Thierry Du Tre [Tue, 16 Jan 2018 12:44:37 +0000 (13:44 +0100)]
extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr
mod 7 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta
mark set 0xffff
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ahmed Abdelsalam [Thu, 11 Jan 2018 17:12:41 +0000 (18:12 +0100)]
extensions: add support for 'srh' match
This patch adds a new exetension to iptables to supprt 'srh' match
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Thu, 28 Dec 2017 07:28:33 +0000 (12:58 +0530)]
extensions: libxt_hashlimit: Do not print default timeout and burst
Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 21 Dec 2017 03:35:45 +0000 (09:05 +0530)]
extensions: Add macro _DEFAULT_SOURCE.
Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated.
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes
This patch fixes the following warning:
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
_DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
# _DEFAULT_SOURCE"
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 21 Dec 2017 03:35:45 +0000 (09:05 +0530)]
iptables: Remove const qualifier from struct option.
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning:
warning: initialization discards ‘const’ qualifier from pointer target
type [-Wdiscarded-qualifiers]
.orig_opts = original_opts,
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Yogesh Prasad [Wed, 29 Nov 2017 06:10:54 +0000 (00:10 -0600)]
iptables: patch to correct linker flag sequence
Description
This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared. If -pie is provided after -shared, the linker throws an
error shown below as example.
-------------------------------------------------------------------------
/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
+ ./libxt_SYNPROXY.man
make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+ ./libip6t_mh.man
/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
undefined reference to `main'
/host/lib/gcc/powerpc-buildroot-linux-gnu + ./libxt_TCPMSS.man
/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
collect2: error: ld returned 1 exit status
-------------------------------------------------------------------------
Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 30 Nov 2017 13:48:05 +0000 (19:18 +0530)]
iptables: xtables-eb: Remove const qualifier from struct option
As opts is reassigned multiple times, it cannot be made constant.
So remove const qualifier from structure option. This patch fixes the
following warning.
xtables-eb.c: In function ‘ebt_load_match_extensions’:
xtables-eb.c:653:7: warning: assignment discards ‘const’ qualifier
from pointer target type
opts = ebt_original_options;
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
huaibin Wang [Mon, 13 Nov 2017 13:27:54 +0000 (14:27 +0100)]
libxt_sctp: fix array out of range in print_chunk
For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type
is not equal to the corresponding index in sctp_chunk_names[]. Using this field
leads to a segmentation fault (index out of range).
Example
$ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Segmentation fault
Signed-off-by: huaibin Wang <huaibin.wang@6wind.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Sun, 22 Oct 2017 12:49:09 +0000 (18:19 +0530)]
tests: xlate: print output in same way as nft-test.py
Print errors and total no. of tests, tests passed, failed and errors for
testfile argument
Remove option "--all"
Print file names for which all tests are passed with OK
For e.g -
sudo ./xlate-test.py
generic.txlate: OK
libip6t_DNAT.txlate: OK
...
libxt_TCPMSS.txlate: Fail
src: iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-mss-to-pmtu
exp: nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter
tcp option maxseg size set rt mtu
res: nft # -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
...
libxt_connlabel.txlate: Error: iptables-translate failure
iptables-translate v1.6.1: Couldn't load match `connlabel':No such file
or directory
...
64 test files, 246 tests, 242 tests passed, 2 tests failed, 2 errors
Phil Sutter [Fri, 20 Oct 2017 11:24:36 +0000 (13:24 +0200)]
libxt_recent: Remove ineffective checks for info->name
In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a
pointer. So there is no point in comparing it against NULL. Changing the
check to make sure it's content is not an empty string is pointless
either, since a non-empty default string is used and the argument parser
will refuse empty strings as --name argument. So simply get rid of the
checks altogether.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Mon, 9 Oct 2017 13:47:39 +0000 (15:47 +0200)]
extensions: libxt_tcpmss: Detect invalid ranges
Previously, an MSS range of e.g. 65535:1000 was silently accepted but
would then never match a packet since the kernel checks whether the MSS
value is greater than or equal to the first *and* less than or equal to
the second value.
Detect this as a parameter problem and update the man page accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The configure script handles the "--*-largefile" parameter badly. It
always disables largefile support if given (and it doesn't matter if
'enable' or 'disable' was used).
Signed-off-by: Juergen Borleis <jbe@pengutronix.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The struct of type option is only used to initialise a field inside
the xtables_globals struct and is not modified anywhere.
Done using following coccinelle semantic patch
@r1 disable optional_qualifier@
identifier s,i;
position p;
@@
static struct option i@p[] ={...};
@ok1@
identifier r1.i;
expression e;
position p;
@@
e = i@p
@bad@
position p != {r1.p,ok1.p};
identifier r1.i;
@@
e@i@p
Phil Sutter [Wed, 20 Sep 2017 16:54:08 +0000 (18:54 +0200)]
utils: nfnl_osf: Fix synopsis in help text
* -d is optional
* -h is not really a flag, just anything not recognized triggers the
help output.
* That '<del rules>' bit is rather confusing than helpful.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Fri, 18 Aug 2017 20:59:06 +0000 (16:59 -0400)]
netfilter: xt_hashlimit: add rate match mode
This patch adds a new feature to hashlimit that allows matching on the
current packet/byte rate without rate limiting. This can be enabled
with a new flag --hashlimit-rate-match. The match returns true if the
current rate of packets is above/below the user specified value.
The main difference between the existing algorithm and the new one is
that the existing algorithm rate-limits the flow whereas the new algorithm
does not. Instead it *classifies* the flow based on whether it is above or
below a certain rate. I will demonstrate this with an example below. Let
us assume this rule:
iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain
If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets
every second and send 5 packets to "new_chain".
But with the new algorithm, as long as the rate of 15/s is sustained, all
packets will continue to match and every packet is sent to new_chain.
This new functionality will let us classify different flows based on their
current rate, so that further decisions can be made on them based on what
the current rate is.
This is how the new algorithm works:
We divide time into intervals of 1 (sec/min/hour) as specified by
the user. We keep track of the number of packets/bytes processed in the
current interval. After each interval we reset the counter to 0.
When we receive a packet for match, we look at the packet rate
during the current interval and the previous interval to make a decision:
if [ prev_rate < user and cur_rate < user ]
return Below
else
return Above
Where cur_rate is the number of packets/bytes seen in the current
interval, prev is the number of packets/bytes seen in the previous
interval and 'user' is the rate specified by the user.
We also provide flexibility to the user for choosing the time
interval using the option --hashilmit-interval. For example the user can
keep a low rate like x/hour but still keep the interval as small as 1
second.
To preserve backwards compatibility we have to add this feature in a new
revision, so I've created revision 3 for hashlimit. The two new options
we add are:
--hashlimit-rate-match
--hashlimit-rate-interval
I have updated the help text to add these new options. Also added a few
tests for the new options.
Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The following memory leaks are detected by valgrind when
ip[6]tables-compat is used for listing operations:
==1604== 1,064 (120 direct, 944 indirect) bytes in 5 blocks are definitely lost in loss record 21 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x56ABB78: xtables_malloc (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x56AC7D3: xtables_find_match (in /usr/local/lib/libxtables.so.12.0.0)
==1604== by 0x11F502: nft_parse_match (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x11FC7B: nft_rule_to_iptables_command_state (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x1218C0: nft_ipv4_print_firewall (nft-ipv4.c:301)
==1604== by 0x11CBEB: __nft_rule_list (nft.c:2042)
==1604== by 0x11CEA4: nft_rule_list (nft.c:2126)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 25 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11A311: nft_init (nft.c:777)
==1604== by 0x115A71: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
==1604==
==1604== 135,168 bytes in 1 blocks are definitely lost in loss record 26 of 27
==1604== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==1604== by 0x119072: mnl_nftnl_batch_alloc (nft.c:102)
==1604== by 0x11910C: mnl_nftnl_batch_page_add (nft.c:122)
==1604== by 0x11D8FE: nft_action (nft.c:2402)
==1604== by 0x11D957: nft_commit (nft.c:2413)
==1604== by 0x11CCB7: nft_rule_list (nft.c:2076)
==1604== by 0x116A7F: list_entries (xtables.c:592)
==1604== by 0x118B26: do_commandx (xtables.c:1233)
==1604== by 0x115AE8: xtables_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x115BCB: xtables_ip4_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x12F911: subcmd_main (in /usr/local/sbin/xtables-compat-multi)
==1604== by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==2548== 16 bytes in 1 blocks are definitely lost in loss record 1 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x4E39D67: __mnl_socket_open (socket.c:110)
==2548== by 0x4E39DDE: mnl_socket_open (socket.c:133)
==2548== by 0x11A48E: nft_init (nft.c:765)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 16 bytes in 1 blocks are definitely lost in loss record 2 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11B2DB: nftnl_chain_list_get (nft.c:1194)
==2548== by 0x11B377: nft_chain_dump (nft.c:1210)
==2548== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2548== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 5 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x56ABB99: xtables_calloc (xtables.c:291)
==2548== by 0x116DA7: command_jump (xtables.c:623)
==2548== by 0x117D5B: do_parse (xtables.c:923)
==2548== by 0x1188BA: do_commandx (xtables.c:1183)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 40 bytes in 1 blocks are definitely lost in loss record 6 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x4E3AE07: mnl_nlmsg_batch_start (nlmsg.c:441)
==2548== by 0x1192B7: mnl_nftnl_batch_alloc (nft.c:106)
==2548== by 0x11931A: mnl_nftnl_batch_page_add (nft.c:122)
==2548== by 0x11DB0C: nft_action (nft.c:2402)
==2548== by 0x11DB65: nft_commit (nft.c:2413)
==2548== by 0x114FBB: xtables_restore_parse (xtables-restore.c:238)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 8 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x50496FE: nftnl_table_list_alloc (table.c:433)
==2548== by 0x11DF88: nft_xtables_config_load (nft.c:2539)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 80 bytes in 5 blocks are definitely lost in loss record 9 of 20
==2548== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2548== by 0x504C7CD: nftnl_chain_list_alloc (chain.c:874)
==2548== by 0x11DF91: nft_xtables_config_load (nft.c:2540)
==2548== by 0x11B037: nft_rule_append (nft.c:1116)
==2548== by 0x116639: add_entry (xtables.c:429)
==2548== by 0x118A3B: do_commandx (xtables.c:1187)
==2548== by 0x115655: xtables_restore_parse (xtables-restore.c:405)
==2548== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
==2548==
==2548== 135,168 bytes in 1 blocks are definitely lost in loss record 19 of 20
==2548== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2548== by 0x119280: mnl_nftnl_batch_alloc (nft.c:102)
==2548== by 0x11A51F: nft_init (nft.c:777)
==2548== by 0x11589F: xtables_restore_main (xtables-restore.c:463)
==2548== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
==2548== by 0x12FF39: subcmd_main (xshared.c:211)
==2548== by 0x10F63C: main (xtables-compat-multi.c:41)
An additional leak occurs if a rule-set already exits:
==2735== 375 (312 direct, 63 indirect) bytes in 3 blocks are definitely lost in loss record 19 of 24
==2735== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==2735== by 0x504AAE9: nftnl_chain_alloc (chain.c:92)
==2735== by 0x11B1F1: nftnl_chain_list_cb (nft.c:1172)
==2735== by 0x4E3A2E8: __mnl_cb_run (callback.c:78)
==2735== by 0x4E3A4A7: mnl_cb_run (callback.c:162)
==2735== by 0x11920D: mnl_talk (nft.c:70)
==2735== by 0x11B343: nftnl_chain_list_get (nft.c:1203)
==2735== by 0x11B377: nft_chain_dump (nft.c:1210)
==2735== by 0x114DF9: get_chain_list (xtables-restore.c:167)
==2735== by 0x114EF8: xtables_restore_parse (xtables-restore.c:217)
==2735== by 0x115B43: xtables_restore_main (xtables-restore.c:526)
==2735== by 0x115B88: xtables_ip4_restore_main (xtables-restore.c:534)
Fix these memory leaks.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Oliver Ford [Fri, 2 Jun 2017 15:34:37 +0000 (15:34 +0000)]
iptables-xml: Fix segfault on jump without a target
As reported in Bugzilla #1152, a segfault occurs in iptables-xml if a
jump or goto argument lacks a target argument. The following input will
segfault:
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 2200 -j
Problem occurs in do_rule_part, where the existsChain() function is called
with argv[arg + 1]. If the jump/goto argument is the last argument, then
arg + 1 is out of the array bounds. The fix ensures that arg + 1 is within
the array bounds before the call to existsChain() is made.
Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xtables-translate: fix double space before comment
When a comment translation immediately follows a counter statement, two
spaces are printed between "counter" and "comment" keywords.
The counter statement is almost always followed by a target, so we need
to move the space following "counter" to the beginning of the target
translation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The owner name was hard-coded in the owner extension translation test.
The translation process requires the user to exist in the system, so
this commit replaces it with the usual UID_MIN value (1000).
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Oliver Ford [Fri, 19 May 2017 12:02:26 +0000 (12:02 +0000)]
iptables: Fix crash on malformed iptables-restore
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that
specifies the table option during a restore can create an invalid pointer.
It was discovered during fuzz testing that options like '-ftf'
can cause a segfault. A parameter that includes a 't' is not currently
filtered correctly.
Improves the filtering to:
Filter a beginning '-' followed by a character other than '-' and then a 't'
anywhere in the parameter. This filters parameters like '-ftf'.
Filter '--t'.
Filter '--table', stopping when the parameter length is reached. Because the
getopt_long function allows abbreviations, any unique abbreviation of '--table'
will be treated as '--table'. This filters parameters like '--t', '--ta', but not
'--ttl' or '--target'.
Signed-off-by: Oliver Ford <ojford@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lorenzo Colitti [Fri, 19 May 2017 07:08:59 +0000 (16:08 +0900)]
iptables: insist that the lock is held.
Currently, iptables programs will exit with an error if the
iptables lock cannot be acquired, but will silently continue if
the lock cannot be opened at all. This can cause unexpected
failures (with unhelpful error messages) in the presence of
concurrent updates, which can be very difficult to find in a
complex or multi-administrator system.
Instead, refuse to do anything if the lock cannot be acquired.
The behaviour is not affected by command-line flags because:
1. In order to reliably avoid concurrent modification, all
invocations of iptables commands must follow this behaviour.
2. Whether or not the lock can be opened is typically not
a run-time condition but is likely to be a configuration
error.
Existing systems that depended on things working mostly correctly
even if there was no lock might be affected by this change.
However, that is arguably a configuration error, and now that the
iptables lock is configurable, it is trivial to provide a lock
file that is always accessible: if nothing else, the iptables
binary itself can be used. The lock does not have to be writable,
only readable.
Tested by configuring the system to use an xtables.lock file in
a non-existent directory and observing that all commands failed.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vincent Bernat [Sat, 15 Apr 2017 10:16:47 +0000 (12:16 +0200)]
iptables-restore/save: exit when given an unknown option
When an unknown option is given, iptables-restore should exit instead of
continue its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.
OTOH, exit with a status code of 0 when requesting help.
Signed-off-by: Vincent Bernat <vincent@bernat.im> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Dan Williams [Mon, 10 Apr 2017 17:35:18 +0000 (12:35 -0500)]
iptables-restore.8: document -w/-W options
Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.") Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
hashlimit was using "%lu" in a lot of printf format specifiers to print
64-bit integers. This is incorrect on 32-bit architectures because
"long int" is 32-bits there. On MIPS, it was causing iptables to
segfault when printing these integers.
Fix by using the correct format specifier.
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arushi Singhal [Thu, 30 Mar 2017 09:04:05 +0000 (14:34 +0530)]
iptables: extensions: Remove typedef in struct.
The Linux kernel coding style guidelines suggest not using typedefs for
structure. This patch gets rid of the typedefs for "_code".
The following Coccinelle semantic patch detects the cases for struct
type:
@tn@
identifier i;
type td;
@@
-typedef
struct i { ... }
-td
;
@@
type tn.td;
identifier tn.i;
@@
-td
+ struct i
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This test suite is intended to detect regressions in the translation
infrastructure. The script checks if ip[6]tables-translate produces the
expected output, otherwise it prints the wrong translation and the
expected one.
** Arguments
--all # Show also passed tests
[test] # Run only the specified test file
** Test files structure
Test files are located under extensions directory. Every file contains
tests about specific extension translations. A test file name must end
with ".txlate".
Inside the files, every single test is defined by two consecutive lines:
ip[6]tables-translate command and expected result. One blank line is left
between tests by convention.
e.g.
$ cat extensions/libxt_cpu.txlate
iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lorenzo Colitti [Thu, 16 Mar 2017 07:55:02 +0000 (16:55 +0900)]
iptables-restore: support acquiring the lock.
Currently, ip[6]tables-restore does not perform any locking, so it
is not safe to use concurrently with ip[6]tables.
This patch makes ip[6]tables-restore wait for the lock if -w
was specified. Arguments to -w and -W are supported in the same
was as they are in ip[6]tables.
The lock is not acquired on startup. Instead, it is acquired when
a new table handle is created (on encountering '*') and released
when the table is committed (COMMIT). This makes it possible to
keep long-running iptables-restore processes in the background
(for example, reading commands from a pipe opened by a system
management daemon) and simultaneously run iptables commands.
If -w is not specified, then the command proceeds without taking
the lock.
Tested as follows:
1. Run iptables-restore -w, and check that iptables commands work
with or without -w.
2. Type "*filter" into the iptables-restore input. Verify that
a) ip[6]tables commands without -w fail with "another app is
currently holding the xtables lock...".
b) ip[6]tables commands with "-w 2" fail after 2 seconds.
c) ip[6]tables commands with "-w" hang until "COMMIT" is
typed into the iptables-restore window.
3. With the lock held by an ip6tables-restore process:
strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000
shows 11 calls to flock and fails.
4. Run an iptables-restore with -w and one without -w, and check:
a) Type "*filter" in the first and then the second, and the
second exits with an error.
b) Type "*filter" in the second and "*filter" "-S" "COMMIT"
into the first. The rules are listed only when the first
copy sees "COMMIT".
Signed-off-by: Narayan Kamath <narayan@google.com> Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lorenzo Colitti [Thu, 16 Mar 2017 07:55:01 +0000 (16:55 +0900)]
iptables: remove duplicated argument parsing code
1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lorenzo Colitti [Tue, 14 Mar 2017 08:55:50 +0000 (17:55 +0900)]
iptables: set the path of the lock file via a configure option.
Currently the iptables lock is hardcoded as "/run/xtables.lock".
Allow users to change this path using the --with-xt-lock-name
option to ./configure option. This is useful on systems like
Android which do not have /run.
Tested on Ubuntu, as follows:
1. By default, the lock is placed in /run/xtables.lock:
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
2. Specifying the lock results in the expected location being
used:
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-translate: print nft iff there are more expanded rules to print
$ iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
This extra 'nft' print is incorrect, just print it if there are more
rules to be printed.
Reported-by: Alexander Alemayhu <alexander@alemayhu.com> Tested-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 8 Mar 2017 15:43:25 +0000 (16:43 +0100)]
xtables-translate: Avoid querying the kernel
This originally came up when accidentally calling iptables-translate as
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).
The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Baruch Siach [Thu, 2 Mar 2017 07:35:07 +0000 (09:35 +0200)]
utils: nfsynproxy: fix build with musl libc
The musl libc exposes some struct tcphdr field only when _GNU_SOURCE is
defined. Fix the following build failure:
nfsynproxy.c: In function ‘parse_packet’:
nfsynproxy.c:34:9: error: ‘const struct tcphdr’ has no member named ‘syn’
if (!th->syn || !th->ack)
^
nfsynproxy.c:34:21: error: ‘const struct tcphdr’ has no member named ‘ack’
if (!th->syn || !th->ack)
^
nfsynproxy.c:42:8: error: ‘const struct tcphdr’ has no member named ‘res2’
if (th->res2 == 0x1)
^
nfsynproxy.c:45:13: error: ‘const struct tcphdr’ has no member named ‘doff’
length = th->doff * 4 - sizeof(*th);
^
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Dan Williams [Sun, 26 Feb 2017 04:02:03 +0000 (22:02 -0600)]
libiptc: don't set_changed() when checking rules with module jumps
Checking a rule that includes a jump to a module-based target currently
sets the "changed" flag on the handle, which then causes TC_COMMIT() to
run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This
seems wrong for simply checking rules, an operation which is documented
as "...does not alter the existing iptables configuration..." but yet
it clearly could do so.
Fix that by ensuring that rule check operations for module targets
don't set the changed flag, and thus exit early from TC_COMMIT().
Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Elise Lennion [Mon, 27 Feb 2017 17:43:08 +0000 (14:43 -0300)]
extensions: libxt_hashlimit: Add translation to nft
Hashlimit has similar functionality to flow tables in nftables. Some
usage examples are:
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip \
--hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW \
-j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second \
burst 1 mbytes} ct state new counter drop
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode \
srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 \
-m state --state NEW -j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} \
ct state new counter drop
The translation isn't supported when --hashlimit-mode isn't specified.
Also, the following options don't apply to flow tables:
Liping Zhang [Mon, 6 Feb 2017 11:47:47 +0000 (19:47 +0800)]
xshared: using the blocking file lock request when we wait indefinitely
When using "-w" to avoid concurrent instances, we try to do flock() every
one second until it success. But one second maybe too long in some
situations, and it's hard to select a suitable interval time. So when
using "iptables -w" to wait indefinitely, it's better to block until
it become success.
Now do some performance tests. First, flush all the iptables rules in
filter table, and run "iptables -w -S" endlessly:
# iptables -F
# iptables -X
# while : ; do
iptables -w -S >&- &
done
Second, after adding and deleting the iptables rules 100 times, measure
the time cost:
# time for i in $(seq 100); do
iptables -w -A INPUT
iptables -w -D INPUT
done
Before this patch:
real 1m15.962s
user 0m0.224s
sys 0m1.475s
Apply this patch:
real 0m1.830s
user 0m0.168s
sys 0m1.130s
Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 5 Feb 2017 13:57:34 +0000 (21:57 +0800)]
xshared: do not lock again and again if "-w" option is not specified
After running the following commands, some confusing messages was printed
out:
# while : ; do
iptables -A INPUT &
iptables -D INPUT &
done
[...]
Another app is currently holding the xtables lock; still -9s 0us time
ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time
ahead to have a chance to grab the lock...
If "-w" option is not specified, the "wait" will be zero, so we should
check whether the timer_left is less than wait_interval before we call
select to sleep.
Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time"
introduced by commit e8f857a5a151 ("xtables: Add an interval option for
xtables lock wait").
Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accpet-local" is combined with "--invert", it means "&&"
relationship, so translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 25 Dec 2016 12:27:51 +0000 (20:27 +0800)]
extensions: libxt_connbytes: Add translation to nft
For example:
# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
--connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter
Keno Fischer [Fri, 30 Dec 2016 05:43:37 +0000 (00:43 -0500)]
build: Fix two compile errors during out-of-tree build
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 29 Nov 2016 11:47:25 +0000 (12:47 +0100)]
tcp_xlate: Enclose LH flag values in parentheses
This fixes TCP flags matches:
| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop
Although the generated rule is syntactically correct and accepted by
nft, it will be interpreted in a different way than expected since
binary AND takes precedence over OR.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 25 Nov 2016 17:06:46 +0000 (18:06 +0100)]
xtables-translate: Support setting standard chain policy
Looks like this bit was simply forgotten when implementing
xlate_chain_set() as everything needed was there to just print the
desired policy along with the chain definition.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch (ab)uses the 'space' variable to check if a parameter to the
'ah' match was present and if not translates the match into an extension
header check:
| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| add rule ip6 filter INPUT meta l4proto ah counter accept
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clang's static analyzer flagged the shift this patch removes as
shifting a garbage value. Looks like `m` isn't used at all anyway, so
we can simply remove it.
Signed-off-by: George Burgess IV <gbiv@google.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Liping Zhang [Fri, 7 Oct 2016 11:08:56 +0000 (19:08 +0800)]
extensions: libxt_statistic: add translation to nft
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
Note, mode random is not completely supported in nft, so:
# iptables-translate -A OUTPUT -m statistic --mode random \
--probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:53 +0000 (19:08 +0800)]
extensions: libxt_ipcomp: add range support in translation
When translate to nft rules, ipcompspi range is not supported, so:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3 counter
Apply this patch:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1-2 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3-30 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:52 +0000 (19:08 +0800)]
extensions: libxt_devgroup: handle the invert flag properly in translation
We forgot to put "!=" when devgroup can be mapped to name, so translation
is wrong:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter
Apply this patch:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup != default counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:51 +0000 (19:08 +0800)]
extensions: libxt_iprange: handle the invert flag properly in translation
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
Liping Zhang [Fri, 7 Oct 2016 11:08:50 +0000 (19:08 +0800)]
extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate
nft will complain the syntax error if we use "ip saddr" or "ip daddr" in
ip6 family, so the current translation is wrong:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
^^
projects / thirdparty / iptables.git / log
