Thierry Du Tre [Tue, 3 Apr 2018 16:39:22 +0000 (18:39 +0200)]
extensions: libipt_DNAT: support shifted portmap ranges
This is a proposal patch for the iptables DNAT extension to support shifted portmap
ranges. It is related to the kernel patch proposed in the earlier message '[PATCH
v5] netfilter : add NAT support for shifted portmap ranges'.
A new struct nf_nat_range2 was added as extension for existing struct
nf_nat_range and is used by new revisions (2) for the DNAT target. Current DNAT
revisions for IPv4 (rev 0) and IPv6 (rev 1) are kept so functionality with
older kernels is not impacted.
The syntax for shifted portmaps uses an extra value in '--to-destination' for
setting the base port, which determines the offset in the redirect port range
for incoming connections, i.e.:
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5100 -j DNAT --to-destination '192.168.1.2:2000-2100/5000'
The base port value is totally optional, so current behavior is not impacted in
any way. The use of slash '/' as separator is an arbitrary choice; all other
suggestions are valid of course (the original proposal used a semicolon, but this was
not practical for command-line use). Another approach using an additional option
seems also possible (i.e. '--base-port 5000'). However, that would mean more
parsing logic with extra lines of code and thus increased risk of regression.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
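As an added illustration (not part of this patch or of libipt_DNAT), a small C parser for the 'IP:lo-hi[/base]' form of '--to-destination' described above, plus a helper that computes where an incoming destination port is redirected when a base port is given. All function and struct names are hypothetical, and wrapping offsets that fall outside the range modulo its size is a modelling assumption, not a statement about the kernel.

```c
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
/* '--to-destination IP:lo-hi[/base]' parsed (hypothetical helper, not
 * libipt_DNAT's own code); base_port == 0 means no base port was given. */
struct portmap {
    struct in_addr addr;
    unsigned short min_port, max_port, base_port;
};
static int parse_port(const char *s, unsigned short *out)
{
    char *end; unsigned long v = strtoul(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v == 0 || v > 65535) return -1;
    *out = (unsigned short)v;
    return 0;
}
/* Returns 0 on success, -1 on a syntax error (bad address, port or range). */
int parse_to_destination(const char *arg, struct portmap *pm)
{
    char buf[64], *colon, *dash, *slash;
    if (strlen(arg) >= sizeof(buf)) return -1;
    strcpy(buf, arg);
    memset(pm, 0, sizeof(*pm));
    if (!(colon = strchr(buf, ':'))) return -1;
    *colon = '\0';
    if (inet_pton(AF_INET, buf, &pm->addr) != 1) return -1;
    if ((slash = strchr(colon + 1, '/'))) {            /* optional '/base' */
        *slash = '\0';
        if (parse_port(slash + 1, &pm->base_port)) return -1;
    }
    if ((dash = strchr(colon + 1, '-'))) *dash = '\0'; /* 'lo-hi' or 'lo' */
    if (parse_port(colon + 1, &pm->min_port)) return -1;
    pm->max_port = pm->min_port;
    if (dash && (parse_port(dash + 1, &pm->max_port) ||
                 pm->max_port < pm->min_port)) return -1;
    return 0;
}
/* Port an incoming dport lands on when a base port is set: offset dport - base
 * is applied from the start of the range; offsets outside the range wrap modulo
 * its size (modelling assumption). Returns -1 if the spec is invalid or has no base. */
int shifted_port(const char *arg, unsigned short dport)
{
    struct portmap pm;
    long range, off;
    if (parse_to_destination(arg, &pm) || pm.base_port == 0) return -1;
    range = pm.max_port - pm.min_port + 1;
    off = ((long)dport - pm.base_port) % range;
    return pm.min_port + (int)(off < 0 ? off + range : off);
}
```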
Serhey Popovych [Wed, 7 Mar 2018 09:10:43 +0000 (11:10 +0200)]
xtables: Fix rules print/save after iptables update
Updating iptables from 1.4.x to 1.6.x breaks rules print/save output
and causes rules load after reboot to fail. Here is an example from
iptables-save(8) output after update:
-A CHAIN1 -m set [unsupported revision] -j DROP
-A CHAIN1 -m set [unsupported revision] -j DROP
Similar output could be obtained via iptables -L CHAIN1. While the issue
is reproduced with the xt_set match, it is not specific to any match or
target module: it is related to how xtables handles revisions.
In this particular case we have following situation:
1) Kernel supports revisions from 1 to 4.
2) Rules configured with iptables 1.4.x supporting only
revisions from 1 to 3. Chosen highest possible revision 3.
3) Rules printed/saved with iptables 1.6.x supporting revisions
from 1 to 4.
4) Xtables registers matches/targets with highest supported
revision by the kernel. This is 4 in our case after update to
iptables 1.6.x.
5) When printing/saving, the kernel submits the match/target with the revision
it is configured with (3), while iptables thinks that rules are configured
with the highest supported (4). That causes a revision mismatch
during print and "[unsupported revision]" output.
To fix this issue we now store all revisions supported by the kernel and
xtables in the xt_matches/xt_targets list sorted in descending order.
Introduce helper routines to find match/target with given revision
and use them to find the right revision to print the entry submitted by the
kernel.
Serhey Popovych [Wed, 7 Mar 2018 09:10:42 +0000 (11:10 +0200)]
xtables: Register all match/target revisions supported by us and kernel
Keep the order of matches by appending them; keep order between
revisions of the same match from most to least recent. All of this
keeps xtables_find_match() happy to find the most recent revision
supported by the kernel in the given order.
Apply the same for targets, except prepend targets; order between
revisions is preserved too.
All this is needed to fix a nasty bug related to iptables package update
and broken print/save output.
After this change all supported revisions of match/target are stored
in the corresponding list with the following pattern:
Where new [m]atches are added to the list tail and new [t]argets are added
to the list head to preserve previous behaviour. Multiple revisions
of a single match/target type are grouped together and sorted in
descending order. Both of these ensure xtables_find_match() and
xtables_find_target() behaviour remains the same after the change: find
the highest supported match/target revision given by its name.
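An added model in C (not xtables' own code) of the list layout described in this commit and in the print/save fix above: every revision supported by both xtables and the kernel is appended per match in descending order, a lookup by name still yields the highest revision, and an exact-revision lookup resolves the entry the kernel hands back at print time. Function names are hypothetical, and treating each side's supported revisions as one contiguous range is an assumption of the model.

```c
#include <stdlib.h>
#include <string.h>
/* Model of one xt_matches entry (added example, not xtables' own code). */
struct xt_match_rev {
    const char *name; unsigned int revision; struct xt_match_rev *next;
};
/* Append at the list tail, as the fixed xtables does for matches. */
static void append(struct xt_match_rev **pp, const char *name, unsigned int rev)
{
    struct xt_match_rev *m = calloc(1, sizeof(*m));
    m->name = name; m->revision = rev;
    while (*pp) pp = &(*pp)->next;
    *pp = m;
}
/* Register every revision lying in both xtables' range [xt_lo, xt_hi] and the
 * kernel's [k_lo, k_hi] (contiguous ranges assumed), most recent first. */
void register_match(struct xt_match_rev **list, const char *name,
                    unsigned int xt_lo, unsigned int xt_hi,
                    unsigned int k_lo, unsigned int k_hi)
{
    unsigned int lo = xt_lo > k_lo ? xt_lo : k_lo;
    unsigned int hi = xt_hi < k_hi ? xt_hi : k_hi;
    for (unsigned int rev = hi; rev >= lo && rev <= hi; rev--) /* ends on wrap */
        append(list, name, rev);
}
/* First entry with this name is the highest supported revision, so an
 * xtables_find_match()-style lookup behaves as before. */
struct xt_match_rev *find_match(struct xt_match_rev *list, const char *name)
{
    for (; list; list = list->next)
        if (strcmp(list->name, name) == 0) return list;
    return NULL;
}
/* Exact-revision lookup for printing an entry the kernel hands back with the
 * revision it was configured with. */
struct xt_match_rev *find_match_revision(struct xt_match_rev *list,
                                         const char *name, unsigned int rev)
{
    for (; list; list = list->next)
        if (list->revision == rev && strcmp(list->name, name) == 0) return list;
    return NULL;
}
/* The scenario from the bug report: a rule saved with revision 3 by iptables
 * 1.4.x, printed by 1.6.x on a kernel with revisions 1..4. With register_all
 * the list holds 4..1; otherwise only the highest one, as before the fix. */
const char *print_saved_rule(int register_all)
{
    struct xt_match_rev *list = NULL;
    register_match(&list, "set", register_all ? 1 : 4, 4, 1, 4);
    return find_match_revision(list, "set", 3) ? "-m set" : "-m set [unsupported revision]";
}
```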
Serhey Popovych [Thu, 1 Mar 2018 11:03:10 +0000 (13:03 +0200)]
extensions: Initialize linear mapping of symbols in _init() of extension
libxt_devgroup and libipt_realm are currently unable to display symbolic
names in save/print commands because the linear mapping is not initialized.
It looks a bit confusing as linear mapping initialization is done in init()
of the extension, which is expected to be called before any other function of
the extension.
However, init is called only when the '-m' option is specified on the command line,
which is true only for the insert, append, replace and destroy iptables
commands.
Move initialization to extension _init() function before calling
any function in extension.
It's not supported anymore as of 4.13, and it did not work
before this either (arp packets cannot be routed).
This unbreaks arptables-compat -- without this fix kernel rejects the
incoming ruleset skeleton.
Filtering forwarded arp packets on a bridge can be done either via the
'netdev' or 'bridge' families.
Florian Westphal [Fri, 30 Mar 2018 20:11:58 +0000 (22:11 +0200)]
libxt_comment: silence truncation warning
gcc warned here:
libxt_comment.c:62 output may be truncated before the last format character [-Wformat-truncation=]
snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"" ...
It tells us that the '"' might not fit anymore, so increase output
buffer size to make room for "" escapes too.
Instead of not listing anything at all if an unknown table name
exists, just skip them. Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.
Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.
proto is u16 in the data structure, so this gave:
nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]
Hauke Mehrtens [Tue, 27 Feb 2018 15:56:55 +0000 (16:56 +0100)]
extensions: libxt_bpf: Fix build with old kernel versions
In kernel 3.18 the union bpf_attr does not have a pathname attribute and
BPF_OBJ_GET is also not defined in these versions.
This was added in Linux commit b2197755b263 ("bpf: add support for
persistent maps/progs"). Check for the BPF_FS_MAGIC define which was
also added in this Linux commit and only activate this code in case we
find that define.
This fixes a build problem with Linux 3.18.
Netfilter bug: #1231
Fixes: f17f9ace8a8 ("extensions: libxt_bpf: support ebpf pinned objects")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Sun, 25 Feb 2018 07:14:00 +0000 (18:14 +1100)]
xtables-compat-multi.c: Allow symlink of ebtables
This patch allows one to force a subsystem that one does not wish to modify
(e.g. libvirt) to use the ebtables compatibility layer.
ebtables-compat was already a symlink to xtables-compat-multi but ebtables was a
stand-alone program. So one could move it out of the way before making the
symlink as below:
lrwxrwxrwx 1 root root 20 Feb 24 11:03 ebtables -> xtables-compat-multi
-rwxr-xr-x 1 root root 75176 Feb 24 11:03 ebtables.orig
With this patch, kernel modules ebtable_filter & ebtables are no longer loaded.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 19 Feb 2018 09:57:18 +0000 (10:57 +0100)]
extensions: prefer plain 'set' over 'set mark and'
Adding a test case for MARK --set-mark 0 fails with
exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0
This translation isn't wrong, but unnecessarily complex, so
change the order to first check if the mask bits are all ones.
In that case we can simply use an immediate value without
need for logical operators.
Thierry Du Tre [Tue, 16 Jan 2018 12:44:37 +0000 (13:44 +0100)]
extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta
mark set 0xffff
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ahmed Abdelsalam [Thu, 11 Jan 2018 17:12:41 +0000 (18:12 +0100)]
extensions: add support for 'srh' match
This patch adds a new extension to iptables to support the 'srh' match.
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Thu, 28 Dec 2017 07:28:33 +0000 (12:58 +0530)]
extensions: libxt_hashlimit: Do not print default timeout and burst
Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 21 Dec 2017 03:35:45 +0000 (09:05 +0530)]
extensions: Add macro _DEFAULT_SOURCE.
Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated.
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes
This patch fixes the following warning:
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
_DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
# _DEFAULT_SOURCE"
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 21 Dec 2017 03:35:45 +0000 (09:05 +0530)]
iptables: Remove const qualifier from struct option.
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning:
warning: initialization discards ‘const’ qualifier from pointer target
type [-Wdiscarded-qualifiers]
.orig_opts = original_opts,
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Yogesh Prasad [Wed, 29 Nov 2017 06:10:54 +0000 (00:10 -0600)]
iptables: patch to correct linker flag sequence
Description
This patch will correct the sequence of the -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared. If -pie is provided after -shared, the linker throws an
error, shown below as an example.
-------------------------------------------------------------------------
/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
+ ./libxt_SYNPROXY.man
make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+ ./libip6t_mh.man
/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
undefined reference to `main'
/host/lib/gcc/powerpc-buildroot-linux-gnu + ./libxt_TCPMSS.man
/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
-------------------------------------------------------------------------
Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 30 Nov 2017 13:48:05 +0000 (19:18 +0530)]
iptables: xtables-eb: Remove const qualifier from struct option
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
huaibin Wang [Mon, 13 Nov 2017 13:27:54 +0000 (14:27 +0100)]
libxt_sctp: fix array out of range in print_chunk
For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type
is not equal to the corresponding index in sctp_chunk_names[]. Using this field
leads to a segmentation fault (index out of range).
Example
$ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Segmentation fault
Signed-off-by: huaibin Wang <huaibin.wang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Sun, 22 Oct 2017 12:49:09 +0000 (18:19 +0530)]
tests: xlate: print output in same way as nft-test.py
Print errors and total no. of tests, tests passed, failed and errors for
testfile argument
Remove option "--all"
Print file names for which all tests are passed with OK
For e.g -
sudo ./xlate-test.py
generic.txlate: OK
libip6t_DNAT.txlate: OK
...
libxt_TCPMSS.txlate: Fail
src: iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-mss-to-pmtu
exp: nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter
tcp option maxseg size set rt mtu
res: nft # -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
...
libxt_connlabel.txlate: Error: iptables-translate failure
iptables-translate v1.6.1: Couldn't load match `connlabel':No such file
or directory
...
64 test files, 246 tests, 242 tests passed, 2 tests failed, 2 errors
Phil Sutter [Fri, 20 Oct 2017 11:24:36 +0000 (13:24 +0200)]
libxt_recent: Remove ineffective checks for info->name
In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a
pointer. So there is no point in comparing it against NULL. Changing the
check to make sure its content is not an empty string is pointless
either, since a non-empty default string is used and the argument parser
will refuse empty strings as --name argument. So simply get rid of the
checks altogether.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>