Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accpet-local" is combined with "--invert", it means "&&"
relationship, so translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 25 Dec 2016 12:27:51 +0000 (20:27 +0800)]
extensions: libxt_connbytes: Add translation to nft
For example:
# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
--connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter
Keno Fischer [Fri, 30 Dec 2016 05:43:37 +0000 (00:43 -0500)]
build: Fix two compile errors during out-of-tree build
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 29 Nov 2016 11:47:25 +0000 (12:47 +0100)]
tcp_xlate: Enclose LH flag values in parentheses
This fixes TCP flags matches:
| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop
Although the generated rule is syntactically correct and accepted by
nft, it will be interpreted in a different way than expected since
binary AND takes precedence over OR.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 25 Nov 2016 17:06:46 +0000 (18:06 +0100)]
xtables-translate: Support setting standard chain policy
Looks like this bit was simply forgotten when implementing
xlate_chain_set() as everything needed was there to just print the
desired policy along with the chain definition.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch (ab)uses the 'space' variable to check if a parameter to the
'ah' match was present and if not translates the match into an extension
header check:
| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| add rule ip6 filter INPUT meta l4proto ah counter accept
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clang's static analyzer flagged the shift this patch removes as
shifting a garbage value. Looks like `m` isn't used at all anyway, so
we can simply remove it.
Signed-off-by: George Burgess IV <gbiv@google.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Liping Zhang [Fri, 7 Oct 2016 11:08:56 +0000 (19:08 +0800)]
extensions: libxt_statistic: add translation to nft
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
Note, mode random is not completely supported in nft, so:
# iptables-translate -A OUTPUT -m statistic --mode random \
--probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:53 +0000 (19:08 +0800)]
extensions: libxt_ipcomp: add range support in translation
When translate to nft rules, ipcompspi range is not supported, so:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3 counter
Apply this patch:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1-2 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3-30 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:52 +0000 (19:08 +0800)]
extensions: libxt_devgroup: handle the invert flag properly in translation
We forgot to put "!=" when devgroup can be mapped to name, so translation
is wrong:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter
Apply this patch:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup != default counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:51 +0000 (19:08 +0800)]
extensions: libxt_iprange: handle the invert flag properly in translation
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
Liping Zhang [Fri, 7 Oct 2016 11:08:50 +0000 (19:08 +0800)]
extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate
nft will complain the syntax error if we use "ip saddr" or "ip daddr" in
ip6 family, so the current translation is wrong:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
^^
Liping Zhang [Fri, 7 Oct 2016 11:08:49 +0000 (19:08 +0800)]
extensions: libipt_realm: add a missing space in translation
We missed a blank space when do translate to nft, so if rt_realm can be
mapped to name, the result looks ugly:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassidcosmos counter
^
Apply this patch:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassid cosmos counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Mon, 26 Sep 2016 19:08:52 +0000 (15:08 -0400)]
extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of upto 1 million, Version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
and xt_hashlimit_mtinfo2 and also create newer versions of all the
functions for match, checkentry and destory.
Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Mon, 26 Sep 2016 19:08:17 +0000 (15:08 -0400)]
extensions: libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the
end of the names.
Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition with the new checks of
ruleset compatibility, the rule list is loaded one more time.
Now all the operations causing changes in the ruleset must invalidate
the cache, a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:48 +0000 (16:50 +0800)]
extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate
After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1
Apply this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:46 +0000 (16:50 +0800)]
extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft
When I want to translate SNAT target to nft rule, an error message
was printed out:
# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM
Because ipt_natinfo{} started with a xt_entry_target{}, so when we
get the ipt_natinfo pointer, we should use the target itself,
not its data pointer. Yes, it is a little tricky and it's different
with other targets.
xtables-compat: check if nft ruleset is compatible
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 21 Aug 2016 14:34:55 +0000 (22:34 +0800)]
extensions: libxt_CLASSIFY: Add translation to nft
For examples:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff
nft add rule ip filter OUTPUT counter meta priority set root
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234
nft add rule ip filter OUTPUT counter meta priority set 1:234
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Willem de Bruijn [Wed, 10 Aug 2016 19:23:07 +0000 (15:23 -0400)]
extensions/libxt_bpf.man: clarify BPF code generation with tcpdump
The xt_bpf module applies BPF bytecode to the packet. Depending on
where the module is invoked, the kernel may pass a packet with or
without link layer header. Iptables has no such header.
A common `tcpdump -ddd <string>` compilation command may revert to
a physical device that generates code for packets starting from the
mac layer up (e.g., E10MB data link type: Ethernet).
Clarify in the man page that when using this tool for code generation,
a suitable target device must be chosen.
Netfilter Bugzilla Bug #1048
Reported-by: Lorenzo Pistone <blaffablaffa@gmail.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-translate: add in/out ifname wildcard match translation to nft
In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.
Apply this patch, translation will become:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add some unit tests for connlabel match extension:
# ./iptables-test.py extensions/libxt_connlabel.t
extensions/libxt_connlabel.t: OK
1 test files, 7 unit tests, 7 passed
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
libxt_NFLOG: nflog-range does not truncate packets"). Then make
the nflog-range become deprecated, because it has no effect from
the beginning.
So when we do translation, nft log snaplen is translated only if the
nflog-size is specified.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: display nflog-size even if it is zero
The following iptables rules have the different semantics:
# iptables -A INPUT -j NFLOG
# iptables -A INPUT -j NFLOG --nflog-size 0
But they are all displayed as "-A INPUT -j NFLOG", so if
the user input the following commands, the original semantics
will be broken.
# iptables-save | iptables-restore
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connlabel: fix crash when connlabel.conf is empty
When connlabel.conf is empty, nfct_labelmap_new will return NULL and
set errno to 0. So we will miss to check this situation, and cause NULL
deference in nfct_labelmap_get_bit.
Input the following commands will reproduce this crash:
# echo > /etc/xtables/connlabel.conf
# iptables -A INPUT -m connlabel --label abc
Segmentation fault (core dumped)
xtables: Add an interval option for xtables lock wait
ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even severe in case of latency
sensitive applications.
Introduce a new option 'W' to specify the wait interval in microseconds.
If this option is not specified, the command sleeps for 1 second by
default.
v1->v2: Change behavior to take millisecond sleep as an argument to
-w as suggested by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.
v3->v4: Use select instead of usleep. Sleep every iteration for
the time specified in the "-W" argument. Update man page.
v4->v5: Fix compilation error when enabling nftables
v5->v6: Simplify -W so it only takes the interval wait in microseconds.
Bail out if -W is specific but -w is not.
Joint work with Pablo Neira.
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jordan Yelloz [Fri, 24 Jun 2016 19:18:45 +0000 (12:18 -0700)]
extensions: added AR substitution
This is to ensure that the correct AR is run in cross-compile jobs.
Often a cross-compile build will succeed without this change but it
fails on my Gentoo Linux system when I have binutils installed with the
"multitarget" USE flag.
This change substitues AR with the autotools-supplied AR for the
extensions subdirectory.
Signed-off-by: Jordan Yelloz <jordan@yelloz.me> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Fri, 24 Jun 2016 20:42:31 +0000 (16:42 -0400)]
extensions: libxt_NFLOG: nflog-range does not truncate packets
The option --nflog-range has never worked, but we cannot just fix this
because users might be using this feature option and their behavior would
change. Instead add a new option --nflog-size. This option works the same
way nflog-range should have, and both of them are mutually exclusive. When
someone uses --nflog-range we print a warning message informing them that
this feature has no effect.
To indicate the kernel that the user has set --nflog-size we have to pass a
new flag XT_NFLOG_F_COPY_LEN.
Also updated the man page to reflect the new option and added tests to
extensions/libxt_NFLOG.t
Reported-by: Joe Dollard <jdollard@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Wed, 22 Jun 2016 19:41:39 +0000 (01:11 +0530)]
configure: Fix assignment statement
The assignment statement was interpreted as executing enable_connlabel
command with the argument "no". This was due to the whitespaces in the
assignment.
Fixes the trivial bug introduced in commit 3b7a227 (configure: Show
support for connlabel)
Roberto García [Wed, 22 Jun 2016 12:31:31 +0000 (14:31 +0200)]
iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
Fix translation of MARK target's --set-xmark option.
Before:
#iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
After:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
xor 0x64
Signed-off-by: Roberto García <rodanber@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and
0xffffffed
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
nft add rule ip mangle PREROUTING counter ct mark set mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
nft add rule ip mangle PREROUTING counter meta mark set ct mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12
Signed-off-by: Roberto García <rodanber@gmail.com> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Mon, 20 Jun 2016 17:36:34 +0000 (23:06 +0530)]
configure: Remove flex check warning
Remove the warning about outdated version of flex as it is not needed
anymore. This check was introduced back in 2008 to skip a broken flex
version that doesn't seem to be packaged by any distribution anymore.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connmark: Fix order of mask and mark
The order of mask and mark in the output is wrong. This has been pointed
out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang <liping.zhang@spreadtrum.com>.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Wed, 1 Jun 2016 12:07:17 +0000 (20:07 +0800)]
extensions: libxt_mark: fix a wrong translation to nft when mask is specified
The mask and mark's order is reversed, so when we specify the mask, we will
get the wrong translation result:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0x1 == 0xff counter
Apply this patch, translation will become:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0xff == 0x1 counter
extensions: NETMAP: add ' to:' prefix when printing NETMAP target
NETMAP .print function doesn't insert the ' ' character needed to seperate
earlier output from the target network, i.e. iptables -L prints
something like
2.2.2.5-2.2.2.103.3.3.64/28
instead of
2.2.2.5-2.2.2.10 3.3.3.64/28
Add a ' to:' prefix just like we do for S/DNAT targets.
Liping Zhang [Sat, 21 May 2016 10:07:16 +0000 (18:07 +0800)]
extensions: libxt_limit: fix a wrong translation to nft rule
The default burst value is 5 in iptables limit extension while it is 0 in
nft limit expression, if the burst value is default, it will not be
displayed when we dump the rules. But when we do translation from iptables
rules to nft rules, we should keep the limit burst value unchanged, even if
it is not displayed in iptables rules.
And now, if the limit-burst value in the iptables rule is 5 or 0, they are
all translated to nft rule without burst, this is wrong:
extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
whenever it was used before bypass because then flags would be 1.
projects / thirdparty / iptables.git / log
