Shivani Bhardwaj [Tue, 22 Dec 2015 12:36:17 +0000 (18:06 +0530)]
extensions: libxt_mac: Add translation to nft
Add translation for module mac to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP
nft add rule ip filter INPUT ether saddr 0A:12:3E:4F:B2:C6 counter drop
$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 ether saddr 0A:12:3E:4F:B2:C6 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: xtables: add the infrastructure to translate from iptables to nft
This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:
1) iptables-restore-translate which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, eg.
% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...
The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.
2) iptables-translate which suggests a translation for an iptables
command:
Tejun Heo [Tue, 22 Dec 2015 18:56:26 +0000 (13:56 -0500)]
libxt_cgroup: prepare for multi revisions
libxt_cgroup will grow cgroup2 path based match. Postfix existing
symbols with _v0 and prepare for multi revision registration. While
at it, rename O_CGROUP to O_CLASSID and fwid to classid.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-compat: Keep xtables-config and xtables-events out from tree
These binaries are part of the compat layer, however they provide more
features than actually available in the existing native iptables
binaries. So let's keep them out from the tree before the 1.6.0 release
as we only want to provide compatibility utils at this stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
And RFC 7084 states in L-14 that IPv6 Router MUST send ICMPv6 Destination
Unreachable with code 5 for packets forwarded to it that use an address
from a prefix that has been invalidated.
Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Mike Frysinger [Tue, 18 Aug 2015 22:48:54 +0000 (18:48 -0400)]
build: add finer module blacklisting
Newer extensions require libnftnl in order to build, but there are no
configure or build checks for it, which leads to a bunch of modules
failing when libnftnl isn't installed. Add finer grained blacklisting
so we can disable modules for specific parts rather than all of them.
e.g. We want to blacklist libebt_limit, but not libxt_limit.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If no id option is given, the extensions only match packets with a
zero-valued identification field. This behavior deviates from what it
used to do back in v1.4.10-273-g6944f2c^.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thomas Woerner [Tue, 21 Jul 2015 13:45:42 +0000 (15:45 +0200)]
iptables-compat: Increase rule number only for the selected table and chain
This patch fixes the rule number handling in nft_rule_find and __nft_rule_list.
The rule number is only valid in the selected table and chain and therefore may
not be increased for other tables or chains.
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Andreas Herz [Thu, 16 Jul 2015 13:54:19 +0000 (15:54 +0200)]
extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
In the --help output and manpage for ipv6header the name for upper layer
protocol headers was "proto", while in the code itself it's "prot" for
the short form. Fixed by changing manpage and help output.
Signed-off-by: Andreas Herz <andi@geekosphere.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Wed, 15 Jul 2015 12:53:38 +0000 (14:53 +0200)]
build: resolve build error involving libnftnl
make[2]: Entering directory '/home/jengelh/code/iptables/extensions'
CC libebt_limit.oo
In file included from ../iptables/nft.h:5:0,
from libebt_limit.c:21:
../iptables/nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
#include <libnftnl/rule.h>
^
compilation terminated.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the xtables_find_{match,target}
functions need to compare the family too.
We want to avoid this situation:
1) user first sets afinfo to IPv6
2) xtables_find_target() finds & load ip6t_REJECT and uses it
3) afinfo change to IPv4
4) user then tries to use ipt_REJECT
5) xtables_find_target() finds ip6t_REJECT instead (same target name)
6) using ip6t_REJECT as ipt_REJECT can cause a lot of troubles
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
man: using physdev match in OUTPUT is not supported anymore
kernels 2.6.20 and later reject -m physdev in OUTPUT with
"using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore" error in dmesg.
xtables-compat: remove unused fields from bridge and arp families
These two families only work under nft compat, so leave unset the fields
that we don't use. Basically, we need neither the module autoload code
nor the native get/setsockopt() revision infrastructure since we use the
one that nft_compat provides through nfnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The ebtables-compat branch provides the compatibility layer to run
ebtables extensions. Currently, only the following matches / targets /
watchers are supported:
* 802_3
* ip
* mark_m and mark
* log
The remaining ones should be easy to port on top of libxtables;
they will follow up later.
Arturo Borrero [Tue, 13 Jan 2015 17:36:10 +0000 (18:36 +0100)]
ebtables-compat: fix ACCEPT printing by simplifying logic
The commit bc543af ("ebtables-compat: fix segfault in rules w/o target")
doesn't handle all possible cases of target printing, and ACCEPT is left
behind.
BTW, the logic of target (-j XXX) printing is a bit weird. This patch
simplifies it.
I assume:
* cs->jumpto is only filled by nft_immediate.
* cs->target is only filled by nft_target.
So we end with these cases:
* nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain)
Then cs->jumpto contains the target already. We have the rule.
* No standard target. If nft_target contains a target, try to load it.
* Neither nft_target nor nft_immediate exist. Then, assume CONTINUE.
The printing path is then straightforward: either cs.jumpto or cs.target
contains the target.
As there isn't support for target extensions yet, there is no way to test the
nft_target (cs.target) path.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables: use flock() instead of abstract unix sockets
Abstract unix sockets cannot be used to synchronize several concurrent
instances of iptables since an unprivileged process can create them and
prevent the legitimate iptables instance from running.
Use flock() and /run instead as suggested by Lennart Poettering.
Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances")
Reported-by: Lennart Poettering <lennart@poettering.net>
Cc: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 7 Jan 2015 16:22:01 +0000 (17:22 +0100)]
ebtables-compat: include /etc/ethertypes in tarball
The /etc/ethertypes file was originally distributed by the ebtables tarball.
So, let's include the file also in ebtables-compat, so users can keep using
protocol names instead of the hex code.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 17 Dec 2014 11:06:56 +0000 (12:06 +0100)]
extensions: add ebt 802_3 extension
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 18:43:05 +0000 (19:43 +0100)]
iptables: xtables-eb: fix renaming of chains
Renaming of chains is not working, and ebtables-compat gets:
libnftnl: attribute 0 assertion failed in chain.c:159
This patch brings back the parser code of the original ebtables tool:
http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652
I adapted the original parser code to fit in the new environment. Also tried to
keep original error messages as much as possible.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 09:52:04 +0000 (10:52 +0100)]
iptables: xtables-eb: user-defined chains default policy is always RETURN
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command:                                 Result:
-L                                       Always RETURN for user-defined chains
-P builtin RETURN                        Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP                   ok
-P userdefined RETURN|ACCEPT|DROP        Policy XYZ not allowed for user defined chains
-N userdefined                           ok
-N userdefined -P RETURN|ACCEPT|DROP     Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>