Age | Commit message | Author |
|
|
|
Android 6.0.0 release 26
* tag 'android-6.0.0_r26':
extensions: libxt_socket: add --restore-skmark option
xt_socket: add --nowildcard flag
Change-Id: I40423d9feace8d9ac76bbdc1b288520fd58127e6
|
|
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Change-Id: I962e87f32c241cb8d056dfd62f296fa312b05162
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The xt_socket module can be a nice replacement for the conntrack module
in some cases (SYN filtering, for example).
But it lacks the ability to match the 3rd packet of the TCP
handshake (the ACK coming from the client).
Add an XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism.
The wildcard is the legacy socket match behavior, which ignores
LISTEN sockets bound to INADDR_ANY (or the IPv6 equivalent).
iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT
Change-Id: Ic5bbebbfccc1ccede0157cd3b5ea4863c1ed2fa7
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Add the extension plugin for the HARDIDLETIMER x_tables target
Change-Id: I318bc9f69f845b273c198bec80754eb5886e77d1
|
|
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to restore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Bug: 20663075
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3b20fc71c99acd604d635deacef99769e36191b5)
Change-Id: If746841dea9db9f1c7ad1d74ed37fa13109e37ff
|
|
|
|
The xt_socket module can be a nice replacement for the conntrack module
in some cases (SYN filtering, for example).
But it lacks the ability to match the 3rd packet of the TCP
handshake (the ACK coming from the client).
Add an XT_SOCKET_NOWILDCARD flag to disable the wildcard mechanism.
The wildcard is the legacy socket match behavior, which ignores
LISTEN sockets bound to INADDR_ANY (or the IPv6 equivalent).
iptables -I INPUT -p tcp --syn -j SYN_CHAIN
iptables -I INPUT -m socket -j ACCEPT
Bug: 20663075
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
master_merge
|
|
|
|
Correct trimming of userspacesize to fix deletions.
Fixes: Bugzilla #884.
A rule with the TEE target and the '--oif' option cannot be deleted by the iptables command.
$ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
$ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
iptables: No chain/target/match by that name.
[Cherry-pick of iptables df3741332d86629a8fdd267930e0a249803f6aa8]
Signed-off-by: Loganaden Velvindron <logan@elandsys.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ieb43487811669d502074330a0cba7c8d4c9c7446
|
|
Correct trimming of userspacesize to fix deletions.
Fixes: Bugzilla #884.
A rule with the TEE target and the '--oif' option cannot be deleted by the iptables command.
$ iptables -I INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
$ iptables -D INPUT -i foo -j TEE --gateway x.x.x.x --oif bar
iptables: No chain/target/match by that name.
[Cherry-pick of iptables df3741332d86629a8fdd267930e0a249803f6aa8]
Signed-off-by: Loganaden Velvindron <logan@elandsys.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ieb43487811669d502074330a0cba7c8d4c9c7446
|
|
|
|
Calling local-intermediates-dir before LOCAL_MODULE and LOCAL_MODULE_CLASS
have been set will break the build system when using the mm option
(build modules in the current directory).
Change-Id: Ib89dc80fb6f7ca77207d2114d1237477ac2d7a1f
|
|
|
|
libxt_recent.c compares the address of the array 'info->name' with null.
Change-Id: I3be0763ab261439cb9d6881ef2b6ba0ea29e7f4e
|
|
|
|
This variable is unused, and will actually break the build system if
this makefile is included first, since `local-intermediates-dir`
requires LOCAL_MODULE and LOCAL_MODULE_CLASS to be set before calling.
Change-Id: I326e9f184bb00f53bf81c59cdbeddb4be801e1e3
|
|
|
|
Change-Id: Ie9bb0aec937692906ad013dee1c0959595a9b4f4
|
|
* Keep the generated files needed for building.
Used
./configure --enable-static --disable-shared
make
* Update the various Android *.mk files.
Change-Id: If0e45cf6289f0e3dcf3adf73e6ccff86d640f1c0
Signed-off-by: JP Abgrall <jpa@google.com>
|
|
Conflicts:
.gitignore
include/linux/types.h
libiptc/libiptc.c
Change-Id: I2c949ba9de090db9ae09d914f4ac5c13e5b7d4da
|
|
|
|
We can just use the uapi headers now.
(This is probably true for most of these header files, but I just want
to undo the changes we made during the uapi transition.)
Change-Id: I4ab0c6f782f73699595a2ce24809a2c0187c98f8
|
|
|
|
local-intermediates-dir doesn't work for multiarch builds, because
each architecture needs a separate intermediates dir. Use
local-generated-sources-dir, which gives a directory under $OUT/gen
that can be shared by both architectures. Files installed into
$OUT/gen/*/*_intermediates and listed in LOCAL_GENERATED_SOURCES
will be copied into $OUT/obj*/*/*_intermediates automatically as
necessary.
(cherry picked from commit b4ad8a418b48b6a7df8f88a276c52f00c1bb43af)
Change-Id: I35ed4bc51e694ca4dc8343bc59977f1daeae3abc
|
|
|
|
This reverts commit b4ad8a418b48b6a7df8f88a276c52f00c1bb43af.
Change-Id: I7870513ad908957a1370cd8e1f7c0a80d8fbb7bb
|
|
* changes:
external/iptables: use local-generated-sources-dir
iptables: rewrite extensions makefile to avoid duplication
|
|
local-intermediates-dir doesn't work for multiarch builds, because
each architecture needs a separate intermediates dir. Use
local-generated-sources-dir, which gives a directory under $OUT/gen
that can be shared by both architectures. Files installed into
$OUT/gen/*/*_intermediates and listed in LOCAL_GENERATED_SOURCES
will be copied into $OUT/obj*/*/*_intermediates automatically as
necessary.
Change-Id: I78e7898147a0e2303e814e8b93f7cd0edbd2914e
|
|
Move the duplicated parts of the extensions makefile into a
separate libext.mk, and include it 3 times from the main makefile.
Change-Id: Idcbe1da8e024af895da33e396595e616f52e25ad
|
|
|
|
The kernel headers are already in the include path, and manually
adding them again will break on a multiarch build, where the
kernel headers may be different for each arch.
Change-Id: I20867af3061bbc86d2205f5479c40f6034a61b72
|
|
|
|
Change-Id: I9d180c2da268117a8774290ba49c8774fabd3272
|
|
|
|
Bug: 11559337
Change-Id: Iefb938b87e1f29cbf45d8833e9416c38004d9b5e
|
|
Linking currently fails in --enable-static case:
../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name':
iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name'
[..]
It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack.
If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@
and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty,
so including them unconditionally does no harm.
Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
As reported in Debian bug #718810 [1], state match rules added in < 1.4.16
iptables versions are incorrectly displayed by >= 1.4.16 iptables versions.
Issue bisected to commit 0d701631 (libxt_state: replace as an alias to
xt_conntrack).
Fix this by adding the missing .print and .save functions for state match
aliases in the conntrack match.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718810
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since (14bca55 iptables: use autoconf to process .in man pages),
the file "iptables-extensions.8.tmpl" is generated from
"iptables-extensions.8.tmpl.in" and is consequently no
longer found in ${srcdir} but in the build directory.
(Becomes visible with builddir != srcdir)
Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Similar to (2165f38 iptables-restore: fix parameter parsing
(shows up with gcc-4.7)), make sure iptables-xml doesn't hit
the same problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account
This closes netfilter bugzilla #679.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The build of utils/nfbpf_compile depends on libpcap. If configure is
run with --enable-bpf-compiler, the script succeeds, but make fails.
This small patch adds a test for the dependency (libpcap) in configure
and fails hard if not found.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
After kernel commit 607ca46e (UAPI: (Scripted) Disintegrate
include/linux), using the "--with-kernel" argument to build iptables
stopped working due to the missing #ifdefs in the original files.
We need to make sure the UAPI include dir is listed before the
original location. Leaving both allows support for old and new
kernels.
This fixes bug #833.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Available since Linux kernel 3.8.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
libipt_LOG is using the xtables_save_string func, which
escapes unsafe characters as needed. libip6t_LOG should
do the same.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This check was accidentally removed in (74ded72 libxt_recent:
add --mask netmask).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Pablo suggested making it depend on lnf-conntrack and getting rid of
the example config file as well.
The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).
Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.
So remove the example file instead; the man page explains the format,
and connlabels are inherently system-specific anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
|