shell$ xtables -6 -I INPUT -p tcp --dport 22 -j ACCEPT
xtables v1.4.15: -f is not valid on IPv6
Try `xtables -h' or 'xtables --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables-standalone.c: In function ‘xtables_main’:
xtables-standalone.c:64:2: warning: implicit declaration of function ‘do_commandx’ [-Wimplicit-function-declaration]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tomasz Bursztyka [Sun, 13 Jan 2013 15:42:11 +0000 (16:42 +0100)]
xtables: add IPv6 support
Summary of changes to add IPv6 support to the xtables utility:
* modify all commands (add, delete, replace, check and listing) to
support IPv6 addresses.
And for the internal nft library:
* add family to struct nft_handle and modify all callers to use this
family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 address.
Pablo added several improvements to this patch:
* added basic xtables-save and xtables-restore support (so it defaults
to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make
this consistent with IPv4).
Note that we use one single xtables binary utility for IPv4 and IPv6.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In order to emulate the iptables behaviour, this patch changes
the current behaviour to:
1st) check if the table and chains are built-in.
2nd) If they don't exist, create them. If they exist, don't touch
them.
The automatic creation happens in the -I and -P paths.
We should provide a new command to allow to delete (unregister)
built-in tables and chains. It would be similar to unloading
the iptable_X module that registers the custom table.
This is not done for other commands like -C or -D since they
will fail while trying to find the rule in the kernel if such
combination of chain and table does not exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
They all use Patrick's nf_tables infrastructure plus my compatibility
layer.
xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.
Semantics aim to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.
However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get operation similar
to that of iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 28 Aug 2013 07:32:44 +0000 (09:32 +0200)]
utils: add nfsynproxy tool
[ Originally synconf, but Jesper D. Brouer suggested to change
the name to avoid a possible filename clash. I also include
nfsynproxy in the final configure report --pablo ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_cluster: add note on arptables-jf
Gao feng reported problems while getting the cluster match working with
arptables. This patch adds a note in the manpage to warn about the arptables-jf
syntax, which is different from mainstream arptables.
Reported-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kevin Cernekee [Sat, 2 Nov 2013 04:08:34 +0000 (21:08 -0700)]
ip6tables: Use consistent exit code for EAGAIN
As of commit 056564f6a (Add new exit value to indicate concurrency
issues), the IPv4 iptables binary returns exit status 4 to indicate that
the kernel returned EAGAIN when trying to update a table. But ip6tables
still returns exit status 1 under the same circumstances. Update
ip6tables to bring it in line with iptables behavior.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Tue, 8 Oct 2013 16:20:15 +0000 (09:20 -0700)]
iptables: spurious error in load_extension
In commit 927385017047d (iptables: improve error reporting with extension
loading troubles), a new error message was added in an attempt to handle
the case where a match does not support a particular protocol family.
For instance, attempting to use the osf match on IPv6.
Unfortunately, this error message now triggers when creating a new chain
which has the same name as a match extension, because iptables calls
xtables_find_target with the name of the new chain to verify it does not
clash with an existing target. For example:
# iptables -N tcp
/usr/lib/xtables/libxt_tcp.so: no "tcp" extension found for this protocol
I attempted to resolve this by adding a new XTF flag, but that required changes
in many different places (including -j handling). It seems easiest just to
remove this warning and stick with the original error message of ENOENT, even
if less than precise.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Sat, 5 Oct 2013 16:33:15 +0000 (09:33 -0700)]
iptables: improve chain name validation
As pointed out by Andrew Domaszek, iptables allows whitespace to be included in
chain names. This causes issues with iptables-restore, and later iptables
actions on the chain. Attached patch disallows whitespace, and also consolidates
all chain name checking into a new function.
This closes netfilter bugzilla #855.
[ Included ip6tables changed as well --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Thu, 26 Sep 2013 16:06:58 +0000 (09:06 -0700)]
libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
As pointed out by Peter Hoelsken, rules created with non-standard
masks such as 0.255.0.0, 0.0.255.0, etc. are displayed when output
with iptables -L in CIDR notation as -1. This is because the cidr
variable in xtables_ipmask_to_numeric is unsigned, and the return
value of -1 from xtables_ipmask_to_cidr is therefore converted to
UINT_MAX. Add a cast to work around the issue.
This closes netfilter bugzilla #854.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
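The signed/unsigned pitfall described in the commit message above, reconstructed as an added example (this is not the libxtables source). The names `mask_to_cidr`, `dotted`, `mask_to_text_buggy` and `mask_to_text_fixed` are hypothetical, and the `< 0` comparison in the buggy variant is an assumption about how the -1 sentinel went undetected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for xtables_ipmask_to_cidr(): prefix length of a
 * host-byte-order IPv4 mask, or -1 if the set bits are not contiguous. */
static int mask_to_cidr(uint32_t mask)
{
    int bits = 0;
    for (; mask & 0x80000000u; mask <<= 1)
        bits++;
    return mask == 0 ? bits : -1;
}

static void dotted(uint32_t m, char *buf, size_t len)
{
    snprintf(buf, len, "/%u.%u.%u.%u", (unsigned)(m >> 24),
             (unsigned)((m >> 16) & 0xff), (unsigned)((m >> 8) & 0xff), (unsigned)(m & 0xff));
}

/* Defect: -1 stored in an unsigned variable; the "< 0" test is an assumption. */
const char *mask_to_text_buggy(uint32_t mask, char *buf, size_t len)
{
    uint32_t cidr = mask_to_cidr(mask);       /* -1 becomes UINT_MAX */
    if (cidr < 0)                             /* never true when unsigned */
        dotted(mask, buf, len);
    else
        snprintf(buf, len, "/%d", (int)cidr); /* shows up as "/-1" */
    return buf;
}

/* Workaround: compare against the sentinel cast to the variable's type. */
const char *mask_to_text_fixed(uint32_t mask, char *buf, size_t len)
{
    uint32_t cidr = mask_to_cidr(mask);
    if (cidr == (uint32_t)-1)                 /* non-contiguous mask */
        dotted(mask, buf, len);
    else
        snprintf(buf, len, "/%u", (unsigned)cidr);
    return buf;
}

int main(void)
{
    char a[32], b[32];
    printf("buggy %s, fixed %s\n", mask_to_text_buggy(0x00ff0000u, a, sizeof a),
           mask_to_text_fixed(0x00ff0000u, b, sizeof b));
    return 0;
}
```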
Jan Engelhardt [Tue, 13 Aug 2013 19:02:06 +0000 (21:02 +0200)]
iptables: link against libnetfilter_conntrack
Linking currently fails in --enable-static case:
../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
[..]
It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
therefore producing no harm to include unconditionally.
Laurence J. Lane [Sun, 18 Aug 2013 23:41:40 +0000 (19:41 -0400)]
iptables: libip(6)t_REJECT.man default icmp types
The extension man page shows "port-unreach" and "port-unreachable" as
default icmpv6 and icmp reject-with types. Either and variations work
fine for writing rules, but they are displayed as "icmp6-port-unreachable"
and "icmp-port-unreachable". Let's make that consistent.
http://bugs.debian.org/644819
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip[6]tables: fix incorrect alignment in commands_v_options
CMD_ZERO_NUM is 14, so it has to be defined in position 15 in the
commands_v_options array. This does not manifest easily since
commands from 9 to 14 have a very similar pattern in such array.
Based on this patch: http://patchwork.ozlabs.org/patch/188153/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Wed, 7 Aug 2013 23:44:49 +0000 (16:44 -0700)]
iptables: state match incompatibility across versions
As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).
Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.
Lutz Jaenicke [Wed, 7 Aug 2013 08:09:16 +0000 (10:09 +0200)]
iptables: correctly reference generated file
Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)
Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
A couple of improvements to the iptables man page never made it into
ip6tables version.
The number of differences between these two files is so small that
it seems preferable to alias the ipv6 man pages to their ipv4 counterpart
and change iptables man page to specifically document differences
(e.g. lack of ip6tables -f, etc).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man
... and remove the QUEUE snippets from ip(6)tables man page,
the queue target was replaced by nfqueue years ago.
Fix up a couple of needless differences in ip(6)tables.8, too.
Phil Oester [Sun, 21 Jul 2013 15:30:49 +0000 (08:30 -0700)]
build: additional include path required after UAPI changes
After kernel commit 607ca46e (UAPI: (Scripted) Disintegrate
include/linux), using the "--with-kernel" argument to build iptables
stopped working due to the missing #ifdefs in the original files.
We need to make sure the UAPI include dir is listed before the
original location. Leaving both allows support for old and new
kernels.
This fixes bug #833.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connlabel: use libnetfilter_conntrack
Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.
The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).
Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.
So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.
Russell Senior [Sat, 13 Jul 2013 10:08:07 +0000 (10:08 +0000)]
libxt_recent: restore reap functionality to recent module
The reap functionality appears to have been accidentally disabled
by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15
and later. This adds a patch to restore reap functionality for
recent_opts_v1.
ip{6}tables-restore: fix breakage due to new locking approach
Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:
iptables-restore < x
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.
Fix it by bypassing the locking in the ip{6}tables-restore path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Mon, 10 Jun 2013 09:35:44 +0000 (05:35 -0400)]
iptables: Fix connlabel.conf install location
As reported by Danny Rawlins in bug #828, connlabel.conf is
unconditionally installed in /etc/xtables instead of using
prefix set at configure time. Fix to use sysconfdir variable.
This closes bugzilla #828.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Fri, 31 May 2013 13:07:04 +0000 (09:07 -0400)]
ip[6]tables: Add locking to prevent concurrent instances
There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:
325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts
As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."
I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.
Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
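The abstract-socket lock described in the commit message above, as an added example that is not the ip[6]tables implementation. The function `abstract_lock_acquire` and the lock name are hypothetical, and the code is Linux-only because it relies on the abstract socket namespace.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical lock name; the name ip[6]tables binds is not given on the page. */
#define LOCK_NAME "example-ruleset-lock"

/* Bind an abstract UNIX socket (sun_path[0] == '\0') as a mutex. Returns the
 * fd holding the lock, or a negative errno (-EADDRINUSE when already held).
 * No file is created; the kernel frees the name when the fd is closed. */
int abstract_lock_acquire(const char *name)
{
    struct sockaddr_un addr;
    size_t n = strlen(name);
    int fd, err;

    if (n == 0 || n > sizeof(addr.sun_path) - 1)
        return -EINVAL;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path + 1, name, n);      /* byte 0 stays NUL: abstract namespace */
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&addr,
             (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n)) < 0) {
        err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

int main(void)
{
    int first = abstract_lock_acquire(LOCK_NAME);
    int second = abstract_lock_acquire(LOCK_NAME);   /* same namespace: refused */

    printf("first=%d second=%d (EADDRINUSE=%d)\n", first, second, EADDRINUSE);
    if (first >= 0)
        close(first);                                 /* releasing is just close() */
    return first >= 0 && second == -EADDRINUSE ? 0 : 1;
}
```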
Introduce a new revision for the set match with the counters support
The revision adds support for matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.
Phil Oester [Mon, 27 May 2013 06:55:11 +0000 (06:55 +0000)]
xtables: improve get_modprobe handling
In bug #455, Dmitry V. Levin proposed a more robust get_modprobe
implementation. The patch below is a version of his patch,
updated to apply to current git.
This closes bug #455.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
Andy Spencer [Sun, 19 May 2013 17:01:06 +0000 (17:01 +0000)]
iptables: use autoconf to process .in man pages
This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@
was not processed in the VERSION section. It also simplifies the
Makefile by avoiding some sed commands.
[ Mangled this patch to rename iptables-extensions.8.in to
iptables-extensions.8.tmpl.in to avoid having a file whose name
is terminated by .in.in --pablo ]
Signed-off-by: Andy Spencer <andy753421@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>