git.ipfire.org Git - thirdparty/iptables.git/log
[5 years ago] nft: remove cache build calls
Pablo Neira Ayuso [Mon, 6 Jan 2020 12:20:16 +0000 (13:20 +0100)] 
nft: remove cache build calls

The cache requirements are now calculated once from the parsing phase.
There is no need to call __nft_build_cache() from several spots in the
codepath anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: restore among support
Pablo Neira Ayuso [Mon, 6 Jan 2020 12:20:15 +0000 (13:20 +0100)] 
nft: restore among support

Update among support to work again with the new parser and cache logic.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: calculate cache requirements from list of commands
Pablo Neira Ayuso [Mon, 6 Jan 2020 12:20:14 +0000 (13:20 +0100)] 
nft: calculate cache requirements from list of commands

This patch uses the new list of commands to calculate the cache
requirements; the rationale behind this update is the following:

 #1 Parsing, that builds the list of commands and it also calculates
    cache level requirements.
 #2 Cache building.
 #3 Translate commands to jobs
 #4 Translate jobs to netlink

This patch removes the pre-parsing code in xtables-restore.c to
calculate the cache.

After this patch, cache is calculated only once, there is no need
to cancel and refetch for an in-transit transaction.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: split parsing from netlink commands
Pablo Neira Ayuso [Mon, 6 Jan 2020 12:20:13 +0000 (13:20 +0100)] 
nft: split parsing from netlink commands

This patch updates the parser to generate a list of command objects.
This list of commands is then transformed to a list of netlink jobs.
This new command object stores the rule using the nftnl representation
via nft_rule_new().

To reduce the number of updates in this patch, the nft_*_rule_find()
functions have been updated to restore the native representation to
skip the update of the rule comparison code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] ebtables-restore: Table line to trigger implicit commit
Phil Sutter [Tue, 7 Apr 2020 19:17:21 +0000 (21:17 +0200)] 
ebtables-restore: Table line to trigger implicit commit

Cache code is suited for holding multiple tables' data at once. The only
users of that are xtables-save and ebtables-restore with its support for
multiple tables and lack of explicit COMMIT lines.

Remove the second user by introducing implicit commits upon table line
parsing. This would allow making the cache single-table only, but then
xtables-save would fetch cache multiple times (once for each table) and
therefore lose atomicity with regards to the acquired kernel ruleset
image.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Fetch sets per table
Phil Sutter [Mon, 6 Apr 2020 14:49:05 +0000 (16:49 +0200)] 
nft: cache: Fetch sets per table

Kernel accepts a table name when dumping sets, so make use of that in
case a table was passed to fetch_set_cache() but no set name.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Init per table set list along with chain list
Phil Sutter [Mon, 6 Apr 2020 12:36:30 +0000 (14:36 +0200)] 
nft: cache: Init per table set list along with chain list

This simplifies code a bit and also aligns set and chain lists handling
in cache.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Eliminate init_chain_cache()
Phil Sutter [Tue, 31 Mar 2020 01:09:26 +0000 (03:09 +0200)] 
nft: cache: Eliminate init_chain_cache()

The function is always called immediately after fetch_table_cache(), so
merge it into the latter.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] ebtables-restore: Drop custom table flush routine
Phil Sutter [Fri, 24 Apr 2020 13:25:26 +0000 (15:25 +0200)] 
ebtables-restore: Drop custom table flush routine

At least since flushing xtables-restore no longer fetches chains from
kernel, problems with pending policy rule delete jobs can't happen
anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] iptables: flush stdout after every verbose log.
Maciej Żenczykowski [Tue, 21 Apr 2020 08:15:42 +0000 (01:15 -0700)] 
iptables: flush stdout after every verbose log.

Ensures that each logged line is flushed to stdout after it's
written, and not held in any buffer.

Places to modify found via:
  git grep -C5 'fputs[(]buffer, stdout[)];'

On Android iptables-restore -v is run as netd daemon's child process
and fed actions via pipe.  '#PING' is used to verify the child
is still responsive, and thus needs to be unbuffered.

Luckily if you're running iptables-restore in verbose mode you
probably either don't care about performance or - like Android
- actually need this.

Test: builds, required on Android for ip6?tables-restore netd
  subprocess health monitoring.
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] libiptc: do not typedef socklen_t on Android
Maciej Żenczykowski [Sat, 9 May 2020 19:23:56 +0000 (12:23 -0700)] 
libiptc: do not typedef socklen_t on Android

This is present in bionic header files regardless of the compiler
being used (likely clang).

Test: builds
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] tests: shell: Add test for nfbz#1391
Phil Sutter [Tue, 28 Apr 2020 14:12:23 +0000 (16:12 +0200)] 
tests: shell: Add test for nfbz#1391

Problem is fixed since commit c550c81fd373e ("nft: cache: Fix
nft_release_cache() under stress"), looks like another case of
use-after-free.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] libxt_IDLETIMER: fix target v1 help alignment and doc
Maciej Żenczykowski [Tue, 21 Apr 2020 09:45:10 +0000 (02:45 -0700)] 
libxt_IDLETIMER: fix target v1 help alignment and doc

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] iptables: include sys/time.h to fix lack of struct timeval declaration
Maciej Żenczykowski [Tue, 21 Apr 2020 08:15:34 +0000 (01:15 -0700)] 
iptables: include sys/time.h to fix lack of struct timeval declaration

This fixes clang compiler warnings:

iptables/xshared.h:176:50: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility]
extern int xtables_lock_or_exit(int wait, struct timeval *tv);
                                                 ^
iptables/xshared.h:179:57: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility]
void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval);
                                                        ^

Test: builds with fewer warnings
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: include strings.h for the definition of ffs()
Maciej Żenczykowski [Tue, 21 Apr 2020 08:15:07 +0000 (01:15 -0700)] 
extensions: include strings.h for the definition of ffs()

This resolves clang compiler warnings:

extensions/libext4_srcs/gen/gensrcs/external/iptables/extensions/libipt_ULOG.c:89:32: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
  printf(" --ulog-nlgroup %d", ffs(loginfo->nl_group));
                               ^
extensions/libext4_srcs/gen/gensrcs/external/iptables/extensions/libipt_ULOG.c:105:9: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
  ffs(loginfo->nl_group));
  ^
extensions/libext_srcs/gen/gensrcs/external/iptables/extensions/libxt_addrtype.c:263:14: error: implicit declaration of function 'ffs' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
  int first = ffs(val);
              ^

Test: builds with fewer warnings
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] tests: shell: Test -F in dump files
Phil Sutter [Tue, 21 Apr 2020 12:10:53 +0000 (14:10 +0200)] 
tests: shell: Test -F in dump files

While not really useful, iptables-nft-restore shouldn't segfault either.
This tests the problem described in nfbz#1407.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] tests: shell: Extend ipt-restore/0004-restore-race_0
Phil Sutter [Tue, 21 Apr 2020 12:02:59 +0000 (14:02 +0200)] 
tests: shell: Extend ipt-restore/0004-restore-race_0

Add a second table to dump/restore. This triggers failures after
reverting c550c81fd373e ("nft: cache: Fix nft_release_cache() under
stress"), hence acts as a reproducer for the bug fixed by that commit as
well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] tests: shell: Improve ipt-restore/0001load-specific-table_0 a bit
Phil Sutter [Sun, 22 Sep 2019 11:10:10 +0000 (13:10 +0200)] 
tests: shell: Improve ipt-restore/0001load-specific-table_0 a bit

Instead of reading from stdin, pass dump file as regular parameter. This
way dump file name occurs in 'bash -x' output which helps finding out
where things fail.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xshared: Drop pointless assignment in add_param_to_argv()
Phil Sutter [Wed, 6 Nov 2019 17:43:06 +0000 (18:43 +0100)] 
xshared: Drop pointless assignment in add_param_to_argv()

This must be a leftover from a previous cleanup.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] extensions: IDLETIMER: Add alarm timer option
Manoj Basapathi [Thu, 16 Apr 2020 04:53:29 +0000 (10:23 +0530)] 
extensions: IDLETIMER: Add alarm timer option

Introduce "--alarm" option for idletimer rule.
If it is present, hardidle-timer is used, else default timer.
The default idletimer starts a deferrable timer or in other
words the timer will cease to run when cpu is in suspended
state. This change introduces the option to start a
non-deferrable or alarm timer which will continue to run even
when the cpu is in suspended state.

Signed-off-by: Manoj Basapathi <manojbm@codeaurora.org>
Signed-off-by: Sauvik Saha <ssaha@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] nft-shared: skip check for jumpto if cs->target is unset
Pablo Neira Ayuso [Wed, 15 Apr 2020 19:29:27 +0000 (21:29 +0200)] 
nft-shared: skip check for jumpto if cs->target is unset

The command_jump() function leaves cs->target unset if the target is not
found. Let's check if the jumpto string mismatches only in this case.

https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Tested-by: Etienne Champetier <etienne.champetier@anevia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: libxt_CT: add translation for NOTRACK
Pablo Neira Ayuso [Wed, 15 Apr 2020 16:16:41 +0000 (18:16 +0200)] 
extensions: libxt_CT: add translation for NOTRACK

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] iptables: open eBPF programs in read only mode
Maciej Żenczykowski [Tue, 31 Mar 2020 16:07:03 +0000 (09:07 -0700)] 
iptables: open eBPF programs in read only mode

Adjust the mode eBPF programs are opened in so 0400 pinned bpf programs
work without requiring CAP_DAC_OVERRIDE.

This matches Linux 5.2's:
  commit e547ff3f803e779a3898f1f48447b29f43c54085
  Author: Chenbo Feng <fengc@google.com>
  Date:   Tue May 14 19:42:57 2019 -0700

    bpf: relax inode permission check for retrieving bpf program

    For iptable module to load a bpf program from a pinned location, it
    only retrieves a loaded program and cannot change the program content so
    requiring a write permission for it might not be necessary.
    Also when adding or removing an unrelated iptable rule, it might need to
    flush and reload the xt_bpf related rules as well and triggers the inode
    permission check. It might be better to remove the write permission
    check for the inode so we won't need to grant write access to all the
    processes that flush and restore iptables rules.

  kernel/bpf/inode.c:
  - int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
  + int ret = inode_permission(inode, MAY_READ);

In practice, AFAICT, the xt_bpf match .fd field isn't even used by new
kernels, but I believe it might be needed for compatibility with old ones
(though I'm pretty sure table modifications on them will outright fail).

Test: builds, passes Android test suite (albeit on an older iptables base),
  git grep bpf_obj_get - finds no other users
Cc: Chenbo Feng <fengc@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] nft: cache: Fix iptables-save segfault under stress
Phil Sutter [Fri, 13 Mar 2020 12:02:12 +0000 (13:02 +0100)] 
nft: cache: Fix iptables-save segfault under stress

If kernel ruleset is constantly changing, code called by
nft_is_table_compatible() may crash: For each item in table's chain
list, nft_is_chain_compatible() is called. This in turn calls
nft_build_cache() to fetch chain's rules. Though if kernel genid has changed
meanwhile, cache is flushed and rebuilt from scratch, thereby freeing
table's chain list - the foreach loop in nft_is_table_compatible() then
operates on freed memory.

A simple reproducer (may need a few calls):

| RULESET='*filter
| :INPUT ACCEPT [10517:1483527]
| :FORWARD ACCEPT [0:0]
| :OUTPUT ACCEPT [1714:105671]
| COMMIT
| '
|
| for ((i = 0; i < 100; i++)); do
|         iptables-nft-restore <<< "$RULESET" &
| done &
| iptables-nft-save

To fix the problem, basically revert commit ab1cd3b510fa5 ("nft: ensure
cache consistency") so that __nft_build_cache() no longer flushes the
cache. Instead just record kernel's genid when fetching for the first
time. If kernel rule set changes until the changes are committed, the
commit simply fails and local cache is being rebuilt.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Fix for unused variable warnings
Phil Sutter [Fri, 13 Mar 2020 12:00:56 +0000 (13:00 +0100)] 
nft: cache: Fix for unused variable warnings

Loop index variable was left in place after removing the loops.

Fixes: 39ec645093baa ("nft: cache: Simplify chain list allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Review flush_cache()
Phil Sutter [Mon, 2 Mar 2020 17:29:54 +0000 (18:29 +0100)] 
nft: cache: Review flush_cache()

While fixing for iptables-nft-restore under stress, I managed to hit
NULL-pointer deref in flush_cache(). Given that nftnl_*_list_free()
functions are not NULL-pointer tolerant, better make sure such pointers
are not passed by accident.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Simplify chain list allocation
Phil Sutter [Mon, 2 Mar 2020 17:17:51 +0000 (18:17 +0100)] 
nft: cache: Simplify chain list allocation

Allocate chain lists right after fetching table cache, regardless of
whether partial cache is fetched or not. Chain list pointers reside in
struct nft_cache's table array and hence are present irrespective of
actual tables in kernel. Given the small number of tables, there wasn't
much overhead avoided by the conditional in fetch_chain_cache().

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Make nft_rebuild_cache() respect fake cache
Phil Sutter [Sat, 29 Feb 2020 01:08:26 +0000 (02:08 +0100)] 
nft: cache: Make nft_rebuild_cache() respect fake cache

If transaction needed a refresh in nft_action(), restore with flush
would fetch a full cache instead of merely refreshing table list
contained in "fake" cache.

To fix this, nft_rebuild_cache() must distinguish between fake cache and
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
from NFT_CL_RULES.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: cache: Fix nft_release_cache() under stress
Phil Sutter [Fri, 28 Feb 2020 19:32:13 +0000 (20:32 +0100)] 
nft: cache: Fix nft_release_cache() under stress

iptables-nft-restore calls nft_action(h, NFT_COMPAT_COMMIT) for each
COMMIT line in input. When restoring a dump containing multiple large
tables, chances are nft_rebuild_cache() has to run multiple times.

If the above happens, consecutive table contents are added to __cache[1]
which nft_rebuild_cache() then frees, so next commit attempt accesses
invalid memory.

Fix this by making nft_release_cache() (called after each successful
commit) return things into pre-rebuild state again, but keeping the
fresh cache copy.

Fixes: f6ad231d698c7 ("nft: keep original cache in case of ERESTART")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] connlabel: Allow numeric labels even if connlabel.conf exists
Phil Sutter [Wed, 4 Mar 2020 01:43:27 +0000 (02:43 +0100)] 
connlabel: Allow numeric labels even if connlabel.conf exists

Existing code is a bit quirky: If no connlabel.conf was found, the local
function connlabel_value_parse() is called which tries to interpret
given label as a number. If the config exists though,
nfct_labelmap_get_bit() is called instead which doesn't care about
"undefined" connlabel names. So unless installed connlabel.conf contains
entries for all possible numeric labels, rules added by users may stop
working if a connlabel.conf is created.

Related man page snippet states: "Using a number always overrides
connlabel.conf", so try numeric parsing and fall back to nfct only if
that failed.

Fixes: 51340f7b6a110 ("extensions: libxt_connlabel: use libnetfilter_conntrack")
Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xtables: Review nft_init()
Phil Sutter [Fri, 21 Feb 2020 13:55:52 +0000 (14:55 +0100)] 
xtables: Review nft_init()

Move common code into nft_init(), such as:

* initial zeroing nft_handle fields
* family ops lookup and assignment to 'ops' field
* setting of 'family' field

This requires minor adjustments in xtables_restore_main() so extra field
initialization doesn't happen before nft_init() call.

As a side-effect, this fixes segfaulting xtables-monitor binary when
printing rules for trace event as in that code-path 'ops' field wasn't
initialized.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xtables: Drop -4 and -6 support from xtables-{save,restore}
Phil Sutter [Fri, 21 Feb 2020 12:29:05 +0000 (13:29 +0100)] 
xtables: Drop -4 and -6 support from xtables-{save,restore}

Legacy tools don't support those options, either.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xtables: Align effect of -4/-6 options with legacy
Phil Sutter [Fri, 21 Feb 2020 12:18:32 +0000 (13:18 +0100)] 
xtables: Align effect of -4/-6 options with legacy

Legacy iptables doesn't accept -4 or -6 if they don't match the
symlink's native family. The only exception to that is iptables-restore
which simply ignores the lines introduced by non-matching options, which
is useful to create combined dump files for feeding into both
iptables-restore and ip6tables-restore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] iptables-test.py: Fix --host mode
Phil Sutter [Tue, 18 Feb 2020 15:43:16 +0000 (16:43 +0100)] 
iptables-test.py: Fix --host mode

In some cases, the script still called repo binaries. Avoid this when in
--host mode to allow testing without the need to compile sources
beforehand.

Fixes: 1b5d762c1865e ("iptables-test: Support testing host binaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] nft: Drop pointless assignment
Phil Sutter [Mon, 17 Feb 2020 11:56:24 +0000 (12:56 +0100)] 
nft: Drop pointless assignment

No need to set 'i' to zero here, it is not used before the next
assignment.

Fixes: 77e6a93d5c9dc ("xtables: add and set "implict" flag on transaction objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] ebtables: among: Support mixed MAC and MAC/IP entries
Phil Sutter [Thu, 13 Feb 2020 16:49:53 +0000 (17:49 +0100)] 
ebtables: among: Support mixed MAC and MAC/IP entries

Powered by Stefano's support for concatenated ranges, a full among match
replacement can be implemented. The trick is to add MAC-only elements as
a concatenation of MAC and zero-length prefix, i.e. a range from
0.0.0.0 till 255.255.255.255.

Although not quite needed, detection of pure MAC-only matches is left in
place. For those, no implicit 'meta protocol' match is added (which is
required otherwise at least to keep nft output correct) and no concat
type is used for the set.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xtables-translate: Fix for iface++
Phil Sutter [Thu, 13 Feb 2020 13:01:50 +0000 (14:01 +0100)] 
xtables-translate: Fix for iface++

In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.

Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] tests: shell: Fix skip checks with --host mode
Phil Sutter [Wed, 12 Feb 2020 20:26:06 +0000 (21:26 +0100)] 
tests: shell: Fix skip checks with --host mode

When testing host binaries, XT_MULTI variable contains just the program
name without path component which most skip checks didn't expect. Fix
them, and while being at it also reduce indenting level in two scripts
by moving the skip check up front with an early exit call.

Fixes: 416898e335322 ("tests/shell: Support testing host binaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] xtables-restore: fix for --noflush and empty lines
Phil Sutter [Tue, 11 Feb 2020 15:52:59 +0000 (16:52 +0100)] 
xtables-restore: fix for --noflush and empty lines

Lookahead buffer used for cache requirements estimate in restore
--noflush separates individual lines with nul-chars. Two consecutive
nul-chars are interpreted as end of buffer and remaining buffer content
is skipped.

Sadly, reading an empty line (i.e., one containing a newline character
only) caused double nul-chars to appear in buffer as well, leading to
premature stop when reading cached lines from buffer.

To fix that, make use of xtables_restore_parse_line() skipping empty
lines without calling strtok() and just leave the newline character in
place. A more intuitive approach, namely skipping empty lines while
buffering, is deliberately not chosen as that would cause wrong values
in 'line' variable.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
[5 years ago] xtables-translate: Fix for interface name corner-cases
Phil Sutter [Thu, 6 Feb 2020 14:08:41 +0000 (15:08 +0100)] 
xtables-translate: Fix for interface name corner-cases

There are two special situations xlate_ifname() didn't cover:

* Interface name containing '*': This went unchanged, creating a command
  nft wouldn't accept. Instead translate into '\*' which doesn't change
  semantics.

* Interface name being '+': Can't translate into nft wildcard character
  as nft doesn't accept asterisk-only interface names. Instead decide
  what to do based on 'invert' value: Skip match creation if false,
  match against an invalid interface name if true.

Also add a test to make sure future changes to this behaviour are
noticed.

Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] .gitignore: add nano/vim swap file
Arturo Borrero Gonzalez [Mon, 10 Feb 2020 10:33:13 +0000 (11:33 +0100)] 
.gitignore: add nano/vim swap file

Ignore swap/lock files for nano/vim. Not interested in git being aware of them.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: time: add translation and tests
Jose M. Guisado Gomez [Tue, 4 Feb 2020 10:24:16 +0000 (11:24 +0100)] 
extensions: time: add translation and tests

Translation capabilities for xtables time match. Different time values
(hour and datetime) are translated into ranges.

These time match options can be translated now

--timestart value
--timestop value
[!] --weekdays listofdays
--datestart date
--datestop date

The option --monthdays can't be translated into nft as of now.

Examples can be found inside libxt_time.txlate

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
[5 years ago] Fixed some man pages typos ('This modules' -> 'This module')
Álvaro Santos [Thu, 16 Jan 2020 01:40:57 +0000 (01:40 +0000)] 
Fixed some man pages typos ('This modules' -> 'This module')

Signed-off-by: Álvaro Santos <aa.santos@campus.fct.unl.pt>
Signed-off-by: Phil Sutter <phil@nwl.cc>
[5 years ago] extensions: AUDIT: fix man-page typo.
Jeremy Sowden [Fri, 20 Dec 2019 19:54:50 +0000 (19:54 +0000)] 
extensions: AUDIT: fix man-page typo.

A recent commit fixed uses of "allows to" in man-pages.  There was one
instance where the "to" was removed but the "allows" was left behind.
Remove that as well.

Fixes: 3b9b515618c6 ("iptables: cleanup "allows to" usage")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: among: Check call to fstat()
Phil Sutter [Thu, 5 Dec 2019 15:35:51 +0000 (16:35 +0100)] 
extensions: among: Check call to fstat()

If this fails, a bogus length value may be passed to mmap().

Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
[5 years ago] xtables-translate: Guard strcpy() call in xlate_ifname()
Phil Sutter [Thu, 5 Dec 2019 15:01:29 +0000 (16:01 +0100)] 
xtables-translate: Guard strcpy() call in xlate_ifname()

The function potentially fed overlong strings to strcpy(). Given that
everything needed to avoid this is there, reorder code a bit to prevent
those inputs, too.

Fixes: 0ddd663e9c167 ("iptables-translate: add in/out ifname wildcard match translation to nft")
[5 years ago] libxtables: Avoid buffer overrun in xtables_compatible_revision()
Phil Sutter [Thu, 5 Dec 2019 12:57:18 +0000 (13:57 +0100)] 
libxtables: Avoid buffer overrun in xtables_compatible_revision()

The function is exported and accepts arbitrary strings as input. Calling
strcpy() without length checks is not OK.

[5 years ago] extensions: cluster: Avoid undefined shift
Phil Sutter [Thu, 5 Dec 2019 12:36:31 +0000 (13:36 +0100)] 
extensions: cluster: Avoid undefined shift

Value 1 is signed by default and left-shifting by 31 is undefined for
those. Fix this by marking the value as unsigned.

Fixes: 64a0e09894e52 ("extensions: libxt_cluster: Add translation to nft")
[5 years ago] extensions: time: Avoid undefined shift
Phil Sutter [Thu, 5 Dec 2019 12:15:01 +0000 (13:15 +0100)] 
extensions: time: Avoid undefined shift

Value 1 is signed by default and left-shifting by 31 is undefined for
those. Fix this by marking the value as unsigned.

Fixes: ad326ef9f734a ("Add the libxt_time iptables match")
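The two "Avoid undefined shift" commits above describe the same C pitfall: a literal `1` is a signed int, so `1 << 31` shifts into the sign bit and is undefined behaviour, while `1u << 31` is well defined. The block below is an added illustration, not code from iptables; it builds a bit mask for a list of month days the way a time-match option parser might, using an unsigned operand and rejecting out-of-range shifts and days. The function names (`bit_mask`, `monthdays_mask`) and the sample day list are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* Added example, not iptables code: build a 32-bit mask of month days
 * (1..31) as a time-match option parser might.  Day 31 is the trap:
 * "1 << 31" shifts a signed int into its sign bit, which is undefined
 * behaviour in C; "1u << 31" is well defined and yields 0x80000000. */

#define SHIFT_BITS (sizeof(uint32_t) * CHAR_BIT)

/* Return the single-bit mask for shift n, or 0 if n is out of range.
 * Shifting by the operand width or more is undefined as well, so that
 * case is rejected explicitly instead of being left to the compiler. */
uint32_t bit_mask(unsigned int n)
{
	if (n >= SHIFT_BITS)
		return 0;
	return 1u << n;	/* unsigned operand: defined for every n < 32 */
}

/* Build the mask for a list of month days.  Returns 0 on success and -1
 * on an invalid day so the caller can report a parse error rather than
 * silently dropping or mis-encoding the entry. */
int monthdays_mask(const int *days, size_t ndays, uint32_t *mask)
{
	size_t i;

	*mask = 0;
	for (i = 0; i < ndays; i++) {
		if (days[i] < 1 || days[i] > 31)
			return -1;
		*mask |= bit_mask((unsigned int)days[i]);
	}
	return 0;
}

int main(void)
{
	const int days[] = { 1, 15, 31 };	/* constructed sample input */
	uint32_t mask;

	if (monthdays_mask(days, sizeof(days) / sizeof(days[0]), &mask) == 0)
		printf("monthdays mask: 0x%08x\n", (unsigned int)mask);
	return 0;
}
```

Compiling with `-fsanitize=undefined` is the quickest way to catch the signed variant at run time: the sanitizer reports the shift on day 31, whereas the unsigned form above passes silently.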
[5 years ago] xtables-restore: Avoid access of uninitialized data
Phil Sutter [Thu, 5 Dec 2019 10:40:26 +0000 (11:40 +0100)] 
xtables-restore: Avoid access of uninitialized data

When flushing, 'buffer' is not written to prior to checking its first
byte's value. Therefore it needs to be initialized upon declaration.

Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
[5 years ago] iptables-apply: script and manpage update
gw.2010@tnode.com [Wed, 4 Dec 2019 18:18:34 +0000 (19:18 +0100)] 
iptables-apply: script and manpage update

This is GW's update to iptables-apply. It does a code cleanup and adds two
options: one runs a command and the other writes the successful rules file.

I modified the script to use mktemp instead of tempfile. I also fixed a couple
of hyphens in the man page addition.

Arturo says:
 I'm not a strong supporter of this script, but there are many users of it, so
 better do things right and add this patch that should produce no harm anyway.
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: GW <gw.2010@tnode.com>
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: libxt_sctp: add manpage description
Laurence J. Lane [Wed, 4 Dec 2019 18:18:28 +0000 (19:18 +0100)] 
extensions: libxt_sctp: add manpage description

Add manpage description.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] iptables: mention iptables-apply(8) in manpages
Laurence J. Lane [Wed, 4 Dec 2019 18:18:21 +0000 (19:18 +0100)] 
iptables: mention iptables-apply(8) in manpages

Add iptables-apply(8) to the SEE ALSO section of *-save(8) and *-restore(8).

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] libipq: fix spelling in manpage
Laurence J. Lane [Wed, 4 Dec 2019 18:18:14 +0000 (19:18 +0100)] 
libipq: fix spelling in manpage

Fix spelling in this sentence.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] extensions: manpages: cleanup hyphens
Laurence J. Lane [Wed, 4 Dec 2019 18:18:07 +0000 (19:18 +0100)] 
extensions: manpages: cleanup hyphens

Cleanup: escape hyphens so they are not interpreted by the manpage generator.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] iptables: cleanup "allows to" usage
Laurence J. Lane [Wed, 4 Dec 2019 18:18:00 +0000 (19:18 +0100)] 
iptables: cleanup "allows to" usage

Grammatical cleanup.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] iptables: install iptables-apply script and manpage
Laurence J. Lane [Wed, 4 Dec 2019 18:17:53 +0000 (19:17 +0100)] 
iptables: install iptables-apply script and manpage

We have the iptables-apply script in the tree (and in the release tarball), but
it is not being installed anywhere. Same for the manpage.

Arturo says:
 I'm not a strong supporter of this script, but there are many users of it, so
 better do things right and do a proper installation.
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[5 years ago] xtables-restore: Fix parser feed from line buffer
Phil Sutter [Wed, 4 Dec 2019 08:56:06 +0000 (09:56 +0100)] 
xtables-restore: Fix parser feed from line buffer

When called with --noflush, xtables-restore would trip over chain lines:
Parser uses strtok() to separate chain name, policy and counters which
inserts nul-chars into the source string. Therefore strlen() can't be
used anymore to find end of line. Fix this by caching line length before
calling xtables_restore_parse_line().

Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
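The strtok()/strlen() pitfall described in the commit above, as an added illustration that is not iptables code. It assumes chain lines in iptables-save format (":INPUT ACCEPT [0:0]", single spaces as separators) and models the line feed with a small walker over a newline-separated buffer; the constructed three-line snippet and the walk_lines()/count_restore_lines() helpers are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the bug, not iptables code. strtok() overwrites each separator
 * with '\0' while splitting a chain line in place, so strlen() on the line
 * afterwards only reports the length of the first token.
 */

struct chain_line {
	const char *name;
	const char *policy;
	const char *counters;
};

/* Tokenize one ":NAME POLICY [pkts:bytes]" line in place (assumed format). */
static void parse_chain_line(char *line, struct chain_line *cl)
{
	cl->name = strtok(line, " ");
	cl->policy = strtok(NULL, " ");
	cl->counters = strtok(NULL, " ");
}

/*
 * Walk a newline-separated buffer of 'buflen' bytes, parsing each chain
 * line, and return how many lines were visited. With cache_len == 1 the
 * line length is measured before parsing (the fix); with cache_len == 0 it
 * is re-measured afterwards (the bug), so the walker resumes in the middle
 * of the line it just tokenized and treats the leftover tokens as lines.
 */
size_t walk_lines(char *buf, size_t buflen, int cache_len)
{
	size_t off = 0, nlines = 0;

	while (off < buflen) {
		char *line = buf + off;
		char *nl = memchr(line, '\n', buflen - off);
		size_t len;

		if (nl)
			*nl = '\0';	/* isolate the line, as a line buffer would */
		len = strlen(line);	/* cached before strtok() touches the line */

		if (line[0] == ':') {
			struct chain_line cl;

			parse_chain_line(line, &cl);
		}
		if (!cache_len)
			len = strlen(line);	/* buggy: measured after strtok() */

		nlines++;
		off += len + 1;		/* skip the line and its terminator */
	}
	return nlines;
}

/* Run the walker over a constructed three-line restore snippet. */
size_t count_restore_lines(int cache_len)
{
	char buf[] = ":INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\nCOMMIT\n";

	return walk_lines(buf, sizeof(buf) - 1, cache_len);
}

int main(void)
{
	printf("length cached before strtok(): %zu lines\n",
	       count_restore_lines(1));
	printf("length measured after strtok(): %zu lines\n",
	       count_restore_lines(0));
	return 0;
}
```

With the length cached the walker sees the three real lines; re-measuring after strtok() makes it restart at "ACCEPT", "[0:0]" and so on, which is the kind of misparse --noflush tripped over.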
5 years ago Fix DEBUG build
Phil Sutter [Wed, 4 Dec 2019 08:36:59 +0000 (09:36 +0100)] 
Fix DEBUG build

Fixed commit failed to update this conditional call to
nft_rule_print_save().

Fixes: 1e8ef6a584754 ("nft: family_ops: Pass nft_handle to 'rule_to_cs' callback")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago extensions: CLUSTERIP: Mark as deprecated in man page
Phil Sutter [Wed, 4 Dec 2019 13:06:02 +0000 (14:06 +0100)] 
extensions: CLUSTERIP: Mark as deprecated in man page

Kernel even warns if being used, reflect its state in man page, too.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
5 years ago build: bump dependency on libnftnl
Pablo Neira Ayuso [Mon, 2 Dec 2019 17:14:51 +0000 (18:14 +0100)] 
build: bump dependency on libnftnl

nftnl_set_list_lookup_byname() requires libnftnl 1.1.5.

Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago configure: bump version for 1.8.4 release v1.8.4
Pablo Neira Ayuso [Mon, 2 Dec 2019 16:06:13 +0000 (17:06 +0100)] 
configure: bump version for 1.8.4 release

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: bridge: Rudimental among extension support
Phil Sutter [Tue, 20 Aug 2019 22:42:13 +0000 (00:42 +0200)] 
nft: bridge: Rudimental among extension support

Support among match as far as possible given the limitations of nftables
sets, namely limited to homogeneous MAC address only or MAC and IP
address only matches.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Support parsing lookup expression
Phil Sutter [Tue, 20 Aug 2019 22:33:51 +0000 (00:33 +0200)] 
nft: Support parsing lookup expression

Add required glue code to support family specific lookup expression
parsers implemented as family_ops callback.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Embed rule's table name in nft_xt_ctx
Phil Sutter [Tue, 20 Aug 2019 20:16:41 +0000 (22:16 +0200)] 
nft: Embed rule's table name in nft_xt_ctx

Down to the point where expression parsing happens, the rule's table is
not known anymore but relevant if set lookups are required.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Bore up nft_parse_payload()
Phil Sutter [Tue, 20 Aug 2019 20:09:04 +0000 (22:09 +0200)] 
nft: Bore up nft_parse_payload()

Allow for closer inspection by storing payload expression's base and
length values. Also facilitate two consecutive payload expressions as
LHS of a (cmp/lookup) statement as used with concatenations.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Support NFT_COMPAT_SET_ADD
Phil Sutter [Tue, 20 Aug 2019 09:40:44 +0000 (11:40 +0200)] 
nft: Support NFT_COMPAT_SET_ADD

Implement the required infrastructure to create sets as part of a batch
job commit.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Introduce NFT_CL_SETS cache level
Phil Sutter [Tue, 20 Aug 2019 09:21:42 +0000 (11:21 +0200)] 
nft: Introduce NFT_CL_SETS cache level

In order to support anonymous sets, introduce an intermediate cache
level between NFT_CL_CHAINS and NFT_CL_RULES. Actually chains are not
needed to fetch sets, but given that sets are only needed for rules, put
it late to not slow down fetching chains.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Eliminate pointless calls to nft_family_ops_lookup()
Phil Sutter [Wed, 21 Aug 2019 08:42:19 +0000 (10:42 +0200)] 
nft: Eliminate pointless calls to nft_family_ops_lookup()

If nft_handle is available, use its 'ops' field instead of performing a
new lookup. For the same reason, there is no need to pass ops pointer to
__nft_print_header().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Keep nft_handle pointer in nft_xt_ctx
Phil Sutter [Tue, 20 Aug 2019 22:19:25 +0000 (00:19 +0200)] 
nft: Keep nft_handle pointer in nft_xt_ctx

Instead of carrying the family value, carry the handle (which contains
the family value) and relieve expression parsers from having to call
nft_family_ops_lookup().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: family_ops: Pass nft_handle to 'rule_to_cs' callback
Phil Sutter [Tue, 20 Aug 2019 19:41:12 +0000 (21:41 +0200)] 
nft: family_ops: Pass nft_handle to 'rule_to_cs' callback

This is the actual callback used to parse nftables rules. Pass
nft_handle to it so it can access the cache (and possible sets therein).

Having to pass nft_handle to nft_rule_print_save() allows simplifying it
a bit since no family ops lookup has to be done anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: family_ops: Pass nft_handle to 'print_rule' callback
Phil Sutter [Tue, 20 Aug 2019 17:53:13 +0000 (19:53 +0200)] 
nft: family_ops: Pass nft_handle to 'print_rule' callback

Prepare for 'rule_to_cs' callback to receive nft_handle pointer so it is
able to access cache for set lookups.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: family_ops: Pass nft_handle to 'rule_find' callback
Phil Sutter [Tue, 20 Aug 2019 16:20:53 +0000 (18:20 +0200)] 
nft: family_ops: Pass nft_handle to 'rule_find' callback

In order to prepare for rules containing set references, nft handle has
to be passed to nft_rule_to_iptables_command_state() in order to let it
access the set in cache.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: family_ops: Pass nft_handle to 'add' callback
Phil Sutter [Tue, 20 Aug 2019 13:15:19 +0000 (15:15 +0200)] 
nft: family_ops: Pass nft_handle to 'add' callback

In order for add_match() to create anonymous sets when converting
xtables matches it needs access to nft handle. So pass it along from
callers of family ops' add callback.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: Fix -Z for rules with NFTA_RULE_COMPAT
Phil Sutter [Fri, 15 Nov 2019 09:47:25 +0000 (10:47 +0100)] 
nft: Fix -Z for rules with NFTA_RULE_COMPAT

The special nested attribute NFTA_RULE_COMPAT holds information about
any present l4proto match (given via '-p' parameter) in input. The match
is contained as meta expression as well, but some xtables extensions
explicitly check its value (see e.g. xt_TPROXY).

This nested attribute is input only, the information is lost after
parsing (and initialization of compat extensions). So in order to feed a
rule back to kernel with zeroed counters, the attribute has to be
reconstructed based on the rule's expressions.

Other code paths are not affected since rule_to_cs() callback will
populate respective fields in struct iptables_command_state and 'add'
callback (which is the inverse to rule_to_cs()) calls add_compat() in
any case.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft: CMD_ZERO needs a rule cache
Phil Sutter [Fri, 15 Nov 2019 09:47:24 +0000 (10:47 +0100)] 
nft: CMD_ZERO needs a rule cache

In order to zero rule counters, they have to be fetched from kernel. Fix
this for both standalone calls as well as xtables-restore --noflush.

Fixes: b5cb6e631c828 ("nft-cache: Fetch only chains in nft_chain_list_get()")
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago tests: shell: Add ipt-restore/0007-flush-noflush_0
Phil Sutter [Tue, 17 Sep 2019 16:28:18 +0000 (18:28 +0200)] 
tests: shell: Add ipt-restore/0007-flush-noflush_0

Simple test to make sure iptables-restore does not touch tables it is
not supposed to.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Improve performance of --noflush operation
Phil Sutter [Tue, 17 Sep 2019 18:27:27 +0000 (20:27 +0200)] 
xtables-restore: Improve performance of --noflush operation

The reason for that full cache fetching when called with --noflush even
before looking at any input data was that there might be a command
requiring a rule cache following some rule add/insert ones which don't.
At that point one needs to fetch rules from kernel and try to insert the
local ones at the right spot which is non-trivial.

At the same time there is a performance-critical use-case for --noflush,
namely fast insertion of a bunch of rules in one go, avoiding the
process spawn overhead.

Optimize for this use-case by preloading input into a 64KB buffer to see
if it fits. If so, search for commands requiring a rule cache. If there
are none, skip initial full cache fetching.

The above algorithm may abort at any point, so actual input parsing must
happen in three stages:

1) parse all preloaded lines from 64KB buffer
2) parse any leftover line in line buffer (happens if input exceeds
   the preload buffer size)
3) parse remaining input from input file pointer

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Allow lines without trailing newline character
Phil Sutter [Wed, 18 Sep 2019 13:39:44 +0000 (15:39 +0200)] 
xtables-restore: Allow lines without trailing newline character

Old code in add_param_to_argv() assumed the input line would always end
with a newline character. Without it, the last word of input wasn't
recognized. Fix this by adding a final check for param.len (indicating
leftover data in buffer).

In line parsing code itself, only COMMIT line check required presence of
trailing newline. The replaced conditional is not 100% accurate as it
allows for characters after newline to be present, but since fgets() is
used this shouldn't happen anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Remove some pointless linebreaks
Phil Sutter [Tue, 17 Sep 2019 16:58:17 +0000 (18:58 +0200)] 
xtables-restore: Remove some pointless linebreaks

Due to reduced indenting level, some linebreaks are no longer needed.
OTOH, strings should not be split to aid in grepping for error output.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Introduce line parsing function
Phil Sutter [Tue, 17 Sep 2019 14:15:23 +0000 (16:15 +0200)] 
xtables-restore: Introduce line parsing function

Move the loop code parsing a distinct line of input into a dedicated
function as a preparation for changing input sources. Since loop code
either calls continue or exit() directly, there is no need for a return
code to indicate failure.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Introduce struct nft_xt_restore_state
Phil Sutter [Fri, 18 Oct 2019 17:02:29 +0000 (19:02 +0200)] 
xtables-restore: Introduce struct nft_xt_restore_state

This data structure holds parser state information. A follow-up patch
will extract line parsing code into a separate function which will need
a place to persistently store this info in between calls.

While being at it, make 'in_table' variable boolean and drop some extra
braces in conditionals checking its value.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Integrate restore callbacks into struct nft_xt_restore_parse
Phil Sutter [Thu, 17 Oct 2019 20:26:50 +0000 (22:26 +0200)] 
xtables-restore: Integrate restore callbacks into struct nft_xt_restore_parse

There's really no point in passing those as separate parameters. While
being at it, make them static const everywhere.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago nft-arp: Use xtables_print_mac_and_mask()
Phil Sutter [Mon, 28 Oct 2019 10:46:04 +0000 (11:46 +0100)] 
nft-arp: Use xtables_print_mac_and_mask()

This libxtables function does exactly what the local implementation did.
The only noteworthy difference is that it assumes MAC/mask lengths, but
the local implementation was passed ETH_ALEN in each invocation, so no
practical difference.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-arp: Use xtables_parse_interface()
Phil Sutter [Sat, 26 Oct 2019 19:37:48 +0000 (21:37 +0200)] 
xtables-arp: Use xtables_parse_interface()

The local implementation differs just slightly but libxtables version
seems more correct (no needless memsetting of mask, more relevant
illegal character checking) so use that one.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-arp: Drop some unused variables
Phil Sutter [Fri, 25 Oct 2019 15:26:41 +0000 (17:26 +0200)] 
xtables-arp: Drop some unused variables

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-arp: Integrate OPT_* defines into xshared.h
Phil Sutter [Fri, 25 Oct 2019 15:21:13 +0000 (17:21 +0200)] 
xtables-arp: Integrate OPT_* defines into xshared.h

These defines are internal use only, so their actual value doesn't
matter as long as they're unique and inverse_for_options array items
match:

When negating a given option, the corresponding OPT_* value's bit is
used as an index into inverse_for_options to retrieve the corresponding
invflag. If zero, either negating or the option itself is not supported.
(In practice, a lookup for unsupported option won't happen as those are
caught by getopt_long()).

Since xtables-arp's OPT_* values change, adjust the local
inverse_for_options array accordingly.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago Replace TRUE/FALSE with true/false
Phil Sutter [Fri, 25 Oct 2019 12:35:51 +0000 (14:35 +0200)] 
Replace TRUE/FALSE with true/false

And drop the conditional defines.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-arp: Drop generic_opt_check()
Phil Sutter [Fri, 25 Oct 2019 12:08:59 +0000 (14:08 +0200)] 
xtables-arp: Drop generic_opt_check()

With all fields in commands_v_options[][] being whitespace, the function
is effectively a noop.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago Merge CMD_* defines
Phil Sutter [Mon, 13 May 2019 13:32:01 +0000 (15:32 +0200)] 
Merge CMD_* defines

They are mostly identical, just xtables-arp ones differ slightly. Though
since they are internal use only and their actual value doesn't matter
(as long as it's a distinct bit), they can be merged anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xshared: Share a common implementation of parse_rulenumber()
Phil Sutter [Tue, 22 Oct 2019 20:55:08 +0000 (22:55 +0200)] 
xshared: Share a common implementation of parse_rulenumber()

The function is really small, but still copied four times.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xshared: Share a common add_command() implementation
Phil Sutter [Tue, 22 Oct 2019 20:49:29 +0000 (22:49 +0200)] 
xshared: Share a common add_command() implementation

The shared definition of cmdflags is a superset of the previous one in
xtables-arp.c so while not being identical, they're compatible.

Avoid accidental array overstep in cmd2char() by incrementing an index
variable and checking its final value before using it as such.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago ip6tables, xtables-arp: Drop unused struct pprot
Phil Sutter [Tue, 22 Oct 2019 21:31:46 +0000 (23:31 +0200)] 
ip6tables, xtables-arp: Drop unused struct pprot

These seem like leftovers when changing code to use xtables_chain_protos
as struct xtables_pprot is identical to struct pprot removed here.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-arp: Use xtables_ipparse_multiple()
Phil Sutter [Fri, 25 Oct 2019 16:02:52 +0000 (18:02 +0200)] 
xtables-arp: Use xtables_ipparse_multiple()

Use the same code for parsing source and destination IP addresses as
iptables and drop all the local functions dealing with that.

While being at it, call free() for 'saddrs' and 'daddrs' unconditionally
(like iptables does), they are NULL if not used.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
5 years ago xshared: Introduce struct argv_store
Phil Sutter [Thu, 17 Oct 2019 21:36:47 +0000 (23:36 +0200)] 
xshared: Introduce struct argv_store

The use of global variables in code around add_argv() is error-prone and
hard to follow. Replace them by a struct which functions will modify
instead of causing side-effects.

Given the lack of static variables, this effectively makes argv
construction code reentrant.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
5 years ago iptables-xml: Use add_param_to_argv()
Phil Sutter [Thu, 17 Oct 2019 23:30:22 +0000 (01:30 +0200)] 
iptables-xml: Use add_param_to_argv()

Extend the shared argv parser by storing whether a given argument was
quoted or not, then use it in iptables-xml. One remaining extra bit is
extraction of chain name in -A commands, do that afterwards in a loop.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
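The three argv-parser changes described in the "Allow lines without trailing newline character", "Introduce struct argv_store" and "Use add_param_to_argv()" commits above, combined into one added illustration that is not the code in iptables' xshared.c: all parser state lives in a caller-owned struct instead of globals, every word records whether it was quoted, and the pending word is flushed when the input ends without a newline. The quoting rules (double quotes group words, backslash escapes the next character inside quotes), the ARGV_MAX/PARAM_MAX limits and the helper names are this example's own assumptions; the sample rule is constructed from the comment-line example quoted later on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGV_MAX 64	/* assumed limits, not iptables' values */
#define PARAM_MAX 1024

/* All parser state; no static variables, so parsing is reentrant. */
struct argv_store {
	int argc;
	char *argv[ARGV_MAX];
	bool quoted[ARGV_MAX];	/* was argv[i] given inside double quotes? */
};

static void add_argv(struct argv_store *s, const char *param, size_t len,
		     bool quoted)
{
	char *copy;

	if (s->argc >= ARGV_MAX - 1) {
		fprintf(stderr, "too many arguments\n");
		exit(1);
	}
	copy = malloc(len + 1);
	if (!copy) {
		perror("malloc");
		exit(1);
	}
	memcpy(copy, param, len);
	copy[len] = '\0';
	s->quoted[s->argc] = quoted;
	s->argv[s->argc++] = copy;
	s->argv[s->argc] = NULL;	/* keep argv NULL-terminated for getopt */
}

void free_argv(struct argv_store *s)
{
	for (int i = 0; i < s->argc; i++)
		free(s->argv[i]);
	s->argc = 0;
	s->argv[0] = NULL;
}

/* Append one character to the pending word, refusing to overrun it. */
static void param_push(char *param, size_t *len, char c)
{
	if (*len >= PARAM_MAX - 1) {
		fprintf(stderr, "parameter too long\n");
		exit(1);
	}
	param[(*len)++] = c;
}

/* Split 'line' into words and append them to 's'. */
void add_param_to_argv(struct argv_store *s, const char *line)
{
	char param[PARAM_MAX];
	size_t len = 0;
	bool in_quote = false, quoted = false, escaped = false;

	for (const char *p = line; *p; p++) {
		char c = *p;

		if (escaped) {
			param_push(param, &len, c);
			escaped = false;
		} else if (in_quote) {
			if (c == '\\')
				escaped = true;
			else if (c == '"')
				in_quote = false;
			else
				param_push(param, &len, c);
		} else if (c == '"') {
			in_quote = true;
			quoted = true;	/* "" still yields an (empty) argument */
		} else if (c == ' ' || c == '\t' || c == '\n') {
			if (len || quoted) {
				add_argv(s, param, len, quoted);
				len = 0;
				quoted = false;
			}
		} else {
			param_push(param, &len, c);
		}
	}
	if (in_quote) {
		fprintf(stderr, "unterminated quote\n");
		exit(1);
	}
	/* Final flush: without it, the last word of a line lacking a
	 * trailing newline is silently dropped. */
	if (len || quoted)
		add_argv(s, param, len, quoted);
}

int main(void)
{
	struct argv_store s = { 0 };

	/* constructed sample, deliberately without a trailing newline */
	add_param_to_argv(&s, "-A FORWARD -m comment --comment \"- allow this one\" -j ACCEPT");
	for (int i = 0; i < s.argc; i++)
		printf("argv[%d]%s = %s\n", i, s.quoted[i] ? " (quoted)" : "", s.argv[i]);
	free_argv(&s);
	return 0;
}
```

The quoted flag is what lets a consumer such as an XML emitter reproduce the original quoting; the parser itself only needs it to tell an empty quoted argument from no argument at all.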
5 years ago nft: Use ARRAY_SIZE() macro in nft_strerror()
Phil Sutter [Thu, 17 Oct 2019 21:55:02 +0000 (23:55 +0200)] 
nft: Use ARRAY_SIZE() macro in nft_strerror()

Variable 'table' is an array of type struct table_struct, so this is a
classical use-case for ARRAY_SIZE() macro.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Unbreak *tables-restore
Phil Sutter [Tue, 22 Oct 2019 10:25:28 +0000 (12:25 +0200)] 
xtables-restore: Unbreak *tables-restore

Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
installed an error check which evaluated true in all cases as all
callers of do_command callbacks pass a pointer to a table name already.
Attached test case passed as it tested error condition only.

Fix the whole mess by introducing a boolean to indicate whether a table
parameter was seen already. Extend the test case to cover positive as
well as negative behaviour and to test ebtables-restore and
ip6tables-restore as well. Also add the required checking code to the
latter since the original commit missed it.

Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
5 years ago xtables-restore: Fix --table parameter check
Phil Sutter [Fri, 20 Sep 2019 15:31:58 +0000 (17:31 +0200)] 
xtables-restore: Fix --table parameter check

Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:

| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT

Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.

Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
5 years ago xtables-restore: Drop chain_list callback
Phil Sutter [Thu, 17 Oct 2019 22:09:01 +0000 (00:09 +0200)] 
xtables-restore: Drop chain_list callback

Since commit 0baa08fed43fa ("xtables: unify user chain add/flush for
restore case") it is not used anymore, so just drop it.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>