Arturo Borrero [Wed, 17 Dec 2014 11:06:56 +0000 (12:06 +0100)]
extensions: add ebt 802_3 extension
This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.
I tried to mimic as much as possible the original ebtables code paths.
With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 18:43:05 +0000 (19:43 +0100)]
iptables: xtables-eb: fix renaming of chains
Renaming of chains is not working. and ebtables-compat gets:
libnftnl: attribute 0 assertion failed in chain.c:159
This patch brings back the parser code of the original ebtables tool:
http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652
I adapted the original parser code to fit in the new environment. Also tried to
keep original error messages as much as possible.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 24 Nov 2014 09:52:04 +0000 (10:52 +0100)]
iptables: xtables-eb: user-defined chains default policy is always RETURN
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.
So, with this patch, ebtables-compat ends with:
Command: Result:
-L Always RETURN for user-defined chains
-P builtin RETURN Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP ok
-P userdefined RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
-N userdefined ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_TEE: Trim kernel struct to allow deletion
Correct trimming of userspacesize to fix deletions.
Fixes: Bugzilla #884.
The rule having TEE target with '--oif' option cannot be deleted by iptables command.
$ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
$ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
iptables: No chain/target/match by that name.
Signed-off-by: Loganaden Velvindron <logan@elandsys.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Wed, 5 Nov 2014 15:46:34 +0000 (16:46 +0100)]
iptables-compat: homogenize error messages with 'R' option
There is a difference between error messages in iptables and
iptables-compat:
# iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: Index of replacement too big.
# iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: No chain/target/match by that name.
Now, iptables-compat shows the same error message than iptables in
this case.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Thu, 30 Oct 2014 08:31:56 +0000 (09:31 +0100)]
iptables-compat: homogenize error messages
There are some differences between error messages in iptables and
iptables-compat:
# iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.
modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!
Relevant caution in man 2 vfork:
"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."
Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
Newly created (emulated) xt built-in chain have to use NF_ACCEPT. Remove
extra unused chain parameter and rename nft_chain_builtin_init to
nft_xt_builtin_init too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is not native arptables-save. The original author provides
perl scripts to implement arptables-save and arptables-restore.
We should use them to mimic arptables behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip6tables-compat and arptables-compat are also fixed.
This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Anton Danilov [Tue, 2 Sep 2014 10:15:53 +0000 (14:15 +0400)]
xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)
This feature add support of mapping metainformation to packets like nftables maps or
ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue.
Usage of this functionality allowed only from mangle table. We can map tc priority
only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision.
If entry doesn't exist in the set nothing of fields changed.
Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Ronald Wahl [Thu, 4 Sep 2014 22:54:48 +0000 (00:54 +0200)]
libxtables: fix two off-by-one memory corruption bugs
The LSB of xtables_pending_matches was overwritten with zero
that lead to segmentation fault. But simply adding an additional variable
in the code or changing compilation options modified the behaviour so that no
segmentation fault happens so it is rather subtle.
(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p
(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p
This patch adds an optional numeric argument
to -w option (added with 93587a0) so one can
specify how long to wait for an exclusive lock.
If the value isn't specified it works as before,
i.e. program waits indefinitely.
If user specifies it, program exits after
the given time interval passes.
This patch also adds the -w/--wait to nftables
compat code, so the parser doesn't complain.
[ In the original patch, iptables-compat -w X was not working,
I have fixed by adding the dummy code not to break scripts
using the new optional argument --pablo ]
Signed-off-by: Jiri Popelka <jpopelka@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Makefile: fix static compilation iptables-compat without shared libraries
Fix linking problems when this configuration is used:
$ ./configure --prefix=/usr --enable-shared=no --enable-static=yes
$ make
...
xtables_compat_multi-xtables-save.o: In function `xtables_save_main':
/home/pablo/devel/iptables/iptables/xtables-save.c:98: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-restore.o: In function `xtables_restore_main':
/home/pablo/devel/iptables/iptables/xtables-restore.c:195: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-standalone.o: In function `xtables_main':
/home/pablo/devel/iptables/iptables/xtables-standalone.c:61: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-events.o: In function `xtables_events_main':
/home/pablo/devel/iptables/iptables/xtables-events.c:184: undefined reference to `init_extensions4'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure
to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure
to handle chain").
it is possible to put tables and chains in the same batch (which was
already including rules). This patch probes the kernel to check if
if the new transaction is available, otherwise it falls back to the
previous non-transactional approach to handle these two objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Mon, 24 Mar 2014 10:59:46 +0000 (11:59 +0100)]
nft: replace nft_rule_attr_get_u8
Since the family declaration has been modified in libnftnl,
from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16
the assertion is failed for {ip,ip6,arp}tables-compat
when printing rules.
Tomasz Bursztyka [Tue, 11 Feb 2014 16:36:43 +0000 (18:36 +0200)]
nft: A builtin chain might be created when restoring
nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Mon, 23 Dec 2013 17:46:29 +0000 (18:46 +0100)]
iptables: add libxt_cgroup frontend
This patch adds the user space extension/frontend for process matching
based on cgroups from the kernel patch entitled "netfilter: xtables:
lightweight process control group matching".
Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Sun, 22 Dec 2013 03:15:38 +0000 (04:15 +0100)]
iptables: snat: add randomize-full support
This patch provides the userspace part for snat in order to make
randomize-full support available in {ip,nf}tables. It allows for
enabling full port randomization that was motivated in [1] and
introduced to the kernel in [2].
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in
nft_xtables_config_load) but that was my fault indeed since Ana sent
a v2 patch that I have overlook.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released
appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of
nft_xtables_config_load
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Mon, 2 Dec 2013 10:43:25 +0000 (11:43 +0100)]
xtables-standalone: call nft_fini in the error path
This error is shown with valgrind tools:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x574CC76: mnl_socket_open (socket.c:117)
==7377== by 0x417495: nft_init (nft.c:598)
==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114== by 0x41788E: add_match (nft.c:781)
==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114== by 0x418ACE: nft_rule_append (nft.c:1000)
==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114== by 0x4152DE: do_commandx (xtables.c:1184)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114== by 0x52448C8: xtables_calloc (xtables.c:272)
==11114== by 0x410AC2: command_default (xshared.c:150)
==11114== by 0x4149A2: do_commandx (xtables.c:1075)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure.
Fix also the target path which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / iptables.git / log
