Phil Sutter [Wed, 23 Apr 2025 10:36:13 +0000 (12:36 +0200)]
xshared: Accept an option if any given command allows it
Fixed commit made option checking overly strict: Some commands may be
commbined (foremost --list and --zero), reject a given option only if it
is not allowed by any of the given commands.
Reported-by: Adam Nielsen <a.nielsen@shikadi.net> Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 31 Jul 2024 19:28:11 +0000 (21:28 +0200)]
nft: Embed compat extensions in rule userdata
If enabled (via --compat flag or XTABLES_COMPAT env variable), attach
any extensions for which native nftables expressions are generated to
userdata. An earlier version of the tool trying to parse the
kernel-dumped ruleset may then fall back to these extensions if native
expression parsing fails.
Phil Sutter [Fri, 4 Oct 2024 19:23:25 +0000 (21:23 +0200)]
nft-ruleparse: Fallback to compat expressions in userdata
If parsing of a rule fails (e.g. due to an unknown native expression),
check if userdata contains a UDATA_TYPE_COMPAT_EXT attribute and retry
parsing the rule preferring the contained extensions instead of native
expressions.
Phil Sutter [Wed, 31 Jul 2024 13:56:12 +0000 (15:56 +0200)]
nft: __add_{match,target}() can't fail
These functions either call xtables_error() which terminates the process
or succeed - make them return void. While at it, export them as rule
parsing code will call them in future. Also make input parameter const,
they're not supposed to alter extension data.
Phil Sutter [Fri, 15 Nov 2024 18:55:32 +0000 (19:55 +0100)]
nft: Drop interface mask leftovers from post_parse callbacks
Fixed commit only adjusted the IPv4-specific callback for unclear
reasons.
Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
Jeremy Sowden [Mon, 18 Nov 2024 13:56:50 +0000 (13:56 +0000)]
nft: fix interface comparisons in `-C` commands
Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones. The
result of this is that they are zero. However, they are used to mask interfaces
in `is_same_interfaces`. Consequently, the masked values are alway zero, the
comparisons are always true, and check commands which ought to fail succeed:
# iptables -N test
# iptables -A test -i lo \! -o lo -j REJECT
# iptables -v -L test
Chain test (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
# iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
Remove the mask parameters from `is_same_interfaces`. Add a test-case.
Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
Jeremy Sowden [Fri, 8 Nov 2024 17:34:43 +0000 (17:34 +0000)]
ip[6]tables-translate: fix test failures when WESP is defined
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload. This is listed in Debian's /etc/protocols, which leads to
test failures:
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
Phil Sutter [Wed, 6 Nov 2024 14:24:45 +0000 (15:24 +0100)]
Makefile.am: Revert to old serial test harness
Running the different testsuites in parallel is dangerous since despite
running in different netns, legacy iptables still synchronizes via the
common XTABLES_LOCKFILE.
Fixes: e1eaa04e31e44 ("Makefile.am: Integrate testsuites") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 6 Nov 2024 14:18:36 +0000 (15:18 +0100)]
tests: iptables-test: Fix for 'make distcheck'
This was a tricky one: Since called from VPATH topdir, extensions/ do
not contain test files at all. The script consequently passed since 0
tests failed (of 0 in total).
Fix this by introducing TESTS_PATH which is extensions/ below the directory
of the running iptables-test.py. Keep EXTENSIONS_PATH as-is: The built
extensions are indeed there and XTABLES_LIBDIR must point to them.
Phil Sutter [Wed, 6 Nov 2024 14:55:29 +0000 (15:55 +0100)]
tests: shell: iptables/0010-wait_0 is unreliable
Sometimes the test would fail, especially after removing
/run/xtables.lock file. Looks like the supposedly blocking
iptables-restore coproc sometimes takes a moment to set things up.
Fixes: 63ab5b8906f69 ("iptables-legacy: Fix for mandatory lock waiting") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 31 Oct 2024 15:18:13 +0000 (16:18 +0100)]
ebtables: Clone extensions before modifying them
Upon identifying an extension option, ebt_command_default() would have
the extension parse the option prior to creating a copy for attaching to
the iptables_command_state object. After copying, the (modified)
initial extension's data was cleared.
This somewhat awkward process breaks with among match which increases
match_size if needed (but never reduces it). This change is not undone,
hence leaks into following instances. This in turn is problematic with
ebtables-restore only (as multiple rules are parsed) and specifically
when deleting rules as the potentially over-sized match_size won't match
the one parsed from the kernel.
A workaround would be to make bramong_parse() realloc the match also if
new size is smaller than the old one. This patch attempts a proper fix
though, by making ebt_command_default() copy the extension first and
parsing the option into the copy afterwards.
No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for
guided option parser"), ebtables relied upon the extension's parser
return code instead of checking option_offset, so copying the extension
opportunistically wasn't feasible.
Phil Sutter [Tue, 29 Oct 2024 11:21:54 +0000 (12:21 +0100)]
tests: shell: Fix for 'make distcheck'
The target performs a "VPATH build", so built binaries are not put into
the same directory tree as the test script itself. For lack of a better
way to detect this, assume $PWD in this situation remains being the
build tree's TLD and check if binaries are present in there.
tests: iptables-test: extend coverage for ip6tables
Update iptables-test.py to run libxt_*.t both for iptables and
ip6tables. For libxt_*.t tests, append the command name to status output
line. This update requires changes in the existing tests.
* Rename libxt_*.t into libipt_*.t and add libip6_*.t variant.
Phil Sutter [Tue, 22 Oct 2024 14:56:21 +0000 (16:56 +0200)]
tests: iptables-test: Fix for duplicate supposed-to-fail errors
Unexpected results for lines which are supposed to fail are reported
twice: Once when fast mode runs them individually to clear the path
before batch-handling all others, a second time when non-fast mode takes
over after fast mode had failed and runs all tests individually again.
Sort this nuisance by running these tests silently in fast mode, knowing
that they will run again if failing anyway.
Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 9 Oct 2024 16:43:34 +0000 (18:43 +0200)]
nft: Fix for -Z with bogus rule number
The command is supposed to fail if no rule at given index is found.
While at it, drop the goto and label which are unused since commit 9b896224e0bfc ("xtables: rework rule cache logic").
Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 1 Oct 2024 19:43:18 +0000 (21:43 +0200)]
tests: shell: Adjust for recent changes in libnftnl
libnftnl commit a96d5a338f24e ("rule: Don't append a newline when
printing a rule") affected nft (and iptables-nft) debug output in that
no extra newline is appended to rule bytecode output anymore. Tolerate
this in the sole test case it breaks by ignoring changes to blank lines.
Joshua Lant [Wed, 28 Aug 2024 12:47:31 +0000 (13:47 +0100)]
configure: Determine if musl is used for build
Error compiling with musl-libc:
The commit hash 810f8568f44f5863c2350a39f4f5c8d60f762958
introduces the netinet/ether.h header into xtables.h, which causes an error due
to the redefinition of the ethhdr struct, defined in linux/if_ether.h and
netinet/ether.h. This is fixed by the inclusion of -D__UAPI_DEF_ETHHDR=0 in
CFLAGS for musl. Automatically check for this macro, since it is defined
in musl but not in glibc.
Signed-off-by: Joshua Lant joshualant@gmail.com Signed-off-by: Phil Sutter <phil@nwl.cc>
Joshua Lant [Fri, 23 Aug 2024 09:22:06 +0000 (10:22 +0100)]
iptables: align xt_CONNMARK with current kernel headers
libxt_CONNMARK.c declares enum which is declared in the kernel header.
Modify the version of the header in the repo's include dir to match the
current kernel, and remove the enum declaration from xt_CONNMARK.c.
Phil Sutter [Wed, 31 Jul 2024 00:16:05 +0000 (02:16 +0200)]
nft: Reduce overhead in nft_rule_find()
When iterating through the list of rules in a chain comparing against a
sample, there is no point in carrying that sample as nftnl_rule object
and converting into iptables_command_state object prior to each
comparison. Just do it up front and adjust the callback accordingly.
Phil Sutter [Wed, 31 Jul 2024 21:07:48 +0000 (23:07 +0200)]
ebtables: Introduce nft_bridge_init_cs()
The custom init done by nft_rule_to_ebtables_command_state() (which is
also the reason for its existence in the first place) should better go
into an ebtables-specific init_cs callback. Properly calling it from
do_commandeb() then removes the need for that custom rule_to_cs
callback.
Phil Sutter [Wed, 31 Jul 2024 21:02:23 +0000 (23:02 +0200)]
ebtables: Zero freed pointers in ebt_cs_clean()
Trying to recycle an iptables_command_state object by calling first
clear_cs then init_cs callbacks causes invalid data accesses with
ebtables otherwise.
Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 26 Jul 2024 18:43:20 +0000 (20:43 +0200)]
ebtables: Omit all-wildcard interface specs from output
Regular code path doesn't hit this because the conversion to
libnftnl_rule takes care of it already. Future changes though will cause
iptables_command_state objects to be printed directly, making this
relevant.
The checks were wrong: nft_arp_init_cs() initializes masks to 65535, not
0. This went on unnoticed because nft_arp_add() does it right and
init_cs callback was not used in e.g. nft_arp_print_rule(). The last
patch adding init_cs() calls in potentially required spots exposed this
though.
Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 13:08:08 +0000 (15:08 +0200)]
nft: Add potentially missing init_cs calls
The callback is there for arptables only, so other family specific code
does not need it. Not calling it from family-agnostic code is wrong
though, as is ignoring it in arptables-specific code.
Fixes: cfdda18044d81 ("nft-shared: Introduce init_cs family ops callback") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 23 Jul 2024 19:31:34 +0000 (21:31 +0200)]
nft: cmd: Init struct nft_cmd::head early
Calling nft_cmd_free() in error case segfaults otherwise if the to be
freed object is not part of a list yet.
Exposed by commit eab75ed36a4f2 ("nft: Avoid memleak in error path of
nft_cmd_new()"), but belongs to commit a7f1e208cdf9c (and may go well
along with it).
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 26 Jul 2024 11:41:52 +0000 (13:41 +0200)]
extensions: conntrack: Use the right callbacks
These version-agnostic conntrack match aliases emulating the 'state'
extension introduced by commit 0d70163162589 ("libxt_state: replace as
an alias to xt_conntrack") had incompatible print and save callbacks
assigned. These callbacks expected struct xt_state_info in match->data
which is incompatible to any of the actual xt_conntrack_mtinfo* structs
used.
Fixes: b28d4dcc9f555 ("iptables: state match incompatibilty across versions") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 14:04:31 +0000 (16:04 +0200)]
nft: Fix for zeroing existent builtin chains
Previous attempt at fixing for non-existent chains actually broke
functionality by adding a check for NFTNL_CHAIN_HANDLE right after
unsetting the attribute.
The approach was flawed for another reason, too: Base chains added in
the same batch (cf. iptables-restore) have no handle either but zeroing
them may still be sensible.
Instead, make use of the new fake chain annotation which identifies
fakes more reliably.
Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 17:13:40 +0000 (19:13 +0200)]
nft: cache: Annotate faked base chains as such
To avoid pointless kernel ruleset modifications without too many
workarounds in user space, code sometimes adds "fake" base chains to
cache. Yet these fake entries happen to prevent base chain creation for
a following command which actually requires them. Fix this by annotating
the fake entries as such so *_builtin_init() functions may convert them
into real ones.
Phil Sutter [Sat, 20 Jul 2024 00:23:28 +0000 (02:23 +0200)]
extensions: recent: New kernels support 999 hits
Since kernel commit f4ebd03496f6 ("netfilter: xt_recent: Lift
restrictions on max hitcount value"), the max supported hitcount value
has increased significantly. Adjust the test to use a value which fails
on old as well as new kernels.
Phil Sutter [Tue, 16 Jul 2024 19:07:31 +0000 (21:07 +0200)]
nft: Fix for zeroing non-existent builtin chains
Trying to zero a specific rule in an entirely empty ruleset caused an
error:
| # nft flush ruleset
| # iptables-nft -Z INPUT
| iptables v1.8.10 (nf_tables): CHAIN_ZERO failed (No such file or directory): chain INPUT
To fix this, start by faking any non-existing builtin chains so verbose
mode prints all the would-be-flushed chains. Later set 'skip' flag if
given chain is a fake one (indicated by missing HANDLE attribute).
Finally cover for concurrent ruleset updates by checking whether the
chain exists.
This bug seems to exist for a long time already, Fixes tag identified
via git-bisect. This patch won't apply to such old trees though, but
calling nft_xt_builtin_init() from nft_chain_zero_counters() should work
there.
Fixes: a6ce0c65d3a39 ("xtables: Optimize nft_chain_zero_counters()") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 12 Jul 2024 18:30:10 +0000 (20:30 +0200)]
xtables-monitor: Print commands instead of -4/-6/-0 flags
The '-4' and '-6' flags are a rarely used feature of iptables-restore.
The '-0' flag is purely artificial and not recognized anywhere (at least
not as an arptables rule prefix in this sense). Finally, there is no
such flag for ebtables in the first place. Go with a more intuitively
clear approach and instead print the typical command which added the
rule being printed.
Phil Sutter [Fri, 12 Jul 2024 12:01:45 +0000 (14:01 +0200)]
xtables-monitor: Fix for ebtables rule events
Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".
Phil Sutter [Fri, 12 Jul 2024 11:03:18 +0000 (13:03 +0200)]
xtables-monitor: Flush stdout after all lines of output
Writing an xtables-monitor testsuite is pretty much impossible without
this due to unreliable output flushing. Just move the fflush() call from
trace_cb() to its caller so monitor events benefit from it as well.
Fixes: 07af4da52ab30 ("xtables-monitor: fix rule printing") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 12 Jul 2024 10:49:22 +0000 (12:49 +0200)]
xtables-monitor: Proper re-init for rule's family
When not running for a specific family only (via -4/-6 flags),
xtables-monitor potentially sees events/traces for all families. To
correctly parse rules when printing for NEWRULE, DELRULE or TRACE
messages, nft_handle has to be reinitialized for the rule's family.
It is not sufficient to reset nft_handle::ops: Some expression parsers
rely upon nft_handle::family to be properly set, too (cf. references to
'ctx->h->family in nft-ruleparse.c). Adjusting the 'afinfo' pointer
provided by libxtables is even more crucial, as e.g. do_parse() in
xshared.c relies upon it for the proper optstring.
This is actually a day-1 bug in xtables-monitor which surfaced due to
commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore
make this fix the commit it is following-up.
Phil Sutter [Wed, 12 Jun 2024 12:22:54 +0000 (14:22 +0200)]
ebtables: Include 'bitmask' value when comparing rules
The former FIXME comment pointed at the fact that struct ebt_entry does
not have a 'flags' field (unlike struct ipt_ip). In fact, ebt_entry's
equivalent is 'bitmask' field. Comparing that instead is the right
thing to do, even though it does not seem to make a difference in
practice: No rule options alter just the bitmask value, nor is it
possible to fill an associated field with default values (e.g. all-zero
MAC and mask).
Since the situation described above might change and there is a slight
performance improvement in some cases (e.g. comparing rules differing
only by specified/omitted source/dest MAC address), add the check
anyway.
Suggested-by: Michael Estner <michaelestner@web.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
Maxin B. John [Thu, 25 Apr 2024 08:51:02 +0000 (10:51 +0200)]
configure: Add option to enable/disable libnfnetlink
Default behavior (autodetecting) does not change, but specifying
either option would explicitly disable or enable libnfnetlink support,
and if the library is not found in the latter case, ./configure will error
out.
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 9 Apr 2024 13:38:14 +0000 (15:38 +0200)]
libxtables: Attenuate effects of functions' internal static buffers
While functions returning pointers to internal static buffers have
obvious limitations, users are likely unaware how they call each other
internally and thus won't notice unsafe use. One such case is calling
both xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as
parameters for a single printf() call.
Defuse this trap by avoiding the internal calls to
xtables_ip{,6}addr_to_numeric() which is easily doable since callers
keep their own static buffers already.
While being at it, make use of inet_ntop() everywhere and also use
INET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated)
static buffer sizes.
Phil Sutter [Tue, 9 Apr 2024 11:18:12 +0000 (13:18 +0200)]
xshared: Fix parsing of empty string arg in '-c' option
Calling iptables with '-c ""' resulted in a call to strchr() with an
invalid pointer as 'optarg + 1' points to past the buffer. The most
simple fix is to drop the offset: The global optstring part specifies a
single colon after 'c', so getopt() enforces a valid pointer in optarg.
If it contains a comma at first position, packet counter value parsing
will fail so all cases are covered.
Phil Sutter [Tue, 5 Mar 2024 16:02:56 +0000 (17:02 +0100)]
xlate: libip6t_mh: Fix and simplify plain '-m mh' match
Since core xlate code now ignores '-p mh' if an mh extension is also
present in the rule, mh extension has to emit the l4proto match itself.
Therefore emit the exthdr match irrespective of '-p' argument value just
like other IPv6 extension header matches do.
Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges") Signed-off-by: Phil Sutter <phil@nwl.cc>
This worked by searching protocol name in loaded matches, but that
approach is flawed as the protocol name and corresponding extension may
differ ("mobility-header" vs. "mh"). Improve this by searching for all
names (cached or resolved) for a given protocol number.
Phil Sutter [Thu, 29 Feb 2024 16:55:32 +0000 (17:55 +0100)]
xtables-translate: Leverage stored protocol names
Align output of ip(6)tables-translate for --protocol arguments with that
of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The
latter will consult xtables_chain_protos list first to make sure (the
right) names are used for "common" protocol values and otherwise falls
back to getprotobynumber() which it replaces here.
Phil Sutter [Tue, 27 Feb 2024 17:47:39 +0000 (18:47 +0100)]
nft: Fix for broken recover_rule_compat()
When IPv4 rule generator was changed to emit payload instead of
meta expressions for l4proto matches, the code reinserting
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
zeroing was broken by accident.
Make rule compat recovery aware of the alternative match, basically
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
with NFTA_RULE_COMPAT") but add a test case this time to make sure
things stay intact.
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 10 Jan 2024 14:26:59 +0000 (15:26 +0100)]
iptables-save: Avoid /etc/protocols lookups
Instrument proto_to_name() to abort if given protocol number is not
among the well-known ones in xtables_chain_protos. Along with
xtables_parse_protocol() preferring said array for lookups as well, this
ensures reliable dump'n'restore regardless of /etc/protocols contents.
Another benefit is rule dump performance. A simple test-case dumping
100k rules matching on dccp protocol shows an 8s delta (2s vs. 10s for
legacy, 0.5s vs. 8s for nft) with this patch applied. For reference:
| for variant in nft legacy; do
| (
| echo "*filter"
| for ((i = 0; i < 100000; i++)); do
| echo "-A FORWARD -p dccp -j ACCEPT"
| done
| echo "COMMIT"
| ) | iptables-${variant}-restore
| time iptables-${variant}-save | wc -l
| iptables-${variant} -F
| done
Phil Sutter [Wed, 10 Jan 2024 22:22:32 +0000 (23:22 +0100)]
libxtables: Add dccp and ipcomp to xtables_chain_protos
There are "protocol extensions" for both just like with TCP or UDP.
Caching their values allows for implicit extension lookup after '-p'
flag, for instance:
| iptables -A FORWARD -p dccp --dport 1
| iptables -A FORWARD -p ipcomp --ipcompspi 18
The patch's original intention is not entirely clear anymore. If it was
to reduce delays involved by calling getprotobynumber() though, commit b6196c7504d4d ("xshared: Prefer xtables_chain_protos lookup over
getprotoent") avoids those if --numeric flag was given already. Also,
this numeric protocol output did not cover iptables-save which is a more
relevant candidate for such optimizations anyway.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1729 Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 26 Jan 2024 00:50:22 +0000 (01:50 +0100)]
libxtables: xtoptions: Respect min/max values when completing ranges
If an extension defines a minimum/maximum valid value for an option's
range argument, treat this as the lower/upper boundary to use when
completing (half) open ranges.
Phil Sutter [Thu, 1 Feb 2024 14:47:09 +0000 (15:47 +0100)]
extensions: esp: Save/xlate inverted full ranges
Also add a translation for plain '-m esp' match which depends on the
address family: While ip6tables-translate may emit an exthdr exists
match, iptables-translate must stick to meta l4proto.
Fixes: 6cfa723a83d45 ("extensions: libxt_esp: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 1 Feb 2024 14:42:10 +0000 (15:42 +0100)]
extensions: mh: Save/xlate inverted full ranges
Also translate '-m mh' into an exthdr exists match unless '-p mh' is
also present. The latter is converted into 'meta l4proto mh' which might
need fixing itself at a later point.
Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 1 Feb 2024 14:27:03 +0000 (15:27 +0100)]
extensions: ah: Save/xlate inverted full ranges
While at it, fix xlate output for plain '-m ah' matches: With
ip6tables-translate, one should emit an extdhr exists match since
ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate,
a simple 'meta l4proto ah' was missing.
Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'") Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 24 Jan 2024 22:29:46 +0000 (23:29 +0100)]
libxtables: xtoptions: Assert ranges are monotonic increasing
Extensions commonly require the upper range value to be larger or equal
to the lower one. Performing this check in the parser is easier and
covers all extensions at once.
One notable exception is NFQUEUE which requires strict monotonicity.
Hence leave its checks in place.
Phil Sutter [Thu, 25 Jan 2024 01:12:24 +0000 (02:12 +0100)]
extensions: *.t/*.txlate: Test range corner-cases
For every extension option accepting a range, test open and half-open as
well as single element and invalid (negative) ranges.
The added tests merely reflect the status quo, not the expected outcome.
Following patches will fix results and the already existing test cases
highlight the fixes' effects.
projects / thirdparty / iptables.git / log
