author | Maciej Żenczykowski <maze@google.com> | 2021-03-23 17:17:13 -0700 |
committer | Maciej Żenczykowski <maze@google.com> | 2021-03-23 17:17:21 -0700 |
commit | de7a62aa82e5b2e2d2faf72a6fa1fe719f27b749 (patch) | |
tree | 2cd21395992487f6f20217809c449090af29f882 /extensions | |
parent | 903e1da7b137e2d7990453e70063107c00948dc2 (diff) | |
parent | 06a2eb727b0f350fcfea95839fc8c4674763a35d (diff) | |
download | iptables-de7a62aa82e5b2e2d2faf72a6fa1fe719f27b749.tar.gz |
Merge tag 'v1.8.6' of git://git.netfilter.org/iptables
iptables 1.8.6 release
Test: part of series, see followup commits
Bug: 183485987
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iec08e6fc411268f5f1caaed1352b0b1649a70a6c
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/GNUmakefile.in | 15 | ||||
-rw-r--r-- | extensions/libip6t_REJECT.man | 20 | ||||
-rw-r--r-- | extensions/libipt_REJECT.man | 20 | ||||
-rw-r--r-- | extensions/libipt_icmp.c | 5 | ||||
-rw-r--r-- | extensions/libipt_icmp.txlate | 3 | ||||
-rw-r--r-- | extensions/libxt_conntrack.c | 18 | ||||
-rw-r--r-- | extensions/libxt_conntrack.txlate | 7 |
7 files changed, 82 insertions, 6 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 0842a553..956ccb38 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -79,7 +79,7 @@ targets_install :=
 .SECONDARY:
-.PHONY: all install clean distclean FORCE
+.PHONY: all install uninstall clean distclean FORCE
 all: ${targets}
@@ -92,6 +92,19 @@ install: ${targets_install} ${symlinks_install}
 cp -P ${symlinks_install} "${DESTDIR}${xtlibdir}/"; \
 fi;
+uninstall:
+ dir=${DESTDIR}${xtlibdir}; { \
+ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; \
+ } || { \
+ test -z "${targets_install}" || ( \
+ cd "$$dir" && rm -f ${targets_install} \
+ ); \
+ test -z "${symlinks_install}" || ( \
+ cd "$$dir" && rm -f ${symlinks_install} \
+ ); \
+ rmdir -p --ignore-fail-on-non-empty "$$dir"; \
+ }
+
 clean:
 rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c;
 rm -f .*.d .*.dd;
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
index 0030a51f..3c42768e 100644
--- a/extensions/libip6t_REJECT.man
+++ b/extensions/libip6t_REJECT.man
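Review bot: In the new uninstall recipe every later use of the path is quoted as `"$$dir"`, but the assignment that creates it is not: `dir=${DESTDIR}${xtlibdir}; { \`. Because make substitutes both variables textually before the shell parses the line, a prefix containing whitespace splits into an assignment plus a stray command instead of one path; `dir="${DESTDIR}${xtlibdir}"; { \` matches the quoting the neighbouring install target already uses for the same expression. Separately, `rmdir -p --ignore-fail-on-non-empty "$$dir"` is a GNU coreutils extension while the rest of the recipe is plain sh, so on a BSD or busybox userland the files are removed and the target then fails on its last line; `rmdir -p "$$dir" 2>/dev/null || :` is the portable equivalent, at the cost of also hiding a permission error on the final directory. The leading `test ! -d && test ! -f && test ! -r` group is only there to skip a missing install directory, which a one-line comment in the recipe would make obvious.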
@@ -30,3 +30,23 @@ TCP RST packet to be sent back. This is mainly useful for blocking
 hosts (which won't accept your mail otherwise).
 \fBtcp\-reset\fP can only be used with kernel versions 2.6.14 or later.
+.PP
+\fIWarning:\fP You should not indiscriminately apply the REJECT target to
+packets whose connection state is classified as INVALID; instead, you should
+only DROP these.
+.PP
+Consider a source host transmitting a packet P, with P experiencing so much
+delay along its path that the source host issues a retransmission, P_2, with
+P_2 being successful in reaching its destination and advancing the connection
+state normally. It is conceivable that the late-arriving P may be considered
+not to be associated with any connection tracking entry. Generating a reject
+response for a packet so classed would then terminate the healthy connection.
+.PP
+So, instead of:
+.PP
+-A INPUT ... -j REJECT
+.PP
+do consider using:
+.PP
+-A INPUT ... -m conntrack --ctstate INVALID -j DROP
+-A INPUT ... -j REJECT
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
index 8a360ce7..cc47aead 100644
--- a/extensions/libipt_REJECT.man
+++ b/extensions/libipt_REJECT.man
@@ -30,3 +30,23 @@ TCP RST packet to be sent back. This is mainly useful for blocking
 hosts (which won't accept your mail otherwise).
 .IP (*)
 Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
+.PP
+\fIWarning:\fP You should not indiscriminately apply the REJECT target to
+packets whose connection state is classified as INVALID; instead, you should
+only DROP these.
+.PP
+Consider a source host transmitting a packet P, with P experiencing so much
+delay along its path that the source host issues a retransmission, P_2, with
+P_2 being successful in reaching its destination and advancing the connection
+state normally. It is conceivable that the late-arriving P may be considered
+not to be associated with any connection tracking entry. Generating a reject
+response for a packet so classed would then terminate the healthy connection.
+.PP
+So, instead of:
+.PP
+-A INPUT ... -j REJECT
+.PP
+do consider using:
+.PP
+-A INPUT ... -m conntrack --ctstate INVALID -j DROP
+-A INPUT ... -j REJECT
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index e76257c5..e5e23661 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -256,6 +256,11 @@ static int icmp_xlate(struct xt_xlate *xl,
 if (!type_xlate_print(xl, info->type, info->code[0], info->code[1]))
 return 0;
+ } else {
+ /* '-m icmp --icmp-type any' is a noop by itself,
+ * but it eats a (mandatory) previous '-p icmp' so
+ * emit it here */
+ xt_xlate_add(xl, "ip protocol icmp");
 }
 return 1;
 }
diff --git a/extensions/libipt_icmp.txlate b/extensions/libipt_icmp.txlate
index 434f8cc4..a2aec8e2 100644
--- a/extensions/libipt_icmp.txlate
+++ b/extensions/libipt_icmp.txlate
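Review bot: The new else branch in icmp_xlate emits `ip protocol icmp` without looking at the match's inversion flag, whereas the if branch it is paired with (whose condition, and the start of the function, lie outside the hunk) prefixes `!=` from `info->invflags`. If the enclosing condition only tests the type for the "any" value, then a rule written as `! --icmp-type any`, which matches no ICMP packet at all, is translated into one that matches every ICMP packet, a silent widening rather than a refused translation; please confirm against the condition above. A conservative guard is `if (info->invflags & IPT_ICMP_INV) return 0;` at the top of the else branch, so that the unsupported combination is reported the same way as an unprintable type. The existing comment could also say that the emitted `ip protocol icmp` deliberately matches all ICMP, so a reader does not take it for an oversight.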
@@ -6,3 +6,6 @@ nft add rule ip filter INPUT icmp type destination-unreachable counter accept
 iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
 nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
+
+iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT
+nft add rule ip filter INPUT ip protocol icmp counter accept
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 6f350393..7734509c 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1249,11 +1249,19 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
 }
 if (sinfo->match_flags & XT_CONNTRACK_STATE) {
- xt_xlate_add(xl, "%sct state %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
- space = " ";
+ if ((sinfo->state_mask & XT_CONNTRACK_STATE_SNAT) ||
+ (sinfo->state_mask & XT_CONNTRACK_STATE_DNAT)) {
+ xt_xlate_add(xl, "%sct status %s%s", space,
+ sinfo->invert_flags & XT_CONNTRACK_STATUS ? "!=" : "",
+ sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat");
+ space = " ";
+ } else {
+ xt_xlate_add(xl, "%sct state %s", space,
+ sinfo->invert_flags & XT_CONNTRACK_STATE ?
+ "!= " : "");
+ state_xlate_print(xl, sinfo->state_mask);
+ space = " ";
+ }
 }
 if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 8a3d0181..d374f8a0 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
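Review bot: The new SNAT/DNAT branch in _conntrack3_mt_xlate decides whether to print `!=` from `sinfo->invert_flags & XT_CONNTRACK_STATUS`, but the branch is entered under `match_flags & XT_CONNTRACK_STATE` for a negated or plain `--ctstate`, whose inversion bit is `XT_CONNTRACK_STATE`, exactly as the else branch two lines below tests it. As written, `! --ctstate SNAT` translates to `ct status snat` with the negation lost, and a rule combining `--ctstate SNAT` with a negated `--ctstatus` gains a `!=` it never asked for; the line should read `sinfo->invert_flags & XT_CONNTRACK_STATE ? "!= " : "",` (with the trailing space so the output matches the `ct state` form). The branch also discards every other bit of `state_mask` once SNAT or DNAT is set, so `--ctstate NEW,SNAT` translates to `ct status snat` alone, and SNAT together with DNAT prints only `snat`; if those combinations are not meant to be supported, returning 0 for them is safer than emitting a looser rule. The function's opening and its remaining match handling are outside the hunk, so this is based on the visible branch only.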
@@ -42,3 +42,10 @@ nft add rule ip filter INPUT ct direction original counter accept
 iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW --ctproto tcp --ctorigsrc 192.168.0.1 --ctorigdst 192.168.0.1 --ctreplsrc 192.168.0.1 --ctrepldst 192.168.0.1 --ctorigsrcport 12 --ctorigdstport 14 --ctreplsrcport 16 --ctrepldstport 18 --ctexpire 10 --ctstatus SEEN_REPLY --ctdir ORIGINAL -j ACCEPT
 nft add rule ip filter INPUT ct direction original ct original protocol 6 ct state new ct status seen-reply ct expiration 10 ct original saddr 192.168.0.1 ct original daddr 192.168.0.1 ct reply saddr 192.168.0.1 ct reply daddr 192.168.0.1 ct original proto-src 12 ct original proto-dst 14 ct reply proto-src 16 ct reply proto-dst 18 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstate SNAT -j ACCEPT
+nft add rule ip filter INPUT ct status snat counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
+nft add rule ip filter INPUT ct status dnat counter accept
+