xtables: fix compilation due to missing autogenerated header
Fix compilation:
nft.c:51:35: fatal error: xtables-config-parser.h: File or directory doesn't exist
xtables-config-parser.h was generated after compiling nft.c.
Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Tested-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables-config-parser.y: In function ‘xtables_config_parse’:
xtables-config-parser.y:216:4: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: load tables and chains based on /etc/xtables.conf
If /etc/xtables.conf is available, use the configuration there to
autoload the xtables built-in table and chain so you can define custom
configurations. Otherwise, rely on default common table/chain
configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
shell$ xtables -6 -I INPUT -p tcp --dport 22 -j ACCEPT
xtables v1.4.15: -f is not valid on IPv6
Try `xtables -h' or 'xtables --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables-standalone.c: In function ‘xtables_main’:
xtables-standalone.c:64:2: warning: implicit declaration of function ‘do_commandx’ [-Wimplicit-function-declaration]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tomasz Bursztyka [Sun, 13 Jan 2013 15:42:11 +0000 (16:42 +0100)]
xtables: add IPv6 support
Summary of changes to add IPv6 support to the xtables utility:
* modify all commands (add, delete, replace, check and listing) to
support IPv6 addresses.
And for the internal nft library:
* add family to struct nft_handle and modify all caller to use this
family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 address.
Pablo added several improvements to this patch:
* added basic xtables-save and xtables-restore support (so it defaults
to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make
this consistent with IPv4).
Note that we use one single xtables binary utility for IPv4 and IPv6.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In order to emulate the iptables behaviour, this patch changes
the current behaviour to:
1st) check if the table and chains are built-in.
2nd) If they don't exists, create them. If they exists, don't touch
them.
The automatic creation happens in the -I and -P paths.
We should provide a new command to allow to delete (unregister)
built-in tables and chains. It would be similar to unloading
the iptable_X module that registers the custom table.
This is not done for other commands like -C or -D since they
will fail while trying to find the rule in the kernel if such
combination of chain and table does not exists.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
They all use Patrick's nf_tables infrastructure plus my compatibility
layer.
xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.
Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.
However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 28 Aug 2013 07:32:44 +0000 (09:32 +0200)]
utils: add nfsynproxy tool
[ Originally synconf, but Jesper D. Brouer suggested to change
the name to avoid a possible filename clash. I also include
nfsynproxy in the final configure report --pablo ]
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_cluster: add note on arptables-jf
Gao feng reported problems while getting the cluster match working with
arptables. This patch adds a note in the manpage to warn about the arptables-jf
syntax, which is different from mainstream arptables.
Reported-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kevin Cernekee [Sat, 2 Nov 2013 04:08:34 +0000 (21:08 -0700)]
ip6tables: Use consistent exit code for EAGAIN
As of commit 056564f6a (Add new exit value to indicate concurrency
issues), the IPv4 iptables binary returns exit status 4 to indicate that
the kernel returned EAGAIN when trying to update a table. But ip6tables
still returns exit status 1 under the same circumstances. Update
ip6tables to bring it in line with iptables behavior.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Tue, 8 Oct 2013 16:20:15 +0000 (09:20 -0700)]
iptables: spurious error in load_extension
In commit 927385017047d (iptables: improve error reporting with extension
loading troubles), a new error message was added in an attempt to handle
the case where a match does not support a particular protocol family.
For instance, attempting to use the osf match on IPv6.
Unfortunately, this error message now triggers when creating a new chain
which has the same name as a match extension, because iptables calls
xtables_find_target with the name of the new chain to verify it does not
clash with an existing target. For example:
# iptables -N tcp
/usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol
I attempted to resolve this by adding a new XTF flag, but that required changes
in many different places (including -j handling). It seems easiest just to
remove this warning and stick with the original error message of ENOENT, even
if less than precise.
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Sat, 5 Oct 2013 16:33:15 +0000 (09:33 -0700)]
iptables: improve chain name validation
As pointed out by Andrew Domaszek, iptables allows whitespace to be included in
chain names. This causes issues with iptables-restore, and later iptables
actions on the chain. Attached patch disallows whitespace, and also consolidates
all chain name checking into a new function.
This closes netfilter bugzilla #855.
[ Included ip6tables changed as well --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Thu, 26 Sep 2013 16:06:58 +0000 (09:06 -0700)]
libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
As pointed out by Peter Hoelsken, rules created with non-standard
masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output
with iptables -L in CIDR notation as -1. This is because the cidr
variable in xtables_ipmask_to_numeric is unsigned, and the return
value of -1 from xtables_ipmask_to_cidr is therefore converted to
UINT_MAX. Add a cast to workaround the issue.
This closes netfilter bugzilla #854.
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Tue, 13 Aug 2013 19:02:06 +0000 (21:02 +0200)]
iptables: link against libnetfilter_conntrack
Linking currently fails in --enable-static case:
../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
[..]
It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
therefore producing no harm to include unconditionally.
Laurence J. Lane [Sun, 18 Aug 2013 23:41:40 +0000 (19:41 -0400)]
iptables: libip(6)t_REJECT.man default icmp types
The extension man page shows "port-unreach" and "port-unreachable" as
default icmpv6 and icomp reject-with types. Either and variations work
fine for writing rules, but they are displayed as "icmp6-port-unreachable"
and "icmp-port-unreachable". Let's make that consistent.
http://bugs.debian.org/644819
Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / iptables.git / log
