git.ipfire.org Git - thirdparty/iptables.git/log

extensions: libxt_conntrack: Add translation to nft

Add translation of conntrack to nftables.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT
nft add rule ip filter INPUT ct state new,related counter accept

$ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
nft add rule ip6 filter INPUT ct state != new,related counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto != 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT
nft add rule ip filter INPUT ct direction original counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: iprange: remove extra space in translation

Extra space was printed by iprange_xlate:

  # iptables-translate -A INPUT -m iprange --src-range \
    192.168.25.149-192.168.25.151 -j ACCEPT

  nft add rule ip filter INPUT  ip saddr 192.168.25.149-192.168.25...
                              ^^

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: extensions: libxt_MARK: Fix translation of --set-xmark option

Fix translation of MARK target's --set-xmark option.

Before:
  #iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
  nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf

After:

  # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
  nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
  xor 0x64

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_CONNMARK: Add translation to nft

Add translation for the CONNMARK target to nftables.

The following options have no available translation:

  --save-mark [--nfmask nfmask] [--ctmask ctmask]
  --restore-mark [--nfmask nfmask] [--ctmask ctmask]

Examples:

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
  nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and
  0xffffffed

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
  nft add rule ip mangle PREROUTING counter ct mark set mark

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
    --mask 0x12
  nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
  nft add rule ip mangle PREROUTING counter meta mark set ct mark

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
    --mask 0x12
  nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12

Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_MARK: Add translation for revision 1 to nft

Add translation for revision 1 of the MARK target to nft.

Examples:

  # iptables-translate -t mangle -A PREROUTING -j MARK --set-mark 0x64
  nft add rule ip mangle PREROUTING counter meta mark set 0x64

  # iptables-translate -t mangle -A PREROUTING -j MARK --and-mark 0x64
  nft add rule ip mangle PREROUTING counter meta mark set mark and 0x64

  # iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
  nft add rule ip mangle PREROUTING counter meta mark set mark or 0x64

Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

configure: Remove flex check warning

Remove the warning about outdated version of flex as it is not needed
anymore. This check was introduced back in 2008 to skip a broken flex
version that doesn't seem to be packaged by any distribution anymore.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: NETMAP: fix iptables-save output

NETMAP_print is also used by its .save hook so this change
broke iptables-save output.

Revert the patch, rename NETMAP_print to __NETMAP_print and
use that as the workhorse for both xtables -L and xtables-save.

The addition of the 'to' prefix is done in the .print hook only.

Reported-by: Shivani Bhardwaj <shivanib134@gmail.com>
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes: 90becf12bd5823b6d59d32d ("extensions: NETMAP: add ' to:' prefix when printing NETMAP target")
Signed-off-by: Florian Westphal <fw@strlen.de>

ip6tables: Warn about use of DROP in nat table

Clone of 1eada72b with 9bb76094 and e0390bee on top.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_MARK: Add translation to nft

Add translation for the MARK target to nftables.

Examples:

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
nft add rule ip mangle OUTPUT counter meta mark set 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32
nft add rule ip mangle OUTPUT counter meta mark set mark xor 0x40 and 0x32

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --or-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark or 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --and-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark and 0x40

$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --xor-mark 64
nft add rule ip mangle OUTPUT counter meta mark set mark xor 0x40

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_cgroup: Add translation to nft

Add translation for cgroup to nft. Path parameter not supported in nft
yet.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup 0 counter accept

$ sudo iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup != 0 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_frag: Add translation to nft

Add translation for frag to nftables. According to the --fraglen code:

case O_FRAGLEN:
/*
* As of Linux 3.0, the kernel does not check for
* fraglen at all.
*/

In addition, the kernel code doesn't show any reference to the flag
IP6T_FRAG_LEN, so this option is deprecated and won't be translated to
nft.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 counter accept

$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100 --fragres --fragmore -j ACCEPT
nft add rule ip6 filter INPUT frag id 100 frag reserved 1 frag more-fragments 1 counter accept

$ sudo iptables-translate -t filter -A INPUT -m frag ! --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id != 100-200 counter accept

$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag more-fragments 0 counter accept

$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 --fragfirst -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept

$ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag more-fragments 0 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_TRACE: Add translation to nft

For example:

# iptables-translate -t raw -A PREROUTING -j TRACE
nft add rule ip raw PREROUTING counter nftrace set 1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_dscp: Add translation to nft

Add translation for dscp to nftables, for both ipv4 and ipv6.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
nft add rule ip filter INPUT ip dscp 0x32 counter accept

$ sudo ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT
nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_multiport: Add translation to nft

Add translation for multiport to nftables, which it's supported natively.

Examples:

$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept

$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept

$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport ! --dports 80:88 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_devgroup: Fix order of mask and id

The order of mask and id in the translated code is not apt
so fix it.
This patch follows commit 8548dd by Liping Zhang.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_hbh: Add translation to nft

Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.

$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter

$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength != 22 counter

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_connmark: Fix order of mask and mark

The order of mask and mark in the output is wrong. This has been pointed
out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang <liping.zhang@spreadtrum.com>.
This patch fixes the same issue with connmark.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_ipcomp: Add translation to nft

Add translation of ipcomp to nftables.

First value of the parameter 'ipcompspi' will be translated to 'cpi'
parameter in nftables. Parameter 'compres' is not supported in nftables.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT
nft add rule ip filter INPUT comp cpi 18 counter accept

$ sudo iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT
nft add rule ip filter INPUT comp cpi != 18 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_mark: fix a wrong translation to nft when mask is specified

The mask and mark's order is reversed, so when we specify the mask, we will
get the wrong translation result:
  # iptables-translate -A INPUT -m mark --mark 0x1/0xff
  nft add rule ip filter INPUT mark and 0x1 == 0xff counter

Apply this patch, translation will become:
  # iptables-translate -A INPUT -m mark --mark 0x1/0xff
  nft add rule ip filter INPUT mark and 0xff == 0x1 counter

Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: NETMAP: add ' to:' prefix when printing NETMAP target

NETMAP .print function doesn't insert the ' ' character needed to seperate
earlier output from the target network, i.e. iptables -L prints
something like

2.2.2.5-2.2.2.103.3.3.64/28
instead of
2.2.2.5-2.2.2.10 3.3.3.64/28

Add a ' to:' prefix just like we do for S/DNAT targets.

Closes https://bugzilla.netfilter.org/show_bug.cgi?id=1070.

Signed-off-by: Florian Westphal <fw@strlen.de>

extensions: libxt_limit: fix a wrong translation to nft rule

The default burst value is 5 in iptables limit extension while it is 0 in
nft limit expression, if the burst value is default, it will not be
displayed when we dump the rules. But when we do translation from iptables
rules to nft rules, we should keep the limit burst value unchanged, even if
it is not displayed in iptables rules.

And now, if the limit-burst value in the iptables rule is 5 or 0, they are
all translated to nft rule without burst, this is wrong:

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second counter
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter

Apply this patch, translation will become:

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second counter

Fixes: a8dfbe3a3acb ("extensions: libxt_limit: Add translation to nft")
Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: update pf.os

Sync with latest *BSD release: https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/etc/pf.os
Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Cc: Jan Engelhardt <jengelh@medozas.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFQUEUE: Add missing tests

Add missing tests for NFQUEUE.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

configure: make libmnl and libnftnl hard requirements

Iptables building is broken if either libmnl or libnftnl
is not installed on the system.

Configure script actually checks if libmnl and libnftnl are installed,
but doesn't exit if they are not.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFQUEUE: Unstack different versions

Remove the stacking of older version into the newer one by adding the
appropriate code corresponding to each version.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass

NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
whenever it was used before bypass because then flags would be 1.

Before this patch,

$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass

After this patch,

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout

Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables-translate: Don't print "nft" in iptables-restore-translate command

No need to print "nft" in function do_command_xlate,
if the function is called from iptables-restore-translate command.

Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables-translate: Printing the table name before chain name.

Command ./iptables-restore-translate, was printing
table name before the chain name for user added chains.
This is breaking ./nft -f command.

Before fix, output of "./iptables-restore-translate"
add chain ip OUTPUT_direct raw

After fix:
add chain ip raw OUTPUT_direct

Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables.8: nat table has four builtin chains

SNAT section in iptables-extensions(8) already mentions this
but the main section did not.

Reported-by: Lion Yang <lion@aosc.io>
Signed-off-by: Florian Westphal <fw@strlen.de>

extensions/libxt_tcp: fix nftables translate flags value, 'none' vs '0x0'

The iptables command:
-m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE

should translate to:
tcp flags & fin|syn|rst|psh|ack|urg == 0x0

instead of:
tcp flags & fin|syn|rst|psh|ack|urg == none

Reported-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Tested-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: extensions: libxt_TEE: Add translation to nft

Add translation for TEE target to nft. However, there is a
problem with the output when using ip6tables-translate. I couldn't find a fix
for that.

Examples:

$ iptables-translate -t mangle -A PREROUTING \
-j TEE --gateway 192.168.0.2 --oif eth0
nft add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0

$ iptables-translate -t mangle -A PREROUTING \
-j TEE --gateway 192.168.0.2
nft add rule ip mangle PREROUTING counter dup to 192.168.0.2

$ ip6tables-translate -t mangle -A PREROUTING \
-j TEE --gateway ab12:00a1:1112:acba::
nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba::

$ ip6tables-translate -t mangle -A PREROUTING \
-j TEE --gateway ab12:00a1:1112:acba:: --oif eth0
nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba:: device eth0

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

libxtables: missing comment initialization in xt_xlate_alloc()

Initialize comment buffer when allocation the xt translation structure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

configure: Show support for connlabel

Add the --disable-connlabel option and the appropriate functionality
associated with it.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support:                         yes
  IPv6 support:                         yes
  Devel support:                        yes
  IPQ support:                          no
  Large file support:                   yes
  BPF utils support:                    no
  nfsynproxy util support:              no
  nftables support:                     yes
  connlabel support:                    yes

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables-translate: translate iptables --flush

translation for iptables --flush

Examples: $ sudo
iptables-translate -F INPUT nft flush chain ip filter INPUT

$ sudo iptables-translate -F -t nat
nft flush table ip nat

Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_REJECT: Avoid to print the default reject with value in the translation

Avoid to print the reject with value in the translation when the value
is the default.

Before this patch:

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type port-unreachable

After this patch:

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_REJECT: Avoid to print the default reject with value in the translation

Avoid to print the reject with value in the translation when the value is the default.

Before this patch:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable

After this patch:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_icmp: Add translation to nft

Add translation for icmp to nftables. Not supported icmp codes in nftables
are: network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
host-precedence-violation, precedence-cutoff, network-redirect,
host-redirect, TOS-network-redirect, TOS-host-redirect,
ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j ACCEPT
nft add rule ip filter INPUT icmp type echo-reply counter accept

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type destination-unreachable counter accept

$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_LOG: Avoid to print the default log level in the translation

Remove the log level when default is used

Before:
$ sudo iptables-translate -I INPUT -j LOG
nft add rule filter INPUT log level warning

After:
$ sudo iptables-translate -I INPUT -j LOG
nft add rule filter INPUT counter log

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_LOG: Avoid to print the default log level in the translation

Avoid to print the log level in the translation when the level is the
default value.

Example:

$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
nft add rule ip filter INPUT icmp type != router-solicitation counter log

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>

iptables/xtables-arp.c: fix typo, wierd vs weird

Reported by Debian lintian tool.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

extensions/libxt_rpfilter.man: fix typo, specifiy vs specify

Reported by Debian lintian tool.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()

The multiport match needs it, this basically leaves ->xlate() indirection
with almost the same interface as ->print().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_icmp6: Add translation to nft

Add translation for icmpv6 to nftables.

Not supported icmp codes in nftables are: no-route,
communication-prohibited, beyond-scope, address-unreachable,
port-unreachable, failed-policy, reject-route, ttl-zero-during-transit,
ttl-zero-during-reassembly, bad-header, unknown-header-type and
unknown-option.

Examples:

$ ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type 1 -j LOG
nft add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log level warn

$ ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type neighbour-advertisement -j LOG
nft add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log level warn

$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level warn

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_rt.c: Add translation to nft

Add translation for rt for options --rt-type, --rt-segsleft and --rt-len.

Examples:

$ sudo ip6tables-translate -A INPUT -m rt --rt-type 0 -j DROP
nft add rule ip6 filter INPUT rt type 0 counter drop

$ sudo ip6tables-translate -A INPUT -m rt ! --rt-len 22 -j DROP
nft add rule ip6 filter INPUT rt hdrlength != 22 counter drop

$ sudo ip6tables-translate -A INPUT -m rt --rt-segsleft 26 -j ACCEPT
nft add rule ip6 filter INPUT rt seg-left 26 counter accept

The xlate function returns 0 for other options.

Signed-off-by: Janani Ravichandran <janani.rvchndrn@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_dccp: Add translation to nft

Add translation for dccp to nftables.

Full translation of this match awaits the support for --dccp-option.

Examples:

$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_sctp: Add translation to nft

Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.

Examples:

$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop

$ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_owner: Add translation to nft

Add translation for module owner to nftables.
Full translation of this match awaits the support for --socket-exists
option.

Examples:

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner shivani -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_mh: Add translation to nft

Add translation for mobility header to nftables.

Examples:

$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept

$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: nft-ipv6: Use meta l4proto instead of nexthdr

Use meta l4proto in place of nexthdr for ipv6 protocols as it is not
necessary that all protocols be next header.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_MASQUERADE: Add translation to nft

Add translation for masquerade to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip6 nat POSTROUTING counter masquerade

$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10

$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20 random

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_MASQUERADE: Add translation to nft

Add translation for masquerade to nftables.

Examples:

$ sudo iptables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip nat POSTROUTING counter masquerade

$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10

$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: extensions: iptables-translate prints extra "nft" after printing any error

Output of command "./iptables-translate junk" is Bad argument
`junk' Try `iptables-translate -h' or 'iptables-translate --help' for more
information. nft

Output of command "./iptables-translate -B" is
iptables-translate v1.6.0: unknown option "-B"
Try `iptables-translate -h' or 'iptables-translate --help' for more
information.
nft

nft should have not been printed in both the cases. Moving the printf
call after the do_parse function call

Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

libxt_TCPOPTSTRIP: Fix musl compatibility

Add missing constants for libxt_TCPOPTSTRIP.c, in case they are not defined.

(Original patch from VoidLinux)

Signed-off-by: Loganaden Velvindron <logan@hackers.mu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

comment: Add translation to nft

Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.

Example:

$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFQUEUE: Add translation to nft

Add translation for NF queue to nftables.

Examples:

$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: nft-ipv6: Fix ipv6 flags

Replace the flags with the correct ipv6 flags.

Details:
Ana found out the bug and submitted the patch, Shivani applied it
on the latest tree and compile tested it.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

xtables: add xt_xlate_add_comment()

This new function allows us to add comments to the nft rule. This
can be used to provide a translation for the comment match.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: rename xt_buf to xt_xlate

Use a more generic name for this object to prepare the introduction of
other translation specific fields.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

libxtables: fix leak in xt_buf object

Release data area that is allocated by xt_buf_alloc().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_REDIRECT: Add translation to nft

Add translation for REDIRECT target to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080

$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080 random

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_REDIRECT: Add translation to nft

Add translation for target REDIRECT to nftables.

Examples:

$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080

$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080 random

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_hl: Add translation to nft

Add translation for hop limit to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A postrouting -m hl --hl-gt 3
nft add rule ip6 nat postrouting ip6 hoplimit gt 3 counter

$ sudo ip6tables-translate -t nat -A postrouting -m hl ! --hl-eq 3
nft add rule ip6 nat postrouting ip6 hoplimit != 3 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_LOG: Add translation to nft

Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables

Examples:

$ sudo ip6tables-translate -A FORWARD -p tcp -j LOG --log-level debug
nft add rule ip6 filter FORWARD ip6 nexthdr tcp counter log level debug

$ sudo ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log"
nft add rule ip6 filter FORWARD ip6 nexthdr tcp counter log prefix \"Checking log\" level warn

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_LOG: Add translation to nft

Add translation for options log-level and log-prefix of LOG target
to nftables.
Full translation of this target awaits the support for the options
log-tcp-sequence, log-tcp-options, log-ip-options, log-uid and
log-macdecode in nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-level error
nft add rule ip filter FORWARD ip protocol tcp counter log level err

$ sudo iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" level warn

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_REJECT: Add translation to nft

Add translation for target REJECT to nftables.

Examples:

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_ttl: Add translation to nft

Add translation for module ttl to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m ttl --ttl-eq 3 -j ACCEPT
nft add rule ip filter INPUT ip ttl 3 counter accept

$ sudo iptables-translate -A INPUT -m ttl --ttl-gt 5 -j ACCEPT
nft add rule ip filter INPUT ip ttl gt 5 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_ah: Add translation to nft

Add translation for AH to nftables.

Examples:

$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP
nft add rule ip6 filter INPUT ah spi 500 counter drop

$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP
nft add rule ip6 filter INPUT ah spi 500-550 counter drop

$ sudo ip6tables-translate -A INPUT -m ah ! --ahlen 120
nft add rule ip6 filter INPUT ah hdrlength != 120 counter

$ sudo ip6tables-translate -A INPUT -m ah --ahres
nft add rule ip6 filter INPUT ah reserved 1 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_length: Add translation to nft

Add translation for module length to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP
nft add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop

$ sudo iptables-translate -A INPUT -p udp -m length --length :400
nft add rule ip filter INPUT ip protocol udp meta length 0-400 counter

$ sudo iptables-translate -A INPUT -p udp -m length --length 40
nft add rule ip filter INPUT ip protocol udp meta length 40 counter

$ sudo iptables-translate -A INPUT -p udp -m length ! --length 40
nft add rule ip filter INPUT ip protocol udp meta length != 40 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_SNAT: Add translation to nft

Add translation for SNAT target to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :80

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :1-20

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 random

$ sudo ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random-fully --persistent
nft add rule ip6 nat postrouting oifname eth0 ip6 nexthdr tcp counter snat fec0::1234 :123 fully-random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libip6t_DNAT: Add translation to nft

Add translation for target DNAT to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
nft add rule ip6 nat prerouting iifname eth1 tcp dport 8080 counter dnat fec0::1234 :80

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:1-20
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :1-20

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 persistent

$ sudo ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
nft add rule ip6 nat prerouting ip6 nexthdr tcp counter dnat fec0::1234 :80 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables: nft-ipv6: Replace ip with ip6

Replace ip with ip6 to avoid conflict between the protocols in the
results obtained from ip6tables-translate utility.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_DNAT: Add translation to nft

Add translation for target DNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4

$ sudo iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat 192.168.1.1-192.168.1.10

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random

$ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_SNAT: Add translation to nft

Add translation for target SNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6

$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_realm: Add translation to nft

Add translation for routing realm to nftables.

Examples:

$ sudo iptables-translate -A PREROUTING -m realm --realm 4
nft add rule ip filter PREROUTING rtclassid 0x4 counter

$ sudo iptables-translate -A PREROUTING -m realm --realm 5/5
nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter

$ sudo iptables-translate -A PREROUTING -m realm ! --realm 50
nft add rule ip filter PREROUTING rtclassid != 0x32 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_REJECT: Add translation to nft

Add translation for target REJECT to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_pkttype: Add translation to nft

Add translation for packet type to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m pkttype --pkt-type broadcast -j DROP
nft add rule ip filter INPUT pkttype broadcast counter drop

$ sudo iptables-translate -A INPUT -m pkttype ! --pkt-type unicast -j DROP
nft add rule ip filter INPUT pkttype != unicast counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_connmark: Add translation to nft

Add translation for connmark to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark 0x2 counter accept

$ sudo iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT
nft add rule ip filter INPUT ct mark != 0x2 counter accept

$ sudo iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept

$ sudo iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT
nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m
connmark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libipt_ah: Add translation to nft

Add translation for Authentication Header to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500 -j DROP
nft add rule ip filter INPUT ah spi 500 counter drop

$ sudo iptables-translate -A INPUT -p 51 -m ah --ahspi 500:600 -j DROP
nft add rule ip filter INPUT ah spi 500-600 counter drop

$ sudo iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
nft add rule ip filter INPUT ah spi != 50 counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_cpu: Add translation to nft

Add translation for module cpu to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_devgroup: Add translation to nft

Add translation for device group to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup 0x2 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup != 0x2 counter accept

Signed-off-by : Shivani Bhardwaj <shivanib134@gmail.com>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_mark: Fix inversion code

Fix the code associated with invert flag.

Examples:

$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa
nft insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter

$ sudo iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1
nft insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include: xtables: Add enum for better nft translation code

Add enum xt_op for ease to write cleaner and better code for
nft translation.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_limit: Add translation to nft

Add translation for module limit to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter

$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFLOG: Add group_info and remove multiple keywords

Add group_info with every rule as it is mandatory to consider logging to
be same type as NFLOG.
Remove multiple log keywords to avoid loading multiple log expressions
at a time.

Examples:

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 2
nft insert rule ip filter INPUT counter log queue-threshold 2 group 0

$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" group 32

Reported-by: Arturo Borrero <arturoborreroglez@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_helper: Add translation to nft

Add translation for helper module to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -m helper --helper sip
nft add rule ip filter FORWARD ct helper \"sip\" counter

$ sudo iptables-translate -A FORWARD -m helper ! --helper ftp
nft add rule ip filter FORWARD ct helper != \"ftp\" counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_mac: Add translation to nft

Add translation for module mac to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP
nft add rule ip filter INPUT ether saddr 0A:12:3E:4F:B2:C6 counter drop

$ sudo iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 ether saddr 0A:12:3E:4F:B2:C6 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_iprange: Add translation to nft

Add translation for iprange to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT ip saddr 192.168.25.149-192.168.25.151 counter accept

$ sudo iptables-translate -A INPUT -m iprange --dst-range 192.168.25.149-192.168.25.151 -j ACCEPT
nft add rule ip filter INPUT ip daddr 192.168.25.149-192.168.25.151 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_NFLOG: Add translation to nft

Add translation for NF Logging to nftables.

Examples:

$ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
nft add rule ip filter OUTPUT counter log group 30

$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-range 256
nft insert rule ip filter INPUT counter log snaplen 256

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
nft insert rule ip filter INPUT counter log queue-threshold 25

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_esp: Add translation to nft

Add translation for ESP Protocol to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p esp -j ACCEPT
nft add rule ip filter FORWARD ip protocol esp counter accept

$ sudo iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT
nft add rule ip filter INPUT iifname wan ip protocol esp counter accept

$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
nft add rule ip filter INPUT esp spi 500 counter drop

$ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
nft add rule ip filter INPUT esp spi 500-600 counter drop

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_mark: Add translation to nft

Add translation for metainformation mark to nftables.

Examples:

$ sudo iptables-translate -I INPUT -m mark --mark 12
nft insert rule ip filter INPUT mark  0xc counter

$ sudo iptables-translate -A FORWARD -m mark --mark 22 -j ACCEPT
nft add rule ip filter FORWARD mark  0x16 counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 4600 -m mark --mark 0x40
nft add rule ip mangle PREROUTING tcp dport 4600 mark  0x40 counter

$ sudo iptables-translate -A FORWARD -m mark --mark 0x400/0x400 -j ACCEPT
nft add rule ip filter FORWARD mark  and 0x400 == 0x400 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_udp: add translation to nft

Some examples:

$ sudo iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
add rule ip filter INPUT iifname eth0 udp sport 53 counter accept

$ sudo ./iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP
add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop

$ sudo ./iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_state: add translation to nft

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_tcp: add translation to nft

Translation for the TCP option matching is not yet implemented as we
don't have a way to match this yet.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:

1) iptables-restore-translate which basically takes a file that contains
   the ruleset in iptables-restore format and converts it to the nft
   syntax, eg.

% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...

The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables
   command:

$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nft: xtables-restore: add generic parsing infrastructure

This allows us to reuse the xtables-restore parser code in the
translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nft: xtables: add generic parsing infrastructure to interpret commands

Split the code to parse arguments and to issue command so we reuse this
for the iptables to nft translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: fix cgroup2 help message in libxt_cgroup.c.

This patch fixes a typo in the cgroup2 cgroup_help_v1() method in extensions\ibxt_cgroup.c.

Signed-off-by: Rami Rosen <rami.rosen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables.8: mention iptables-save in -L documentation

-L omits some details (e.g. interfaces).

We already mentioned '-L -v' but for convenience also mention
ipt-save since that lists it as-is too.

Signed-off-by: Florian Westphal <fw@strlen.de>

iptables: add xtables-config-parser.h to BUILT_SOURCES

Otherwise other sources that use it might be built before it's ready leading
to build failure, for example by iptables/nft.c

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions: libxt_cgroup: add unit test

Add basic tests which depend only on the root cgroup.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>