Vincent Bernat [Sat, 15 Apr 2017 10:16:47 +0000 (12:16 +0200)]
iptables-restore/save: exit when given an unknown option
When an unknown option is given, iptables-restore should exit instead of
continuing its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.
OTOH, exit with a status code of 0 when requesting help.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Dan Williams [Mon, 10 Apr 2017 17:35:18 +0000 (12:35 -0500)]
iptables-restore.8: document -w/-W options
Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.")
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
hashlimit was using "%lu" in a lot of printf format specifiers to print
64-bit integers. This is incorrect on 32-bit architectures because
"long int" is 32-bits there. On MIPS, it was causing iptables to
segfault when printing these integers.
Fix by using the correct format specifier.
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arushi Singhal [Thu, 30 Mar 2017 09:04:05 +0000 (14:34 +0530)]
iptables: extensions: Remove typedef in struct.
The Linux kernel coding style guidelines suggest not using typedefs for
structure. This patch gets rid of the typedefs for "_code".
The following Coccinelle semantic patch detects the cases for struct
type:
@tn@
identifier i;
type td;
@@
-typedef
struct i { ... }
-td
;
@@
type tn.td;
identifier tn.i;
@@
-td
+ struct i
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This test suite is intended to detect regressions in the translation
infrastructure. The script checks if ip[6]tables-translate produces the
expected output, otherwise it prints the wrong translation and the
expected one.
** Arguments
--all # Show also passed tests
[test] # Run only the specified test file
** Test files structure
Test files are located under extensions directory. Every file contains
tests about specific extension translations. A test file name must end
with ".txlate".
Inside the files, every single test is defined by two consecutive lines:
ip[6]tables-translate command and expected result. One blank line is left
between tests by convention.
e.g.
$ cat extensions/libxt_cpu.txlate
iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
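The .txlate format described in the commit above (command line, expected translation, blank line between tests) is small enough to parse in a few lines. The following is an added example, not the project's own test script: it parses a constructed .txlate file, runs each command through a translator callable, and reports mismatches the way the script does, with an option mirroring --all. By default the translator runs the ip[6]tables-translate binary named in the command; the demo swaps in an offline fake so it can be run without the binaries installed.

```python
"""Parse ".txlate" files and compare translations with the expected output.

Added example; not the iptables test-suite script. The file format follows
the commit message: each test is two consecutive lines (command, expected),
blank lines separate tests. The parser and comparison loop are this
example's own; SAMPLE_TXLATE is constructed from the two cpu-match tests.
"""
import shlex
import subprocess
from typing import Callable, List, Tuple

SAMPLE_TXLATE = """\
iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept

iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
"""


def parse_txlate(text: str) -> List[Tuple[str, str]]:
    """Return (command, expected) pairs; a command with no result line is an error."""
    tests: List[Tuple[str, str]] = []
    pending = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            if pending is not None:
                raise ValueError(f"line {lineno}: command without expected result")
            continue
        if pending is None:
            pending = line                      # first line of a pair: the command
        else:
            tests.append((pending, line))       # second line: expected translation
            pending = None
    if pending is not None:
        raise ValueError("file ends with a command but no expected result")
    return tests


def run_translator(command: str) -> str:
    """Run the real ip[6]tables-translate binary named at the start of command."""
    result = subprocess.run(shlex.split(command), capture_output=True,
                            text=True, check=False)
    return result.stdout.strip()


def check_txlate(text: str, translate: Callable[[str], str] = run_translator,
                 show_all: bool = False) -> Tuple[int, int, List[str]]:
    """Compare each test's translation with its expected line.

    Returns (passed, failed, report_lines); show_all lists passing tests too,
    like the script's --all flag.
    """
    passed = failed = 0
    report: List[str] = []
    for command, expected in parse_txlate(text):
        actual = translate(command)
        if actual == expected:
            passed += 1
            if show_all:
                report.append(f"OK:   {command}")
        else:
            failed += 1
            report.append(f"FAIL: {command}\n  got:      {actual}\n  expected: {expected}")
    return passed, failed, report


if __name__ == "__main__":
    # Offline demo: a fake translator that gets the second test wrong.
    fake = dict(parse_txlate(SAMPLE_TXLATE))
    fake[list(fake)[1]] = "nft add rule ip filter INPUT tcp dport 80 cpu 1 counter accept"
    ok, bad, lines = check_txlate(SAMPLE_TXLATE, translate=fake.__getitem__, show_all=True)
    print("\n".join(lines))
    print(f"{ok} passed, {bad} failed")
```

Pointing `check_txlate` at `run_translator` on a host with iptables installed checks the real binaries; the exit status of a wrapper script would be non-zero whenever `failed` is.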
Lorenzo Colitti [Thu, 16 Mar 2017 07:55:02 +0000 (16:55 +0900)]
iptables-restore: support acquiring the lock.
Currently, ip[6]tables-restore does not perform any locking, so it
is not safe to use concurrently with ip[6]tables.
This patch makes ip[6]tables-restore wait for the lock if -w
was specified. Arguments to -w and -W are supported in the same
way as they are in ip[6]tables.
The lock is not acquired on startup. Instead, it is acquired when
a new table handle is created (on encountering '*') and released
when the table is committed (COMMIT). This makes it possible to
keep long-running iptables-restore processes in the background
(for example, reading commands from a pipe opened by a system
management daemon) and simultaneously run iptables commands.
If -w is not specified, then the command proceeds without taking
the lock.
Tested as follows:
1. Run iptables-restore -w, and check that iptables commands work
with or without -w.
2. Type "*filter" into the iptables-restore input. Verify that
a) ip[6]tables commands without -w fail with "another app is
currently holding the xtables lock...".
b) ip[6]tables commands with "-w 2" fail after 2 seconds.
c) ip[6]tables commands with "-w" hang until "COMMIT" is
typed into the iptables-restore window.
3. With the lock held by an ip6tables-restore process:
strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000
shows 11 calls to flock and fails.
4. Run an iptables-restore with -w and one without -w, and check:
a) Type "*filter" in the first and then the second, and the
second exits with an error.
b) Type "*filter" in the second and "*filter" "-S" "COMMIT"
into the first. The rules are listed only when the first
copy sees "COMMIT".
Signed-off-by: Narayan Kamath <narayan@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
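The locking rule described above (take the xtables lock when a '*table' line opens a table, release it at COMMIT, hold nothing in between) can be modelled with flock(2) on a lock file. The following is an added example, not the iptables-restore implementation: it feeds restore-format lines to a small state machine and probes the lock from a second open file description, the way a concurrent iptables would see it. Without -w it makes one non-blocking attempt and treats a busy lock as an error, matching test 4a above; with -w the attempt blocks. The lock path is assumed, and rule lines are only collected, not loaded.

```python
"""Table-scoped xtables locking while consuming iptables-restore input.

Added example, not iptables code. Lock on '*table', unlock on COMMIT; the
lock path is an assumption (the real default is a build-time option).
"""
import fcntl
import os
import tempfile
from typing import Dict, List, Optional

XTABLES_LOCK = "/run/xtables.lock"   # assumption: default lock path


class LockHeldError(RuntimeError):
    """Another app is currently holding the xtables lock and -w was not given."""


class RestoreFeeder:
    """Consume iptables-restore input line by line, holding the lock per table."""

    def __init__(self, lock_path: str = XTABLES_LOCK, wait: bool = False):
        self.wait = wait
        self.fd = os.open(lock_path, os.O_RDONLY | os.O_CREAT, 0o600)
        self.table: Optional[str] = None          # non-None only while locked
        self.tables: Dict[str, List[str]] = {}

    def feed(self, line: str) -> None:
        line = line.strip()
        if not line or line.startswith("#"):
            return
        if line.startswith("*"):
            if self.table is not None:
                raise ValueError(f"{line} before COMMIT of *{self.table}")
            op = fcntl.LOCK_EX if self.wait else fcntl.LOCK_EX | fcntl.LOCK_NB
            try:
                fcntl.flock(self.fd, op)           # lock taken on '*table'
            except BlockingIOError:
                raise LockHeldError("Another app is currently holding the xtables lock") from None
            self.table = line[1:]
            self.tables.setdefault(self.table, [])
        elif line == "COMMIT":
            if self.table is None:
                raise ValueError("COMMIT outside a table")
            fcntl.flock(self.fd, fcntl.LOCK_UN)    # released on COMMIT
            self.table = None
        else:
            if self.table is None:
                raise ValueError(f"line outside a table: {line}")
            self.tables[self.table].append(line)   # collected only, never loaded

    def close(self) -> None:
        if self.table is not None:
            fcntl.flock(self.fd, fcntl.LOCK_UN)
        os.close(self.fd)


def lock_is_free(lock_path: str) -> bool:
    """Probe from a separate open file description, as another iptables would."""
    fd = os.open(lock_path, os.O_RDONLY | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    except BlockingIOError:
        return False
    finally:
        os.close(fd)                               # drops the probe lock if taken


class ExternalHolder:
    """Stand-in for another process holding the lock (demo and test helper)."""

    def __init__(self, lock_path: str):
        self.path = lock_path

    def __enter__(self):
        self.fd = os.open(self.path, os.O_RDONLY | os.O_CREAT, 0o600)
        fcntl.flock(self.fd, fcntl.LOCK_EX)
        return self

    def __exit__(self, *exc):
        os.close(self.fd)


def temp_lock_path() -> str:
    return os.path.join(tempfile.mkdtemp(), "xtables.lock")


# Constructed iptables-restore input with two tables.
SAMPLE_RESTORE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""


def trace_lock_state(text: str, lock_path: str, wait: bool = False) -> List[bool]:
    """Feed each line and record whether the lock is observed held afterwards."""
    feeder = RestoreFeeder(lock_path, wait)
    states: List[bool] = []
    try:
        for line in text.splitlines():
            feeder.feed(line)
            states.append(not lock_is_free(lock_path))
    finally:
        feeder.close()
    return states


if __name__ == "__main__":
    path = temp_lock_path()
    for line, held in zip(SAMPLE_RESTORE.splitlines(), trace_lock_state(SAMPLE_RESTORE, path)):
        print(f"{'LOCKED' if held else 'free  '}  {line}")
```

The probe works because flock locks belong to an open file description: a second open() of the lock file conflicts with the first even within one process, which is also why the strace output later on this page shows a fresh open() before every flock().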
Lorenzo Colitti [Thu, 16 Mar 2017 07:55:01 +0000 (16:55 +0900)]
iptables: remove duplicated argument parsing code
1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lorenzo Colitti [Tue, 14 Mar 2017 08:55:50 +0000 (17:55 +0900)]
iptables: set the path of the lock file via a configure option.
Currently the iptables lock is hardcoded as "/run/xtables.lock".
Allow users to change this path using the --with-xt-lock-name
option to ./configure option. This is useful on systems like
Android which do not have /run.
Tested on Ubuntu, as follows:
1. By default, the lock is placed in /run/xtables.lock:
$ make distclean-recursive && ./autogen.sh &&
./configure --disable-nftables --prefix /tmp/iptables &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
2. Specifying the lock results in the expected location being
used:
$ make distclean-recursive && ./autogen.sh && \
./configure --disable-nftables --prefix /tmp/iptables \
--with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
make -j64 &&
make install &&
sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
...
open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
iptables: No chain/target/match by that name.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables-translate: print nft iff there are more expanded rules to print
$ iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
This extra 'nft' print is incorrect, just print it if there are more
rules to be printed.
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Tested-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 8 Mar 2017 15:43:25 +0000 (16:43 +0100)]
xtables-translate: Avoid querying the kernel
This originally came up when accidentally calling iptables-translate as
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).
The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Baruch Siach [Thu, 2 Mar 2017 07:35:07 +0000 (09:35 +0200)]
utils: nfsynproxy: fix build with musl libc
The musl libc exposes some struct tcphdr fields only when _GNU_SOURCE is
defined. Fix the following build failure:
nfsynproxy.c: In function ‘parse_packet’:
nfsynproxy.c:34:9: error: ‘const struct tcphdr’ has no member named ‘syn’
if (!th->syn || !th->ack)
^
nfsynproxy.c:34:21: error: ‘const struct tcphdr’ has no member named ‘ack’
if (!th->syn || !th->ack)
^
nfsynproxy.c:42:8: error: ‘const struct tcphdr’ has no member named ‘res2’
if (th->res2 == 0x1)
^
nfsynproxy.c:45:13: error: ‘const struct tcphdr’ has no member named ‘doff’
length = th->doff * 4 - sizeof(*th);
^
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Dan Williams [Sun, 26 Feb 2017 04:02:03 +0000 (22:02 -0600)]
libiptc: don't set_changed() when checking rules with module jumps
Checking a rule that includes a jump to a module-based target currently
sets the "changed" flag on the handle, which then causes TC_COMMIT() to
run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This
seems wrong for simply checking rules, an operation which is documented
as "...does not alter the existing iptables configuration..." but yet
it clearly could do so.
Fix that by ensuring that rule check operations for module targets
don't set the changed flag, and thus exit early from TC_COMMIT().
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Elise Lennion [Mon, 27 Feb 2017 17:43:08 +0000 (14:43 -0300)]
extensions: libxt_hashlimit: Add translation to nft
Hashlimit has similar functionality to flow tables in nftables. Some
usage examples are:
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip \
--hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW \
-j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second \
burst 1 mbytes} ct state new counter drop
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode \
srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 \
-m state --state NEW -j DROP
nft add rule ip filter OUTPUT tcp dport 443 flow table https { ip \
daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} \
ct state new counter drop
The translation isn't supported when --hashlimit-mode isn't specified.
Also, the following options don't apply to flow tables:
Liping Zhang [Mon, 6 Feb 2017 11:47:47 +0000 (19:47 +0800)]
xshared: using the blocking file lock request when we wait indefinitely
When using "-w" to avoid concurrent instances, we try to do flock() every
one second until it success. But one second maybe too long in some
situations, and it's hard to select a suitable interval time. So when
using "iptables -w" to wait indefinitely, it's better to block until
it become success.
Now do some performance tests. First, flush all the iptables rules in
filter table, and run "iptables -w -S" endlessly:
# iptables -F
# iptables -X
# while : ; do
iptables -w -S >&- &
done
Second, after adding and deleting the iptables rules 100 times, measure
the time cost:
# time for i in $(seq 100); do
iptables -w -A INPUT
iptables -w -D INPUT
done
Before this patch:
real 1m15.962s
user 0m0.224s
sys 0m1.475s
Apply this patch:
real 0m1.830s
user 0m0.168s
sys 0m1.130s
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 5 Feb 2017 13:57:34 +0000 (21:57 +0800)]
xshared: do not lock again and again if "-w" option is not specified
After running the following commands, some confusing messages were printed
out:
# while : ; do
iptables -A INPUT &
iptables -D INPUT &
done
[...]
Another app is currently holding the xtables lock; still -9s 0us time
ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time
ahead to have a chance to grab the lock...
If "-w" option is not specified, the "wait" will be zero, so we should
check whether the timer_left is less than wait_interval before we call
select to sleep.
Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time"
introduced by commit e8f857a5a151 ("xtables: Add an interval option for
xtables lock wait").
Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accept-local" is combined with "--invert", it means an "&&"
relationship, so the translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 25 Dec 2016 12:27:51 +0000 (20:27 +0800)]
extensions: libxt_connbytes: Add translation to nft
For example:
# iptables-translate -A OUTPUT -m connbytes --connbytes 200 \
--connbytes-dir original --connbytes-mode packets
nft add rule ip filter OUTPUT ct original packets ge 200 counter
Keno Fischer [Fri, 30 Dec 2016 05:43:37 +0000 (00:43 -0500)]
build: Fix two compile errors during out-of-tree build
The first:
```
iptables/extensions/libebt_limit.c:21:26: fatal error: iptables/nft.h: No such file or directory
#include "iptables/nft.h"
```
The second:
```
/data/keno/sandbox/iptables/iptables/xtables-config-parser.y:19:32: fatal error: libiptc/linux_list.h: No such file or directory
#include <libiptc/linux_list.h>
^
```
Simply fixed by adding the relevant `-I` directives.
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 29 Nov 2016 11:47:25 +0000 (12:47 +0100)]
tcp_xlate: Enclose LH flag values in parentheses
This fixes TCP flags matches:
| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop
Although the generated rule is syntactically correct and accepted by
nft, it will be interpreted in a different way than expected since
binary AND takes precedence over OR.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
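The precedence problem in the commit above has a concrete consequence for a DROP rule: read with '&' binding tighter than '|', `tcp flags & fin|syn == fin|syn` becomes `((flags & fin) | syn) == fin|syn`, which holds for every segment with FIN set, including the ordinary FIN|ACK that closes a connection. The following is an added example, not iptables or nft code; it implements the xt_tcp match semantics for --tcp-flags MASK COMP and evaluates both the unparenthesised and the parenthesised nft forms over all 64 flag combinations to show exactly where they disagree.

```python
"""Why "tcp flags & fin|syn == fin|syn" is not --tcp-flags SYN,FIN SYN,FIN.

Added example, not iptables or nft code. iptables' --tcp-flags MASK COMP
matches when (flags & MASK) == COMP. The unparenthesised nft text is
evaluated here with '&' tighter than '|', as the commit describes.
"""
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {FIN: "fin", SYN: "syn", RST: "rst", PSH: "psh", ACK: "ack", URG: "urg"}
ALL_FLAGS = sum(NAMES)                      # 0x3f: the six flag bits together


def bits_of(mask: int) -> List[int]:
    """Flag bits present in mask, lowest first (the order nft prints them)."""
    return [b for b in sorted(NAMES) if mask & b]


def render(mask: int, comp: int, parens: bool) -> str:
    """The nft match text, with or without the parentheses the fix adds."""
    m = "|".join(NAMES[b] for b in bits_of(mask))
    c = "|".join(NAMES[b] for b in bits_of(comp))
    return f"tcp flags & {f'({m})' if parens else m} == {c}"


def iptables_match(flags: int, mask: int, comp: int) -> bool:
    """xt_tcp semantics of --tcp-flags MASK COMP."""
    return (flags & mask) == comp


def nft_unparenthesised(flags: int, mask: int, comp: int) -> bool:
    """'tcp flags & a|b|c == comp' with '&' tighter than '|': ((flags & a) | b | c) == comp."""
    first, *rest = bits_of(mask)
    value = flags & first
    for b in rest:
        value |= b
    return value == comp


def nft_parenthesised(flags: int, mask: int, comp: int) -> bool:
    """'tcp flags & (a|b|c) == comp': the intended masked comparison."""
    return (flags & mask) == comp


def divergent_flag_sets(mask: int, comp: int) -> List[int]:
    """Flag combinations where the unparenthesised rule decides differently."""
    return [f for f in range(ALL_FLAGS + 1)
            if nft_unparenthesised(f, mask, comp) != iptables_match(f, mask, comp)]


if __name__ == "__main__":
    mask = comp = FIN | SYN
    bad = divergent_flag_sets(mask, comp)
    print(render(mask, comp, parens=False), "->", len(bad), "flag combinations misjudged")
    fixed = [f for f in range(ALL_FLAGS + 1)
             if nft_parenthesised(f, mask, comp) != iptables_match(f, mask, comp)]
    print(render(mask, comp, parens=True), "->", len(fixed), "flag combinations misjudged")
    for f in bad[:4]:
        print(f"  {f:#04x}", "|".join(NAMES[b] for b in bits_of(f)), "matched by the broken rule")
```

For the SYN,FIN example the broken form misjudges 16 of the 64 combinations, precisely those with FIN set and SYN clear; the parenthesised form agrees with iptables on all of them.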
Phil Sutter [Fri, 25 Nov 2016 17:06:46 +0000 (18:06 +0100)]
xtables-translate: Support setting standard chain policy
Looks like this bit was simply forgotten when implementing
xlate_chain_set() as everything needed was there to just print the
desired policy along with the chain definition.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch (ab)uses the 'space' variable to check if a parameter to the
'ah' match was present and if not translates the match into an extension
header check:
| $ ip6tables-translate -A INPUT -m ah -j ACCEPT
| add rule ip6 filter INPUT meta l4proto ah counter accept
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clang's static analyzer flagged the shift this patch removes as
shifting a garbage value. Looks like `m` isn't used at all anyway, so
we can simply remove it.
Signed-off-by: George Burgess IV <gbiv@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Liping Zhang [Fri, 7 Oct 2016 11:08:56 +0000 (19:08 +0800)]
extensions: libxt_statistic: add translation to nft
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
Note, mode random is not completely supported in nft, so:
# iptables-translate -A OUTPUT -m statistic --mode random \
--probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:53 +0000 (19:08 +0800)]
extensions: libxt_ipcomp: add range support in translation
When translate to nft rules, ipcompspi range is not supported, so:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3 counter
Apply this patch:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1-2 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp cpi != 3-30 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:52 +0000 (19:08 +0800)]
extensions: libxt_devgroup: handle the invert flag properly in translation
We forgot to put "!=" when the devgroup can be mapped to a name, so the
translation is wrong:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter
Apply this patch:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup != default counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Fri, 7 Oct 2016 11:08:51 +0000 (19:08 +0800)]
extensions: libxt_iprange: handle the invert flag properly in translation
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
Liping Zhang [Fri, 7 Oct 2016 11:08:50 +0000 (19:08 +0800)]
extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate
nft will complain about a syntax error if we use "ip saddr" or "ip daddr" in
the ip6 family, so the current translation is wrong:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
^^
Liping Zhang [Fri, 7 Oct 2016 11:08:49 +0000 (19:08 +0800)]
extensions: libipt_realm: add a missing space in translation
We missed a blank space when translating to nft, so if rt_realm can be
mapped to a name, the result looks ugly:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassidcosmos counter
^
Apply this patch:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassid cosmos counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Mon, 26 Sep 2016 19:08:52 +0000 (15:08 -0400)]
extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million; version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
and xt_hashlimit_mtinfo2 and also create newer versions of all the
functions for match, checkentry and destroy.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Mon, 26 Sep 2016 19:08:17 +0000 (15:08 -0400)]
extensions: libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the
end of the names.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Joshua Hunt <johunt@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition with the new checks of
ruleset compatibility, the rule list is loaded one more time.
Now all the operations causing changes in the ruleset must invalidate
the cache, a function called flush_rule_cache has been introduced for
this purpose.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:48 +0000 (16:50 +0800)]
extensions: libip[6]t_REDIRECT: use new nft syntax when doing xlate
After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1
Apply this patch:
# iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 28 Aug 2016 08:50:46 +0000 (16:50 +0800)]
extensions: libipt_DNAT/SNAT: fix "OOM" when doing translation to nft
When I want to translate the SNAT target to an nft rule, an error message
was printed out:
# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM
Because ipt_natinfo{} starts with an xt_entry_target{}, when we
get the ipt_natinfo pointer, we should use the target itself,
not its data pointer. Yes, it is a little tricky and it's different
from other targets.
xtables-compat: check if nft ruleset is compatible
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 21 Aug 2016 14:34:55 +0000 (22:34 +0800)]
extensions: libxt_CLASSIFY: Add translation to nft
For example:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff
nft add rule ip filter OUTPUT counter meta priority set root
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234
nft add rule ip filter OUTPUT counter meta priority set 1:234
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Willem de Bruijn [Wed, 10 Aug 2016 19:23:07 +0000 (15:23 -0400)]
extensions/libxt_bpf.man: clarify BPF code generation with tcpdump
The xt_bpf module applies BPF bytecode to the packet. Depending on
where the module is invoked, the kernel may pass a packet with or
without link layer header. Iptables has no such header.
A common `tcpdump -ddd <string>` compilation command may revert to
a physical device that generates code for packets starting from the
mac layer up (e.g., E10MB data link type: Ethernet).
Clarify in the man page that when using this tool for code generation,
a suitable target device must be chosen.
Netfilter Bugzilla Bug #1048
Reported-by: Lorenzo Pistone <blaffablaffa@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
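The man page fix above is easiest to appreciate by running a filter compiled for the wrong link type. The following is an added example, not iptables or tcpdump code: a minimal classic-BPF interpreter runs two hand-written "IPv4 and TCP" filters over a constructed packet as xt_bpf sees it, starting at the IP header. The filter that expects a 14-byte Ethernet header (the shape `tcpdump -ddd` produces on an Ethernet device) never matches, so a rule built on it silently does nothing; the filter written for raw IP does match. Neither program is real tcpdump output, and the packet is constructed; the encoder emits the decimal `len,code jt jf k,...` string that `-m bpf --bytecode` accepts.

```python
"""xt_bpf bytecode must be compiled for a link type with no MAC header.

Added example, not iptables or tcpdump code. The interpreter supports the
handful of classic-BPF instructions the two filters use; an out-of-range
load rejects the packet, as in cBPF. Filters and packet are hand-built.
"""
import struct
from typing import List, Tuple

Insn = Tuple[str, int, int, int]                       # (op, k, jt, jf)

# Classic BPF opcode bytes for the instructions used here.
OPCODES = {"ldh": 0x28, "ldb": 0x30, "and": 0x54, "jeq": 0x15, "ret": 0x06}

# Filter shaped for an Ethernet device: ethertype at offset 12, IP protocol
# at 14 + 9 = 23. Hand-written, not tcpdump output.
ETHER_IP_TCP: List[Insn] = [
    ("ldh", 12, 0, 0),
    ("jeq", 0x0800, 0, 3),
    ("ldb", 23, 0, 0),
    ("jeq", 6, 0, 1),
    ("ret", 0xFFFF, 0, 0),
    ("ret", 0, 0, 0),
]

# Filter for packets that begin at the IP header (what xt_bpf sees):
# version nibble at offset 0, IP protocol at offset 9.
RAW_IP_TCP: List[Insn] = [
    ("ldb", 0, 0, 0),
    ("and", 0xF0, 0, 0),
    ("jeq", 0x40, 0, 3),
    ("ldb", 9, 0, 0),
    ("jeq", 6, 0, 1),
    ("ret", 0xFFFF, 0, 0),
    ("ret", 0, 0, 0),
]


def run_cbpf(program: List[Insn], packet: bytes) -> int:
    """Return the filter result: 0 means no match, non-zero means match."""
    acc, pc = 0, 0
    while pc < len(program):
        op, k, jt, jf = program[pc]
        pc += 1
        if op in ("ldh", "ldb"):
            width = 2 if op == "ldh" else 1
            if k + width > len(packet):
                return 0                               # cBPF rejects on OOB load
            acc = int.from_bytes(packet[k:k + width], "big")
        elif op == "and":
            acc &= k
        elif op == "jeq":
            pc += jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode {op}")
    raise ValueError("program fell off the end")


def to_xt_bpf_bytecode(program: List[Insn]) -> str:
    """Encode as the decimal 'len,code jt jf k,...' string used by --bytecode."""
    insns = [f"{OPCODES[op]} {jt} {jf} {k}" for op, k, jt, jf in program]
    return ",".join([str(len(program))] + insns)


def build_ipv4_packet(proto: int = 6) -> bytes:
    """Constructed IPv4 header plus a 20-byte TCP-shaped header, no L2 framing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + l4


def ethernet_frame(payload: bytes) -> bytes:
    """Prepend a 14-byte Ethernet header (dst, src, ethertype IPv4)."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + payload


if __name__ == "__main__":
    pkt = build_ipv4_packet()
    print("Ethernet-shaped filter on raw IP packet:", run_cbpf(ETHER_IP_TCP, pkt))
    print("RAW filter on raw IP packet:            ", run_cbpf(RAW_IP_TCP, pkt))
    print("--bytecode", to_xt_bpf_bytecode(RAW_IP_TCP))
```

The Ethernet-shaped program reads the source address bytes where it expects an ethertype and falls through to `ret 0` on every packet, so a `-m bpf ... -j DROP` rule built from it drops nothing and a `! -m bpf` allow-list rule passes nothing; both failures are silent.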
iptables-translate: add in/out ifname wildcard match translation to nft
In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.
Apply this patch, translation will become:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add some unit tests for connlabel match extension:
# ./iptables-test.py extensions/libxt_connlabel.t
extensions/libxt_connlabel.t: OK
1 test files, 7 unit tests, 7 passed
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
libxt_NFLOG: nflog-range does not truncate packets"). Then make
the nflog-range become deprecated, because it has no effect from
the beginning.
So when we do translation, nft log snaplen is translated only if the
nflog-size is specified.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_NFLOG: display nflog-size even if it is zero
The following iptables rules have different semantics:
# iptables -A INPUT -j NFLOG
# iptables -A INPUT -j NFLOG --nflog-size 0
But they are both displayed as "-A INPUT -j NFLOG", so if
the user inputs the following command, the original semantics
will be broken:
# iptables-save | iptables-restore
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions: libxt_connlabel: fix crash when connlabel.conf is empty
When connlabel.conf is empty, nfct_labelmap_new will return NULL and
set errno to 0. So we miss checking this situation, and cause a NULL
dereference in nfct_labelmap_get_bit.
Inputting the following commands will reproduce this crash:
# echo > /etc/xtables/connlabel.conf
# iptables -A INPUT -m connlabel --label abc
Segmentation fault (core dumped)
xtables: Add an interval option for xtables lock wait
ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that, resulting in unnecessary delay when trying to
acquire the lock. This problem is even more severe in the case of
latency-sensitive applications.
Introduce a new option 'W' to specify the wait interval in microseconds.
If this option is not specified, the command sleeps for 1 second by
default.
v1->v2: Change behavior to take millisecond sleep as an argument to
-w as suggested by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.
v3->v4: Use select instead of usleep. Sleep every iteration for
the time specified in the "-W" argument. Update man page.
v4->v5: Fix compilation error when enabling nftables
v5->v6: Simplify -W so it only takes the interval wait in microseconds.
Bail out if -W is specified but -w is not.
Joint work with Pablo Neira.
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
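Three commits on this page refine the same wait loop: this one adds the -W interval, the "do not lock again and again" fix stops the loop from running at all when -w was not given, and the "blocking file lock request" change replaces the one-second poll with a blocking flock() when -w has no timeout. The following is an added example, not the xshared.c implementation, that puts those three behaviours in one function: without -w, one non-blocking attempt and an immediate error; plain -w, a blocking LOCK_EX so the kernel wakes the waiter the moment the lock is dropped; -w N, a retry every -W microseconds (default one second) until N seconds have elapsed, and an error if -W is given without -w. It sleeps with time.sleep rather than select(), and the lock path is assumed.

```python
"""Acquire the xtables lock with iptables' -w / -W semantics.

Added example; not xshared.c. wait == 0 means no -w, WAIT_FOREVER means
plain -w, wait > 0 is "-w N"; interval_us is the -W value. The lock path
is an assumption (the real default is a build-time option).
"""
import fcntl
import os
import tempfile
import threading
import time
from typing import Optional, Tuple

XTABLES_LOCK = "/run/xtables.lock"     # assumption: compiled-in default
WAIT_FOREVER = -1                      # plain "-w" with no number


class LockBusy(RuntimeError):
    """Another app is currently holding the xtables lock."""


def xtables_lock(lock_path: str = XTABLES_LOCK, wait: int = 0,
                 interval_us: Optional[int] = None) -> int:
    """Return an fd holding the lock, or raise LockBusy."""
    if interval_us is not None and wait == 0:
        raise ValueError("-W requires -w")            # bail out, per v5->v6 above
    interval = (interval_us or 1_000_000) / 1e6       # default: one second
    fd = os.open(lock_path, os.O_RDONLY | os.O_CREAT, 0o600)
    try:
        if wait == WAIT_FOREVER:
            fcntl.flock(fd, fcntl.LOCK_EX)             # blocking request, no polling
            return fd
        deadline = time.monotonic() + wait
        while True:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                return fd
            except BlockingIOError:
                left = deadline - time.monotonic()
                if wait == 0 or left <= 0:             # no -w: never loop or sleep
                    raise LockBusy("Another app is currently holding the xtables lock"
                                   + ("" if wait == 0 else f"; gave up after {wait}s")) from None
                time.sleep(min(left, interval))        # never oversleep the deadline
    except BaseException:
        os.close(fd)
        raise


def attempt(lock_path: str, wait: int = 0,
            interval_us: Optional[int] = None) -> Tuple[bool, float]:
    """Take and immediately drop the lock; return (acquired, seconds spent)."""
    t0 = time.monotonic()
    try:
        fd = xtables_lock(lock_path, wait, interval_us)
    except LockBusy:
        return False, time.monotonic() - t0
    os.close(fd)                                       # closing releases the flock
    return True, time.monotonic() - t0


def hold_lock(lock_path: str) -> int:
    """Stand in for another process holding the lock; os.close(fd) releases it."""
    fd = os.open(lock_path, os.O_RDONLY | os.O_CREAT, 0o600)
    fcntl.flock(fd, fcntl.LOCK_EX)
    return fd


def release_later(fd: int, seconds: float) -> None:
    """Drop a held lock from a background thread after a delay."""
    threading.Timer(seconds, os.close, args=(fd,)).start()


def temp_lock_path() -> str:
    return os.path.join(tempfile.mkdtemp(), "xtables.lock")


if __name__ == "__main__":
    path = temp_lock_path()
    holder = hold_lock(path)
    print("no -w while busy:        ", attempt(path, 0))
    print("-w 1 -W 100000 while busy:", attempt(path, 1, 100_000))
    release_later(holder, 0.3)
    print("-w (blocking) until free: ", attempt(path, WAIT_FOREVER))
```

The blocking case is what makes the benchmark in the earlier commit fast: a waiter parked in flock(LOCK_EX) is woken as soon as the holder closes its fd, instead of noticing up to a second later on its next poll.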
Jordan Yelloz [Fri, 24 Jun 2016 19:18:45 +0000 (12:18 -0700)]
extensions: added AR substitution
This is to ensure that the correct AR is run in cross-compile jobs.
Often a cross-compile build will succeed without this change but it
fails on my Gentoo Linux system when I have binutils installed with the
"multitarget" USE flag.
This change substitutes AR with the autotools-supplied AR for the
extensions subdirectory.
Signed-off-by: Jordan Yelloz <jordan@yelloz.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Vishwanath Pai [Fri, 24 Jun 2016 20:42:31 +0000 (16:42 -0400)]
extensions: libxt_NFLOG: nflog-range does not truncate packets
The option --nflog-range has never worked, but we cannot just fix this
because users might be using this feature option and their behavior would
change. Instead add a new option --nflog-size. This option works the same
way nflog-range should have, and both of them are mutually exclusive. When
someone uses --nflog-range we print a warning message informing them that
this feature has no effect.
To indicate to the kernel that the user has set --nflog-size we have to pass a
new flag XT_NFLOG_F_COPY_LEN.
Also updated the man page to reflect the new option and added tests to
extensions/libxt_NFLOG.t
Reported-by: Joe Dollard <jdollard@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shivani Bhardwaj [Wed, 22 Jun 2016 19:41:39 +0000 (01:11 +0530)]
configure: Fix assignment statement
The assignment statement was interpreted as executing enable_connlabel
command with the argument "no". This was due to the whitespaces in the
assignment.
Fixes the trivial bug introduced in commit 3b7a227 (configure: Show
support for connlabel)
Roberto García [Wed, 22 Jun 2016 12:31:31 +0000 (14:31 +0200)]
iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
Fix translation of MARK target's --set-xmark option.
Before:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
After:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
xor 0x64
Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
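The Before/After lines above can be checked mechanically against what the MARK target actually does. The xt_MARK module computes `mark = (mark & ~mask) ^ value` for --set-xmark value/mask, and nft, like C, binds `and` tighter than `xor` (the TCP flags commit earlier on this page makes the same precedence point for `&` and `|`), so `mark xor 0x64 and 0xaf` is `mark ^ (0x64 & 0xaf)`. The following is an added example, not iptables or nft code: a small evaluator for nft mark expressions with that precedence, the kernel rule, and a comparison over sample marks that shows the "Before" translation diverging and the "After" translation agreeing.

```python
"""Check MARK --set-xmark translations against the kernel's mark arithmetic.

Added example, not iptables or nft code. kernel_set_xmark is the xt_MARK
rule for --set-xmark value/mask; eval_mark_expr reads 'mark and/xor/or N'
expressions with C precedence ('and' > 'xor' > 'or') and no parentheses,
which is all the expressions on this page need.
"""
from typing import Iterable

MASK32 = 0xFFFFFFFF
PREC = {"or": 1, "xor": 2, "and": 3}
OPS = {"or": lambda a, b: a | b, "xor": lambda a, b: a ^ b, "and": lambda a, b: a & b}
SAMPLE_MARKS = [0x0, 0x1, 0x64, 0xAF, 0x12345678, 0xDEADBEEF, MASK32]


def kernel_set_xmark(mark: int, value: int, mask: int) -> int:
    """xt_MARK semantics of --set-xmark value/mask: clear mask bits, xor value."""
    return ((mark & ~mask & MASK32) ^ value) & MASK32


def translate_set_xmark(value: int, mask: int) -> str:
    """The fixed translation: 'and' with the inverted mask first, then 'xor'."""
    return f"meta mark set mark and {hex(~mask & MASK32)} xor {hex(value)}"


def eval_mark_expr(expr: str, mark: int) -> int:
    """Evaluate 'mark [and|or|xor <int>]...' with C precedence."""
    tokens = expr.split()

    def parse(pos: int, min_prec: int):
        value = mark if tokens[pos] == "mark" else int(tokens[pos], 0)
        pos += 1
        while pos < len(tokens) and PREC[tokens[pos]] >= min_prec:
            op = tokens[pos]
            rhs, pos = parse(pos + 1, PREC[op] + 1)   # tighter operators bind the rhs
            value = OPS[op](value, rhs)
        return value & MASK32, pos

    value, pos = parse(0, 1)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return value


def expr_matches_kernel(expr: str, value: int, mask: int,
                        marks: Iterable[int] = SAMPLE_MARKS) -> bool:
    """True if the nft expression reproduces --set-xmark for every sample mark."""
    return all(eval_mark_expr(expr, m) == kernel_set_xmark(m, value, mask) for m in marks)


if __name__ == "__main__":
    value, mask = 0x64, 0xAF
    before = "mark xor 0x64 and 0xaf"               # "Before" line of the commit
    after = "mark and 0xffffff50 xor 0x64"          # "After" line of the commit
    for label, expr in (("before", before), ("after", after)):
        print(f"{label}: {expr!r} matches kernel: {expr_matches_kernel(expr, value, mask)}")
    print("generated:", translate_set_xmark(value, mask))
```

With mark 0 the "Before" expression yields 0x24 (0x64 & 0xaf) where the kernel would set 0x64; the "After" form agrees with the kernel for every sample, which is why the fix emits `and ~mask` before `xor value`.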
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and
0xffffffed
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
nft add rule ip mangle PREROUTING counter ct mark set mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
nft add rule ip mangle PREROUTING counter meta mark set ct mark
# iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
--mask 0x12
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12
Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>