Ana Rey [Thu, 30 Oct 2014 08:31:56 +0000 (09:31 +0100)]
iptables-compat: homogenize error messages
There are some differences between error messages in iptables and
iptables-compat:
# iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.
modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!
Relevant caution in man 2 vfork:
"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."
Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
Newly created (emulated) xt built-in chain have to use NF_ACCEPT. Remove
extra unused chain parameter and rename nft_chain_builtin_init to
nft_xt_builtin_init too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is not native arptables-save. The original author provides
perl scripts to implement arptables-save and arptables-restore.
We should use them to mimic arptables behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip6tables-compat and arptables-compat are also fixed.
This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Anton Danilov [Tue, 2 Sep 2014 10:15:53 +0000 (14:15 +0400)]
xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)
This feature add support of mapping metainformation to packets like nftables maps or
ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue.
Usage of this functionality allowed only from mangle table. We can map tc priority
only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision.
If entry doesn't exist in the set nothing of fields changed.
Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Ronald Wahl [Thu, 4 Sep 2014 22:54:48 +0000 (00:54 +0200)]
libxtables: fix two off-by-one memory corruption bugs
The LSB of xtables_pending_matches was overwritten with zero
that lead to segmentation fault. But simply adding an additional variable
in the code or changing compilation options modified the behaviour so that no
segmentation fault happens so it is rather subtle.
(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p
(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p
This patch adds an optional numeric argument
to -w option (added with 93587a0) so one can
specify how long to wait for an exclusive lock.
If the value isn't specified it works as before,
i.e. program waits indefinitely.
If user specifies it, program exits after
the given time interval passes.
This patch also adds the -w/--wait to nftables
compat code, so the parser doesn't complain.
[ In the original patch, iptables-compat -w X was not working,
I have fixed by adding the dummy code not to break scripts
using the new optional argument --pablo ]
Signed-off-by: Jiri Popelka <jpopelka@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Makefile: fix static compilation iptables-compat without shared libraries
Fix linking problems when this configuration is used:
$ ./configure --prefix=/usr --enable-shared=no --enable-static=yes
$ make
...
xtables_compat_multi-xtables-save.o: In function `xtables_save_main':
/home/pablo/devel/iptables/iptables/xtables-save.c:98: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-restore.o: In function `xtables_restore_main':
/home/pablo/devel/iptables/iptables/xtables-restore.c:195: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-standalone.o: In function `xtables_main':
/home/pablo/devel/iptables/iptables/xtables-standalone.c:61: undefined reference to `init_extensions4'
xtables_compat_multi-xtables-events.o: In function `xtables_events_main':
/home/pablo/devel/iptables/iptables/xtables-events.c:184: undefined reference to `init_extensions4'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure
to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure
to handle chain").
it is possible to put tables and chains in the same batch (which was
already including rules). This patch probes the kernel to check if
if the new transaction is available, otherwise it falls back to the
previous non-transactional approach to handle these two objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Mon, 24 Mar 2014 10:59:46 +0000 (11:59 +0100)]
nft: replace nft_rule_attr_get_u8
Since the family declaration has been modified in libnftnl,
from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16
the assertion is failed for {ip,ip6,arp}tables-compat
when printing rules.
Tomasz Bursztyka [Tue, 11 Feb 2014 16:36:43 +0000 (18:36 +0200)]
nft: A builtin chain might be created when restoring
nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Mon, 23 Dec 2013 17:46:29 +0000 (18:46 +0100)]
iptables: add libxt_cgroup frontend
This patch adds the user space extension/frontend for process matching
based on cgroups from the kernel patch entitled "netfilter: xtables:
lightweight process control group matching".
Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Daniel Borkmann [Sun, 22 Dec 2013 03:15:38 +0000 (04:15 +0100)]
iptables: snat: add randomize-full support
This patch provides the userspace part for snat in order to make
randomize-full support available in {ip,nf}tables. It allows for
enabling full port randomization that was motivated in [1] and
introduced to the kernel in [2].
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in
nft_xtables_config_load) but that was my fault indeed since Ana sent
a v2 patch that I have overlook.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554== by 0x416520: nft_action (nft.c:2281)
==12554== by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554== by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released
appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377== by 0x4189E6: nft_rule_append (nft.c:991)
==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377== by 0x41524A: do_commandx (xtables.c:1176)
==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of
nft_xtables_config_load
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Mon, 2 Dec 2013 10:43:25 +0000 (11:43 +0100)]
xtables-standalone: call nft_fini in the error path
This error is shown with valgrind tools:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14
==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377== by 0x574CC76: mnl_socket_open (socket.c:117)
==7377== by 0x417495: nft_init (nft.c:598)
==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64)
==7377== by 0x5B87994: (below main) (libc-start.c:260)
This patch calls nft_fini to release the objects that have been allocated in
nft_init. This function was not used so far.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114== by 0x41788E: add_match (nft.c:781)
==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114== by 0x418ACE: nft_rule_append (nft.c:1000)
==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114== by 0x4152DE: do_commandx (xtables.c:1184)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114== by 0x52448C8: xtables_calloc (xtables.c:272)
==11114== by 0x410AC2: command_default (xshared.c:150)
==11114== by 0x4149A2: do_commandx (xtables.c:1075)
==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114== by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure.
Fix also the target path which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
This is a temporary workaround mechanism until variable interface
hardware address length can be handled through nftables. This
defaults on the length of EUI-64 mac address, which should be the
most common usage until this is appropriately fixed for all type
of layer 2 addresses.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes such warning:
xtables-arp.c: In function ‘check_inverse’:
xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a
global declaration [-Wshadow]
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In (73ea1cc nft: convert rule into a command state structure), the
interface wildcard matching got broken. The previous handling was
flawed by the use of ifnametoindex in scenario where the interface
may vanished after a rule was added.
This approach relies on the trailing '\0' to identify if this is
an exact or wildcard matching, based on discussion with Florian.
Based on initial patch from Anand Raj Manickam.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft: fix bad length when comparing extension data area
Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.
nft-shared.c: In function ‘nft_ipv46_rule_find’:
nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration]
nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function)
nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables: batch rule-set updates into one single netlink message
With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / iptables.git / log
