Phil Sutter [Thu, 2 Apr 2026 14:20:09 +0000 (16:20 +0200)]
arptables: Warn when ignoring '-p' option
Legacy arptables has been silently ignoring this flag (plus mandatory
argument) since day 1. Retain compatibility to that behaviour but inform
users that a part of their rule does nothing.
Since arp is the only family which didn't provide a proto_parse
callback, implement one for the sole purpose of printing the warning. As
a side-effect, caller no longer has to check callback's existence.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 10 Mar 2026 16:22:52 +0000 (17:22 +0100)]
xtables-translate: Return non-zero if translation fails
Untranslated parts in output are easily overlooked and also don't disrupt
piping into nft (which is a bad idea to begin with), so make a little
noise if things go sideways:
| # iptables-translate -A FORWARD -m recent --set
| nft # -A FORWARD -m recent --set
| Translation not (fully) implemented
| # cat /tmp/input.ipt
| *filter
| -A FORWARD -s 1.2.3.4
| -A FORWARD -m recent --set
| COMMIT
| # iptables-restore-translate -f /tmp/input.ipt
| # Translated by iptables-restore-translate v1.8.13 on Tue Mar 10 17:29:17 2026
| add table ip filter
| add rule ip filter FORWARD ip saddr 1.2.3.4 counter
| # -t filter -A FORWARD -m recent --set
| iptables-translate-restore: line 3 failed
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
Rudi Heitbaum [Fri, 20 Feb 2026 09:37:46 +0000 (09:37 +0000)]
src: fix discards 'const' qualifier
argv is passed by parse_change_counters_rule and do_parse to parse_rule_range
as a const char. parse_rule_range modifies the passed-in argv, so pass as
non-const so that it can be modified without warning.
Fixes:
iptables/xshared.c: In function 'parse_rule_range':
iptables/xshared.c:912:23: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
912 | char *colon = strchr(argv, ':'), *buffer;
| ^~~~~~
p is used as the return from strchr(sctp_chunk_names[i].valid_flags)
which is a const char. Declare p as a const char * pointer for use
addressing the warning.
Fixes:
extensions/libxt_sctp.c: In function 'parse_sctp_chunk':
extensions/libxt_sctp.c:211:40: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
211 | if ((p = strchr(sctp_chunk_names[i].valid_flags,
| ^
next is used as the return from strchr(loop) which is a const char.
Declare next as a const char * pointer for use addressing the warning.
Fixes:
libxtables/xtables.c: In function 'xtables_ipparse_multiple':
libxtables/xtables.c:1767:22: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
1767 | next = strchr(loop, ',');
| ^
libxtables/xtables.c: In function 'xtables_ip6parse_multiple':
libxtables/xtables.c:2066:22: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
2066 | next = strchr(loop, ',');
| ^
Iptables binary only understands NFT_BITWISE_MASK_XOR bitwise operation and
assumes its attributes are always present without actually checking, which
leads to a segfault in some cases.
This commit introduces this missing check.
| /**
| * enum nft_bitwise_ops - nf_tables bitwise operations
| *
| * @NFT_BITWISE_MASK_XOR: mask-and-xor operation used to implement NOT, AND, OR
| * and XOR boolean operations
| * @NFT_BITWISE_LSHIFT: left-shift operation \
| * @NFT_BITWISE_RSHIFT: right-shift operation |
| * @NFT_BITWISE_AND: and operation | These all are affected
| * @NFT_BITWISE_OR: or operation |
| * @NFT_BITWISE_XOR: xor operation /
| */
From iptables/nft-ruleparse.c:
| static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
| {
| [...]
|
| data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_XOR, &len); // <-- this attribute may not be present
|
| if (len > sizeof(dreg->bitwise.xor)) {
| ctx->errmsg = "bitwise xor too large";
| return;
| }
|
| memcpy(dreg->bitwise.xor, data, len); // <-- zero dereference happens here
|
| data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_MASK, &len);
|
| if (len > sizeof(dreg->bitwise.mask)) {
| ctx->errmsg = "bitwise mask too large";
| return;
| }
|
| memcpy(dreg->bitwise.mask, data, len);
|
| dreg->bitwise.set = true;
|
| }
The bug can be reproduced by creating a rule like this:
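The attribute-copy pattern quoted above, with the presence check the commit adds, as an added C example. This is not iptables or libnftnl code: nftnl_expr_get() is modelled by a constructed struct in which a NULL pointer stands for an absent attribute, and the names copy_attr, fake_bitwise, bitwise_reg and parse_bitwise are hypothetical.

```c
/* Added example, not iptables code: copying optional, variable-length
 * attributes into fixed register fields, checking presence before length.
 * nftnl_expr_get() is modelled by the constructed struct fake_bitwise below;
 * all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum attr_status { ATTR_OK = 0, ATTR_MISSING, ATTR_TOO_LARGE };

/* The quoted code only checked len, not whether data was present. When the
 * attribute is absent the getter returns NULL, the length check passes and
 * memcpy() dereferences a NULL pointer. Checking data first closes that. */
static enum attr_status copy_attr(void *dst, size_t dst_size,
                                  const void *data, uint32_t len)
{
    if (!data)                      /* the check the commit introduces */
        return ATTR_MISSING;
    if (len > dst_size)             /* the check that already existed */
        return ATTR_TOO_LARGE;
    memset(dst, 0, dst_size);
    memcpy(dst, data, len);
    return ATTR_OK;
}

/* Constructed stand-in for a bitwise expression as delivered over netlink;
 * a NULL pointer means that attribute was not present in the message. */
struct fake_bitwise {
    const uint8_t *mask; uint32_t mask_len;
    const uint8_t *xor;  uint32_t xor_len;
};

/* Constructed register state, sized like a 128-bit nft register. */
struct bitwise_reg { uint8_t mask[16]; uint8_t xor[16]; int set; };

/* Hardened parse: returns an error string instead of crashing, NULL on success. */
static const char *parse_bitwise(struct bitwise_reg *reg,
                                 const struct fake_bitwise *e)
{
    switch (copy_attr(reg->xor, sizeof(reg->xor), e->xor, e->xor_len)) {
    case ATTR_MISSING:   return "bitwise xor missing";
    case ATTR_TOO_LARGE: return "bitwise xor too large";
    default: break;
    }
    switch (copy_attr(reg->mask, sizeof(reg->mask), e->mask, e->mask_len)) {
    case ATTR_MISSING:   return "bitwise mask missing";
    case ATTR_TOO_LARGE: return "bitwise mask too large";
    default: break;
    }
    reg->set = 1;
    return NULL;
}
```

The order of the two checks matters: the length test alone gives a false sense of safety because an absent attribute reports a length that passes it, so the presence test has to come first.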
Alan Ross [Thu, 12 Feb 2026 13:35:21 +0000 (08:35 -0500)]
libxtables: refuse to run under file capabilities
Extend the existing setuid guard in xtables_init() to also detect
file capabilities via getauxval(AT_SECURE).
Some container runtimes and minimal distributions grant cap_net_admin
via file capabilities (setcap cap_net_admin+ep /usr/sbin/iptables)
rather than running through sudo. In that configuration the kernel
sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but
getuid() == geteuid() so the existing setuid check passes.
Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
execution as the capability-elevated user.
getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE
in the auxiliary vector -- this covers both classic setuid/setgid and
file capabilities. Exit with status 111, matching the existing
setuid behavior.
Signed-off-by: Alan Ross <alan@sleuthco.ai>
Signed-off-by: Florian Westphal <fw@strlen.de>
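The guard this commit describes, as an added C example rather than the libxtables code itself. The exit status 111 and the use of getauxval(AT_SECURE) come from the commit message; the function names privs_elevated, running_elevated and refuse_if_elevated are hypothetical, and checking gid/egid in addition to uid/euid is this example's choice. The decision is kept in a pure function so it can be exercised with constructed id values; Linux-only because of sys/auxv.h.

```c
/* Added example, not libxtables code: refuse to honor environment-supplied
 * plugin paths when running setuid/setgid or under file capabilities.
 * Names are hypothetical; exit status 111 follows the commit message. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/types.h>

/* Pure decision, separated from the syscalls so it can be tested with
 * constructed values. Returns 1 when the environment must not be trusted. */
static int privs_elevated(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                          unsigned long at_secure)
{
    /* Classic setuid/setgid: real and effective ids differ. */
    if (uid != euid || gid != egid)
        return 1;
    /* File capabilities (setcap cap_net_admin+ep ...): ids are equal, but the
     * kernel sets AT_SECURE. The dynamic linker strips LD_PRELOAD for that
     * reason, yet program-specific variables consulted before dlopen(), such
     * as XTABLES_LIBDIR, are not covered unless the program checks itself. */
    if (at_secure != 0)
        return 1;
    return 0;
}

/* Reads the live process state and applies the decision. */
static int running_elevated(void)
{
    return privs_elevated(getuid(), geteuid(), getgid(), getegid(),
                          getauxval(AT_SECURE));
}

/* What an xtables_init()-style guard does before touching plugin paths. */
static void refuse_if_elevated(void)
{
    if (running_elevated()) {
        fprintf(stderr, "refusing to run setuid or under file capabilities\n");
        exit(111);
    }
}

int main(void)
{
    refuse_if_elevated();
    /* Only reached when honoring the environment is safe. */
    const char *libdir = getenv("XTABLES_LIBDIR");
    printf("plugin dir: %s\n", libdir ? libdir : "(compiled-in default)");
    return 0;
}
```

Run as a normal user the program prints the plugin directory; the same binary with cap_net_admin+ep set exits with 111 even though getuid() equals geteuid(), which is exactly the case the pre-existing setuid check missed.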
The main intended user for '--compat' will likely go away. It is also
unlikely the 'iptables-only-emits-native-nft' will ever come to pass.
If there is ever a demand of iptables-to-native-nft that can list rules
even if decompilation step fails then we can always resurrect this again
if need be.
If user did not pass --with-zlib and it is not available, simply turn
off rule compat expression compression. It is not strictly necessary and
users may not care.
While at it, drop the conditional AC_DEFINE() call: In fact,
AC_CHECK_LIB() does that already.
Fixes: ff5f6a208efcc ("nft-ruleparse: Fallback to compat expressions in userdata")
Signed-off-by: Phil Sutter <phil@nwl.cc>
- Avoid calling host's nft binary, use double-verbose mode with *tables
tools instead
- Update expected payloads to match new byteorder-aware libnftnl output
- Drop '-x' flag from shell
Phil Sutter [Wed, 28 Jan 2026 19:29:51 +0000 (20:29 +0100)]
ruleparse: arp: Fix for all-zero mask on Big Endian
With 16bit mask values, the first two bytes of bitwise.mask in struct
nft_xt_ctx_reg are significant. Reading the first 32bit-sized field
works only on Little Endian, on Big Endian the mask appears in the upper
two bytes which are discarded when assigning to a 16bit variable.
Phil Sutter [Thu, 22 Jan 2026 17:06:07 +0000 (18:06 +0100)]
libxtables: Store all requested target types
Repeat the change in commit 1a696c99d278c ("libxtables: store all
requested match types") for target registration. An obvious use-case
affected as described in that commit is an 'nft list ruleset' process
translating different families' extensions in one go. If the same
extension is used in multiple families, only the first one is being
found.
Phil Sutter [Thu, 20 Nov 2025 12:55:38 +0000 (13:55 +0100)]
nft: Support replacing a rule added in the same batch
As reported in nfbz#1820, trying to add a rule and replacing it in the
same batch would crash iptables due to a stale rule pointer left in an
obj_update.
Doing this is perfectly fine in legacy iptables, so implement the
missing feature instead of merely preventing the crash.
Florian Westphal [Mon, 25 Aug 2025 09:07:35 +0000 (11:07 +0200)]
man: iptables-restore.8: document flush behaviour for user-defined chains
There is no way we can change this after two decades.
Add an example and document that declaring a user defined chain
will flush its contents in --noflush mode.
Phil Sutter [Tue, 22 Jul 2025 10:43:26 +0000 (12:43 +0200)]
xtables-monitor: Print -X command for base chains, too
Since commit 61e85e3192dea ("iptables-nft: allow removal of empty
builtin chains"), the command may be applied to "builtin" chains as
well, so the output is basically valid.
Apart from that, since kernel commit a1050dd07168 ("netfilter:
nf_tables: Reintroduce shortened deletion notifications") the base chain
deletion notification does not contain NFTNL_CHAIN_PRIO (actually:
NFTA_HOOK_PRIORITY) attribute anymore so this implicitly fixes for
changed kernel behaviour.
The internal routine xtopt_esize_by_type() is *not* just a fancy wrapper
around direct xtop_psize array access, as clearly indicated by the
comment right above it: It will return the single field size for
range-value types (XTTYPE_UINT*RC).
Using it in xtables_option_metavalidate() leads to spurious "memory
block of wrong size" complaints.
Fixes: 786b75f7c9b9f ("libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 14 May 2025 17:36:01 +0000 (19:36 +0200)]
libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter
Apart from supporting range-types, this getter is convenient to sanitize
array out of bounds access. Use it in xtables_option_metavalidate() to
simplify the code a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Miao Wang [Thu, 17 Jul 2025 08:27:37 +0000 (16:27 +0800)]
extensions: libebt_redirect: prevent translation
The redirect target in ebtables does two things: 1. set skb->pkt_type to
PACKET_HOST, and 2. set the destination mac address to the address of
the receiving bridge device (when not used in BROUTING chain), or the
receiving physical device (otherwise). However, the latter cannot be
implemented in nftables not given the translated mac address. So it is
not appropriate to give a specious translation.
This patch disables the translation to prevent possible misunderstanding.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 2 Jul 2025 14:20:06 +0000 (16:20 +0200)]
extensions: sctp: Translate bare '-m sctp' match
Just like with TCP and UDP protocol matches, emit a simple 'meta
l4proto' match if no specific header detail is to be matched.
Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
sctp' is not and the translation is deferred to the extension in that
case. Keep things stu^Wsimple and translate unconditionally.
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 23 Apr 2025 10:36:13 +0000 (12:36 +0200)]
xshared: Accept an option if any given command allows it
Fixed commit made option checking overly strict: Some commands may be
combined (foremost --list and --zero), reject a given option only if it
is not allowed by any of the given commands.
Reported-by: Adam Nielsen <a.nielsen@shikadi.net>
Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 31 Jul 2024 19:28:11 +0000 (21:28 +0200)]
nft: Embed compat extensions in rule userdata
If enabled (via --compat flag or XTABLES_COMPAT env variable), attach
any extensions for which native nftables expressions are generated to
userdata. An earlier version of the tool trying to parse the
kernel-dumped ruleset may then fall back to these extensions if native
expression parsing fails.
Phil Sutter [Fri, 4 Oct 2024 19:23:25 +0000 (21:23 +0200)]
nft-ruleparse: Fallback to compat expressions in userdata
If parsing of a rule fails (e.g. due to an unknown native expression),
check if userdata contains a UDATA_TYPE_COMPAT_EXT attribute and retry
parsing the rule preferring the contained extensions instead of native
expressions.
Phil Sutter [Wed, 31 Jul 2024 13:56:12 +0000 (15:56 +0200)]
nft: __add_{match,target}() can't fail
These functions either call xtables_error() which terminates the process
or succeed - make them return void. While at it, export them as rule
parsing code will call them in future. Also make input parameter const,
they're not supposed to alter extension data.
Phil Sutter [Fri, 15 Nov 2024 18:55:32 +0000 (19:55 +0100)]
nft: Drop interface mask leftovers from post_parse callbacks
Fixed commit only adjusted the IPv4-specific callback for unclear
reasons.
Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
Jeremy Sowden [Mon, 18 Nov 2024 13:56:50 +0000 (13:56 +0000)]
nft: fix interface comparisons in `-C` commands
Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones. The
result of this is that they are zero. However, they are used to mask interfaces
in `is_same_interfaces`. Consequently, the masked values are always zero, the
comparisons are always true, and check commands which ought to fail succeed:
# iptables -N test
# iptables -A test -i lo \! -o lo -j REJECT
# iptables -v -L test
Chain test (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
# iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
Remove the mask parameters from `is_same_interfaces`. Add a test-case.
Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
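The failure mode this commit describes, shown side by side with the fix, as an added C example. It is not the iptables implementation of `is_same_interfaces`: the 16-byte name field, the byte-wise masked comparison and the names same_iface_masked, same_iface, same_interfaces and ifname are constructed for illustration.

```c
/* Added example, not iptables code: how an all-zero interface mask turns
 * every interface comparison into a match, and the fix of dropping the mask
 * parameters. Field size and function names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IFNAMSZ 16   /* constructed fixed-size name field */

/* Before: names are ANDed with a mask byte by byte before comparing. With an
 * all-ones mask this compares the names; with an all-zero mask both sides
 * reduce to zero and the function returns true for any pair of names. */
static bool same_iface_masked(const char *a, const char *b,
                              const unsigned char *mask)
{
    for (size_t i = 0; i < IFNAMSZ; i++) {
        if (((unsigned char)a[i] & mask[i]) != ((unsigned char)b[i] & mask[i]))
            return false;
    }
    return true;
}

/* After: no mask parameters; compare the fixed-size name fields directly. */
static bool same_iface(const char *a, const char *b)
{
    return memcmp(a, b, IFNAMSZ) == 0;
}

/* Compare a rule's in/out interfaces the way a check (-C) command must. */
static bool same_interfaces(const char *in_a, const char *out_a,
                            const char *in_b, const char *out_b)
{
    return same_iface(in_a, in_b) && same_iface(out_a, out_b);
}

/* Build a zero-padded, fixed-size interface name field. */
static void ifname(char *dst, const char *name)
{
    memset(dst, 0, IFNAMSZ);
    strncpy(dst, name, IFNAMSZ - 1);
}
```

With the kernel-parsed rule carrying `lo`/`!lo` and the check command asking about `abcdefgh`, the masked variant with zero masks reports a match, which is why the `-C` in the commit message succeeded; the unmasked comparison correctly rejects it.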
Jeremy Sowden [Fri, 8 Nov 2024 17:34:43 +0000 (17:34 +0000)]
ip[6]tables-translate: fix test failures when WESP is defined
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload. This is listed in Debian's /etc/protocols, which leads to
test failures:
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
Phil Sutter [Wed, 6 Nov 2024 14:24:45 +0000 (15:24 +0100)]
Makefile.am: Revert to old serial test harness
Running the different testsuites in parallel is dangerous since despite
running in different netns, legacy iptables still synchronizes via the
common XTABLES_LOCKFILE.
Fixes: e1eaa04e31e44 ("Makefile.am: Integrate testsuites")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 6 Nov 2024 14:18:36 +0000 (15:18 +0100)]
tests: iptables-test: Fix for 'make distcheck'
This was a tricky one: Since called from VPATH topdir, extensions/ do
not contain test files at all. The script consequently passed since 0
tests failed (of 0 in total).
Fix this by introducing TESTS_PATH which is extensions/ below the directory
of the running iptables-test.py. Keep EXTENSIONS_PATH as-is: The built
extensions are indeed there and XTABLES_LIBDIR must point to them.
Phil Sutter [Wed, 6 Nov 2024 14:55:29 +0000 (15:55 +0100)]
tests: shell: iptables/0010-wait_0 is unreliable
Sometimes the test would fail, especially after removing
/run/xtables.lock file. Looks like the supposedly blocking
iptables-restore coproc sometimes takes a moment to set things up.
Fixes: 63ab5b8906f69 ("iptables-legacy: Fix for mandatory lock waiting")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 31 Oct 2024 15:18:13 +0000 (16:18 +0100)]
ebtables: Clone extensions before modifying them
Upon identifying an extension option, ebt_command_default() would have
the extension parse the option prior to creating a copy for attaching to
the iptables_command_state object. After copying, the (modified)
initial extension's data was cleared.
This somewhat awkward process breaks with among match which increases
match_size if needed (but never reduces it). This change is not undone,
hence leaks into following instances. This in turn is problematic with
ebtables-restore only (as multiple rules are parsed) and specifically
when deleting rules as the potentially over-sized match_size won't match
the one parsed from the kernel.
A workaround would be to make bramong_parse() realloc the match also if
new size is smaller than the old one. This patch attempts a proper fix
though, by making ebt_command_default() copy the extension first and
parsing the option into the copy afterwards.
No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for
guided option parser"), ebtables relied upon the extension's parser
return code instead of checking option_offset, so copying the extension
opportunistically wasn't feasible.
Phil Sutter [Tue, 29 Oct 2024 11:21:54 +0000 (12:21 +0100)]
tests: shell: Fix for 'make distcheck'
The target performs a "VPATH build", so built binaries are not put into
the same directory tree as the test script itself. For lack of a better
way to detect this, assume $PWD in this situation remains being the
build tree's TLD and check if binaries are present in there.
tests: iptables-test: extend coverage for ip6tables
Update iptables-test.py to run libxt_*.t both for iptables and
ip6tables. For libxt_*.t tests, append the command name to status output
line. This update requires changes in the existing tests.
* Rename libxt_*.t into libipt_*.t and add libip6_*.t variant.
Phil Sutter [Tue, 22 Oct 2024 14:56:21 +0000 (16:56 +0200)]
tests: iptables-test: Fix for duplicate supposed-to-fail errors
Unexpected results for lines which are supposed to fail are reported
twice: Once when fast mode runs them individually to clear the path
before batch-handling all others, a second time when non-fast mode takes
over after fast mode had failed and runs all tests individually again.
Sort this nuisance by running these tests silently in fast mode, knowing
that they will run again if failing anyway.
Fixes: 0e80cfea3762b ("tests: iptables-test: Implement fast test mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 9 Oct 2024 16:43:34 +0000 (18:43 +0200)]
nft: Fix for -Z with bogus rule number
The command is supposed to fail if no rule at given index is found.
While at it, drop the goto and label which are unused since commit 9b896224e0bfc ("xtables: rework rule cache logic").
Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 1 Oct 2024 19:43:18 +0000 (21:43 +0200)]
tests: shell: Adjust for recent changes in libnftnl
libnftnl commit a96d5a338f24e ("rule: Don't append a newline when
printing a rule") affected nft (and iptables-nft) debug output in that
no extra newline is appended to rule bytecode output anymore. Tolerate
this in the sole test case it breaks by ignoring changes to blank lines.
Joshua Lant [Wed, 28 Aug 2024 12:47:31 +0000 (13:47 +0100)]
configure: Determine if musl is used for build
Error compiling with musl-libc:
The commit hash 810f8568f44f5863c2350a39f4f5c8d60f762958
introduces the netinet/ether.h header into xtables.h, which causes an error due
to the redefinition of the ethhdr struct, defined in linux/if_ether.h and
netinet/ether.h. This is fixed by the inclusion of -D__UAPI_DEF_ETHHDR=0 in
CFLAGS for musl. Automatically check for this macro, since it is defined
in musl but not in glibc.
Signed-off-by: Joshua Lant <joshualant@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Joshua Lant [Fri, 23 Aug 2024 09:22:06 +0000 (10:22 +0100)]
iptables: align xt_CONNMARK with current kernel headers
libxt_CONNMARK.c declares enum which is declared in the kernel header.
Modify the version of the header in the repo's include dir to match the
current kernel, and remove the enum declaration from xt_CONNMARK.c.
Phil Sutter [Wed, 31 Jul 2024 00:16:05 +0000 (02:16 +0200)]
nft: Reduce overhead in nft_rule_find()
When iterating through the list of rules in a chain comparing against a
sample, there is no point in carrying that sample as nftnl_rule object
and converting into iptables_command_state object prior to each
comparison. Just do it up front and adjust the callback accordingly.
Phil Sutter [Wed, 31 Jul 2024 21:07:48 +0000 (23:07 +0200)]
ebtables: Introduce nft_bridge_init_cs()
The custom init done by nft_rule_to_ebtables_command_state() (which is
also the reason for its existence in the first place) should better go
into an ebtables-specific init_cs callback. Properly calling it from
do_commandeb() then removes the need for that custom rule_to_cs
callback.
Phil Sutter [Wed, 31 Jul 2024 21:02:23 +0000 (23:02 +0200)]
ebtables: Zero freed pointers in ebt_cs_clean()
Trying to recycle an iptables_command_state object by calling first
clear_cs then init_cs callbacks causes invalid data accesses with
ebtables otherwise.
Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 26 Jul 2024 18:43:20 +0000 (20:43 +0200)]
ebtables: Omit all-wildcard interface specs from output
Regular code path doesn't hit this because the conversion to
libnftnl_rule takes care of it already. Future changes though will cause
iptables_command_state objects to be printed directly, making this
relevant.
The checks were wrong: nft_arp_init_cs() initializes masks to 65535, not
0. This went on unnoticed because nft_arp_add() does it right and
init_cs callback was not used in e.g. nft_arp_print_rule(). The last
patch adding init_cs() calls in potentially required spots exposed this
though.
Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 13:08:08 +0000 (15:08 +0200)]
nft: Add potentially missing init_cs calls
The callback is there for arptables only, so other family specific code
does not need it. Not calling it from family-agnostic code is wrong
though, as is ignoring it in arptables-specific code.
Fixes: cfdda18044d81 ("nft-shared: Introduce init_cs family ops callback")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 23 Jul 2024 19:31:34 +0000 (21:31 +0200)]
nft: cmd: Init struct nft_cmd::head early
Calling nft_cmd_free() in error case segfaults otherwise if the to be
freed object is not part of a list yet.
Exposed by commit eab75ed36a4f2 ("nft: Avoid memleak in error path of
nft_cmd_new()"), but belongs to commit a7f1e208cdf9c (and may go well
along with it).
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 26 Jul 2024 11:41:52 +0000 (13:41 +0200)]
extensions: conntrack: Use the right callbacks
These version-agnostic conntrack match aliases emulating the 'state'
extension introduced by commit 0d70163162589 ("libxt_state: replace as
an alias to xt_conntrack") had incompatible print and save callbacks
assigned. These callbacks expected struct xt_state_info in match->data
which is incompatible to any of the actual xt_conntrack_mtinfo* structs
used.
Fixes: b28d4dcc9f555 ("iptables: state match incompatibilty across versions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 14:04:31 +0000 (16:04 +0200)]
nft: Fix for zeroing existent builtin chains
Previous attempt at fixing for non-existent chains actually broke
functionality by adding a check for NFTNL_CHAIN_HANDLE right after
unsetting the attribute.
The approach was flawed for another reason, too: Base chains added in
the same batch (cf. iptables-restore) have no handle either but zeroing
them may still be sensible.
Instead, make use of the new fake chain annotation which identifies
fakes more reliably.
Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Sat, 27 Jul 2024 17:13:40 +0000 (19:13 +0200)]
nft: cache: Annotate faked base chains as such
To avoid pointless kernel ruleset modifications without too many
workarounds in user space, code sometimes adds "fake" base chains to
cache. Yet these fake entries happen to prevent base chain creation for
a following command which actually requires them. Fix this by annotating
the fake entries as such so *_builtin_init() functions may convert them
into real ones.
Phil Sutter [Sat, 20 Jul 2024 00:23:28 +0000 (02:23 +0200)]
extensions: recent: New kernels support 999 hits
Since kernel commit f4ebd03496f6 ("netfilter: xt_recent: Lift
restrictions on max hitcount value"), the max supported hitcount value
has increased significantly. Adjust the test to use a value which fails
on old as well as new kernels.
Phil Sutter [Tue, 16 Jul 2024 19:07:31 +0000 (21:07 +0200)]
nft: Fix for zeroing non-existent builtin chains
Trying to zero a specific rule in an entirely empty ruleset caused an
error:
| # nft flush ruleset
| # iptables-nft -Z INPUT
| iptables v1.8.10 (nf_tables): CHAIN_ZERO failed (No such file or directory): chain INPUT
To fix this, start by faking any non-existing builtin chains so verbose
mode prints all the would-be-flushed chains. Later set 'skip' flag if
given chain is a fake one (indicated by missing HANDLE attribute).
Finally cover for concurrent ruleset updates by checking whether the
chain exists.
This bug seems to exist for a long time already, Fixes tag identified
via git-bisect. This patch won't apply to such old trees though, but
calling nft_xt_builtin_init() from nft_chain_zero_counters() should work
there.
Fixes: a6ce0c65d3a39 ("xtables: Optimize nft_chain_zero_counters()")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 12 Jul 2024 18:30:10 +0000 (20:30 +0200)]
xtables-monitor: Print commands instead of -4/-6/-0 flags
The '-4' and '-6' flags are a rarely used feature of iptables-restore.
The '-0' flag is purely artificial and not recognized anywhere (at least
not as an arptables rule prefix in this sense). Finally, there is no
such flag for ebtables in the first place. Go with a more intuitively
clear approach and instead print the typical command which added the
rule being printed.
Phil Sutter [Fri, 12 Jul 2024 12:01:45 +0000 (14:01 +0200)]
xtables-monitor: Fix for ebtables rule events
Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".
Phil Sutter [Fri, 12 Jul 2024 11:03:18 +0000 (13:03 +0200)]
xtables-monitor: Flush stdout after all lines of output
Writing an xtables-monitor testsuite is pretty much impossible without
this due to unreliable output flushing. Just move the fflush() call from
trace_cb() to its caller so monitor events benefit from it as well.
Fixes: 07af4da52ab30 ("xtables-monitor: fix rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 12 Jul 2024 10:49:22 +0000 (12:49 +0200)]
xtables-monitor: Proper re-init for rule's family
When not running for a specific family only (via -4/-6 flags),
xtables-monitor potentially sees events/traces for all families. To
correctly parse rules when printing for NEWRULE, DELRULE or TRACE
messages, nft_handle has to be reinitialized for the rule's family.
It is not sufficient to reset nft_handle::ops: Some expression parsers
rely upon nft_handle::family to be properly set, too (cf. references to
'ctx->h->family in nft-ruleparse.c). Adjusting the 'afinfo' pointer
provided by libxtables is even more crucial, as e.g. do_parse() in
xshared.c relies upon it for the proper optstring.
This is actually a day-1 bug in xtables-monitor which surfaced due to
commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore
make this fix the commit it is following-up.
Phil Sutter [Wed, 12 Jun 2024 12:22:54 +0000 (14:22 +0200)]
ebtables: Include 'bitmask' value when comparing rules
The former FIXME comment pointed at the fact that struct ebt_entry does
not have a 'flags' field (unlike struct ipt_ip). In fact, ebt_entry's
equivalent is 'bitmask' field. Comparing that instead is the right
thing to do, even though it does not seem to make a difference in
practice: No rule options alter just the bitmask value, nor is it
possible to fill an associated field with default values (e.g. all-zero
MAC and mask).
Since the situation described above might change and there is a slight
performance improvement in some cases (e.g. comparing rules differing
only by specified/omitted source/dest MAC address), add the check
anyway.
Suggested-by: Michael Estner <michaelestner@web.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Maxin B. John [Thu, 25 Apr 2024 08:51:02 +0000 (10:51 +0200)]
configure: Add option to enable/disable libnfnetlink
Default behavior (autodetecting) does not change, but specifying
either option would explicitly disable or enable libnfnetlink support,
and if the library is not found in the latter case, ./configure will error
out.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>