git.ipfire.org Git - thirdparty/iptables.git/log
(11 months ago) nft: Fix for zeroing non-existent builtin chains
Phil Sutter [Tue, 16 Jul 2024 19:07:31 +0000 (21:07 +0200)] 
nft: Fix for zeroing non-existent builtin chains

Trying to zero a specific rule in an entirely empty ruleset caused an
error:

| # nft flush ruleset
| # iptables-nft -Z INPUT
| iptables v1.8.10 (nf_tables):  CHAIN_ZERO failed (No such file or directory): chain INPUT

To fix this, start by faking any non-existing builtin chains so verbose
mode prints all the would-be-flushed chains. Later set 'skip' flag if
given chain is a fake one (indicated by missing HANDLE attribute).
Finally cover for concurrent ruleset updates by checking whether the
chain exists.

This bug seems to have existed for a long time already; the Fixes tag was
identified via git-bisect. This patch won't apply to such old trees though, but
calling nft_xt_builtin_init() from nft_chain_zero_counters() should work
there.

Fixes: a6ce0c65d3a39 ("xtables: Optimize nft_chain_zero_counters()")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Print commands instead of -4/-6/-0 flags
Phil Sutter [Fri, 12 Jul 2024 18:30:10 +0000 (20:30 +0200)] 
xtables-monitor: Print commands instead of -4/-6/-0 flags

The '-4' and '-6' flags are a rarely used feature of iptables-restore.
The '-0' flag is purely artificial and not recognized anywhere (at least
not as an arptables rule prefix in this sense). Finally, there is no
such flag for ebtables in the first place. Go with a more intuitively
clear approach and instead print the typical command which added the
rule being printed.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Ignore ebtables policy rules unless tracing
Phil Sutter [Fri, 12 Jul 2024 16:07:16 +0000 (18:07 +0200)] 
xtables-monitor: Ignore ebtables policy rules unless tracing

Do not expose this implementation detail to users, otherwise new
user-defined chains are followed by a new rule event.

When tracing, they are useful as they potentially terminate rule
traversal.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Fix for ebtables rule events
Phil Sutter [Fri, 12 Jul 2024 12:01:45 +0000 (14:01 +0200)] 
xtables-monitor: Fix for ebtables rule events

Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) tests: shell: New xtables-monitor test
Phil Sutter [Fri, 12 Jul 2024 11:10:08 +0000 (13:10 +0200)] 
tests: shell: New xtables-monitor test

Only events monitoring for now.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Support arptables chain events
Phil Sutter [Fri, 12 Jul 2024 13:48:49 +0000 (15:48 +0200)] 
xtables-monitor: Support arptables chain events

Print arptables NEWCHAIN/DELCHAIN events just like for iptables, using
the '-0' prefix rule callback already uses.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Align builtin chain and table output
Phil Sutter [Fri, 12 Jul 2024 11:37:12 +0000 (13:37 +0200)] 
xtables-monitor: Align builtin chain and table output

Drop the leading hash sign and add "NEW/DEL chain" annotation.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Flush stdout after all lines of output
Phil Sutter [Fri, 12 Jul 2024 11:03:18 +0000 (13:03 +0200)] 
xtables-monitor: Flush stdout after all lines of output

Writing an xtables-monitor testsuite is pretty much impossible without
this due to unreliable output flushing. Just move the fflush() call from
trace_cb() to its caller so monitor events benefit from it as well.

Fixes: 07af4da52ab30 ("xtables-monitor: fix rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) xtables-monitor: Proper re-init for rule's family
Phil Sutter [Fri, 12 Jul 2024 10:49:22 +0000 (12:49 +0200)] 
xtables-monitor: Proper re-init for rule's family

When not running for a specific family only (via -4/-6 flags),
xtables-monitor potentially sees events/traces for all families. To
correctly parse rules when printing for NEWRULE, DELRULE or TRACE
messages, nft_handle has to be reinitialized for the rule's family.

It is not sufficient to reset nft_handle::ops: Some expression parsers
rely upon nft_handle::family to be properly set, too (cf. references to
'ctx->h->family' in nft-ruleparse.c). Adjusting the 'afinfo' pointer
provided by libxtables is even more crucial, as e.g. do_parse() in
xshared.c relies upon it for the proper optstring.

This is actually a day-1 bug in xtables-monitor which surfaced due to
commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore
make this fix the commit it is following up.

Fixes: ca69b0290dc50 ("xtables-monitor: Fix ip6tables rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(11 months ago) man: recent: Adjust to changes around ip_pkt_list_tot parameter
Phil Sutter [Wed, 12 Jun 2024 14:17:28 +0000 (16:17 +0200)] 
man: recent: Adjust to changes around ip_pkt_list_tot parameter

The parameter became obsolete in kernel commit abc86d0f9924 ("netfilter:
xt_recent: relax ip_pkt_list_tot restrictions").

Reported-by: Fabio <pedretti.fabio@gmail.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1745
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(12 months ago) ebtables: Include 'bitmask' value when comparing rules
Phil Sutter [Wed, 12 Jun 2024 12:22:54 +0000 (14:22 +0200)] 
ebtables: Include 'bitmask' value when comparing rules

The former FIXME comment pointed at the fact that struct ebt_entry does
not have a 'flags' field (unlike struct ipt_ip). In fact, ebt_entry's
equivalent is 'bitmask' field. Comparing that instead is the right
thing to do, even though it does not seem to make a difference in
practice: No rule options alter just the bitmask value, nor is it
possible to fill an associated field with default values (e.g. all-zero
MAC and mask).

Since the situation described above might change and there is a slight
performance improvement in some cases (e.g. comparing rules differing
only by specified/omitted source/dest MAC address), add the check
anyway.

Suggested-by: Michael Estner <michaelestner@web.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(12 months ago) extensions: libxt_sctp: Add an extra assert()
Phil Sutter [Fri, 17 May 2024 13:20:05 +0000 (15:20 +0200)] 
extensions: libxt_sctp: Add an extra assert()

The code is sane, but this keeps popping up in static code analyzers.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(12 months ago) man: extensions: recent: Clarify default value of ip_list_hash_size
Phil Sutter [Wed, 24 Apr 2024 21:09:39 +0000 (23:09 +0200)] 
man: extensions: recent: Clarify default value of ip_list_hash_size

The default value of 0 is a bit confusing.

Reported-by: Fabio <pedretti.fabio@gmail.com>
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1745
Signed-off-by: Phil Sutter <phil@nwl.cc>

(14 months ago) configure: Add option to enable/disable libnfnetlink
Maxin B. John [Thu, 25 Apr 2024 08:51:02 +0000 (10:51 +0200)] 
configure: Add option to enable/disable libnfnetlink

Default behavior (autodetecting) does not change, but specifying
either option would explicitly disable or enable libnfnetlink support,
and if the library is not found in the latter case, ./configure will error
out.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(14 months ago) libxtables: Attenuate effects of functions' internal static buffers
Phil Sutter [Tue, 9 Apr 2024 13:38:14 +0000 (15:38 +0200)] 
libxtables: Attenuate effects of functions' internal static buffers

While functions returning pointers to internal static buffers have
obvious limitations, users are likely unaware how they call each other
internally and thus won't notice unsafe use. One such case is calling
both xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as
parameters for a single printf() call.

Defuse this trap by avoiding the internal calls to
xtables_ip{,6}addr_to_numeric() which is easily doable since callers
keep their own static buffers already.

While at it, make use of inet_ntop() everywhere and also use
INET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated)
static buffer sizes.

Reported-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
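The trap described above, as an added illustration that is not code from the iptables tree: hypothetical stand-ins modelled on the old static-buffer helpers show how the nested call clobbers the address string, beside the caller-owned-buffer pattern (inet_ntop() into INET_ADDRSTRLEN-sized locals) the commit adopts. The names addr_to_numeric(), mask_to_numeric(), format_unsafe(), format_safe() and demo() are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a helper that returns its internal static buffer. */
static const char *addr_to_numeric(const struct in_addr *a)
{
	static char buf[INET_ADDRSTRLEN];

	inet_ntop(AF_INET, a, buf, sizeof(buf));
	return buf;
}

/* Prefix length of a contiguous netmask, or -1 if the mask is not contiguous. */
static int mask_to_cidr(const struct in_addr *m)
{
	uint32_t v = ntohl(m->s_addr);
	int cidr = 0;

	while (v & 0x80000000u) {
		v <<= 1;
		cidr++;
	}
	return v ? -1 : cidr;
}

/* Hypothetical stand-in for the mask helper: for a non-contiguous mask it
 * calls addr_to_numeric() internally and thereby overwrites that buffer. */
static const char *mask_to_numeric(const struct in_addr *m)
{
	static char buf[INET_ADDRSTRLEN + 1];
	int cidr = mask_to_cidr(m);

	if (cidr < 0) {
		snprintf(buf, sizeof(buf), "/%s", addr_to_numeric(m));
		return buf;
	}
	if (cidr == 32)
		return "";
	snprintf(buf, sizeof(buf), "/%d", cidr);
	return buf;
}

/* The trap: two static-buffer results combined into one string. The calls
 * are sequenced explicitly here so the corruption is deterministic; inside
 * a single printf() the argument evaluation order is unspecified, so the
 * bug may or may not show depending on the compiler. */
static void format_unsafe(const struct in_addr *a, const struct in_addr *m,
			  char *out, size_t len)
{
	const char *as = addr_to_numeric(a);
	const char *ms = mask_to_numeric(m);	/* clobbers what 'as' points to */

	snprintf(out, len, "%s%s", as, ms);
}

/* The fixed pattern: the caller owns correctly sized buffers and no helper
 * relies on another helper's static storage. */
static void format_safe(const struct in_addr *a, const struct in_addr *m,
			char *out, size_t len)
{
	char abuf[INET_ADDRSTRLEN], mbuf[INET_ADDRSTRLEN];
	int cidr = mask_to_cidr(m);

	inet_ntop(AF_INET, a, abuf, sizeof(abuf));
	if (cidr < 0) {
		inet_ntop(AF_INET, m, mbuf, sizeof(mbuf));
		snprintf(out, len, "%s/%s", abuf, mbuf);
	} else if (cidr == 32) {
		snprintf(out, len, "%s", abuf);
	} else {
		snprintf(out, len, "%s/%d", abuf, cidr);
	}
}

/* Format addr/mask both ways; returns 1 if the static-buffer variant diverged. */
int demo(const char *addr, const char *mask, char *unsafe_out, char *safe_out,
	 size_t len)
{
	struct in_addr a, m;

	inet_pton(AF_INET, addr, &a);
	inet_pton(AF_INET, mask, &m);
	format_unsafe(&a, &m, unsafe_out, len);
	format_safe(&a, &m, safe_out, len);
	return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
	char u[64], s[64];

	/* Constructed sample: a non-contiguous mask triggers the nested call. */
	demo("10.0.0.1", "255.0.255.0", u, s, sizeof(u));
	printf("static buffers: %s\nfixed:          %s\n", u, s);
	return 0;
}
```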

(14 months ago) xshared: Fix parsing of empty string arg in '-c' option
Phil Sutter [Tue, 9 Apr 2024 11:18:12 +0000 (13:18 +0200)] 
xshared: Fix parsing of empty string arg in '-c' option

Calling iptables with '-c ""' resulted in a call to strchr() with an
invalid pointer as 'optarg + 1' points past the buffer. The simplest
fix is to drop the offset: The global optstring part specifies a
single colon after 'c', so getopt() enforces a valid pointer in optarg.
If it contains a comma at the first position, packet counter value parsing
will fail, so all cases are covered.

Reported-by: gorbanev.es@gmail.com
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1741
Fixes: 60a6073690a45 ("Make --set-counters (-c) accept comma separated counters")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(14 months ago) xlate: libip6t_mh: Fix and simplify plain '-m mh' match
Phil Sutter [Tue, 5 Mar 2024 16:02:56 +0000 (17:02 +0100)] 
xlate: libip6t_mh: Fix and simplify plain '-m mh' match

Since core xlate code now ignores '-p mh' if an mh extension is also
present in the rule, mh extension has to emit the l4proto match itself.
Therefore emit the exthdr match irrespective of '-p' argument value just
like other IPv6 extension header matches do.

Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(14 months ago) xlate: Improve redundant l4proto match avoidance
Phil Sutter [Tue, 5 Mar 2024 15:28:29 +0000 (16:28 +0100)] 
xlate: Improve redundant l4proto match avoidance

xtables-translate tries to avoid 'ip protocol'/'meta l4proto' matches if
following expressions add this as dependency anyway. E.g.:

| # iptables-translate -A FOO -p tcp -m tcp --dport 22 -j ACCEPT
| nft 'add rule ip filter FOO tcp dport 22 counter accept'

This worked by searching for the protocol name in loaded matches, but that
approach is flawed as the protocol name and corresponding extension may
differ ("mobility-header" vs. "mh"). Improve this by searching for all
names (cached or resolved) for a given protocol number.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(15 months ago) nft: Do not combine inverted payload matches
Sriram Rajagopalan [Wed, 13 Mar 2024 09:04:37 +0000 (02:04 -0700)] 
nft: Do not combine inverted payload matches

Fixed the issue with combining the payload in case of invert filter for
tcp src and dst ports.

Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(15 months ago) extensions: xt_TPROXY: add txlate support
Florian Westphal [Fri, 8 Mar 2024 14:24:28 +0000 (15:24 +0100)] 
extensions: xt_TPROXY: add txlate support

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(15 months ago) extensions: xt_socket: add txlate support for socket match
Florian Westphal [Wed, 6 Mar 2024 10:11:25 +0000 (11:11 +0100)] 
extensions: xt_socket: add txlate support for socket match

v2: document the match semantics of -m socket.

Ignore --nowildcard if used with other options when translating
and add "wildcard 0" if the option is missing.

"-m socket" will ignore sockets bound to 0.0.0.0/:: by default,
unless --nowildcard is given.

So, xlate must always append "wildcard 0", but can elide "wildcard"
if other options are present along with --nowildcard.

To emulate "-m socket --nowildcard", check for "wildcard <= 1" to
get a "socket exists" type matching.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>

(16 months ago) xtables-translate: Leverage stored protocol names
Phil Sutter [Thu, 29 Feb 2024 16:55:32 +0000 (17:55 +0100)] 
xtables-translate: Leverage stored protocol names

Align output of ip(6)tables-translate for --protocol arguments with that
of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The
latter will consult xtables_chain_protos list first to make sure (the
right) names are used for "common" protocol values and otherwise falls
back to getprotobynumber() which it replaces here.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1738
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) nft: Fix for broken recover_rule_compat()
Phil Sutter [Tue, 27 Feb 2024 17:47:39 +0000 (18:47 +0100)] 
nft: Fix for broken recover_rule_compat()

When the IPv4 rule generator was changed to emit payload instead of
meta expressions for l4proto matches, the code reinserting
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
zeroing was broken by accident.

Make rule compat recovery aware of the alternative match, basically
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
with NFTA_RULE_COMPAT") but add a test case this time to make sure
things stay intact.

Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) iptables-save: Avoid /etc/protocols lookups
Phil Sutter [Wed, 10 Jan 2024 14:26:59 +0000 (15:26 +0100)] 
iptables-save: Avoid /etc/protocols lookups

Instrument proto_to_name() to abort if given protocol number is not
among the well-known ones in xtables_chain_protos. Along with
xtables_parse_protocol() preferring said array for lookups as well, this
ensures reliable dump'n'restore regardless of /etc/protocols contents.

Another benefit is rule dump performance. A simple test-case dumping
100k rules matching on dccp protocol shows an 8s delta (2s vs. 10s for
legacy, 0.5s vs. 8s for nft) with this patch applied. For reference:

| for variant in nft legacy; do
|  (
|  echo "*filter"
|  for ((i = 0; i < 100000; i++)); do
|          echo "-A FORWARD -p dccp -j ACCEPT"
|  done
|  echo "COMMIT"
|  ) | iptables-${variant}-restore
|  time iptables-${variant}-save | wc -l
|  iptables-${variant} -F
| done

Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) libxtables: Add dccp and ipcomp to xtables_chain_protos
Phil Sutter [Wed, 10 Jan 2024 22:22:32 +0000 (23:22 +0100)] 
libxtables: Add dccp and ipcomp to xtables_chain_protos

There are "protocol extensions" for both just like with TCP or UDP.
Caching their values allows for implicit extension lookup after '-p'
flag, for instance:

| iptables -A FORWARD -p dccp --dport 1
| iptables -A FORWARD -p ipcomp --ipcompspi 18

Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) Revert "xshared: Print protocol numbers if --numeric was given"
Phil Sutter [Wed, 10 Jan 2024 13:08:58 +0000 (14:08 +0100)] 
Revert "xshared: Print protocol numbers if --numeric was given"

This reverts commit da8ecc62dd765b15df84c3aa6b83dcb7a81d4ffa.

The patch's original intention is not entirely clear anymore. If it was
to reduce delays involved by calling getprotobynumber() though, commit
b6196c7504d4d ("xshared: Prefer xtables_chain_protos lookup over
getprotoent") avoids those if --numeric flag was given already. Also,
this numeric protocol output did not cover iptables-save which is a more
relevant candidate for such optimizations anyway.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1729
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) libxtables: xtoptions: Respect min/max values when completing ranges
Phil Sutter [Fri, 26 Jan 2024 00:50:22 +0000 (01:50 +0100)] 
libxtables: xtoptions: Respect min/max values when completing ranges

If an extension defines a minimum/maximum valid value for an option's
range argument, treat this as the lower/upper boundary to use when
completing (half) open ranges.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: tcp/udp: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 16:42:12 +0000 (17:42 +0100)] 
extensions: tcp/udp: Save/xlate inverted full ranges

Also translate a bare '-m tcp/udp' to 'meta l4proto' match.

Fixes: 04f569ded54a7 ("extensions: libxt_udp: add translation to nft")
Fixes: fb2593ebbf656 ("extensions: libxt_tcp: add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) nft: Do not omit full ranges if inverted
Phil Sutter [Fri, 2 Feb 2024 12:14:29 +0000 (13:14 +0100)] 
nft: Do not omit full ranges if inverted

Otherwise this turns a never matching rule into an always matching one.

Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match")
Signed-off-by: Phil Sutter <phil@nwl.cc>
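The semantic flip described above, as an added illustration that is not iptables code: a minimal port-match evaluator shows that dropping a full range as "redundant" is only valid when the match is not inverted; with inversion, a never-matching rule becomes an always-matching one. struct port_match, elide_buggy(), elide_fixed() and rule_matches() are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>

/* A single port-range match as it might appear in a rule. */
struct port_match {
	uint16_t min, max;
	bool invert;	/* the '!' in '! --dport min:max' */
	bool present;	/* false: the rule carries no port match at all */
};

/* Does the range cover every possible port? */
static bool is_full_range(const struct port_match *pm)
{
	return pm->min == 0 && pm->max == 0xffff;
}

/* Pre-fix behaviour: a full range is dropped regardless of inversion. */
struct port_match elide_buggy(struct port_match pm)
{
	if (pm.present && is_full_range(&pm))
		pm.present = false;
	return pm;
}

/* Fixed behaviour: a full range is only redundant when it is not inverted. */
struct port_match elide_fixed(struct port_match pm)
{
	if (pm.present && is_full_range(&pm) && !pm.invert)
		pm.present = false;
	return pm;
}

/* Evaluate the (possibly elided) match against a packet's port. */
bool rule_matches(const struct port_match *pm, uint16_t port)
{
	bool in_range;

	if (!pm->present)
		return true;	/* no match expression: rule matches everything */
	in_range = port >= pm->min && port <= pm->max;
	return pm->invert ? !in_range : in_range;
}
```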

(16 months ago) extensions: ipcomp: Save inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:57:46 +0000 (15:57 +0100)] 
extensions: ipcomp: Save inverted full ranges

Fixes: 0bb8765cc28cf ("iptables: Add IPv4/6 IPcomp match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: esp: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:47:09 +0000 (15:47 +0100)] 
extensions: esp: Save/xlate inverted full ranges

Also add a translation for plain '-m esp' match which depends on the
address family: While ip6tables-translate may emit an exthdr exists
match, iptables-translate must stick to meta l4proto.

Fixes: 6cfa723a83d45 ("extensions: libxt_esp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: rt: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:45:42 +0000 (15:45 +0100)] 
extensions: rt: Save/xlate inverted full ranges

Also translate plain '-m rt' match into an exthdr exists one.

Fixes: 9dbb616c2f0c3 ("extensions: libip6t_rt.c: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: mh: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:42:10 +0000 (15:42 +0100)] 
extensions: mh: Save/xlate inverted full ranges

Also translate '-m mh' into an exthdr exists match unless '-p mh' is
also present. The latter is converted into 'meta l4proto mh' which might
need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: frag: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:39:52 +0000 (15:39 +0100)] 
extensions: frag: Save/xlate inverted full ranges

Also translate plain '-m frag' match into an exthdr exists one.

Fixes: bd5bbc7a0fbd8 ("extensions: libip6t_frag: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: ah: Save/xlate inverted full ranges
Phil Sutter [Thu, 1 Feb 2024 14:27:03 +0000 (15:27 +0100)] 
extensions: ah: Save/xlate inverted full ranges

While at it, fix xlate output for plain '-m ah' matches: With
ip6tables-translate, one should emit an exthdr exists match since
ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate,
a simple 'meta l4proto ah' was missing.

Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'")
Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) libxtables: Reject negative port ranges
Phil Sutter [Thu, 25 Jan 2024 17:14:23 +0000 (18:14 +0100)] 
libxtables: Reject negative port ranges

Analogous to XTTYPE_UINT*RC value parsing, assert consecutive port
values are not lower than previous ones.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) libxtables: xtoptions: Assert ranges are monotonic increasing
Phil Sutter [Wed, 24 Jan 2024 22:29:46 +0000 (23:29 +0100)] 
libxtables: xtoptions: Assert ranges are monotonic increasing

Extensions commonly require the upper range value to be larger than or
equal to the lower one. Performing this check in the parser is easier and
covers all extensions at once.

One notable exception is NFQUEUE which requires strict monotonicity.
Hence leave its checks in place.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(16 months ago) extensions: *.t/*.txlate: Test range corner-cases
Phil Sutter [Thu, 25 Jan 2024 01:12:24 +0000 (02:12 +0100)] 
extensions: *.t/*.txlate: Test range corner-cases

For every extension option accepting a range, test open and half-open as
well as single element and invalid (negative) ranges.

The added tests merely reflect the status quo, not the expected outcome.
Following patches will fix results and the already existing test cases
highlight the fixes' effects.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) ebtables: Fix for memleak with change counters command
Phil Sutter [Wed, 31 Jan 2024 21:45:07 +0000 (22:45 +0100)] 
ebtables: Fix for memleak with change counters command

Just like with the check command, the change counters command creates a
temporary rule from the rulespec on the command line for a search by spec in
the rule cache. It is not used anymore afterwards, so nft_cmd_free() should
free it.

Fixes: f340b7b6816be ("ebtables: Implement --change-counters command")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) xshared: Introduce xtables_clear_args()
Phil Sutter [Wed, 31 Jan 2024 20:40:19 +0000 (21:40 +0100)] 
xshared: Introduce xtables_clear_args()

Perform struct xtables_args object deinit in a common place, even though
it merely consists of freeing any IP addresses and masks.

This fixes a memleak in arptables-translate as the check for
h->family didn't catch the value NFPROTO_ARP.

Fixes: 5b7324e0675e3 ("nft-arp: add arptables-translate")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) xshared: Fix for memleak in option merging with ebtables
Phil Sutter [Wed, 31 Jan 2024 17:08:43 +0000 (18:08 +0100)] 
xshared: Fix for memleak in option merging with ebtables

The crucial difference in ebtables is that all extensions are loaded up
front instead of while parsing -m/-j flags. Since this loading of all
extensions before every call to do_parse() is pointless overhead (cf.
ebtables-restore), other tools' mechanism of freeing all merged options
in xtables_free_opts() after handling each command and resetting
xt_params->opts at the start of the parser loop is problematic.

The fixed commit entailed a hack to defeat the xt_params->opts reset happening
at the start of do_parse() by assigning to xt_params->orig_opts after loading
all extensions. This approach caused a memleak though since
xtables_free_opts() called from xtables_merge_options() will free the
opts pointer only if it differs from orig_opts.

Resolve this via a different approach which eliminates the
xt_params->opts reset at the start of do_parse():

Make xt_params->opts be NULL until the first extension is loaded. Option
merging in command_match() and command_jump() tolerates a NULL pointer
there after minimal adjustment. Deinit in xtables_free_opts() is already
fine as it (re)turns xt_params->opts to a NULL pointer. With do_parse()
expecting that and falling back to xt_params->orig_opts, no explicit
initialization is required anymore and thus ebtables' init is not
mangled by accident.

A critical part is that do_parse() checks xt_params->opts pointer upon
each call to getopt_long() as it may get assigned while parsing.

Fixes: 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) xtables-eb: Eliminate 'opts' define
Phil Sutter [Wed, 31 Jan 2024 20:03:25 +0000 (21:03 +0100)] 
xtables-eb: Eliminate 'opts' define

It does more harm than good as it hides assignments to the xt_params->opts
field and does funny things if statements actually use xt_params->opts
instead of the define.

Replace it by local variables where sensible (cf. command_match() and
command_jump() in xshared.c).

Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) libxtables: Fix memleak of matches' udata
Phil Sutter [Wed, 31 Jan 2024 13:58:17 +0000 (14:58 +0100)] 
libxtables: Fix memleak of matches' udata

If the extension specifies a non-zero udata_size, field 'udata' points
to an allocated buffer which needs to be freed upon extension deinit.

Interestingly, this bug was identified by ASAN and missed by valgrind.

Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) nft: ruleparse: Add missing braces around ternary
Phil Sutter [Fri, 26 Jan 2024 17:43:10 +0000 (18:43 +0100)] 
nft: ruleparse: Add missing braces around ternary

The expression evaluated the sum before the ternary, consequently not
adding target->size if tgsize was zero.

Identified by ASAN for a simple rule using standard target:
| # ebtables -A INPUT -s de:ad:be:ef:0:00 -j RETURN
| # ebtables -D INPUT -s de:ad:be:ef:0:00 -j RETURN
| =================================================================
| ==18925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x7f627a4c75c5 bp 0x7ffe882b5180 sp 0x7ffe882b4928
| READ of size 8 at 0x603000000120 thread T0
| [...]

Fixes: 2a6eee89083c8 ("nft-ruleparse: Introduce nft_create_target()")
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) tests: iptables-test: Increase non-fast mode strictness
Phil Sutter [Fri, 26 Jan 2024 15:59:56 +0000 (16:59 +0100)] 
tests: iptables-test: Increase non-fast mode strictness

The simple search for the rule in save output accepted arbitrary leading
and trailing rule parts. This was partly desired as it allowed omitting
the leading '-A' flag or ignoring the mandatory '-j CONTINUE' in ebtables
rules, though it could hide bugs.

Introduction of fast mode mitigated this due to the way it searches
for multiple rules at the same time, but there are cases which fast mode
does not support yet (e.g. test cases containing variant-specific rule
output).

Given that save output format will never contain the rule in the first or
last line, enclosing the searched rule in newline characters is sufficient
to make the search apply to full lines only. The only drawback is having
to add '-A' and '-j CONTINUE' parts if needed.

The hidden bugs this revealed were:
- Long --nflog-prefix strings are not cut to 64 chars with iptables-nft
- The TCPMSS rule supposed to fail with legacy only must specify an
  expected save output

Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) extensions: libebt_stp: fix range checking
Florian Westphal [Tue, 23 Jan 2024 16:49:33 +0000 (17:49 +0100)] 
extensions: libebt_stp: fix range checking

This has to either consider ->nvals > 1 or check the values
post-no-range-fixup:

./iptables-test.py  extensions/libebt_stp.t
extensions/libebt_stp.t: ERROR: line 12 (cannot load: ebtables -A INPUT --stp-root-cost 1)

(it tests 0 < 1 and fails, but test should be 1 < 1).

Fixes: dc6efcfeac38 ("extensions: libebt_stp: Use guided option parser")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) iptables: Add missing error codes
Jacek Tomasiak [Tue, 23 Jan 2024 10:14:27 +0000 (11:14 +0100)] 
iptables: Add missing error codes

Without these, commands like `iptables -n -L CHAIN` sometimes print
"Incompatible with this kernel" instead of "No chain/target/match
by that name".

Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) ebtables: Default to extrapositioned negations
Phil Sutter [Thu, 21 Dec 2023 12:24:09 +0000 (13:24 +0100)] 
ebtables: Default to extrapositioned negations

ebtables-nft has always supported both intra- and extrapositioned
negations but defaulted to intrapositioned when printing/saving rules.

With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
though, it started to warn about intrapositioned negations. So change
the default to avoid mandatory warnings when e.g. loading previously
dumped rulesets.

Also adjust test cases, help texts and ebtables-nft.8 accordingly.

Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>

(17 months ago) extensions: libxt_HMARK: Review HMARK_parse()
Phil Sutter [Wed, 20 Dec 2023 01:54:07 +0000 (02:54 +0100)] 
extensions: libxt_HMARK: Review HMARK_parse()

* With XTOPT_NBO support in UINT types, the manual byteorder conversion
  calls are no longer needed
* Setting bits in cb->xflags is done by xtables_option_parse() already
* Since O_HMARK_* values match XT_HMARK_* ones, all but the O_HMARK_TYPE
  case fold together into a single default one

(17 months ago) extensions: libebt_mark_m: Use guided option parser
Phil Sutter [Wed, 29 Nov 2023 16:35:48 +0000 (17:35 +0100)] 
extensions: libebt_mark_m: Use guided option parser

Can't use XTTYPE_MARKMASK32 here because in 'val/mask', 'val' is
optional. Would have to extend xtopt_parse_markmask() to accept this,
maybe guarded by a new XTOPT_ flag to avoid unexpected changes in
behaviour?

(17 months ago) extensions: libebt_pkttype: Use guided option parser
Phil Sutter [Wed, 29 Nov 2023 16:25:36 +0000 (17:25 +0100)] 
extensions: libebt_pkttype: Use guided option parser

Not much to gain here. Maybe implement number parsing with fallback to
get rid of that part from extension parsers?

(17 months ago) extensions: libxt_limit: Use guided option parser for NFPROTO_BRIDGE, too
Phil Sutter [Tue, 28 Nov 2023 13:27:27 +0000 (14:27 +0100)] 
extensions: libxt_limit: Use guided option parser for NFPROTO_BRIDGE, too

(17 months ago) extensions: libebt_arp: Use guided option parser
Phil Sutter [Tue, 28 Nov 2023 13:16:03 +0000 (14:16 +0100)] 
extensions: libebt_arp: Use guided option parser

(17 months ago) extensions: libebt_vlan: Use guided option parser
Phil Sutter [Tue, 28 Nov 2023 12:43:56 +0000 (13:43 +0100)] 
extensions: libebt_vlan: Use guided option parser

(17 months ago) extensions: libebt_802_3: Use guided option parser
Phil Sutter [Sun, 26 Nov 2023 16:36:16 +0000 (17:36 +0100)] 
extensions: libebt_802_3: Use guided option parser

(17 months ago) extensions: libebt_redirect: Use guided option parser
Phil Sutter [Sun, 26 Nov 2023 16:17:12 +0000 (17:17 +0100)] 
extensions: libebt_redirect: Use guided option parser

(17 months ago) extensions: libebt_snat: Use guided option parser
Phil Sutter [Sun, 26 Nov 2023 16:04:14 +0000 (17:04 +0100)] 
extensions: libebt_snat: Use guided option parser

(17 months ago) extensions: libebt_nflog: Use guided option parser
Phil Sutter [Wed, 12 Oct 2022 00:47:44 +0000 (02:47 +0200)] 
extensions: libebt_nflog: Use guided option parser

(17 months ago) extensions: libebt_mark: Use guided option parser
Phil Sutter [Wed, 12 Oct 2022 00:25:04 +0000 (02:25 +0200)] 
extensions: libebt_mark: Use guided option parser

(17 months ago) extensions: libebt_log: Use guided option parser
Phil Sutter [Sun, 9 Oct 2022 12:17:53 +0000 (14:17 +0200)] 
extensions: libebt_log: Use guided option parser

(17 months ago) extensions: libebt_ip: Use guided option parser
Phil Sutter [Sun, 9 Oct 2022 11:34:55 +0000 (13:34 +0200)] 
extensions: libebt_ip: Use guided option parser

(17 months ago) extensions: libebt_ip6: Use guided option parser
Phil Sutter [Sun, 9 Oct 2022 11:01:45 +0000 (13:01 +0200)] 
extensions: libebt_ip6: Use guided option parser

(17 months ago) extensions: libebt_dnat: Use guided option parser
Phil Sutter [Sun, 9 Oct 2022 11:00:23 +0000 (13:00 +0200)] 
extensions: libebt_dnat: Use guided option parser

(17 months ago) extensions: libebt_arpreply: Use guided option parser
Phil Sutter [Sun, 9 Oct 2022 09:51:36 +0000 (11:51 +0200)] 
extensions: libebt_arpreply: Use guided option parser

(17 months ago) extensions: libebt_stp: Use guided option parser
Phil Sutter [Fri, 7 Oct 2022 20:47:06 +0000 (22:47 +0200)] 
extensions: libebt_stp: Use guided option parser

(17 months ago) extensions: libebt_*: Drop some needless init callbacks
Phil Sutter [Wed, 13 Dec 2023 20:43:10 +0000 (21:43 +0100)] 
extensions: libebt_*: Drop some needless init callbacks

Extension data is zero by default.

(17 months ago) ebtables: Support for guided option parser
Phil Sutter [Fri, 7 Oct 2022 20:23:59 +0000 (22:23 +0200)] 
ebtables: Support for guided option parser

Adjust ebt_load_match() and ebt_command_default() to expect
x6_options/x6_parse fields to be set instead of the traditional ones.

Much of this is c'n'p from command_default() in xshared.c, but due to
ebtables' custom match data structure (combining matches and watchers),
sharing the code is probably not feasible.

17 months ago  libxtables: xtoptions: Treat NFPROTO_BRIDGE as IPv4
Phil Sutter [Wed, 13 Dec 2023 20:14:58 +0000 (21:14 +0100)] 
libxtables: xtoptions: Treat NFPROTO_BRIDGE as IPv4

When parsing for XTTYPE_HOST(MASK), the return value of afinfo_family()
is used to indicate the expected address family.

Make guided option parser expect IPv4 by default for ebtables as this is
the more common case. The exception is libebt_ip6, which will
temporarily adjust afinfo->family while parsing.

17 months ago  libxtables: xtoptions: Implement XTTYPE_ETHERMACMASK
Phil Sutter [Sun, 17 Dec 2023 14:10:15 +0000 (15:10 +0100)] 
libxtables: xtoptions: Implement XTTYPE_ETHERMACMASK

Accept an Ethernet MAC address with optional mask in the format
xtables_parse_mac_and_mask() expects it. Does not support XTOPT_PUT (for
now) due to the lack of a defined data structure.

17 months ago  libxtables: xtoptions: Support XTOPT_NBO with XTTYPE_UINT*
Phil Sutter [Tue, 19 Dec 2023 22:46:16 +0000 (23:46 +0100)] 
libxtables: xtoptions: Support XTOPT_NBO with XTTYPE_UINT*

Value conversion into big-endian byte order is pretty straightforward;
it merely needed a small helper for uint64.

17 months ago  libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
Phil Sutter [Sun, 17 Dec 2023 12:02:36 +0000 (13:02 +0100)] 
libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK

Do as the comment in xtopt_parse_hostmask() claims and omit
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
will catch the incompatibility.

Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
18 months ago  tests: iptables-test: Use difflib if dumps differ
Phil Sutter [Tue, 28 Nov 2023 21:26:44 +0000 (22:26 +0100)] 
tests: iptables-test: Use difflib if dumps differ

Improve log readability by printing a unified diff of the expected vs.
actual iptables-save output.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  iptables-legacy: Fix for mandatory lock waiting
Phil Sutter [Mon, 18 Dec 2023 23:56:07 +0000 (00:56 +0100)] 
iptables-legacy: Fix for mandatory lock waiting

Parameter 'wait' passed to xtables_lock() signals three modes of
operation, depending on its value:

 0: --wait not specified, do not wait if lock is busy
-1: --wait specified without value, wait indefinitely until lock becomes
    free
>0: Wait for 'wait' seconds for lock to become free, abort otherwise

Since the fixed commit, the first two cases were treated the same apart from
calling alarm(0), but that is a nop if no alarm is pending. Fix the code
by requesting a non-blocking flock() in the second case. While at it,
restrict the alarm setup to the third case only.

Cc: Jethro Beekman <jethro@fortanix.com>
Cc: howardjohn@google.com
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
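The three wait modes described above, as an added example in C that is not iptables' own xtables_lock() code: acquire_lock() is a hypothetical stand-in which opens a lock file, tries a non-blocking flock() for wait == 0, blocks indefinitely for wait == -1, and arms alarm() so that a blocking flock() is interrupted with EINTR for wait > 0. demo_lock_modes() contends against a second open file description of the same file to show each mode's outcome. The lock path and all function names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* SIGALRM handler: does nothing itself, but being installed without
 * SA_RESTART makes a blocking flock() return -1/EINTR when the alarm fires. */
static void on_alarm(int sig)
{
	(void)sig;
}

/*
 * Hypothetical stand-in for xtables_lock() (example code, not iptables').
 * 'wait' follows the three modes from the commit message:
 *    0  -> --wait not given: fail at once if the lock is busy
 *   -1  -> --wait without value: block until the lock is free
 *   >0  -> block at most 'wait' seconds, then fail
 * Returns the lock fd (>= 0) or -1 with errno set (EWOULDBLOCK or EINTR).
 */
int acquire_lock(const char *path, int wait)
{
	int fd, ret, saved;

	fd = open(path, O_CREAT | O_RDWR, 0600);
	if (fd < 0)
		return -1;

	if (wait == 0) {
		ret = flock(fd, LOCK_EX | LOCK_NB);     /* one non-blocking attempt */
	} else {
		if (wait > 0) {
			struct sigaction sa;
			memset(&sa, 0, sizeof(sa));
			sa.sa_handler = on_alarm;       /* deliberately no SA_RESTART */
			sigemptyset(&sa.sa_mask);
			sigaction(SIGALRM, &sa, NULL);
			alarm((unsigned int)wait);
		}
		ret = flock(fd, LOCK_EX);               /* blocks until free or until SIGALRM interrupts */
		saved = errno;
		if (wait > 0)
			alarm(0);                       /* cancel the alarm if the lock came in time */
		errno = saved;
	}

	if (ret == 0)
		return fd;

	saved = errno;
	close(fd);
	errno = saved;
	return -1;
}

/*
 * Exercises the modes against a second, contending open file description:
 * flock() locks belong to the open file description, so two open() calls in
 * one process conflict exactly like two processes would.
 * Returns a bitmask of the checks that passed; 0x0f means all four.
 */
int demo_lock_modes(const char *path)
{
	int ok = 0, held, again;

	held = acquire_lock(path, -1);               /* lock is free: returns immediately */
	if (held >= 0)
		ok |= 1;

	if (acquire_lock(path, 0) == -1 && errno == EWOULDBLOCK)
		ok |= 2;                             /* busy, and not willing to wait */

	if (acquire_lock(path, 1) == -1 && errno == EINTR)
		ok |= 4;                             /* waited one second, then gave up */

	close(held);                                 /* closing the description releases the lock */
	again = acquire_lock(path, 0);
	if (again >= 0) {
		ok |= 8;
		close(again);
	}
	unlink(path);
	return ok;
}

int main(void)
{
	/* constructed lock path for the demo, not the path iptables uses */
	printf("checks passed: 0x%02x\n", demo_lock_modes("/tmp/xtables-lock-demo.lock"));
	return 0;
}
```

The handler is installed without SA_RESTART on purpose: with it, the kernel would restart flock() after SIGALRM and the timeout would never be observed. Saving errno around alarm(0) and close() matters too, since both may clobber the EWOULDBLOCK/EINTR the caller needs to tell "busy" from "timed out".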
18 months ago  build: replace `echo -e` with `printf`
Jeremy Sowden [Thu, 14 Dec 2023 16:44:05 +0000 (16:44 +0000)] 
build: replace `echo -e` with `printf`

`echo -e` is not portable and we can end up with:

      GEN      matches.man
    -e      + ./libxt_addrtype.man
    -e      + ./libip6t_ah.man
    -e      + ./libipt_ah.man
    -e      + ./libxt_bpf.man
    -e      + ./libxt_cgroup.man
    -e      + ./libxt_cluster.man
    -e      + ./libxt_comment.man
    -e      + ./libxt_connbytes.man
    -e      + ./libxt_connlabel.man
    -e      + ./libxt_connlimit.man
    -e      + ./libxt_connmark.man
    -e      + ./libxt_conntrack.man
    [...]

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  build: add an automake verbosity variable for `ln`
Jeremy Sowden [Thu, 14 Dec 2023 16:44:04 +0000 (16:44 +0000)] 
build: add an automake verbosity variable for `ln`

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  build: use standard automake verbosity variables
Jeremy Sowden [Thu, 14 Dec 2023 16:44:03 +0000 (16:44 +0000)] 
build: use standard automake verbosity variables

The previous implementation ignored the default verbosity defined by
configure, and controlled by --{enable,disable}-silent-rules, and
treated V="" as V=0.  Instead, follow the guidelines given in the
automake manual.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  build: remove unused `AM_VERBOSE_CXX*` variables
Jeremy Sowden [Thu, 14 Dec 2023 16:44:02 +0000 (16:44 +0000)] 
build: remove unused `AM_VERBOSE_CXX*` variables

There is no C++, so these variables are not required.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  build: remove obsolete `AM_LIBTOOL_SILENT` variable
Jeremy Sowden [Thu, 14 Dec 2023 16:44:01 +0000 (16:44 +0000)] 
build: remove obsolete `AM_LIBTOOL_SILENT` variable

It doesn't do anything, so get rid of it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  build: format `AM_CPPFLAGS` variables
Jeremy Sowden [Thu, 14 Dec 2023 16:44:00 +0000 (16:44 +0000)] 
build: format `AM_CPPFLAGS` variables

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  Fix spelling mistakes
Jeremy Sowden [Mon, 11 Dec 2023 14:08:48 +0000 (14:08 +0000)] 
Fix spelling mistakes

Corrections for several spelling mistakes, typos and non-native usages in
man-pages and error-messages.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables: Use do_parse() from xshared
Phil Sutter [Thu, 9 Nov 2023 15:59:51 +0000 (16:59 +0100)] 
ebtables: Use do_parse() from xshared

Drop the custom commandline parsers from ebtables and
ebtables-translate, extend and use the shared one instead.

ebtables gains a few new features from doing this:

- Rule counters may be specified in the '-c N,M' syntax
- Support for --replace command
- Support for --list-rules command
- Zero individual rules

There is one known regression in this patch, namely maximum chain name
length shrinks to 28 characters (from 32). Since this limit changed for
iptables in the past as well (e.g. with commit 5429b41c2bb4a), assume
nobody really relies upon it anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Introduce option_test_and_reject()
Phil Sutter [Tue, 28 Nov 2023 23:30:02 +0000 (00:30 +0100)] 
xshared: Introduce option_test_and_reject()

Just a small helper eliminating the repetitive code there.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables: Use struct xt_cmd_parse
Phil Sutter [Fri, 24 Nov 2023 22:49:51 +0000 (23:49 +0100)] 
ebtables: Use struct xt_cmd_parse

This is merely to reduce size of the parser merge patch, no functional
change intended.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables: Make 'h' case just a call to print_help()
Phil Sutter [Fri, 24 Nov 2023 19:22:44 +0000 (20:22 +0100)] 
ebtables: Make 'h' case just a call to print_help()

Move the special ebtables help parameter handling into its print_help()
function to prepare for it turning into a callback. Add new field 'argc'
to struct iptables_command_state to make this possible. It is actually
kind of consistent as it holds 'argv' already.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables: Pass struct iptables_command_state to print_help()
Phil Sutter [Fri, 24 Nov 2023 18:14:23 +0000 (19:14 +0100)] 
ebtables: Pass struct iptables_command_state to print_help()

Parameters passed by the sole caller came from there already, apart from
'table' which is not used (ebtables-nft does not have per-table help
texts).

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables: Change option values to avoid clashes
Phil Sutter [Wed, 22 Nov 2023 02:05:19 +0000 (03:05 +0100)] 
ebtables: Change option values to avoid clashes

In order to parse input using do_parse(), ebtables' option values have to
be distinct from the others. Since arptables uses values 2-8 already,
resort to values >10.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  ebtables{,-translate}: Convert if-clause to switch()
Phil Sutter [Tue, 21 Nov 2023 23:58:02 +0000 (00:58 +0100)] 
ebtables{,-translate}: Convert if-clause to switch()

Parser merge prep work, align final do_commandeb*() parts with
do_commandx().

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Support for ebtables' --change-counters command
Phil Sutter [Fri, 24 Nov 2023 17:13:00 +0000 (18:13 +0100)] 
xshared: Support for ebtables' --change-counters command

This is tricky because the short-option clashes with the --check
command. OTOH, ebtables supports --check as well (though without
short-option), so making do_parse() detect ebtables based on struct
xtables_args::family is probably still the least messy option.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Support rule range deletion in do_parse()
Phil Sutter [Wed, 15 Nov 2023 12:09:27 +0000 (13:09 +0100)] 
xshared: Support rule range deletion in do_parse()

This is a distinct ebtables feature. Introduce struct
xt_cmd_parse::rule_ranges boolean indicating support for it and bail
otherwise if a range was specified by the user.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Introduce print_help callback (again)
Phil Sutter [Sun, 19 Nov 2023 11:23:47 +0000 (12:23 +0100)] 
xshared: Introduce print_help callback (again)

Prep work for ebtables parser to use do_parse(). Adding more special
casing to xtables_printhelp() causes a mess, so work with a callback
again.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Turn command_default() into a callback
Phil Sutter [Wed, 15 Nov 2023 15:58:15 +0000 (16:58 +0100)] 
xshared: Turn command_default() into a callback

Ebtables' variant is pretty different since all extensions are loaded up
front and some targets serve as "watcher" extensions, so let variants
specify the function to call for extension parameters.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: Perform protocol value parsing in callback
Phil Sutter [Wed, 15 Nov 2023 14:43:42 +0000 (15:43 +0100)] 
xshared: Perform protocol value parsing in callback

The code is same in iptables and ip6tables, but different in ebtables.
Therefore move it into the callback to keep that part of do_parse()
generic.

Signed-off-by: Phil Sutter <phil@nwl.cc>
18 months ago  xshared: do_parse: Skip option checking for CMD_DELETE_NUM
Phil Sutter [Fri, 24 Nov 2023 19:54:28 +0000 (20:54 +0100)] 
xshared: do_parse: Skip option checking for CMD_DELETE_NUM

This command will delete a rule by its number, not rule spec. No -i/-o
options are expected on commandline.

Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
Phil Sutter [Tue, 28 Nov 2023 19:21:49 +0000 (20:21 +0100)] 
libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks

In order to parse the mask, xtopt_parse_hostmask() calls
xtopt_parse_plenmask() thereby limiting netmask support to prefix
lengths (alternatively specified in IP address notation).

In order to lift this impractical restriction, make
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
fall back to xtopt_parse_mask() which correctly initializes val.hmask
itself and indicates non-CIDR-compatible masks by setting val.hlen to
-1.

So in order to support these odd masks, it is sufficient for
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
take whatever val.hmask contains.

Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
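The distinction the commit relies on (a contiguous mask expressed as a prefix length versus a non-CIDR-compatible mask flagged with hlen -1 while the mask itself is kept), as an added example in C that is not libxtables' code: parse_hostmask() is a hypothetical stand-in with its own struct hostmask rather than the real val.hmask/val.hlen fields. It accepts an IPv4 address with an optional prefix length or dotted mask, reports a contiguous dotted mask as its prefix length, reports a mask with holes as plen -1, and hostmask_matches() shows that such a mask is still usable for matching.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libxtables' val.hmask / val.hlen (not the real struct). */
struct hostmask {
	uint32_t addr;   /* host byte order */
	uint32_t mask;   /* host byte order */
	int plen;        /* prefix length, or -1 for a non-CIDR-compatible mask */
};

static int parse_ipv4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return -1;
	*out = ntohl(a.s_addr);
	return 0;
}

/* Prefix length of a contiguous mask, or -1 if the mask has holes in it. */
static int mask_to_plen(uint32_t mask)
{
	uint32_t inv = ~mask;
	int n = 0;

	/* contiguous leading ones <=> the inverted mask is of the form 2^k - 1 */
	if (inv & (inv + 1))
		return -1;
	while (mask & 0x80000000u) {
		n++;
		mask <<= 1;
	}
	return n;
}

/* Parses "addr", "addr/plen" or "addr/dotted-mask". Returns 0 on success, -1 on error. */
int parse_hostmask(const char *spec, struct hostmask *out)
{
	char buf[64];
	char *slash;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);

	slash = strchr(buf, '/');
	if (slash)
		*slash++ = '\0';
	if (parse_ipv4(buf, &out->addr) < 0)
		return -1;

	if (!slash) {                           /* no mask: exact host */
		out->mask = 0xffffffffu;
		out->plen = 32;
	} else if (strchr(slash, '.')) {        /* dotted mask, possibly non-contiguous */
		if (parse_ipv4(slash, &out->mask) < 0)
			return -1;
		out->plen = mask_to_plen(out->mask);    /* -1 marks a non-CIDR mask; mask is kept as-is */
	} else {                                /* numeric prefix length */
		char *end;
		long plen = strtol(slash, &end, 10);

		if (*slash == '\0' || *end != '\0' || plen < 0 || plen > 32)
			return -1;
		out->plen = (int)plen;
		out->mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
	}
	return 0;
}

/* 1 if ip falls under the (possibly non-contiguous) mask, else 0. */
int hostmask_matches(const struct hostmask *hm, const char *ip)
{
	uint32_t a;

	if (parse_ipv4(ip, &a) < 0)
		return 0;
	return (a & hm->mask) == (hm->addr & hm->mask);
}

int main(void)
{
	struct hostmask hm;

	/* constructed input: a mask with a hole in it, as the fixed bug concerns */
	if (parse_hostmask("10.0.0.0/255.0.255.0", &hm) == 0)
		printf("plen=%d mask=0x%08x matches 10.77.0.9: %d\n",
		       hm.plen, hm.mask, hostmask_matches(&hm, "10.77.0.9"));
	return 0;
}
```

The point of keeping plen -1 rather than rejecting the input is visible in the match: 10.0.0.0/255.0.255.0 matches 10.77.0.9 but not 10.77.1.9, something no prefix length can express. A parser that rebuilt the mask from plen after the fallback would have thrown that information away.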
19 months ago  libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()
Phil Sutter [Tue, 28 Nov 2023 19:11:57 +0000 (20:11 +0100)] 
libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()

Allocation of the temporary array did not account for a terminating NULL
entry, causing array boundary overstepping in the called
xtables_merge_options(), causing spurious errors in extension parameter
parsing.

Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  man: Do not escape exclamation marks
Phil Sutter [Tue, 28 Nov 2023 12:29:17 +0000 (13:29 +0100)] 
man: Do not escape exclamation marks

This appears to be unnecessary; also, mandoc complains about it:

| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!

Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  nft: Leave interface masks alone when parsing from kernel
Phil Sutter [Fri, 17 Nov 2023 16:27:56 +0000 (17:27 +0100)] 
nft: Leave interface masks alone when parsing from kernel

The mask is entirely unused by nft-variants in general and legacy ones
when printing. It is relevant only when inserting a legacy rule into the
kernel as it doesn't detect the '+'-suffix.

Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  xshared: Do not populate interface masks per default
Phil Sutter [Sat, 18 Nov 2023 03:28:25 +0000 (04:28 +0100)] 
xshared: Do not populate interface masks per default

These are needed by legacy variants only, so introduce a simplified
xtables_parse_interface() replacement which does not deal with them and
a small function which sets the mask based on given interface name for
use by legacy tools.

Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  xshared: Entirely ignore interface masks when saving rules
Phil Sutter [Wed, 15 Nov 2023 12:55:08 +0000 (13:55 +0100)] 
xshared: Entirely ignore interface masks when saving rules

Rule printing code has done this for more than 20 years now, so assume it's
safe to rely upon the wildcard interface name to contain a '+' suffix.

Signed-off-by: Phil Sutter <phil@nwl.cc>
19 months ago  xshared: Simplify generic_opt_check()
Phil Sutter [Fri, 17 Nov 2023 12:33:15 +0000 (13:33 +0100)] 
xshared: Simplify generic_opt_check()

The option/command matrix does not contain any '+' entries anymore, so
each option/command combination is either allowed (and optional) or not.

Reduce the matrix to an array of unsigned ints which specify the
commands a given option is allowed with.

Signed-off-by: Phil Sutter <phil@nwl.cc>