git.ipfire.org Git - thirdparty/iptables.git/log
Florian Westphal [Sat, 26 May 2018 17:20:16 +0000 (19:20 +0200)] 
xtables: extended error reporting

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Sat, 26 May 2018 17:04:08 +0000 (19:04 +0200)] 
xtables: allocate struct xt_comment_info for comments

When mapping it to the comment match; otherwise, a crash happens when
trying to save the ruleset listing.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Sat, 26 May 2018 09:34:34 +0000 (11:34 +0200)] 
xtables: use libnftnl batch API

Use the existing batching API from the library; the existing code relies on an
earlier implementation of it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 24 May 2018 15:57:34 +0000 (17:57 +0200)] 
xtables-compat: remove nft_is_ruleset_compatible

Use nft_is_table_compatible instead as only helper to a 'skip' decision.

Custom tables, tables that have extra base chains that iptables
syntax doesn't allow, or rules that have special constructs like nftables
set lookups or verdict maps are not listed, but a message is provided
to show that such a table exists.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 24 May 2018 15:50:25 +0000 (17:50 +0200)] 
xtables: allow dumping of chains in specific table

This is used by a followup patch to avoid continuing the 'dump everything
and then ignore what we don't need' model.

Places that know they only need a particular table
('iptables-save -t filter') can ask the kernel to limit this for us.

Signed-off-by: Florian Westphal <fw@strlen.de>
Pablo Neira Ayuso [Wed, 23 May 2018 09:55:24 +0000 (11:55 +0200)] 
xtables: inconsistent error reporting for -X and no empty chain

 # iptables-compat -N coffee
 # iptables-compat -I coffee
 # iptables-compat -X coffee
 iptables: Device or resource busy.

While it should say:

 iptables: Directory not empty.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 4 May 2018 15:32:42 +0000 (17:32 +0200)] 
ebtables-compat: add arp match extension

No translation yet; might be doable with raw payload expressions though.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 10 Apr 2018 09:15:26 +0000 (11:15 +0200)] 
ebtables-compat: add redirect match extension

No translation.  The kernel match will alter the packet type
(meta set pkttype), but also replace the dst mac with the bridge's mac address;
however, nft currently doesn't allow retrieving this at runtime.

So just add this without the xlate part for now.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 10 Apr 2018 08:55:30 +0000 (10:55 +0200)] 
ebtables-compat: add nat match extensions

Adds snat and dnat.

Translation for snat isn't complete, the --snat-arp switch isn't supported so far.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sun, 20 May 2018 21:56:32 +0000 (23:56 +0200)] 
xtables-compat: ebtables: prefer snprintf to strncpy

gcc emits these warnings:
xtables-eb-translate.c:185:2: warning: ‘strncpy’ specified bound 29 equals destination size [-Wstringop-truncation]
  strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Mon, 14 May 2018 22:48:01 +0000 (00:48 +0200)] 
xtables-compat: extend generic tests for masks and wildcards

This uncovered broken translation of ethernet + mask.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 11 May 2018 21:17:15 +0000 (23:17 +0200)] 
libxtables: store all requested match types

iptables and ip6tables don't need this because iptables is AF_INET,
ip6tables AF_INET6, etc.

But tools that can change the af in between, such as nftables, may then
fail to find such a module.

One example is conntrack: it offers NFPROTO_IPV4 and NFPROTO_IPV6.
When first loading with NFPROTO_IPV6, the IPV4 one would be discarded.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 10 May 2018 19:47:30 +0000 (21:47 +0200)] 
xtables-compat: ip6table-save: fix save of ip6 address masks

ip6tables-save didn't include the masks.
Furthermore, mask decoding used the ipv4 struct, which caused it to write
into parts of the ipv6 saddr.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 08:15:11 +0000 (10:15 +0200)] 
ebtables-translate: suppress redundant protocols

The kernel would reject ip, ip6 etc. without -p ip, -p ip6.
So add it.  On reverse, search the match list to decide if -p
has to be translated or not.

Also, icmp and icmpv6 imply the l3 protocol, so no need to translate
that either.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 14:31:29 +0000 (16:31 +0200)] 
xtables-compat: ebtables: allow checking for zero-mac

Allow checking for an all-zero mac address by replacing checks on the
address with a check on the option flag.

It's set when '-d' or '-s' appears on the command line and when seeing
a linklayer payload request for ether s/daddr.

Same for -p: this flag gets removed during getopt when 'p' is encountered.

So, if it's set, no need to check the protocol type.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 10:03:46 +0000 (12:03 +0200)] 
xtables-compat: ebtables: add helpers to print interface and mac addresses

Reduces repetition; a follow-up patch adds back suppression of
src/dst mac when it was not given.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 09:37:46 +0000 (11:37 +0200)] 
xtables-compat: ebtables: remove interface masks from ebt_entry struct

They don't exist in the legacy ABI, so don't pretend otherwise.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 11:48:44 +0000 (13:48 +0200)] 
xtables-compat: ebtables: fix logical interface negation

before:
Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out notlogout -j CONTINUE
--logical-out logout -j CONTINUE

after:
Bridge chain: OUTPUT, entries: 5, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out ! notlogout -j CONTINUE
--logical-out logout -j CONTINUE

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 09:33:02 +0000 (11:33 +0200)] 
xtables-compat: ebtables: add and use helper to parse all interface names

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 08:43:45 +0000 (10:43 +0200)] 
xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 07:41:47 +0000 (09:41 +0200)] 
xtables-compat: ebtables: kill ebtables_command_state

Use iptables_command_state instead.
This allows re-using code from the ip(6)tables layer and
reduces copy&pasted code.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 12 Apr 2018 09:31:42 +0000 (11:31 +0200)] 
xtables-compat: pass correct table skeleton

This always uses xtables_ipv4 (which is the same as _ipv6).
Pass the correct skeleton instead, this is needed to handle ebtables
correctly from xt-translate, as it doesn't use ip/ip6 tables.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 8 May 2018 10:45:25 +0000 (12:45 +0200)] 
xtables-compat: fix wildcard detection

if (outiface[len] == '\0')

is always true. 'eth+' is stored as 'eth' with length 3, so
   "eth"[3] == 0.

'eth' is stored as 'eth\0' with length 4, so "eth\0"[4] is also true.
Add a helper for this, then use it.

Signed-off-by: Florian Westphal <fw@strlen.de>
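As an added example (not part of the commit above and not the helper it introduces), this C program reproduces the always-true check on a zero-filled IFNAMSIZ buffer and contrasts it with a length-based wildcard test; iface_is_wildcard() and iface_to_string() are assumed names, and the stored-length convention ("eth" with length 3 for 'eth+', "eth\0" with length 4 for 'eth') is the one the commit message describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

/* Assumed helper: the comparison carries `len` bytes of the interface
 * name. An exact name is compared including its terminating NUL
 * ("eth\0", len 4); a wildcard ("eth+") is stored as the bare prefix
 * ("eth", len 3), so the last compared byte is not a NUL. */
static bool iface_is_wildcard(const char *name, size_t len)
{
	if (len == 0 || len > IFNAMSIZ)
		return false;
	return name[len - 1] != '\0';
}

/* The check from the commit message: on a zero-filled IFNAMSIZ buffer
 * name[len] is a NUL for both stored forms, so this is always true. */
static bool iface_is_wildcard_buggy(const char *name, size_t len)
{
	return name[len] == '\0';
}

/* Render the stored bytes back into iptables syntax ("eth" or "eth+").
 * Returns 0 on success, -1 if the output buffer is too small. */
static int iface_to_string(const char *name, size_t len, char *out, size_t outlen)
{
	size_t n = len;

	if (n > IFNAMSIZ)
		return -1;
	if (n > 0 && name[n - 1] == '\0')
		n--;                            /* drop the stored terminator */
	if (n + 2 > outlen)                     /* room for '+' and NUL */
		return -1;
	memcpy(out, name, n);
	if (iface_is_wildcard(name, len))
		out[n++] = '+';
	out[n] = '\0';
	return 0;
}

/* Constructed sample: both "-o eth+" (len 3) and "-o eth" (len 4) end up
 * as the same bytes in a zero-filled buffer; only the length differs. */
const char sample_eth[IFNAMSIZ] = "eth";

/* True when rendering (name, len) yields exactly `expect`. */
static bool renders_as(const char *name, size_t len, const char *expect)
{
	char buf[IFNAMSIZ + 2];

	if (iface_to_string(name, len, buf, sizeof(buf)) != 0)
		return false;
	return strcmp(buf, expect) == 0;
}

int main(void)
{
	size_t lens[] = { 3, 4 };

	for (size_t i = 0; i < 2; i++) {
		char buf[IFNAMSIZ + 2];

		iface_to_string(sample_eth, lens[i], buf, sizeof(buf));
		printf("len %zu: buggy=%d fixed=%d rendered=%s\n", lens[i],
		       iface_is_wildcard_buggy(sample_eth, lens[i]),
		       iface_is_wildcard(sample_eth, lens[i]), buf);
	}
	return 0;
}
```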
Ahmed Abdelsalam [Wed, 9 May 2018 08:12:54 +0000 (03:12 -0500)] 
extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid

This patch adds some testcases for psid, nsid, and lsid matches
into libip6t_srh.t

Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 8 May 2018 13:06:33 +0000 (15:06 +0200)] 
extensions: libxt_CONNMARK: incorrect translation after v2

src: iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0
exp: nft add rule ip mangle PREROUTING counter ct mark set 0x0
res: nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x0

Fixes: db7b4e0de960 ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jack Ma [Tue, 24 Apr 2018 02:58:57 +0000 (14:58 +1200)] 
extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

This patch adds a new feature to iptables that allows bit-shifting for
--restore,set and save-mark operations. This allows existing logic
operators (and, or and xor) and mask to co-operate with new bitshift
operations.

The intention is to provide users with more flexible uses of skb->mark
and ct->mark. For example, users can save extra bits in skb->mark:
        skb->mark = ct->mark << 8;

Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ahmed Abdelsalam [Wed, 25 Apr 2018 10:30:47 +0000 (05:30 -0500)] 
extensions: libip6t_srh: support matching previous, next and last SID

This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thierry Du Tre [Mon, 7 May 2018 20:31:31 +0000 (22:31 +0200)] 
extensions: libipt_DNAT: tests added for shifted portmap range

I added and verified these tests after applying Florian's fix wrt.
nf_nat_range2 size for rev2.

Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 8 May 2018 09:45:59 +0000 (11:45 +0200)] 
xtables-compat-restore: flush table and its content with no -n

With no -n, semantics for *filter are to delete filter table and all its
content.

This restores the similar behaviour introduced in ca165845f7ec
("xtables-compat-restore: flush rules and delete user-defined chains").

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Mon, 7 May 2018 15:11:21 +0000 (17:11 +0200)] 
xtables-compat: fix bogus error with -X and no user-defined chains

 # iptables-compat -X
 iptables: No chain/target/match by that name.

While it should display no error message at all.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Mon, 7 May 2018 13:32:33 +0000 (15:32 +0200)] 
xtables-compat-restore: flush user-defined chains with -n

-n still flushes user-defined chains and their content; the following snippet:

 iptables-compat -N FOO
 iptables-compat -I INPUT
 iptables-compat -I FOO
 iptables-compat -I FOO
 iptables-compat-save > A
 iptables-compat-restore < A
 iptables-compat -N BAR
 iptables-compat -A BAR
 iptables-compat-restore -n < A

results in:

 iptables-compat-save
 # Generated by xtables-save v1.6.2 on Mon May  7 17:18:44 2018
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :BAR - [0:0]
 :FOO - [0:0]
 -A INPUT
 -A INPUT
 -A BAR
 -A FOO
 -A FOO
 COMMIT
 # Completed on Mon May  7 17:18:44 2018

Still, user-defined chains that are not re-defined, such as BAR, are
left in place.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Mon, 7 May 2018 13:05:15 +0000 (15:05 +0200)] 
xtables-compat-restore: flush rules and delete user-defined chains

Instead of deleting the table and base chains.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 3 May 2018 19:40:52 +0000 (21:40 +0200)] 
extensions: libipt_DNAT: use size of nf_nat_range2 for rev2

DNAT tests fail on nf-next.git, kernel complains about target size
mismatch (40 vs 48), this fixes this for me.

Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Mon, 7 May 2018 11:41:21 +0000 (13:41 +0200)] 
xtables-compat: pass larger socket buffer

Needed to display rules that exceed 4k (MNL buffer size).
This can happen with many matches in a rule or when using
-m cgroup (4k per match).

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Mon, 7 May 2018 11:37:45 +0000 (13:37 +0200)] 
xtables-compat: xtables-save: don't return 1

Noticed that iptables-compat-save exits with 1 on success,
whereas iptables-compat-save -t filter returns 0 (as expected).

Caused by a double-invert of the return value, so get rid of those.
do_output now returns a value suitable to pass to exit() or return from main.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Mon, 7 May 2018 11:35:49 +0000 (13:35 +0200)] 
xtables-compat: ebtables: support concurrent option

We don't need extra locking as we don't go through an rmw cycle
when adding a rule, but accept the option for compatibility with
legacy ebtables.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sun, 6 May 2018 22:05:11 +0000 (00:05 +0200)] 
iptables-test: fix bug with rateest

rateest test needs to insert rateest targets with
@progname syntax.

However, this used the system-installed binary rather than the one
from git.

Moreover, it did not respect the --nftables switch, i.e. add occurs with
iptables so iptables-compat won't find it.

Fixes: d7ac61b58e78 ("add nft switch and test binaries from git")
Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 5 May 2018 08:38:38 +0000 (10:38 +0200)] 
xtables-compat: fix ipv4 frag (-f)

iptables-translate -A I -f
nft add rule ip filter I ip frag-off != 0 counter

iptables however checks:
frag_off = ntohs(iph->frag_off) & IP_OFFSET;

if (NF_INVF(ipinfo, IPT_INV_FRAG,
    (ipinfo->flags & IPT_F_FRAG) && !frag_off))
       return false;

So we need to mask off non-offset bits.

Second issue is that we negated the meaning in ipt-restore.

-f should match if (frag_off & IP_OFFSET) NE 0
  ! -f matches non-fragmented packets, i.e.
  frag_off & IP_OFFSET == 0.

So we cannot use nft_invflags2cmp(), as that will use
NEQ for negation, but we need EQ instead here.

Signed-off-by: Florian Westphal <fw@strlen.de>
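As an added example (not code from the commit above, nor from iptables or nft), this C program mirrors the kernel check quoted in the message and compares it, packet by packet, with the two broken translations the commit describes and with the fixed one; the IP_*/IPT_* values are the Linux UAPI constants, while nft_frag_rule() and the xlate_*/restore_* names are an assumed model of how the translated nft rule evaluates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Linux UAPI constants (linux/ip.h, linux/netfilter_ipv4/ip_tables.h). */
#define IP_OFFSET     0x1FFF   /* fragment offset bits of iph->frag_off */
#define IP_MF         0x2000   /* "more fragments" flag bit */
#define IP_DF         0x4000   /* "don't fragment" flag bit */
#define IPT_F_FRAG    0x01     /* rule was given -f */
#define IPT_INV_FRAG  0x20     /* rule was given ! -f */

/* Kernel helper: xor a match result with the rule's invert bit. */
#define NF_INVF(ptr, flag, boolean) ((boolean) ^ !!((ptr)->invflags & (flag)))

/* Stand-in for the two fields of struct ipt_ip used by the -f check. */
struct ipt_ip {
	uint8_t flags;
	uint8_t invflags;
};

/* The kernel check quoted in the commit: only the offset bits decide,
 * the MF/DF flag bits of iph->frag_off are masked away first. */
static bool ipt_frag_matches(const struct ipt_ip *ipinfo, uint16_t frag_off_net)
{
	uint16_t frag_off = ntohs(frag_off_net) & IP_OFFSET;

	if (NF_INVF(ipinfo, IPT_INV_FRAG,
		    (ipinfo->flags & IPT_F_FRAG) && !frag_off))
		return false;
	return true;
}

/* Evaluate "-f" (negated == false) or "! -f" exactly as the kernel would. */
static bool kernel_frag_rule(bool negated, uint16_t frag_off_net)
{
	struct ipt_ip rule = { .flags = IPT_F_FRAG,
			       .invflags = negated ? IPT_INV_FRAG : 0 };
	return ipt_frag_matches(&rule, frag_off_net);
}

enum cmp { CMP_EQ, CMP_NEQ };

/* Assumed model of an nft rule "ip frag-off [& mask] <op> 0". */
static bool nft_frag_rule(uint16_t mask, enum cmp op, uint16_t frag_off_net)
{
	uint16_t field = ntohs(frag_off_net) & mask;
	return op == CMP_EQ ? field == 0 : field != 0;
}

/* Issue 1 (iptables-translate output): right comparison, no IP_OFFSET mask. */
static bool xlate_unmasked(bool negated, uint16_t frag_off_net)
{
	return nft_frag_rule(0xffff, negated ? CMP_EQ : CMP_NEQ, frag_off_net);
}

/* Issue 2 (ipt-restore): a generic invflags-to-cmp mapping gives EQ for the
 * plain rule and NEQ for the negated one, so the meaning is inverted. */
static bool restore_inverted(bool negated, uint16_t frag_off_net)
{
	return nft_frag_rule(0xffff, negated ? CMP_NEQ : CMP_EQ, frag_off_net);
}

/* Fixed translation: mask with IP_OFFSET; "-f" -> NEQ 0, "! -f" -> EQ 0. */
static bool xlate_fixed(bool negated, uint16_t frag_off_net)
{
	return nft_frag_rule(IP_OFFSET, negated ? CMP_EQ : CMP_NEQ, frag_off_net);
}

/* True when a translation gives the same verdict as the kernel check. */
static bool agrees(bool (*xlate)(bool, uint16_t), bool negated, uint16_t frag_off_net)
{
	return xlate(negated, frag_off_net) == kernel_frag_rule(negated, frag_off_net);
}

int main(void)
{
	/* Constructed sample frag_off fields in network byte order. */
	const uint16_t samples[] = {
		htons(IP_DF),        /* unfragmented packet with DF set */
		htons(IP_MF),        /* first fragment: MF set, offset 0 */
		htons(IP_MF | 185),  /* a following fragment */
	};
	const char *names[] = { "DF only", "first fragment", "later fragment" };

	for (int neg = 0; neg < 2; neg++) {
		for (size_t i = 0; i < 3; i++)
			printf("%s %-15s kernel=%d unmasked=%s inverted=%s fixed=%s\n",
			       neg ? "! -f" : "  -f", names[i],
			       kernel_frag_rule(neg, samples[i]),
			       agrees(xlate_unmasked, neg, samples[i]) ? "ok " : "BAD",
			       agrees(restore_inverted, neg, samples[i]) ? "ok " : "BAD",
			       agrees(xlate_fixed, neg, samples[i]) ? "ok " : "BAD");
	}
	return 0;
}
```

The unmasked rule is the dangerous one in practice: every ordinary packet with DF set satisfies "ip frag-off != 0", so a rule written for fragments fires on unfragmented traffic.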
Florian Westphal [Sat, 5 May 2018 17:52:55 +0000 (19:52 +0200)] 
xtables-compat: also check tg2->userspacesize

memcmp uses tg1->userspacesize, make sure it's the same as tg2's first.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 5 May 2018 17:34:57 +0000 (19:34 +0200)] 
xtables-compat: avoid unneeded bitwise ops

No need to AND with an all-ones mask.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 5 May 2018 17:17:45 +0000 (19:17 +0200)] 
xtables-compat: restore: sync options with iptables-restore

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 5 May 2018 09:21:48 +0000 (11:21 +0200)] 
extensions: add xlate test for iptables -f

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 5 May 2018 07:59:43 +0000 (09:59 +0200)] 
xtables-compat: output -s,d first during save, just like iptables

Signed-off-by: Florian Westphal <fw@strlen.de>
Pablo Neira Ayuso [Fri, 4 May 2018 09:41:10 +0000 (11:41 +0200)] 
iptables-compat: chains are purged out already from table flush

Remove dead code that uses the ancient non-batch netlink API. Chains
are already purged out from table flush.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Fri, 4 May 2018 09:25:00 +0000 (11:25 +0200)] 
iptables-compat: do not fail on restore if user chain exists

The following snippet fails if user chain FOO exists, but it should not fail:

iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Thu, 3 May 2018 14:38:20 +0000 (16:38 +0200)] 
iptables-compat: remove non-batching routines

This is only needed by 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced featureset.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 2 May 2018 16:29:51 +0000 (18:29 +0200)] 
xtables.conf: fix hook skeletons

nat prio for in/out were inverted.
arp no longer has a forward chain.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 3 May 2018 19:45:59 +0000 (21:45 +0200)] 
xtables-compat: fall back to comment match in case name is too long

... or when using multiple --comment lines.
This is more of a 'cosmetic' fix to handle the test suite case.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 27 Apr 2018 22:26:27 +0000 (00:26 +0200)] 
xlate-test: use locally installed xlate tools

Same as iptables-test: use the translate tools in the current working
directory, not the system-wide ones.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 4 May 2018 20:33:35 +0000 (22:33 +0200)] 
xtables-compat: ebtables: handle mac masks properly

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 3 May 2018 20:27:03 +0000 (22:27 +0200)] 
xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds

nft-arp.c:112:3: note: 'sprintf' output between 2 and 21 bytes into a destination of size 20
sprintf(buf, "/%s", addr_to_dotted(mask));

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Sat, 28 Apr 2018 09:43:09 +0000 (11:43 +0200)] 
xtables-compat: truncate comments to 254 bytes

Kernel clamps udata size at 256 bytes, udata size however also includes
internal bookkeeping which brings us over this limit.

Signed-off-by: Florian Westphal <fw@strlen.de>
Thierry Du Tre [Tue, 3 Apr 2018 16:39:22 +0000 (18:39 +0200)] 
extensions: libipt_DNAT: support shifted portmap ranges

This is a proposal patch for iptables DNAT extension to support shifted portmap
ranges. It is related to the kernel patch proposed in earlier message '[PATCH
v5] netfilter : add NAT support for shifted portmap ranges'.

A new struct nf_nat_range2 was added as an extension for the existing struct
nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT
revisions for IPv4 (rev 0) and IPv6 (rev 1) are kept so functionality with
older kernels is not impacted.

The syntax for shifted portmaps uses an extra value in '--to-destination' for
setting the base port which determines the offset in the redirect port range
for incoming connections.  i.e. : iptables -t nat -A zone_wan_prerouting -p tcp
-m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000'

The base port value is totally optional, so current behavior is not impacted in
any way.  The use of slash '/' as separator is an arbitrary choice; all other
suggestions are valid of course (the original proposal used a semicolon, but this was
not practical for commandline use). Another approach using an additional option
seems also possible (i.e. '--base-port 5000'). However, that would mean more
parsing logic with extra lines of code and thus increased risk for regression.

Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 27 Apr 2018 14:50:13 +0000 (16:50 +0200)] 
iptables-test: add nft switch and test binaries from git

Instead of testing the system-wide installed iptables, test the
version from git.

Also add a --nftables switch to feed the test cases to xt-compat.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 27 Apr 2018 10:37:53 +0000 (12:37 +0200)] 
xtables-compat: only fetch revisions for ip/ip6

Only ip and ip6tables have revision retrieval support; pretend
ebtables and arptables are always ok.

Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Wed, 7 Mar 2018 09:10:43 +0000 (11:10 +0200)] 
xtables: Fix rules print/save after iptables update

Updating iptables from 1.4.x to 1.6.x breaks rules print/save output
and causes rules load after reboot to fail. Here is an example from
iptables-save(8) output after update:

  -A CHAIN1 -m set [unsupported revision] -j DROP
  -A CHAIN1 -m set [unsupported revision] -j DROP

Similar output could be obtained via iptables -L CHAIN1. While the issue
was reproduced with the xt_set match, it is not specific to any match or
target module: it is related to how xtables handles revisions.

In this particular case we have following situation:

  1) Kernel supports revisions from 1 to 4.

  2) Rules configured with iptables 1.4.x supporting only
     revisions from 1 to 3. Chosen highest possible revision 3.

  3) Rules printed/saved with iptables 1.6.x supporting revisions
     from 1 to 4.

  4) Xtables registers matches/targets with highest supported
     revision by the kernel. This is 4 in our case after update to
     iptables 1.6.x.

  5) When printing/saving, the kernel submits the match/target with the revision
     it is configured with (3), while iptables thinks that rules are configured
     with the highest supported (4). That causes a revision mismatch
     during print and "[unsupported revision]" output.

To fix this issue we now store all revisions supported by the kernel and xtables
in the xt_matches/xt_targets list, sorted in descending order.

Introduce helper routines to find a match/target with a given revision
and use them to find the right revision to print the entry submitted by
the kernel.

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Wed, 7 Mar 2018 09:10:42 +0000 (11:10 +0200)] 
xtables: Register all match/target revisions supported by us and kernel

Keep the order of matches by appending them; keep order between
revisions of same match from most to least recent. All of this
keeps xtables_find_match() happy to find most recent supported
by kernel revision in the given order.

Apply the same for targets, except prepend targets; order between
revisions preserved too.

All this is needed to fix a nasty bug related to iptables package update
and broken print/save output.

After this change all supported revisions of match/target stored
in corresponding list with following pattern:

         xt_matches                 xt_targets
         ==========                 ==========

     m1  m2  m3     mN             tN     t1  t2  t3
  +-----+--+---+---~~~---+    +---~~~---+---+----+--+
  |43210|10|210|revisions|    |revisions|210|3210|10|
  +-----+--+---+---~~~---+    +---~~~---+---+----+--+

Where new [m]atches are added to the list tail and new [t]argets are added
to the list head to preserve previous behaviour. Multiple revisions
of a single match/target type are grouped together and sorted in
descending order. Both of these ensure xtables_find_match() and
xtables_find_target() behaviour remains the same after the change: find
the highest supported match/target revision given by its name.

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Wed, 7 Mar 2018 09:10:41 +0000 (11:10 +0200)] 
xtables: Check match/target size vs XT_ALIGN(size) at register time

Size is known at xtables_register_match()/xtables_register_target()
calls: no need to defer it to final registration steps.

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Wed, 7 Mar 2018 09:10:40 +0000 (11:10 +0200)] 
xtables: Do not register matches/targets with incompatible revision

If the kernel tells us the revision isn't found/supported at the moment, we should
keep the entity in the pending list, not register it, or bail out to do so later.

The kernel might still load the module for the entity we are asking it for, and this
could be slow on some embedded devices.

Catch double registration attempts by checking me->next being non-NULL
in xtables_register_match() and xtables_register_target().

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Thu, 1 Mar 2018 11:03:12 +0000 (13:03 +0200)] 
xtables: Introduce and use common function to print val[/mask] arguments

There are a number of places where an argument in val[/mask] format is
printed in extensions, and some of them may print the corresponding symbolic
name.

By introducing common function for this task we eliminate custom code
parts in extensions to perform printing of arguments in required
formats.

Use xtables_print_mark_mask() helper for extensions without
symbolic name for val[/mask].

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Thu, 1 Mar 2018 11:03:11 +0000 (13:03 +0200)] 
xtables: Introduce and use common function to parse val[/mask] arguments

There are a couple of places in both core and extensions where arguments
in the form of val[/mask] are parsed (see XTTYPE_MARKMASK32).

In some cases symbolic name might be used which is mapped in code to
numeric value.

Introduce common function to handle both cases where value given is
either val[/mask] or symbolic name.

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Serhey Popovych [Thu, 1 Mar 2018 11:03:10 +0000 (13:03 +0200)] 
extensions: Initialize linear mapping of symbols in _init() of extension

libxt_devgroup and libipt_realm are currently unable to display symbolic
names in save/print commands because the linear mapping is not initialized.

It looks a bit confusing as linear mapping initialization is done in init()
of the extension, which is expected to be called before any other function of
the extension.

However, init is called only when the '-m' option is specified on the command line,
which is true only for the insert, append, replace and destroy iptables
commands.

Move initialization to extension _init() function before calling
any function in extension.

Before:
-------
... src-group 0x1 dst-group 0x2
... src-group 0x2 dst-group 0x1

After:
------
... src-group grp1 dst-group grp2
... src-group grp2 dst-group grp1

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 27 Apr 2018 13:52:59 +0000 (15:52 +0200)] 
extensions: ULOG: remove test

ULOG target was removed in 3.17, so this always fails now.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 27 Apr 2018 05:45:41 +0000 (07:45 +0200)] 
ebtables-translate: turn off useless compat queries

Not needed as we won't be installing any rules.
So just assume the kernel supports everything.

Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Fri, 27 Apr 2018 10:53:48 +0000 (12:53 +0200)] 
nft: arptables: remove obsolete forward hook definition

It's not supported anymore as of 4.13, and it did not work
before this either (arp packets cannot be routed).
This unbreaks arptables-compat -- without this fix the kernel rejects the
incoming ruleset skeleton.

Filtering forwarded arp packets on a bridge can be done either via the
'netdev' or 'bridge' families.

Signed-off-by: Florian Westphal <fw@strlen.de>
Pablo Neira Ayuso [Tue, 24 Apr 2018 14:42:42 +0000 (16:42 +0200)] 
iptables-compat: statify nft_restart()

This function is only used from iptables/nft.c.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 24 Apr 2018 14:03:33 +0000 (16:03 +0200)] 
iptables-compat: handle netlink dump EINTR errors

Release existing list and restart in case that netlink dump hits EINTR.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago ebtables-compat: add 'vlan' match extension
Florian Westphal [Tue, 10 Apr 2018 09:54:57 +0000 (11:54 +0200)] 
ebtables-compat: add 'vlan' match extension

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-compat: add 'pkttype' match extension
Florian Westphal [Tue, 10 Apr 2018 08:26:42 +0000 (10:26 +0200)] 
ebtables-compat: add 'pkttype' match extension

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-translate: update table name on -t
Florian Westphal [Thu, 19 Apr 2018 09:44:39 +0000 (11:44 +0200)] 
ebtables-translate: update table name on -t

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-compat: add 'ip6' match extension
Florian Westphal [Thu, 19 Apr 2018 09:19:52 +0000 (11:19 +0200)] 
ebtables-compat: add 'ip6' match extension

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago libebt_ip: fix translations for tos and icmp
Florian Westphal [Thu, 19 Apr 2018 09:00:28 +0000 (11:00 +0200)] 
libebt_ip: fix translations for tos and icmp

tos translation to dscp yielded incorrect value.
icmp inserted extra "ip" keyword, remove it.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago libebt_ip: add icmp support
Florian Westphal [Tue, 17 Apr 2018 22:09:06 +0000 (00:09 +0200)] 
libebt_ip: add icmp support

Was added to ebtables recently, so backport this to ebt-compat.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xt-translate: quote interface names in translated output
Florian Westphal [Tue, 17 Apr 2018 22:09:05 +0000 (00:09 +0200)] 
xt-translate: quote interface names in translated output

It is good practice as interface names can be virtually any
identifier and could clash with nft keywords.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago icmp: split icmp type printing to header file
Florian Westphal [Tue, 17 Apr 2018 22:09:04 +0000 (00:09 +0200)] 
icmp: split icmp type printing to header file

libebt_ip will get icmp support soon, unify icmp name
mapping a bit so we can re-use this code from libebt_ip.c.

It doesn't seem to be too useful to move to libxtables
(as it's icmp specific), so add a header file for this to reduce
copy & paste needs.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-translate: add initial test cases
Florian Westphal [Fri, 13 Apr 2018 15:40:56 +0000 (17:40 +0200)] 
ebtables-translate: add initial test cases

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xt-compat: add ebtables-translate
Florian Westphal [Thu, 12 Apr 2018 09:31:31 +0000 (11:31 +0200)] 
xt-compat: add ebtables-translate

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xlate-translate: split common parts into helper
Florian Westphal [Thu, 12 Apr 2018 09:46:02 +0000 (11:46 +0200)] 
xlate-translate: split common parts into helper

7 years ago xtables-eb: export 3 functions
Florian Westphal [Fri, 13 Apr 2018 12:53:43 +0000 (14:53 +0200)] 
xtables-eb: export 3 functions

Will be used from eb-translate parser.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago nft-bridge: add eb-translate backend functions
Florian Westphal [Fri, 13 Apr 2018 12:49:17 +0000 (14:49 +0200)] 
nft-bridge: add eb-translate backend functions

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago nft-bridge: fix mac address printing
Florian Westphal [Fri, 13 Apr 2018 12:43:28 +0000 (14:43 +0200)] 
nft-bridge: fix mac address printing

Mask needs to be all-ones, else we print
<macaddr>/ff:ff:ff:ff:ff:ff

but such a mask is redundant, we can omit the mask.
ebtables does this correctly.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago nft: fix crash when getprotobynumber() returns 0
Florian Westphal [Fri, 13 Apr 2018 17:19:57 +0000 (19:19 +0200)] 
nft: fix crash when getprotobynumber() returns 0

This needs to first check if pent is NULL.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-compat: support intra-positioned negations
Florian Westphal [Fri, 13 Apr 2018 15:41:47 +0000 (17:41 +0200)] 
ebtables-compat: support intra-positioned negations

ebtables still allows intra-positioned negations, e.g.

--ip-src ! 1.2.3.4

support this.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago nft-bridge: add forward declaration for struct nftnl_rule
Florian Westphal [Fri, 13 Apr 2018 13:10:27 +0000 (15:10 +0200)] 
nft-bridge: add forward declaration for struct nftnl_rule

nft-bridge.h:121:48: warning: 'struct nftnl_rule' declared inside parameter list will not be visible outside ..

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'
Florian Westphal [Fri, 13 Apr 2018 15:46:27 +0000 (17:46 +0200)] 
libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'

nft xlate needs the full name, for ebtables it makes no difference,
'minute' would work too.

Also fixup ' ' placement in xlate.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago nft: make nft_init self-contained
Florian Westphal [Thu, 12 Apr 2018 09:51:38 +0000 (11:51 +0200)] 
nft: make nft_init self-contained

nft_init() should rollback all changes it made during init
when something goes wrong, callers should NOT call nft_fini()
on error.

Note that this change is irrelevant at the moment, all users
call exit() on failure.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xtables-translate: rm duplicate includes
Florian Westphal [Thu, 12 Apr 2018 09:26:59 +0000 (11:26 +0200)] 
xtables-translate: rm duplicate includes

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xt-compat: constify a few struct members
Florian Westphal [Fri, 13 Apr 2018 11:43:33 +0000 (13:43 +0200)] 
xt-compat: constify a few struct members

avoids a compiler warning in a followup patch.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago ebtables-compat: add initial translations
Florian Westphal [Wed, 11 Apr 2018 08:24:37 +0000 (10:24 +0200)] 
ebtables-compat: add initial translations

add translations for ip, limit, log, mark, mark_m, nflog.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago iptables: constify option struct
Arushi Singhal [Wed, 21 Mar 2018 09:50:28 +0000 (15:20 +0530)] 
iptables: constify option struct

The struct of type option is only used to initialise a field and
is not modified anywhere.

Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago ebtables-compat: load mark target
Florian Westphal [Tue, 10 Apr 2018 10:53:38 +0000 (12:53 +0200)] 
ebtables-compat: load mark target

It's already there but it did not work because it wasn't loaded.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago ebtables-compat: don't make failing extension load fatal
Florian Westphal [Tue, 10 Apr 2018 10:54:16 +0000 (12:54 +0200)] 
ebtables-compat: don't make failing extension load fatal

We will fail later when we can't parse the option, but that
failure only happens if the is actually used.

So in some cases things will work fine even if an extension
doesn't exist.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago libxt_comment: silence truncation warning
Florian Westphal [Fri, 30 Mar 2018 20:11:58 +0000 (22:11 +0200)] 
libxt_comment: silence truncation warning

gcc warned here:
libxt_comment.c:62 output may be truncated before the last format character [-Wformat-truncation=]
snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"" ...

It tells us that the '"' might not fit anymore, so increase output
buffer size to make room for "" escapes too.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xtables-compat: only validate the xtables builtin tables
Florian Westphal [Sat, 7 Apr 2018 21:16:04 +0000 (23:16 +0200)] 
xtables-compat: only validate the xtables builtin tables

This allows xtables-compat to list all builtin tables unless one
contains nft specific expressions.

Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xtables-compat: skip unsupported tables
Florian Westphal [Fri, 6 Apr 2018 22:44:49 +0000 (00:44 +0200)] 
xtables-compat: skip unsupported tables

Instead of not listing anything at all if an unknown table name
exists, just skip them.  Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.

Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xtables-compat: also validate priorities and hook points match expected values
Florian Westphal [Fri, 6 Apr 2018 22:42:28 +0000 (00:42 +0200)] 
xtables-compat: also validate priorities and hook points match expected values

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago xtables-compat: fix snprintf truncation warnings
Florian Westphal [Sat, 7 Apr 2018 21:21:23 +0000 (23:21 +0200)] 
xtables-compat: fix snprintf truncation warnings

proto is u16 in the data structure, so this gave:
nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago extensions: CLUSTERIP: do not allow --local-node 0
Pablo Neira Ayuso [Fri, 30 Mar 2018 10:32:38 +0000 (12:32 +0200)] 
extensions: CLUSTERIP: do not allow --local-node 0

Makes no sense, fail in such a case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago extensions: CLUSTERIP: add tests
Pablo Neira Ayuso [Wed, 28 Mar 2018 14:19:27 +0000 (16:19 +0200)] 
extensions: CLUSTERIP: add tests

Add a few tests to catch regressions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago iptables: add xtables-translate.8 manpage
Arturo Borrero Gonzalez [Fri, 16 Mar 2018 18:24:36 +0000 (19:24 +0100)] 
iptables: add xtables-translate.8 manpage

This new manpage describes how to operate the translation tools for nftables.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>