#IPTABLES_SAVE = ['xtables-save','-4']
#IP6TABLES_SAVE = ['xtables-save','-6']
-COMPAT_ARG = ""
-
EXTENSIONS_PATH = "extensions"
LOGFILE="/tmp/iptables-test.log"
log_file = None
'''
ret = 0
- cmd = iptables + COMPAT_ARG + " -A " + rule
+ cmd = iptables + " -A " + rule
ret = execute_cmd(cmd, filename, lineno, netns)
#
# load all rules via iptables_restore
- command = EXECUTABLE + " " + iptables + "-restore" + COMPAT_ARG
+ command = EXECUTABLE + " " + iptables + "-restore"
if netns:
command = "ip netns exec " + netns + " " + command
help='Check for missing tests')
parser.add_argument('-n', '--nftables', action='store_true',
help='Test iptables-over-nftables')
- parser.add_argument('-c', '--nft-compat', action='store_true',
- help='Test iptables-over-nftables in compat mode')
parser.add_argument('-N', '--netns', action='store_const',
const='____iptables-container-test',
help='Test netnamespace path')
variants.append("legacy")
if args.nftables:
variants.append("nft")
- if args.nft_compat:
- variants.append("nft_compat")
if len(variants) == 0:
- variants = [ "legacy", "nft", "nft_compat" ]
+ variants = [ "legacy", "nft" ]
if os.getuid() != 0:
print("You need to be root to run this, sorry", file=sys.stderr)
total_tests = 0
for variant in variants:
global EXECUTABLE
- global COMPAT_ARG
- if variant == "nft_compat":
- EXECUTABLE = "xtables-nft-multi"
- COMPAT_ARG = " --compat"
- else:
- EXECUTABLE = "xtables-" + variant + "-multi"
+ EXECUTABLE = "xtables-" + variant + "-multi"
test_files = 0
tests = 0
.SH NAME
arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
-.BR arptables\-restore " [" --compat ]
+\fBarptables\-restore
.SH DESCRIPTION
+.PP
.B arptables-restore
is used to restore ARP Tables from data specified on STDIN or
via a file as first argument.
-Use I/O redirection provided by your shell to read from a file.
-.P
+Use I/O redirection provided by your shell to read from a file
+.TP
.B arptables-restore
flushes (deletes) all previous contents of the respective ARP Table.
-.TP
-.BR -C , " --compat"
-Create rules in a mostly compatible way, enabling older versions of
-\fBarptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
-
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
\fBarptables\-save\fP(8), \fBarptables\fP(8)
+.PP
.B APPEND,
.B REPLACE
operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-\-compat\fP
-Create rules in a mostly compatible way, enabling older versions of
-\fBarptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SS RULE-SPECIFICATIONS
The following command line arguments make up a rule specification (as used
.TP
.B --concurrent
Use a file lock to support concurrent scripts updating the ebtables kernel tables.
-.TP
-.B --compat
-Create rules in a mostly compatible way, enabling older versions of
-\fBebtables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SS
RULE SPECIFICATIONS
.P
ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.P
-\fBip6tables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.SH DESCRIPTION
.TP
\fB\-T\fP, \fB\-\-table\fP \fIname\fP
Restore only the named table even if the input stream contains other ones.
-.TP
-\fB\-C\fP, \fB\-\-compat\fP
-This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If
-set, rules will be created in a mostly compatible way, enabling older versions
-of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SH BUGS
None known as of iptables-1.2.1 release
.SH AUTHORS
\fB\-\-modprobe=\fP\fIcommand\fP
When adding or inserting rules into a chain, use \fIcommand\fP
to load any necessary modules (targets, match extensions, etc).
-.TP
-\fB\-\-compat\fP
-This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If
-set, rules will be created in a mostly compatible way, enabling older versions
-of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SH LOCK FILE
iptables uses the \fI@XT_LOCK_NAME@\fP file to take an exclusive lock at
else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
ret = add_verdict(r, NFT_RETURN);
else
- ret = add_target(h, r, cs->target->t);
+ ret = add_target(r, cs->target->t);
} else if (strlen(cs->jumpto) > 0) {
/* No goto in arptables */
ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
return 0;
}
-static int _add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs)
+static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
{
const char *table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE);
}
}
- return add_action(h, r, cs, false);
+ return add_action(r, cs, false);
}
static int
if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m))
break;
} else {
- if (add_target(h, r, iter->u.watcher->t))
+ if (add_target(r, iter->u.watcher->t))
break;
}
}
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return _add_action(h, r, cs);
+ return _add_action(r, cs);
}
static bool nft_rule_to_ebtables_command_state(struct nft_handle *h,
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(h, r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
+ return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
}
static bool nft_ipv4_is_same(const struct iptables_command_state *a,
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(h, r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
+ return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
}
static bool nft_ipv6_is_same(const struct iptables_command_state *a,
for (i = 0; i < len; i++) {
if (m[i] != 0xff) {
- bitwise = h->compat || m[i] != 0;
+ bitwise = m[i] != 0;
break;
}
}
case NFT_COMPAT_RULE_APPEND:
case NFT_COMPAT_RULE_INSERT:
case NFT_COMPAT_RULE_REPLACE:
- if (!strcmp(m->u.user.name, "among"))
- return add_nft_among(h, r, m);
- else if (h->compat)
- break;
- else if (!strcmp(m->u.user.name, "limit"))
+ if (!strcmp(m->u.user.name, "limit"))
return add_nft_limit(r, m);
+ else if (!strcmp(m->u.user.name, "among"))
+ return add_nft_among(h, r, m);
else if (!strcmp(m->u.user.name, "udp"))
return add_nft_udp(h, r, m);
else if (!strcmp(m->u.user.name, "tcp"))
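Review bot: The `among` test is moved below `limit` on the new side even though the only functional change in this hunk is dropping the `h->compat` short-circuit; both names are distinct literals, so the order does not affect behaviour, but the swap turns a two-line deletion into a reorder that complicates blame and backports. Keeping the original order, `if (!strcmp(m->u.user.name, "among")) return add_nft_among(h, r, m);` followed by the existing `limit` branch, leaves the hunk as a pure removal of the compat bypass. The enclosing switch and function begin outside the hunk.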
return 0;
}
-int add_target(struct nft_handle *h, struct nftnl_rule *r,
- struct xt_entry_target *t)
+int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
{
struct nftnl_expr *expr;
int ret;
- if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
+ if (strcmp(t->u.user.name, "TRACE") == 0)
return add_meta_nftrace(r);
expr = nftnl_expr_alloc("target");
return 0;
}
-int add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs, bool goto_set)
+int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
+ bool goto_set)
{
int ret = 0;
else if (strcmp(cs->jumpto, "NFLOG") == 0)
ret = add_log(r, cs);
else
- ret = add_target(h, r, cs->target->t);
+ ret = add_target(r, cs->target->t);
} else if (strlen(cs->jumpto) > 0) {
/* Not standard, then it's a go / jump to chain */
if (goto_set)
struct list_head cmd_list;
bool cache_init;
int verbose;
- bool compat;
/* meta data, for error reporting */
struct {
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
struct nftnl_rule *r, struct xt_entry_match *m);
-int add_target(struct nft_handle *h, struct nftnl_rule *r,
- struct xt_entry_target *t);
+int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
-int add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs, bool goto_set);
+int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
char *get_comment(const void *data, uint32_t data_len);
+++ /dev/null
-#!/bin/bash
-
-[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
-
-set -e
-
-# reduce noise in debug output
-$XT_MULTI iptables -t raw -A OUTPUT
-$XT_MULTI iptables -t raw -F
-
-# add all the things which were "optimized" here
-RULE='-t raw -A OUTPUT'
-
-# prefix matches on class (actually: byte) boundaries no longer need a bitwise
-RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
-
-# these were turned into native matches meanwhile
-# (plus -m tcp, but it conflicts with -m udp)
-RULE+=' -m limit --limit 1/min'
-RULE+=' -p udp -m udp --sport 1024:65535'
-RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
-RULE+=' -j TRACE'
-
-EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
-ip raw OUTPUT'
-
-EXPECT="$EXPECT_COMMON
- [ payload load 1b @ network header + 12 => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 2b @ network header + 16 => reg 1 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ limit rate 1/minute burst 5 type packets flags 0x0 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ range eq reg 1 0x00000004 0x0000ffff ]
- [ meta load mark => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
- [ cmp eq reg 1 0xfeedcafe ]
- [ counter pkts 0 bytes 0 ]
- [ immediate reg 9 0x00000001 ]
- [ meta set nftrace with reg 9 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
-
-EXPECT="$EXPECT_COMMON
- [ payload load 4b @ network header + 12 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ match name limit rev 0 ]
- [ match name udp rev 0 ]
- [ match name mark rev 1 ]
- [ counter pkts 0 bytes 0 ]
- [ target name TRACE rev 0 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)
printf(
" --modprobe=<command> try to insert modules using this command\n"
" --set-counters -c PKTS BYTES set the counter during insert/append\n"
-"[!] --version -V print package version\n"
-" --compat create rules compatible for parsing with old binaries\n");
+"[!] --version -V print package version.\n");
if (afinfo->family == NFPROTO_ARP) {
int i;
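Review bot: The rewritten usage entry ends with a period, `"[!] --version -V print package version.\n"`, while the neighbouring `--modprobe` and `--set-counters` lines in the same printf do not, so the help output is no longer uniform. Drop the period, `"[!] --version -V print package version\n");`, which also matches the `--version` wording kept in the ebtables help text elsewhere in this patch. The enclosing function starts outside the hunk.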
exit_tryhelp(2, p->line);
- case 15: /* --compat */
- p->compat = true;
- break;
-
case 1: /* non option */
if (optarg[0] == '!' && optarg[1] == '\0') {
if (invert)
int line;
int verbose;
bool xlate;
- bool compat;
struct xt_cmd_parse_ops *ops;
};
{ "line-numbers", 0, 0, '0' },
{ "modprobe", 1, 0, 'M' },
{ "set-counters", 1, 0, 'c' },
- { "compat", 0, 0, 15 },
{ 0 }
};
{ "init-table" , no_argument , 0, 11 },
{ "concurrent" , no_argument , 0, 13 },
{ "check" , required_argument, 0, 14 },
- { "compat" , no_argument , 0, 15 },
{ 0 }
};
"--modprobe -M program : try to insert modules using this program\n"
"--concurrent : use a file lock to support concurrent scripts\n"
"--verbose -v : verbose mode\n"
-"--version -V : print package version\n"
-"--compat : create rules compatible for parsing with old binaries\n\n"
+"--version -V : print package version\n\n"
"Environment variable:\n"
/*ATOMIC_ENV_VARIABLE " : if set <FILE> (see above) will equal its value"*/
"\n\n");
return 1;
case 13 :
break;
- case 15:
- h->compat = true;
- break;
case 1 :
if (!strcmp(optarg, "!"))
ebt_check_inverse2(optarg, argc, argv);
/* Keeping track of external matches and targets. */
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "compat", .has_arg = false, .val = 'C'},
{.name = "verbose", .has_arg = false, .val = 'v'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "test", .has_arg = false, .val = 't'},
static void print_usage(const char *name, const char *version)
{
- fprintf(stderr, "Usage: %s [-c] [-C] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n"
+ fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n"
" [ --counters ]\n"
- " [ --compat ]\n"
" [ --verbose ]\n"
" [ --version]\n"
" [ --test ]\n"
.cb = &restore_cb,
};
bool noflush = false;
- bool compat = false;
struct nft_handle h;
int c;
exit(1);
}
- while ((c = getopt_long(argc, argv, "bcCvVthnM:T:wW", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcvVthnM:T:wW", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
case 'c':
counters = 1;
break;
- case 'C':
- compat = true;
- break;
case 'v':
verbose++;
break;
}
h.noflush = noflush;
h.restore = true;
- h.compat = compat;
xtables_restore_parse(&h, &p);
};
static const struct option ebt_restore_options[] = {
- {.name = "compat", .has_arg = 0, .val = 'C'},
{.name = "noflush", .has_arg = 0, .val = 'n'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
{ 0 }
.cb = &ebt_restore_cb,
};
bool noflush = false;
- bool compat = false;
struct nft_handle h;
int c;
- while ((c = getopt_long(argc, argv, "Cnv",
+ while ((c = getopt_long(argc, argv, "nv",
ebt_restore_options, NULL)) != -1) {
switch(c) {
- case 'C':
- compat = true;
- break;
case 'n':
noflush = 1;
break;
break;
default:
fprintf(stderr,
- "Usage: ebtables-restore [ --compat ] [ --verbose ] [ --noflush ]\n");
+ "Usage: ebtables-restore [ --verbose ] [ --noflush ]\n");
exit(1);
break;
}
nft_init_eb(&h, "ebtables-restore");
h.noflush = noflush;
- h.compat = compat;
xtables_restore_parse(&h, &p);
nft_fini_eb(&h);
.chain_restore = nft_cmd_chain_restore,
};
-static const struct option arp_restore_options[] = {
- {.name = "compat", .has_arg = 0, .val = 'C'},
- { 0 }
-};
-
int xtables_arp_restore_main(int argc, char *argv[])
{
struct nft_xt_restore_parse p = {
.in = stdin,
.cb = &arp_restore_cb,
};
- bool compat = false;
struct nft_handle h;
- int c;
-
- while ((c = getopt_long(argc, argv, "C",
- arp_restore_options, NULL)) != -1) {
- switch(c) {
- case 'C':
- compat = true;
- break;
- default:
- fprintf(stderr,
- "Usage: arptables-restore [ --compat ]\n");
- exit(1);
- break;
- }
- }
nft_init_arp(&h, "arptables-restore");
- h.compat = compat;
xtables_restore_parse(&h, &p);
nft_fini(&h);
xtables_fini();
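Review bot: Removing the whole getopt_long loop from xtables_arp_restore_main leaves argc and argv unused, so any option on the command line (including a stale `--compat` from an existing script, or a typo) is now silently accepted and the tool proceeds to read stdin, whereas the removed default branch printed usage and exited with 1. The intent of dropping `-C` is fine, but argument validation should survive it: keep a minimal loop that rejects anything getopt_long returns. As written below this needs `int c` back, which the hunk also deletes; the function's closing brace lies outside the hunk.
```c
int xtables_arp_restore_main(int argc, char *argv[])
{
	/* … unchanged: struct nft_xt_restore_parse p = { … } … */
	struct nft_handle h;
	int c;

	/* No options are accepted any more; still reject unknown ones rather
	 * than silently reading stdin with a stale or mistyped command line. */
	while ((c = getopt_long(argc, argv, "", NULL, NULL)) != -1) {
		fprintf(stderr, "Usage: arptables-restore\n");
		exit(1);
	}
	/* … unchanged: nft_init_arp(), xtables_restore_parse(), teardown … */
```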
{.name = "goto", .has_arg = 1, .val = 'g'},
{.name = "ipv4", .has_arg = 0, .val = '4'},
{.name = "ipv6", .has_arg = 0, .val = '6'},
- {.name = "compat", .has_arg = 0, .val = 15 },
{NULL},
};
do_parse(argc, argv, &p, &cs, &args);
h->verbose = p.verbose;
- h->compat = p.compat;
if (!nft_table_builtin_find(h, p.table))
xtables_error(VERSION_PROBLEM,