Mar 2014 10:59:46 +0000 (11:59 +0100)]
nft: replace nft_rule_attr_get_u8
Since the family declaration has been modified in libnftnl,
from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16
the assertion is failed for {ip,ip6,arp}tables-compat
when printing rules.
Tomasz Bursztyka [Tue, 11 Feb 2014 16:36:43 +0000 (18:36 +0200)]
nft: A builtin chain might be created when restoring
nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Mon, 23 Dec 2013 17:46:29 +0000 (18:46 +0100)]
iptables: add libxt_cgroup frontend
This patch adds the user space extension/frontend for process matching
based on cgroups from the kernel patch entitled "netfilter: xtables:
lightweight process control group matching".
Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Sun, 22 Dec 2013 03:15:38 +0000 (04:15 +0100)]
iptables: snat: add randomize-full support
This patch provides the userspace part for snat in order to make
randomize-full support available in {ip,nf}tables. It allows for
enabling full port randomization that was motivated in [1] and
introduced to the kernel in [2].
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in
nft_xtables_config_load) but that was my fault indeed since Ana sent
a v2 patch that I have overlook.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released
appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of
nft_xtables_config_load
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Mon, 2 Dec 2013 10:43:25 +0000 (11:43 +0100)]
xtables-standalone: call nft_fini in the error path
This error is shown with valgrind tools:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x574CC76: mnl_socket_open (socket.c:117)
==7377== by 0x417495: nft_init (nft.c:598)
==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114== by 0x41788E: add_match (nft.c:781)
==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114== by 0x418ACE: nft_rule_append (nft.c:1000)
==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114== by 0x4152DE: do_commandx (xtables.c:1184)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114== by 0x52448C8: xtables_calloc (xtables.c:272)
==11114== by 0x410AC2: command_default (xshared.c:150)
==11114== by 0x4149A2: do_commandx (xtables.c:1075)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure.
Fix also the target path which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
This is a temporary workaround mechanism until variable interface
hardware address length can be handled through nftables. This
defaults on the length of EUI-64 mac address, which should be the
most common usage until this is appropriately fixed for all type
of layer 2 addresses.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes such warning:
xtables-arp.c: In function ‘check_inverse’:
xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a
global declaration [-Wshadow]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In (73ea1cc nft: convert rule into a command state structure), the
interface wildcard matching got broken. The previous handling was
flawed by the use of ifnametoindex in scenario where the interface
may vanished after a rule was added.
This approach relies on the trailing '\0' to identify if this is
an exact or wildcard matching, based on discussion with Florian.
Based on initial patch from Anand Raj Manickam.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: fix bad length when comparing extension data area
Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.
nft-shared.c: In function ‘nft_ipv46_rule_find’:
nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration]
nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function)
nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables: batch rule-set updates into one single netlink message
With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes nft_arp_rule_new, which almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Mon, 9 Sep 2013 10:54:04 +0000 (12:54 +0200)]
xtables: bootstrap ARP compatibility layer for nftables
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow to accomodate those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft-shared.c: In function ‘nft_rule_to_iptables_command_state’:
nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized]
nft-shared.c:432:14: note: ‘jumpto’ was declared here
All verdicts are managed and jumpto has to get a value, but since
the compiler complains, let's fix it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tomasz Bursztyka [Mon, 19 Aug 2013 12:04:06 +0000 (15:04 +0300)]
xtables: allow to reset the counters of an existing rule
Now that we convert nft rules to native xt command structure, it's
easier to reset the counters by replacing the existing rule by a
new one with all counters set to zero.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: fix wrong flags handling in print_firewall_details
Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have
to add an specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, ie.
Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0
Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: Generalize nft_rule_list() against current family
Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other family such
as ARP which will be useful for arptables compatibility tool.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Fri, 26 Jul 2013 11:05:15 +0000 (13:05 +0200)]
nft: associate table configuration to handle via nft_init
We need family dependent built-in table/chain configuration. This
patch is a step forward making nft family independent in
order to support arptables and ebtables compatibility layers.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / iptables.git / log
