git.ipfire.org Git - thirdparty/iptables.git/log
9 years ago - extensions: libip6t_REJECT: Add translation to nft
Shivani Bhardwaj [Tue, 5 Jan 2016 14:48:26 +0000 (20:18 +0530)] 
extensions: libip6t_REJECT: Add translation to nft

Add translation for target REJECT to nftables.

Examples:

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_ttl: Add translation to nft
Shivani Bhardwaj [Mon, 4 Jan 2016 18:00:02 +0000 (23:30 +0530)] 
extensions: libipt_ttl: Add translation to nft

Add translation for module ttl to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m ttl --ttl-eq 3 -j ACCEPT
nft add rule ip filter INPUT ip ttl 3 counter accept

$ sudo iptables-translate -A INPUT -m ttl --ttl-gt 5 -j ACCEPT
nft add rule ip filter INPUT ip ttl gt 5 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libip6t_ah: Add translation to nft
Shivani Bhardwaj [Thu, 31 Dec 2015 17:25:28 +0000 (22:55 +0530)] 
extensions: libip6t_ah: Add translation to nft

Add translation for AH to nftables.

Examples:

$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP
nft add rule ip6 filter INPUT ah spi 500 counter drop

$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP
nft add rule ip6 filter INPUT ah spi 500-550 counter drop

$ sudo ip6tables-translate -A INPUT -m ah ! --ahlen 120
nft add rule ip6 filter INPUT ah hdrlength != 120 counter

$ sudo ip6tables-translate -A INPUT -m ah --ahres
nft add rule ip6 filter INPUT ah reserved 1 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_length: Add translation to nft
Shivani Bhardwaj [Tue, 29 Dec 2015 18:24:25 +0000 (23:54 +0530)] 
extensions: libxt_length: Add translation to nft

Add translation for module length to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP
nft add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop

$ sudo iptables-translate -A INPUT -p udp -m length --length :400
nft add rule ip filter INPUT ip protocol udp meta length 0-400 counter

$ sudo iptables-translate -A INPUT -p udp -m length --length 40
nft add rule ip filter INPUT ip protocol udp meta length 40 counter

$ sudo iptables-translate -A INPUT -p udp -m length ! --length 40
nft add rule ip filter INPUT ip protocol udp meta length != 40 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libip6t_SNAT: Add translation to nft
Shivani Bhardwaj [Wed, 30 Dec 2015 09:24:57 +0000 (14:54 +0530)] 
extensions: libip6t_SNAT: Add translation to nft

Add translation for SNAT target to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :80

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :1-20

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 random

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random-fully --persistent
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 fully-random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libip6t_DNAT: Add translation to nft
Shivani Bhardwaj [Wed, 30 Dec 2015 08:41:26 +0000 (14:11 +0530)] 
extensions: libip6t_DNAT: Add translation to nft

Add translation for target DNAT to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
nft add rule ip6 nat prerouting iifname eth1 tcp dport 8080 counter dnat fec0::1234 :80

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:1-20
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :1-20

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 persistent

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - iptables: nft-ipv6: Replace ip with ip6
Shivani Bhardwaj [Wed, 30 Dec 2015 05:38:08 +0000 (11:08 +0530)] 
iptables: nft-ipv6: Replace ip with ip6

Replace ip with ip6 to avoid conflict between the protocols in the
results obtained from ip6tables-translate utility.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_DNAT: Add translation to nft
Shivani Bhardwaj [Mon, 28 Dec 2015 18:51:45 +0000 (00:21 +0530)] 
extensions: libipt_DNAT: Add translation to nft

Add translation for target DNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4

$ sudo iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat 192.168.1.1-192.168.1.10

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_SNAT: Add translation to nft
Shivani Bhardwaj [Mon, 28 Dec 2015 15:35:02 +0000 (21:05 +0530)] 
extensions: libipt_SNAT: Add translation to nft

Add translation for target SNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6

$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_realm: Add translation to nft
Shivani Bhardwaj [Fri, 25 Dec 2015 06:28:44 +0000 (11:58 +0530)] 
extensions: libipt_realm: Add translation to nft

Add translation for routing realm to nftables.

Examples:

$ sudo iptables-translate -A PREROUTING -m realm --realm 4
nft add rule ip filter PREROUTING rtclassid 0x4 counter

$ sudo iptables-translate -A PREROUTING -m realm --realm 5/5
nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter

$ sudo iptables-translate -A PREROUTING -m realm ! --realm 50
nft add rule ip filter PREROUTING rtclassid != 0x32 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_REJECT: Add translation to nft
Shivani Bhardwaj [Sun, 27 Dec 2015 04:42:48 +0000 (10:12 +0530)] 
extensions: libipt_REJECT: Add translation to nft

Add translation for target REJECT to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_pkttype: Add translation to nft
Shivani Bhardwaj [Fri, 25 Dec 2015 15:07:33 +0000 (20:37 +0530)] 
extensions: libxt_pkttype: Add translation to nft

Add translation for packet type to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m pkttype --pkt-type broadcast -j DROP
nft add rule ip filter INPUT pkttype broadcast counter drop

$ sudo iptables-translate -A INPUT -m pkttype ! --pkt-type unicast -j DROP
nft add rule ip filter INPUT pkttype != unicast counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_connmark: Add translation to nft
Shivani Bhardwaj [Wed, 23 Dec 2015 14:33:33 +0000 (20:03 +0530)] 
extensions: libxt_connmark: Add translation to nft

Add translation for connmark to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark 0x2 counter accept

$ sudo iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark != 0x2 counter accept

$ sudo iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept

$ sudo iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libipt_ah: Add translation to nft
Shivani Bhardwaj [Thu, 24 Dec 2015 17:30:58 +0000 (23:00 +0530)] 
extensions: libipt_ah: Add translation to nft

Add translation for Authentication Header to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500 -j DROP
nft add rule ip filter INPUT ah spi 500 counter drop

$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500:600 -j DROP
nft add rule ip filter INPUT ah spi 500-600 counter drop

$ sudo iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
nft add rule ip filter INPUT ah spi != 50 counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_cpu: Add translation to nft
Shivani Bhardwaj [Wed, 23 Dec 2015 16:41:58 +0000 (22:11 +0530)] 
extensions: libxt_cpu: Add translation to nft

Add translation for module cpu to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_devgroup: Add translation to nft
Shivani Bhardwaj [Wed, 23 Dec 2015 14:44:02 +0000 (20:14 +0530)] 
extensions: libxt_devgroup: Add translation to nft

Add translation for device group to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup 0x2 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup != 0x2 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_mark: Fix inversion code
Shivani Bhardwaj [Wed, 23 Dec 2015 14:13:19 +0000 (19:43 +0530)] 
extensions: libxt_mark: Fix inversion code

Fix the code associated with invert flag.

Examples:

$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa
nft insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter

$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1
nft insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - include: xtables: Add enum for better nft translation code
Shivani Bhardwaj [Wed, 23 Dec 2015 14:21:33 +0000 (19:51 +0530)] 
include: xtables: Add enum for better nft translation code

Add enum xt_op to make it easier to write cleaner and better code for
nft translation.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_limit: Add translation to nft
Shivani Bhardwaj [Tue, 22 Dec 2015 21:55:21 +0000 (03:25 +0530)] 
extensions: libxt_limit: Add translation to nft

Add translation for module limit to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter

$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_NFLOG: Add group_info and remove multiple keywords
Shivani Bhardwaj [Tue, 22 Dec 2015 20:02:46 +0000 (01:32 +0530)] 
extensions: libxt_NFLOG: Add group_info and remove multiple keywords

Add group_info with every rule, as it is mandatory for the logging to
be considered the same type as NFLOG.
Remove multiple log keywords to avoid loading multiple log expressions
at a time.

Examples:

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 2
nft insert rule ip filter INPUT counter log queue-threshold 2 group 0

$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" group 32

Reported-by: Arturo Borrero <arturoborreroglez@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_helper: Add translation to nft
Shivani Bhardwaj [Wed, 23 Dec 2015 10:08:40 +0000 (15:38 +0530)] 
extensions: libxt_helper: Add translation to nft

Add translation for helper module to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -m helper --helper sip
nft add rule ip filter FORWARD ct helper \"sip\" counter

$ sudo iptables-translate -A FORWARD -m helper ! --helper ftp
nft add rule ip filter FORWARD ct helper != \"ftp\" counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_mac: Add translation to nft
Shivani Bhardwaj [Tue, 22 Dec 2015 12:36:17 +0000 (18:06 +0530)] 
extensions: libxt_mac: Add translation to nft

Add translation for module mac to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP
nft add rule ip filter INPUT  ether saddr 0A:12:3E:4F:B2:C6 counter drop

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80  ether saddr 0A:12:3E:4F:B2:C6 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_iprange: Add translation to nft
Shivani Bhardwaj [Tue, 22 Dec 2015 07:05:20 +0000 (12:35 +0530)] 
extensions: libxt_iprange: Add translation to nft

Add translation for iprange to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT  ip saddr 192.168.25.149-192.168.25.151 counter accept

$ sudo iptables-translate -A INPUT -m iprange --dst-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT  ip daddr 192.168.25.149-192.168.25.151 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_NFLOG: Add translation to nft
Shivani Bhardwaj [Mon, 21 Dec 2015 17:35:59 +0000 (23:05 +0530)] 
extensions: libxt_NFLOG: Add translation to nft

Add translation for NF Logging to nftables.

Examples:

$ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
nft add rule ip filter OUTPUT counter log group 30

$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-range 256
nft insert rule ip filter INPUT counter log snaplen 256

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
nft insert rule ip filter INPUT counter log queue-threshold 25

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_esp: Add translation to nft
Shivani Bhardwaj [Sun, 20 Dec 2015 18:13:21 +0000 (23:43 +0530)] 
extensions: libxt_esp: Add translation to nft

Add translation for ESP Protocol to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p esp -j ACCEPT
nft add rule ip filter FORWARD ip protocol esp counter accept

$ sudo iptables-translate -A INPUT  --in-interface  wan --protocol esp -j ACCEPT
nft add rule ip filter INPUT iifname wan ip protocol esp counter accept

$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
nft add rule ip filter INPUT esp spi 500 counter drop

$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
nft add rule ip filter INPUT esp spi 500-600 counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_mark: Add translation to nft
Shivani Bhardwaj [Sun, 20 Dec 2015 03:14:12 +0000 (08:44 +0530)] 
extensions: libxt_mark: Add translation to nft

Add translation for metainformation mark to nftables.

Examples:

$ sudo iptables-translate -I INPUT -m mark --mark 12
nft insert rule ip filter INPUT mark  0xc counter

$ sudo iptables-translate -A FORWARD -m mark --mark 22 -j ACCEPT
nft add rule ip filter FORWARD mark  0x16 counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 4600 -m mark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 4600 mark  0x40 counter

$ sudo iptables-translate -A FORWARD -m mark --mark 0x400/0x400 -j ACCEPT
nft add rule ip filter FORWARD mark  and 0x400 == 0x400 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_udp: add translation to nft
Ana Rey [Wed, 16 Apr 2014 07:19:40 +0000 (09:19 +0200)] 
extensions: libxt_udp: add translation to nft

Some examples:

 $ sudo iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
add rule ip filter INPUT iifname eth0 udp sport 53 counter accept

 $ sudo ./iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP
add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop

 $ sudo ./iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_state: add translation to nft
Pablo Neira Ayuso [Sun, 13 Apr 2014 12:13:51 +0000 (14:13 +0200)] 
extensions: libxt_state: add translation to nft

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_tcp: add translation to nft
Pablo Neira Ayuso [Fri, 11 Apr 2014 15:58:53 +0000 (17:58 +0200)] 
extensions: libxt_tcp: add translation to nft

Translation for the TCP option matching is not yet implemented as we
don't have a way to match this yet.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - nft: xtables: add the infrastructure to translate from iptables to nft
Pablo Neira Ayuso [Fri, 11 Apr 2014 10:31:39 +0000 (12:31 +0200)] 
nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:

1) iptables-restore-translate which basically takes a file that contains
   the ruleset in iptables-restore format and converts it to the nft
   syntax, eg.

 % iptables-restore-translate -f ipt-ruleset > nft-ruleset
 % cat nft-ruleset
 # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
 add table ip filter
 add chain ip filter INPUT { type filter hook input priority 0; }
 add chain ip filter FORWARD { type filter hook forward priority 0; }
 add chain ip filter OUTPUT { type filter hook output priority 0; }
 add rule ip filter INPUT iifname lo counter accept
 # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
 ...

The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables
   command:

 $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
 nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - nft: xtables-restore: add generic parsing infrastructure
Pablo Neira Ayuso [Sun, 13 Apr 2014 09:05:15 +0000 (11:05 +0200)] 
nft: xtables-restore: add generic parsing infrastructure

This allows us to reuse the xtables-restore parser code in the
translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - nft: xtables: add generic parsing infrastructure to interpret commands
Pablo Neira Ayuso [Fri, 11 Apr 2014 09:57:53 +0000 (11:57 +0200)] 
nft: xtables: add generic parsing infrastructure to interpret commands

Split the code to parse arguments and to issue command so we reuse this
for the iptables to nft translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: fix cgroup2 help message in libxt_cgroup.c.
Rami Rosen [Mon, 25 Jan 2016 06:09:39 +0000 (08:09 +0200)] 
extensions: fix cgroup2 help message in libxt_cgroup.c.

This patch fixes a typo in the cgroup2 cgroup_help_v1() method in extensions/libxt_cgroup.c.

Signed-off-by: Rami Rosen <rami.rosen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - iptables.8: mention iptables-save in -L documentation
Florian Westphal [Mon, 4 Jan 2016 23:29:10 +0000 (00:29 +0100)] 
iptables.8: mention iptables-save in -L documentation

-L omits some details (e.g. interfaces).

We already mentioned '-L -v' but for convenience also mention
ipt-save since that lists it as-is too.

Signed-off-by: Florian Westphal <fw@strlen.de>
9 years ago - iptables: add xtables-config-parser.h to BUILT_SOURCES
Gustavo Zacarias [Wed, 30 Dec 2015 17:51:30 +0000 (14:51 -0300)] 
iptables: add xtables-config-parser.h to BUILT_SOURCES

Otherwise other sources that use it might be built before it's ready, leading
to a build failure, for example in iptables/nft.c.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - extensions: libxt_cgroup: add unit test
Tejun Heo [Mon, 28 Dec 2015 21:41:20 +0000 (16:41 -0500)] 
extensions: libxt_cgroup: add unit test

Add basic tests which depend only on the root cgroup.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - libxt_cgroup2: add support for cgroup2 path matching
Tejun Heo [Tue, 22 Dec 2015 18:57:07 +0000 (13:57 -0500)] 
libxt_cgroup2: add support for cgroup2 path matching

This patch updates xt_cgroup so that it supports revision 1 interface
which includes cgroup2 path based matching.

v3: Folded into xt_cgroup as a new revision interface as suggested by
    Pablo.

v2: cgroup2_match->userspacesize and ->save and man page updated as
    per Jan.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - libxt_cgroup: prepare for multi revisions
Tejun Heo [Tue, 22 Dec 2015 18:56:26 +0000 (13:56 -0500)] 
libxt_cgroup: prepare for multi revisions

libxt_cgroup will grow cgroup2 path based match.  Postfix existing
symbols with _v0 and prepare for multi revision registration.  While
at it, rename O_CGROUP to O_CLASSID and fwid to classid.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - iptables: fix static builds [tag: v1.6.0]
Pablo Neira Ayuso [Wed, 9 Dec 2015 12:53:42 +0000 (13:53 +0100)] 
iptables: fix static builds

The libext_arpt is not included when linking the static version of
iptables.

We also need to include libnetfilter_conntrack if connlabel support is
on.

Based on patch from Daniel Wagner <daniel.wagner@bmw-carit.de>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - iptables 1.6.0 release
Pablo Neira Ayuso [Wed, 16 Sep 2015 14:51:37 +0000 (16:51 +0200)] 
iptables 1.6.0 release

xtables_globals structure layout has changed, so let's bump
libxtables_vcurrent.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years ago - iptables-compat: Keep xtables-config and xtables-events out from tree
Pablo Neira Ayuso [Wed, 11 Nov 2015 15:40:28 +0000 (16:40 +0100)] 
iptables-compat: Keep xtables-config and xtables-events out from tree

These binaries are part of the compat layer, however they provide more
features than actually available in the existing native iptables
binaries. So let's keep them out from the tree before the 1.6.0 release
as we only want to provide compatibility utils at this stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - libxt_CT: add support for recently introduced zone options
Daniel Borkmann [Mon, 24 Aug 2015 15:38:15 +0000 (17:38 +0200)] 
libxt_CT: add support for recently introduced zone options

This adds the user space front-end and man-page bits for the additional
zone features (direction, mark) of the CT target.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - added missing icmpv6 codes in REJECT
Andreas Herz [Fri, 21 Aug 2015 09:33:05 +0000 (11:33 +0200)] 
added missing icmpv6 codes in REJECT

RFC 4443 added two new codes values for ICMPv6 type 1:

 5 - Source address failed ingress/egress policy
 6 - Reject route to destination

And RFC 7084 states in L-14 that IPv6 Router MUST send ICMPv6 Destination
Unreachable with code 5 for packets forwarded to it that use an address
from a prefix that has been invalidated.

Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - iptables-compat: use new symbols in libnftnl
Pablo Neira Ayuso [Tue, 15 Sep 2015 14:37:32 +0000 (16:37 +0200)] 
iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - extensions: fix several test errors
Pablo Neira Ayuso [Tue, 15 Sep 2015 15:14:58 +0000 (17:14 +0200)] 
extensions: fix several test errors

extensions/libxt_esp.t: ERROR: line 7 (should fail: iptables -A INPUT -p esp -m esp)
extensions/libip6t_rt.t: ERROR: line 5 (should fail: ip6tables -A INPUT -m rt)
extensions/libip6t_ah.t: ERROR: line 15 (should fail: ip6tables -A INPUT -m ah)
extensions/libipt_ah.t: ERROR: line 13 (should fail: iptables -A INPUT -p ah -m ah)

Fixes: 4264de1f270a ("extensions: restore matching any SPI id by default")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - extensions: icmp6: added missing icmpv6 dest-unreach codes
Andreas Herz [Thu, 20 Aug 2015 10:36:31 +0000 (12:36 +0200)] 
extensions: icmp6: added missing icmpv6 dest-unreach codes

https://tools.ietf.org/html/rfc4443 says:

   ICMPv6 Fields:

   Type           1

   Code           0 - No route to destination
                  1 - Communication with destination
                        administratively prohibited
                  2 - Beyond scope of source address
                  3 - Address unreachable
                  4 - Port unreachable
                  5 - Source address failed ingress/egress policy
                  6 - Reject route to destination

Add missing code 2, 5 and 6.

Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - iptables: Spelling fixes
Ville Skyttä [Sun, 6 Sep 2015 06:22:30 +0000 (09:22 +0300)] 
iptables: Spelling fixes

While at it, update comment format for the respective blocks.

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - iptables: update gitignore list
Mike Frysinger [Thu, 20 Aug 2015 12:21:53 +0000 (08:21 -0400)] 
iptables: update gitignore list

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago - libiptc: fix fortify errors in debug code
Mike Frysinger [Thu, 20 Aug 2015 11:12:59 +0000 (07:12 -0400)] 
libiptc: fix fortify errors in debug code

When using open(O_CREAT), you must supply the mode bits, otherwise the
func will pull random garbage off the stack.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  build: add finer module blacklisting
Mike Frysinger [Tue, 18 Aug 2015 22:48:54 +0000 (18:48 -0400)] 
build: add finer module blacklisting

Newer extensions require libnftnl in order to build, but there are no
configure or build checks for it, which leads to a bunch of modules
failing when libnftnl isn't installed.  Add finer grained blacklisting
so we can disable modules for specific parts rather than all of them.
e.g. We want to blacklist libebt_limit, but not libxt_limit.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  configure: fix 3rd arg w/AC_ARG_ENABLE
Mike Frysinger [Sat, 15 Aug 2015 18:13:35 +0000 (14:13 -0400)] 
configure: fix 3rd arg w/AC_ARG_ENABLE

The 3rd arg is used when --{enable,disable}-foo are passed in, not when
the feature is enabled.  Use the existing $enableval instead.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  extensions: restore matching any SPI id by default
Jan Engelhardt [Wed, 15 Jul 2015 12:53:39 +0000 (14:53 +0200)] 
extensions: restore matching any SPI id by default

This is the same as commit v1.4.15-12-g8a988f6.

If no id option is given, the extensions only match packets with a
zero-valued identification field. This behavior deviates from what it
used to do back in v1.4.10-273-g6944f2c^.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
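The default the commit above restores, shown as an added C example (not iptables' or the kernel's code; the struct and function names are hypothetical): the range match itself, the any-SPI default beside the zeroed one that only matched SPI 0, and the "min:max" parsing with its min > max check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-rule SPI data an ESP/AH match carries;
 * not iptables' real struct. spis[] holds an inclusive [min, max] range. */
struct spi_match_info {
    uint32_t spis[2];
    bool     invert;   /* set by "! --espspi" / "! --ahspi" */
};

/* In-range test XOR the invert flag, the shape a kernel-side range
 * match takes. */
bool spi_match(const struct spi_match_info *info, uint32_t spi)
{
    bool in_range = spi >= info->spis[0] && spi <= info->spis[1];
    return in_range ^ info->invert;
}

/* Intended default when the rule names no SPI: match every SPI. */
void spi_init_any(struct spi_match_info *info)
{
    info->spis[0] = 0;
    info->spis[1] = UINT32_MAX;
    info->invert  = false;
}

/* The regressed default the commit reverts: a zeroed range, which only
 * matches SPI 0. */
void spi_init_zeroed(struct spi_match_info *info)
{
    info->spis[0] = 0;
    info->spis[1] = 0;
    info->invert  = false;
}

/* Parse "spi" or "min:max" (decimal). Returns false on malformed input
 * or min > max. */
bool spi_parse_range(struct spi_match_info *info, const char *arg)
{
    unsigned long long lo, hi;
    int n = sscanf(arg, "%llu:%llu", &lo, &hi);

    if (n < 1)
        return false;
    if (n == 1)
        hi = lo;
    if (lo > UINT32_MAX || hi > UINT32_MAX || lo > hi)
        return false;
    info->spis[0] = (uint32_t)lo;
    info->spis[1] = (uint32_t)hi;
    return true;
}

/* Does `spi` hit a rule that gave no SPI option, under each default? */
bool matches_with_any_default(uint32_t spi)
{
    struct spi_match_info info;
    spi_init_any(&info);
    return spi_match(&info, spi);
}

bool matches_with_zeroed_default(uint32_t spi)
{
    struct spi_match_info info;
    spi_init_zeroed(&info);
    return spi_match(&info, spi);
}

/* 1 = match, 0 = no match, -1 = range did not parse. */
int matches_range(const char *range, bool invert, uint32_t spi)
{
    struct spi_match_info info;
    if (!spi_parse_range(&info, range))
        return -1;
    info.invert = invert;
    return spi_match(&info, spi) ? 1 : 0;
}

int main(void)
{
    uint32_t spi = 0x12345678u;
    printf("no option, any-SPI default: %d\n", matches_with_any_default(spi));
    printf("no option, zeroed default : %d\n", matches_with_zeroed_default(spi));
    printf("--espspi 500:550 on 525   : %d\n", matches_range("500:550", false, 525));
    printf("! --espspi 500:550 on 551 : %d\n", matches_range("500:550", true, 551));
    return 0;
}
```

The point of the two defaults side by side: with a zeroed struct, `-p esp -m esp` silently becomes `--espspi 0`, so rules written to cover all ESP traffic stop matching real SAs, which is why the test-suite entries the first commit on this page fixes expect the bare match to be accepted and to mean "any SPI".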
10 years ago  iptables-compat: Increase rule number only for the selected table and chain
Thomas Woerner [Tue, 21 Jul 2015 13:45:42 +0000 (15:45 +0200)] 
iptables-compat: Increase rule number only for the selected table and chain

This patch fixes the rule number handling in nft_rule_find and __nft_rule_list.
The rule number is only valid in the selected table and chain and therefore may
not be increased for other tables or chains.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  iptables-compat: Allow to insert into rule_count+1 position
Thomas Woerner [Tue, 21 Jul 2015 13:45:41 +0000 (15:45 +0200)] 
iptables-compat: Allow to insert into rule_count+1 position

iptables allows inserting a rule at the next non-existing rule number, but
iptables-compat does not allow this.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
Andreas Herz [Thu, 16 Jul 2015 13:54:19 +0000 (15:54 +0200)] 
extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols

In the --help output and manpage for ipv6header the name for upper layer
protocol headers was "proto", while in the code itself it's "prot" for
the short form. Fixed by changing manpage and help output.

Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  extensions: libxt_socket: update man pages and tests for --restore-skmark
Harout Hedeshian [Mon, 13 Jul 2015 16:01:30 +0000 (10:01 -0600)] 
extensions: libxt_socket: update man pages and tests for --restore-skmark

Update the man pages for libxt_socket with a description and example
usage of the --restore-skmark option.

Also added tests for libxt_socket with various combinations of
--restore-skmark and the existing options.

Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  build: resolve build error involving libnftnl
Jan Engelhardt [Wed, 15 Jul 2015 12:53:38 +0000 (14:53 +0200)] 
build: resolve build error involving libnftnl

make[2]: Entering directory '/home/jengelh/code/iptables/extensions'
  CC       libebt_limit.oo
In file included from ../iptables/nft.h:5:0,
                 from libebt_limit.c:21:
../iptables/nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
 #include <libnftnl/rule.h>
                           ^
compilation terminated.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  extensions: libxt_socket: add --restore-skmark option
Harout Hedeshian [Tue, 16 Jun 2015 00:41:19 +0000 (18:41 -0600)] 
extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.

Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.

iptables -t mangle -I PREROUTING -m socket --transparent \
                                           --restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3

Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  include: Sync with upstream kernel headers
Felix Janda [Tue, 16 Jun 2015 19:24:07 +0000 (21:24 +0200)] 
include: Sync with upstream kernel headers

Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  include Use <stdint.h> types from xtables.h
Felix Janda [Tue, 16 Jun 2015 19:23:52 +0000 (21:23 +0200)] 
include Use <stdint.h> types from xtables.h

Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  include: Sync with ethernetdb.h from ebtables
Felix Janda [Tue, 16 Jun 2015 19:23:38 +0000 (21:23 +0200)] 
include: Sync with ethernetdb.h from ebtables

Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  include: remove libc5 support code
Felix Janda [Sat, 2 May 2015 19:51:38 +0000 (21:51 +0200)] 
include: remove libc5 support code

Current code makes the assumption that !defined(__GLIBC__) means libc5
which is very unlikely the case nowadays.

Fixes compile error because of conflict between kernel and musl headers.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  consistently use <errno.h>
Felix Janda [Sat, 2 May 2015 19:51:01 +0000 (21:51 +0200)] 
consistently use <errno.h>

On glibc, <sys/errno.h> is a synonym for <errno.h>.
<errno.h> is specified by POSIX, so use that.

Fixes compilation error with musl libc

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  Merge branch 'ipset-next'
Pablo Neira Ayuso [Tue, 28 Apr 2015 12:09:07 +0000 (14:09 +0200)] 
Merge branch 'ipset-next'

Get this patch into master:

"Alignment problem between 64bit kernel 32bit userspace"

As Jozsef requests.

10 years ago  libxtables: find extensions based on family too
Arturo Borrero [Wed, 8 Apr 2015 17:42:19 +0000 (19:42 +0200)] 
libxtables: find extensions based on family too

When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the xtables_find_{match,target}
functions need to compare the family too.

We want to avoid this situation:

 1) user first sets afinfo to IPv6
 2) xtables_find_target() finds & load ip6t_REJECT and uses it
 3) afinfo change to IPv4
 4) user then tries to use ipt_REJECT
 5) xtables_find_target() finds ip6t_REJECT instead (same target name)
 6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  list: fix prefetch dummy
Arturo Borrero [Mon, 6 Apr 2015 18:05:41 +0000 (20:05 +0200)] 
list: fix prefetch dummy

linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
  for (pos = list_entry((head)->next, typeof(*pos), member), \
                                                           ^
libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry'
  list_for_each_entry(c, &h->chains, list) {
  ^

[ Patch copied from a similar one by Patrick McHardy on libnftnl ]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
10 years ago  ebtables-compat: fix misplaced function attribute on ebt_print_error()
Arturo Borrero Gonzalez [Mon, 6 Apr 2015 14:05:28 +0000 (16:05 +0200)] 
ebtables-compat: fix misplaced function attribute on ebt_print_error()

xtables-eb.c:305:1: warning: empty declaration
 } __attribute__((noreturn, format(printf,2,3)));
 ^
xtables-eb.c:311:2: warning: initialization makes '__attribute__((noreturn))' qualified function pointer from unqualified
  .exit_err  = ebt_print_error,
  ^

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  cgroup, man: improve man-page bits
Daniel Borkmann [Fri, 27 Mar 2015 18:38:36 +0000 (19:38 +0100)] 
cgroup, man: improve man-page bits

Document limitations when in use with INPUT until we found a
better solution. Also fix up indent in the example section.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  libxt_tcp: manpage correction
Jiri Popelka [Mon, 16 Mar 2015 16:37:49 +0000 (17:37 +0100)] 
libxt_tcp: manpage correction

$ iptables -A INPUT -m tcp --sport 6500:6400 -j ACCEPT
iptables v1.4.21: invalid portrange (min > max)

Error message added with d15fb34c

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  ebtables-compat: fix rule deleting with -D in rules with no target
Arturo Borrero [Wed, 11 Mar 2015 17:55:03 +0000 (18:55 +0100)] 
ebtables-compat: fix rule deleting with -D in rules with no target

Before this patch, rule deleting with -D produces segfault in rules
with no target.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: add a bridge-specific exit_error function
Arturo Borrero [Wed, 11 Mar 2015 17:54:57 +0000 (18:54 +0100)] 
ebtables-compat: add a bridge-specific exit_error function

Previous to this patch, error reporting in ebtables-compat was like:

% ebtables-compat xxx
(null) v1.4.21: Bad argument : 'xxx'
Try `(null) -h' or '(null) --help' for more information.

While the original ebtables was:

% ebtables xxx
Bad argument : 'xxx'.

With this patch, we switch to:

% ebtables-compat xxx
Bad argument : 'xxx'.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: add support for limit extension
Arturo Borrero [Wed, 4 Mar 2015 18:49:02 +0000 (19:49 +0100)] 
ebtables-compat: add support for limit extension

Add support for the ebtables limit extension (match).

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
10 years ago  man: using physdev match in OUTPUT is not supported anymore
Florian Westphal [Fri, 6 Mar 2015 12:09:51 +0000 (13:09 +0100)] 
man: using physdev match in OUTPUT is not supported anymore

kernels 2.6.20 and later reject -m physdev in OUTPUT with
"using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
 non-bridged traffic is not supported anymore" error in dmesg.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  arptables-compat: delete extra space in target printing
Arturo Borrero [Thu, 5 Mar 2015 18:47:52 +0000 (19:47 +0100)] 
arptables-compat: delete extra space in target printing

This is an extra space, let's get rid of it.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  arptables-compat: add support for the CLASSIFY target
Arturo Borrero [Thu, 5 Mar 2015 18:47:38 +0000 (19:47 +0100)] 
arptables-compat: add support for the CLASSIFY target

This patch adds support to arptables-compat for the CLASSIFY target.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: support nflog extension
Arturo Borrero [Tue, 3 Mar 2015 18:48:13 +0000 (19:48 +0100)] 
ebtables-compat: support nflog extension

Let's give support for the nflog extension (a watcher).

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  libxt_quota: fix _save() invert syntax
Arturo Borrero [Mon, 23 Feb 2015 10:31:11 +0000 (11:31 +0100)] 
libxt_quota: fix _save() invert syntax

Space is misplaced.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  iptables-compat: unset context flags in netlink delinearize step
Pablo Neira Ayuso [Wed, 18 Feb 2015 23:15:13 +0000 (00:15 +0100)] 
iptables-compat: unset context flags in netlink delinearize step

Once the data that the compare expression provides have been digested.

For example:

-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

no longer shows the following broken output via iptables-compat-save:

-A INPUT -i

+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
10 years ago  tests: remove old test cases
Florian Westphal [Thu, 19 Feb 2015 13:17:17 +0000 (14:17 +0100)] 
tests: remove old test cases

Obsoleted by iptables-test.py in project root directory,
see extensions/*.t for the new test cases.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: libip6t_dst: make inversion work
Florian Westphal [Thu, 19 Feb 2015 11:26:42 +0000 (12:26 +0100)] 
extensions: libip6t_dst: make inversion work

The inversion flag wasn't set in the match struct.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions/libxt_recent.t: add test case for 3.19 regression
Florian Westphal [Thu, 19 Feb 2015 11:24:31 +0000 (12:24 +0100)] 
extensions/libxt_recent.t: add test case for 3.19 regression

Fails with vanilla 3.19.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: SNPT,DNPT: fix save/print output
Florian Westphal [Thu, 19 Feb 2015 11:28:18 +0000 (12:28 +0100)] 
extensions: SNPT,DNPT: fix save/print output

Wrong placement of ' ', i.e. we get
-j SNPT--src-pfx dead::/64 --dst-pfx 1c3::/64

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: add more test cases for iptables-test.py
Florian Westphal [Thu, 19 Feb 2015 01:23:19 +0000 (02:23 +0100)] 
extensions: add more test cases for iptables-test.py

Instead of using iptables-save-formatted files in the tests/ dir,
let's use the iptables-test.py framework for all matches/targets.

This obsoletes tests/ completely; it will be removed in a follow-up patch.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: remove 'unclean' match
Florian Westphal [Thu, 19 Feb 2015 00:27:36 +0000 (01:27 +0100)] 
extensions: remove 'unclean' match

Removed from the kernel in 2003.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: remove SAME target
Florian Westphal [Thu, 19 Feb 2015 00:20:15 +0000 (01:20 +0100)] 
extensions: remove SAME target

Removed from the kernel in December 2007.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  extensions: remove MIRROR
Florian Westphal [Thu, 19 Feb 2015 00:17:18 +0000 (01:17 +0100)] 
extensions: remove MIRROR

Removed from the kernel back in 2003.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  xtables-compat: remove unused fields from bridge and arp families
Pablo Neira Ayuso [Mon, 16 Feb 2015 19:17:51 +0000 (20:17 +0100)] 
xtables-compat: remove unused fields from bridge and arp families

These two families only work under nft compat, so leave unset the fields
that we don't use. Basically, we need neither the module autoload code
nor the native get/setsockopt() revision infrastructure since we use the
one that nft_compat provides through nfnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  arptables-compat: add mangle target extension
Arturo Borrero [Fri, 13 Feb 2015 10:38:02 +0000 (11:38 +0100)] 
arptables-compat: add mangle target extension

This patch adds support to use the mangle target extensions, along with
the required changes in the surrounding code.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  xshared: calm down compilation warning
Pablo Neira Ayuso [Mon, 16 Feb 2015 15:57:39 +0000 (16:57 +0100)] 
xshared: calm down compilation warning

xshared.c: In function ‘xtables_lock’:
xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  tests: add test case for xt_recent regression
Florian Westphal [Fri, 13 Feb 2015 13:07:21 +0000 (14:07 +0100)] 
tests: add test case for xt_recent regression

fails on 3.19 kernel:
xt_recent: hitcount (8) is larger than packets to be remembered (8) for table foo

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  tests: split into family and table specific files
Florian Westphal [Fri, 13 Feb 2015 13:00:27 +0000 (14:00 +0100)] 
tests: split into family and table specific files

also add simple script to restore/save them.
run_qa.sh passes on standard-distro kernels.

Signed-off-by: Florian Westphal <fw@strlen.de>
10 years ago  Merge branch 'ebtables-compat'
Pablo Neira Ayuso [Wed, 11 Feb 2015 15:16:50 +0000 (16:16 +0100)] 
Merge branch 'ebtables-compat'

The ebtables-compat branch provides the compatibility layer to run
ebtables extensions. Currently, only the following matches / targets /
watchers are supported:

* 802_3
* ip
* mark_m and mark
* log

The remaining ones should be easy to port on top of libxtables; they
will follow later.

10 years ago  ebtables-compat: add log watcher extension
Arturo Borrero [Mon, 9 Feb 2015 12:16:17 +0000 (13:16 +0100)] 
ebtables-compat: add log watcher extension

This patch adds the log 'watcher' extension.

The work was started by Giuseppe Longo <giuseppelng@gmail.com> and finished
by me.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: add watchers support
Arturo Borrero [Mon, 9 Feb 2015 12:16:12 +0000 (13:16 +0100)] 
ebtables-compat: add watchers support

ebtables watchers are targets which always return EBT_CONTINUE.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: add mark target extension
Arturo Borrero [Tue, 3 Feb 2015 15:29:35 +0000 (16:29 +0100)] 
ebtables-compat: add mark target extension

Translate the mark target extension to the xtables-compat environment.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: finish target infrastructure
Arturo Borrero [Tue, 3 Feb 2015 16:58:17 +0000 (17:58 +0100)] 
ebtables-compat: finish target infrastructure

Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: call extensions final checks
Arturo Borrero [Tue, 3 Feb 2015 15:26:39 +0000 (16:26 +0100)] 
ebtables-compat: call extensions final checks

Let's call extensions final checks.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  libxtables: search first for AF-specific extension
Arturo Borrero [Thu, 29 Jan 2015 16:44:33 +0000 (17:44 +0100)] 
libxtables: search first for AF-specific extension

There are some extensions which may name-clash, for example:
 * libxt_mark.so
 * libebt_mark.so

Let's search first for the AF-specific extension and then for the generic libxt_*.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
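An added C illustration (not libxtables' code; the registry, enum and function names are hypothetical) of the two lookup rules from this commit and from "libxtables: find extensions based on family too" above: a loaded-extension cache keyed on name only hands ip6t_REJECT back to an IPv4 caller, a cache keyed on name and family does not, and the on-disk search tries the family-specific file name before the generic libxt_ one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical registry, not libxtables' real data structures. */
enum family { FAM_IPV4, FAM_IPV6, FAM_ARP, FAM_BRIDGE };

struct extension {
    const char *name;    /* match/target name as typed on the command line */
    enum family family;  /* family the shared object was built for */
};

#define MAX_LOADED 16
static struct extension loaded[MAX_LOADED];  /* already-loaded extensions */
static int nloaded;

void registry_reset(void)
{
    nloaded = 0;
}

bool registry_load(const char *name, enum family family)
{
    if (nloaded >= MAX_LOADED)
        return false;
    loaded[nloaded].name = name;
    loaded[nloaded].family = family;
    nloaded++;
    return true;
}

/* Pre-fix lookup: the first loaded extension with that name wins, whatever
 * family it was built for. */
const struct extension *find_by_name(const char *name)
{
    for (int i = 0; i < nloaded; i++)
        if (strcmp(loaded[i].name, name) == 0)
            return &loaded[i];
    return NULL;
}

/* Post-fix lookup: name and family must both match. */
const struct extension *find_by_name_family(const char *name, enum family family)
{
    for (int i = 0; i < nloaded; i++)
        if (loaded[i].family == family && strcmp(loaded[i].name, name) == 0)
            return &loaded[i];
    return NULL;
}

/* The six steps from the "find extensions based on family too" message:
 * ip6t_REJECT is loaded while the family is IPv6, then the family switches
 * to IPv4 and REJECT is looked up again. Returns the family of the
 * extension handed back, or -1 if none. */
int old_lookup_scenario(void)
{
    registry_reset();
    registry_load("REJECT", FAM_IPV6);
    const struct extension *e = find_by_name("REJECT");
    return e ? (int)e->family : -1;   /* FAM_IPV6: the wrong module */
}

int new_lookup_scenario(void)
{
    registry_reset();
    registry_load("REJECT", FAM_IPV6);
    const struct extension *e = find_by_name_family("REJECT", FAM_IPV4);
    return e ? (int)e->family : -1;   /* -1: caller goes on to load ipt_REJECT */
}

/* File-name prefix of a family-specific extension (assumed naming). */
const char *family_prefix(enum family f)
{
    switch (f) {
    case FAM_IPV4:   return "libipt_";
    case FAM_IPV6:   return "libip6t_";
    case FAM_ARP:    return "libarpt_";
    case FAM_BRIDGE: return "libebt_";
    }
    return "libxt_";
}

/* idx 0 is tried first (family-specific file), idx 1 second (generic libxt_).
 * Returns a static buffer, overwritten on each call. */
const char *search_candidate(enum family f, const char *name, int idx)
{
    static char buf[64];
    if (idx == 0)
        snprintf(buf, sizeof buf, "%s%s.so", family_prefix(f), name);
    else
        snprintf(buf, sizeof buf, "libxt_%s.so", name);
    return buf;
}

int main(void)
{
    printf("old lookup returns family %d (1 = IPv6, wrong)\n", old_lookup_scenario());
    printf("new lookup returns %d (-1 = not loaded yet)\n", new_lookup_scenario());
    printf("bridge 'mark' search order: %s", search_candidate(FAM_BRIDGE, "mark", 0));
    printf(" then %s\n", search_candidate(FAM_BRIDGE, "mark", 1));
    return 0;
}
```

The two rules are complementary: the search order decides which file gets loaded for a name, and the family-aware cache lookup decides whether an already-loaded object may be reused. Either one alone still lets a bridge or IPv6 extension be applied to a rule of another family, and the kernel-side match or target data it fills in will not be what that family's module expects.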
10 years ago  extensions: cleanup commented code in ebtables-compat extensions
Arturo Borrero [Fri, 30 Jan 2015 11:47:16 +0000 (12:47 +0100)] 
extensions: cleanup commented code in ebtables-compat extensions

This code can be cleaned up. No need for validation from userspace,
the kernel will reject incorrect options.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years ago  ebtables-compat: add mark_m match extension
Arturo Borrero [Fri, 30 Jan 2015 11:43:08 +0000 (12:43 +0100)] 
ebtables-compat: add mark_m match extension

Translate mark_m match extension to the xtables-compat environment.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>