Phil Sutter [Wed, 1 Jun 2022 17:24:41 +0000 (19:24 +0200)]
xshared: Make some functions static
With all ip(6)tables variants using the same do_parse() function, quite
a bunch of functions are not used outside of xshared.c anymore. Make them
static.
Phil Sutter [Tue, 7 Jun 2022 16:07:00 +0000 (18:07 +0200)]
arptables: Support -x/--exact flag
Legacy arptables accepts but ignores the flag. Yet there are remains of
the functionality in sources, like OPT_EXPANDED define and a print_num()
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
arptables, just enable the feature for it.
The functions are used for static builds to initialize extensions after
libxtables init. Regular library users should not need them, but the
empty declarations introduced in #else case (and therefore present in
user's env) may clash with existing symbol names.
Avoid problems and guard the whole block declaring the function
prototypes and mangling extensions' _init functions by XTABLES_INTERNAL.
Reported-by: Nick Hainke <vincent@systemli.org> Fixes: 6c689b639cf8e ("Simplify static build extension loading") Signed-off-by: Phil Sutter <phil@nwl.cc>
Ben Brown [Wed, 25 May 2022 15:26:13 +0000 (16:26 +0100)]
build: Fix error during out of tree build
Fixes the following error:
../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
52 | #include <libiptc/linux_list.h>
Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table") Signed-off-by: Ben Brown <ben@demerara.io> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 18 May 2022 14:04:09 +0000 (16:04 +0200)]
Revert "fix build for missing ETH_ALEN definition"
This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
compiling against musl libc. Might be a bug in the latter, but for the
time being try to please both by avoiding the include and instead
defining ETH_ALEN if unset.
While being at it, move netinet/ether.h include up.
Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Maciej Żenczykowski <maze@google.com>
Nick Hainke [Mon, 16 May 2022 16:16:41 +0000 (18:16 +0200)]
treewide: use uint* instead of u_int*
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 4 May 2022 09:19:16 +0000 (11:19 +0200)]
nft: Fix EPERM handling for extensions without rev 0
Treating revision 0 as compatible in EPERM case works fine as long as
there is a revision 0 of that extension defined in DSO. Fix the code for
others: Extend the EPERM handling to all revisions and keep the existing
warning for revision 0.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 16 Apr 2022 12:21:51 +0000 (14:21 +0200)]
man: *NAT: Review --random* option descriptions
Stating the option again in the first (single?) sentence is pointless.
Get rid of that initial half-sentence in MASQUERADE options and unify
the texts a bit.
Phil Sutter [Thu, 14 Apr 2022 15:44:08 +0000 (17:44 +0200)]
extensions: DNAT: Merge core printing functions
Have a versatile __NAT_print() function providing enough flexibility for
DNAT and REDIRECT, IPv4 and IPv6 and 'print' and 'save' output. Then
define macros to simplify calling it.
As a side effect, this fixes ip6tables DNAT revision 1 print output.
Fixes: 14d77c8aa29a7 ("extensions: Merge IPv4 and IPv6 DNAT targets") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 5 May 2022 22:11:47 +0000 (00:11 +0200)]
libxtables: Revert change to struct xtables_pprot
While protocol values may exceed eight bits, the data structure is
indeed used only to store the static list of name/value pairs for faster
lookups. None of those has such a value and if one is added in future,
the compiler will complain about it.
So restore the old field type to retain binary compatibility.
Fixes: 556f704458cdb ("Use proto_to_name() from xshared in more places") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 5 May 2022 16:13:12 +0000 (18:13 +0200)]
xshared: Extend xtables_printhelp() for arptables
The function checks afinfo->family already to cover ip6tables specifics,
doing the same for arptables does not make things much worse.
This changes arptables-nft help output slightly:
* List possible negations extrapositioned, which is preferred anyway
(arptables-nft supports both)
* List --out-interface option at lexically sorted position
* Print --wait option, it's ignored just like with iptables
* Restore default target option printing as with legacy arptables (not
sure if arptables-nft ever did this) by explicitly loading them.
While being at it, add --set-counters short option '-c' to help output
for ip(6)tables.
This effectively removes the need for (and all users of)
xtables_global's 'print_help' callback, thus effectively reverts commit fe83b12fc910e ("libxtables: Introduce xtables_globals print_help
callback") which broke libxtables' ABI compatibility.
Phil Sutter [Wed, 19 Jan 2022 00:59:09 +0000 (01:59 +0100)]
extensions: Merge IPv4 and IPv6 DNAT targets
Make parse_to() family-aware so it serves for both IPv4 and IPv6. Have a
core _DNAT_parse() function which parses into the most modern
(nf_nat_range2) data structure and a bunch of wrappers to copy into
legacy data structures if needed. Treat other callbacks analogous.
Phil Sutter [Tue, 29 Mar 2022 22:11:14 +0000 (00:11 +0200)]
extensions: ipt_DNAT: Merge v1/v2 print/save code
Turn print_range() function into sprint_range() so it becomes more
versatile. Make it accept the new nf_nat_range2 data structure and
make v1 callers convert their nf_nat_ipv4_multi_range_compat structs
to that.
This allows to introduce an inner __DNAT_print() which acts for v1 and
v2 and prints either 'print' or 'save' syntax.
Phil Sutter [Mon, 10 Jan 2022 15:39:53 +0000 (16:39 +0100)]
extensions: ipt_DNAT: Merge v1 and v2 parsers
Use v2 parser for both and copy field values into v1 data structure if
needed.
While being at it:
* Introduce parse_ports() function similar to the one in
libipt_REDIRECT.c.
* Use xtables_strtoui() in the above instead of atoi() for integrated
range checking.
* Parse IP addresses using inet_pton(), writing directly into
struct nf_nat_range2 fields.
The workaround is not needed anymore since commit 30b178b9bf11e
("extensions: *NAT: Kill multiple IPv4 range support").
While being at it, drop the same hidden flag logic from
libip6t_[SD]NAT extensions as well and just don't set XTOPT_MULTI so
guided option parser will reject multiple parameters automatically.
Phil Sutter [Tue, 15 Dec 2020 14:40:56 +0000 (15:40 +0100)]
libxtables: Implement notargets hash table
Target lookup is relatively costly due to the filesystem access. Avoid
this overhead in huge rulesets which contain many chain jumps by caching
the failed lookups into a hashtable for later.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Wed, 16 Mar 2022 16:14:07 +0000 (17:14 +0100)]
nft: Reject standard targets as chain names when restoring
Reuse parse_chain() called from do_parse() for '-N' and rename it for a
better description of what it does.
Note that by itself, this patch will likely kill iptables-restore
performance for big rulesets due to the extra extension lookup for chain
lines. A following patch announcing those chains to libxtables will
alleviate that.
Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 15 Mar 2022 11:45:04 +0000 (12:45 +0100)]
nft: Review static extension loading
Combine the init_extensions() call common to all families, do not load
IPv6 extensions for iptables and vice versa, drop the outdated comment
about "same table".
xtables: Call init_extensions{,a,b}() for static builds
Add calls to arp- and ebtables-specific extension loaders where missing.
Also consistently call init_extensions() for them, as some extensions
(ebtables 'limit' and arptables 'CLASSIFY' and 'MARK') live in libxt_*
files.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 15 Mar 2022 11:17:25 +0000 (12:17 +0100)]
libxtables: Fix for warning in xtables_ipmask_to_numeric
Gcc complains:
| xtables.c: In function 'xtables_ipmask_to_numeric':
| xtables.c:1491:34: warning: '__builtin___sprintf_chk' may write a terminating nul past the end of the destination [-Wformat-overflow=]
| 1491 | sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
| | ^
Indeed, xtables_ipaddr_to_numeric() returns a pointer to a 20 byte
buffer and xtables_ipmask_to_numeric() writes its content into a buffer
of same size at offset 1. Yet length of returned string is deterministic
as it is an IPv4 address. So shrink it to the minimum of 16 bytes which
eliminates the warning as well.
Fixes: a96166c24eaac ("libxtables: add xtables_ip[6]mask_to_cidr") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 1 Mar 2022 22:19:59 +0000 (23:19 +0100)]
nft: Don't pass command state opaque to family ops callbacks
There are no family-specific versions of struct iptables_command_state
anymore, so no need to hide it behind void pointer. Pass the type as-is
and save a few casts.
While at it, drop unused callbacks parse_bitwise and parse_cmp.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 1 Mar 2022 22:05:29 +0000 (23:05 +0100)]
xshared: Prefer xtables_chain_protos lookup over getprotoent
When dumping a large ruleset, common protocol matches such as for TCP
port number significantly slow down rule printing due to repeated calls
for getprotobynumber(). The latter does not involve any caching, so
/etc/protocols is consulted over and over again.
As a simple countermeasure, make functions converting between proto
number and name prefer the built-in list of "well-known" protocols. This
is not a perfect solution, repeated rules for protocol names libxtables
does not cache (e.g. igmp or dccp) will still be slow. Implementing
getprotoent() result caching could solve this.
As a side-effect, explicit check for pseudo-protocol "all" may be
dropped as it is contained in the built-in list and therefore immutable.
Also update xtables_chain_protos entries a bit to align with typical
/etc/protocols contents. The testsuite assumes those names, so the
preferred ones prior to this patch are indeed uncommon nowadays.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 1 Mar 2022 17:59:31 +0000 (18:59 +0100)]
nft: Simplify immediate parsing
Implementations of parse_immediate callback are mostly trivial, the only
relevant part is access to family-specific parts of struct
iptables_command_state when setting goto flag for iptables and
ip6tables. Refactor them into simple set_goto_flag callbacks.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
Avoid this by pretending extension revision 0 is always supported. It is
the same hack as used to successfully print extension help texts as
unprivileged user, extended to all error codes to serve privileged ones
as well.
In addition, print a warning if kernel rejected revision 0 and it's not
a permissions problem. This helps users find out which extension in a
rule the kernel didn't like.
Finally, the above commands result in these messages:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables: No chain/target/match by that name.
Or, for iptables-nft:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables v1.8.7 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain FORWARD
Phil Sutter [Fri, 11 Feb 2022 16:39:24 +0000 (17:39 +0100)]
libxtables: Register only the highest revision extension
When fully registering extensions, ignore all consecutive ones with same
name and family value. Since commit b3ac87038f4e4 ("libxtables: Make
sure extensions register in revision order"), one may safely assume the
list of pending extensions has highest revision numbers first. Since
iptables is only interested in the highest revision the kernel supports,
registration and compatibility checks may be skipped once the first
matching extension in pending list has validated.
Jethro Beekman [Mon, 14 Feb 2022 09:35:56 +0000 (10:35 +0100)]
xshared: Implement xtables lock timeout using signals
Previously, if a lock timeout is specified using `-wN `, flock() is
called using LOCK_NB in a loop with a sleep. This results in two issues.
The first issue is that the process may wait longer than necessary when
the lock becomes available. For this the `-W` option was added, but this
requires fine-tuning.
The second issue is that if lock contention is high, invocations using
`-w` (without a timeout) will always win lock acquisition from
invocations that use `-w N`. This is because invocations using `-w` are
actively waiting on the lock whereas those using `-w N` only check from
time to time whether the lock is free, which will never be the case.
This patch removes the sleep loop and deprecates the `-W` option (making
it non-functional). Instead, flock() is always called in a blocking
fashion, but the alarm() function is used with a non-SA_RESTART signal
handler to cancel the system call.
Jeremy Sowden [Sat, 12 Feb 2022 16:58:32 +0000 (16:58 +0000)]
tests: NFLOG: enable `--nflog-range` tests
iptables-legacy and iptable-nft have different results for these tests.
Now that it is possible to specify the expected results correctly, we
can enable the tests.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Jeremy Sowden [Sat, 12 Feb 2022 16:58:30 +0000 (16:58 +0000)]
tests: add `NOMATCH` test result
Currently, there are two supported test results: `OK` and `FAIL`. It is
expected that either the iptables command fails, or it succeeds and
dumping the rule has the correct output. However, it is possible that
the command may succeed but the output may not be correct. Add a
`NOMATCH` result to cover this outcome.
Make a few white-space improvements at the same time.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Fri, 4 Feb 2022 17:45:22 +0000 (18:45 +0100)]
tests: iptables-test: Support variant deviation
Some test results are not consistent between variants:
* CLUSTERIP is not supported with nft_compat, so all related tests fail
with iptables-nft.
* iptables-legacy mandates TCPMSS be combined with SYN flag match,
iptables-nft does not care. (Or precisely, xt_TCPMSS.ko can't validate
match presence.)
Introduce an optional fourth test spec field to specify the variant it
applies to. Consequently, the opposite result is expected with the other
variant.
Phil Sutter [Fri, 4 Feb 2022 13:44:26 +0000 (14:44 +0100)]
nft: cache: Dump rules if debugging
If verbose flag was given twice, dump rules while populating the cache.
This not only applies to list commands, but all requiring a rule cache -
e.g. insert with position.
Phil Sutter [Fri, 4 Feb 2022 12:27:51 +0000 (13:27 +0100)]
ebtables: Support verbose mode
Accept '-v' flag in both ebtables-nft and ebtables-nft-restore. Mostly
interesting because it allows for netlink debug output when specified
multiple times.
Phil Sutter [Fri, 28 Jan 2022 14:32:10 +0000 (15:32 +0100)]
iptables-restore: Support for extra debug output
Treat --verbose just like iptables itself, increasing debug level with
number of invocations.
To propagate the level into do_command() callback, insert virtual '-v'
flags into rule lines.
The only downside of this is that simple verbose output is changed and
now also prints the rules as they are added - which would be useful if
the lines contained the chain they apply to.
Phil Sutter [Fri, 28 Jan 2022 18:35:54 +0000 (19:35 +0100)]
nft: Use verbose flag to toggle debug output
Copy legacy iptables' behaviour, printing debug output if verbose flag
is given more than once.
Since nft debug output applies to netlink messages which are not created
until nft_action() phase, carrying verbose value is non-trivial -
introduce a field in struct nft_handle for that.
Florian Westphal [Tue, 25 Jan 2022 16:52:59 +0000 (17:52 +0100)]
nft: prefer native expressions instead of tcp match
Instead of using nft_compat+xtables tcp match, prefer to
emit payload+cmp or payload+range expression.
Unlike udp, tcp has flag bits that can be matched too but
we have to fall back to the xt expression for now.
We also don't support tcp option match, but thats a rarely
used feature anyway.
Delinearization support for ports was added in previous patches.
Phil Sutter [Tue, 18 Jan 2022 21:39:08 +0000 (22:39 +0100)]
xshared: Fix response to unprivileged users
Expected behaviour in both variants is:
* Print help without error, append extension help if -m and/or -j
options are present
* Indicate lack of permissions in an error message for anything else
With iptables-nft, this was broken basically from day 1. Shared use of
do_parse() then somewhat broke legacy: it started complaining about
inability to create a lock file.
Fix this by making iptables-nft assume extension revision 0 is present
if permissions don't allow to verify. This is consistent with legacy.
Second part is to exit directly after printing help - this avoids having
to make the following code "nop-aware" to prevent privileged actions.
Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
nft has no equivalent to `--nflog-range`, so we cannot emulate it and
the Python unit-tests for it fail. However, since `--nflog-range` is
broken and doesn't do anything, the tests are not testing anything
useful.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com> Signed-off-by: Alex Forster <aforster@cloudflare.com> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Kyle Bowman [Fri, 1 Oct 2021 17:41:37 +0000 (18:41 +0100)]
extensions: libxt_NFLOG: don't truncate log prefix on print/save
When parsing the rule, use a struct with a layout compatible to that of
struct xt_nflog_info, but with a buffer large enough to contain the
whole 128-character nft prefix.
We always send the nflog-group to the kernel since, for nft, log and
nflog targets are handled by the same kernel module, and are
distinguished by whether they define an nflog-group. Therefore, we must
send the group even if it is zero, or the kernel will configure the
target as a log, not an nflog.
Changes to nft_is_expr_compatible were made since only targets which
have an `nflog-group` are compatible. Since nflog targets are
distinguished by having an nflog-group, we ignore targets without one.
We also set the copy-len flag if the snap-len is set since without this,
iptables will mistake `nflog-size` for `nflog-range`.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com> Signed-off-by: Alex Forster <aforster@cloudflare.com> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Kyle Bowman [Fri, 1 Oct 2021 17:41:36 +0000 (18:41 +0100)]
extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
Replaces the use of xt_NFLOG with the nft built-in log statement.
This additionally adds support for using longer log prefixes of 128
characters in size. Until now NFLOG has truncated the log-prefix to the
64-character limit supported by iptables-legacy. We now use the struct
xtables_target's udata member to store the longer 128-character prefix
supported by iptables-nft.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com> Signed-off-by: Alex Forster <aforster@cloudflare.com> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Thu, 23 Dec 2021 18:03:37 +0000 (19:03 +0100)]
xshared: Move do_parse to shared space
Small adjustments were needed:
- Pass line variable via xt_cmd_parse, xshared.c does not have it in
namespace.
- Replace opts, prog_name and prog_vers defines by the respective
xt_params field reference.
Phil Sutter [Thu, 23 Dec 2021 17:55:53 +0000 (18:55 +0100)]
xtables: Do not pass nft_handle to do_parse()
Make it fit for sharing with legacy iptables, drop nft-specific
parameter. This requires to mirror proto_parse and post_parse callbacks
from family_ops somewhere reachable - use xt_cmd_parse, it holds other
"parser setup data" as well.
Phil Sutter [Fri, 26 Nov 2021 17:26:07 +0000 (18:26 +0100)]
xtables: Drop xtables' family on demand feature
This conditional h->family assignment was added by commit 3f7877e6be987
("xtables-restore: add -4 and -6 support") with the intention to support
something like 'xtables-restore -6 <ip6tables.dump', i.e. having
family-agnostic commands which accept flags to set the family. Yet
commit be70918eab26e ("xtables: rename xt-multi binaries to -nft,
-legacy") removed support for such command names back in 2018 and nobody
has complained so far. Therefore drop this leftover as it makes
do_parse() more generic.
Phil Sutter [Fri, 26 Nov 2021 20:45:12 +0000 (21:45 +0100)]
iptables-*-restore: Drop pointless line reference
There's no need to mention the offending line number in error message
when calling xtables_error() with a status of PARAMETER_PROBLEM as that
will cause a call to xtables_exit_tryhelp() which in turn prints "Error
occurred at line: N".
Phil Sutter [Thu, 21 Oct 2021 11:04:45 +0000 (13:04 +0200)]
xshared: Share a common printhelp function
Help texts in legacy and nft variants are supposed to be identical, but
those of iptables and ip6tables largely overlapped already. By referring
to xt_params and afinfo pointers, it is relatively trivial to craft a
suitable help text on demand, so duplicated help texts can be
eliminated.
As a side-effect, this fixes ip6tables-nft help text - it was identical
to that of iptables-nft.
Phil Sutter [Thu, 21 Oct 2021 01:00:57 +0000 (03:00 +0200)]
xshared: Share print_match_save() between legacy ip*tables
The only difference between the former two copies was the type of
ip*_entry parameter. But since it is treated opaque, just hide that
detail by casting to void.
projects / thirdparty / iptables.git / log
