path: root/extensions
Age | Commit message | Author

2023-10-24 | Revert "ANDROID: extensions/libxt_LOG.c: manually define prioritynames[]" | Maciej Żenczykowski

This reverts commit 97823ea15ca277ec723a02bc9d4081be5dc3037c.

Reason for revert: no longer needed after bionic header update

Change-Id: If9641bbc2462a43e91f26d59957d66e55dea42c9

2023-10-23 | Merge branch 'master' of https://git.netfilter.org/iptables | Maciej Żenczykowski

* 'master' of https://git.netfilter.org/iptables:
  extensions: string: Clarify description of --to
  libiptc: Fix for another segfault due to chain index NULL pointer

Generated via:
  git fetch git://git.netfilter.org/iptables master
  git merge --log=999 FETCH_HEAD

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I48d98fcfc9345d212db6313e8fcd8ceeca229d30

2023-10-23 | Merge tag 'v1.8.10' of https://git.netfilter.org/iptables | Maciej Żenczykowski

iptables 1.8.10 release

* tag 'v1.8.10' of https://git.netfilter.org/iptables:
  configure: Bump version for 1.8.10 release
  build: Bump dependency on libnftnl
  include: linux: Update kernel.h
  nft: Fix for useless meta expressions in rule
  tests: shell: Fix for ineffective 0007-mid-restore-flush_0
  extensions: Fix checking of conntrack --ctproto 0
  Revert --compat option related commits
  doc: fix example of xt_cpu
  tests: Test compat mode
  Add --compat option to *tables-nft and *-nft-restore commands
  nft: Introduce and use bool nft_handle::compat
  nft: Pass nft_handle to add_{target,action}()
  Use SOCK_CLOEXEC/O_CLOEXEC where available
  tests: shell: Test chain policy counter behaviour
  Revert "libiptc: fix wrong maptype of base chain counters on restore"
  nft: Create builtin chains with counters enabled
  tests: iptables-test: Fix command segfault reports
  nft-ruleparse: parse meta mark set as MARK target
  nft-ruleparse: Introduce nft_create_target()
  extensions: libip6t_icmp: Add names for mld-listener types
  nft: move processing logic out of asserts
  man: iptables-save.8: Start paragraphs in upper-case
  man: iptables-save.8: Fix --modprobe description
  man: iptables-save.8: Clarify 'available tables'
  man: Trivial: Missing space after comma
  man: iptables-restore.8: Start paragraphs in upper-case
  man: iptables-restore.8: Put 'file' in italics in synopsis
  man: iptables-restore.8: Drop -W option from synopsis
  man: iptables-restore.8: Consistently document -w option
  man: iptables-restore.8: Fix --modprobe description
  man: iptables.8: Trivial font fixes
  man: Use HTTPS for links to netfilter.org
  man: iptables.8: Clarify --goto description
  man: iptables.8: Fix intra page reference
  man: iptables.8: Trivial spelling fixes
  man: iptables.8: Extend exit code description
  tests: libipt_icmp.t: Enable tests with numeric output
  extensions: libipt_icmp: Fix confusion between 255/255 and any
  iptables-apply: Eliminate shellcheck warnings
  iptables-restore: Drop dead code
  tests: shell: Fix and extend chain rename test
  ebtables: Improve invalid chain name detection
  *tables: Reject invalid chain names when renaming
  *tables-restore: Enforce correct counters syntax if present
  nft: Include sets in debug output
  nft: Do not pass nft_rule_ctx to add_nft_among()
  nft: More verbose extension comparison debugging
  nft: Special casing for among match in compare_matches()
  tests: shell: Sanitize nft-only/0009-needless-bitwise_0
  nft-bridge: pass context structure to ops->add() to improve anonymous set support
  iptables: Fix handling of non-existent chains
  iptables: Fix setting of ipv6 counters
  xshared: dissolve should_load_proto
  nft: use payload matching for layer 4 protocol
  man: string: document BM false negatives
  nft: check for source and destination address in first place
  nft: ruleparse: Create family-specific source files
  nft: Extract rule parsing callbacks from nft_family_ops
  nft: Introduce nft-ruleparse.{c,h}
  xshared: Fix parsing of option arguments in same word
  arptables: Don't omit standard matches if inverted
  arptables: Fix parsing of inverted 'arp operation' match
  nft-shared: Drop unused include
  utils: nfbpf_compile: Replace pcap_compile_nopcap()
  tests: shell: Test for false-positive rule check
  ebtables-nft: add broute table emulation
  include: update nf_tables uapi header
  build: use pkg-config for libpcap
  ip6tables: Fix checking existence of rule
  iptables-test.py: make explicit use of python3
  iptables-nft: remove unused function argument
  iptables-nft: make builtin tables static
  xtables-eb: fix crash when opts isn't reallocated
  nft-restore: Fix for deletion of new, referenced rule
  include: Add missing linux/netfilter/xt_LOG.h
  xt_sctp: add the missing chunk types in sctp_help
  xtables-translate: Support insert with index
  ebtables: ip and ip6 matches depend on protocol match
  extensions: libebt_ip: Translation has to match on ether type
  extensions: libebt_ip: Do not use 'ip dscp' for translation
  extensions: libebt_redirect: Fix for wrong syntax in translation
  extensions: libebt_redirect: Fix target translation
  tests: xlate: Print file names even if specified
  tests: xlate: Properly split input in replay mode
  nft-shared: Simplify using nft_create_match()
  nft-shared: Use nft_create_match() in one more spot
  nft-shared: Lookup matches in iptables_command_state
  tests: CLUSTERIP: Drop test file
  tests: xlate: Support testing multiple individual files
  ebtables-translate: Print flush command after parsing is finished
  ebtables-translate: Ignore '-j CONTINUE'
  ebtables-translate: Use OPT_* from xshared.h
  ebtables-translate: Drop exec_style
  ebtables: Refuse unselected targets' options
  Proper fix for "unknown argument" error message
  etc: Drop xtables.conf

Generated via:
  git fetch git://git.netfilter.org/iptables v1.8.10
  git merge --log=999 FETCH_HEAD

Test: with follow up
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia4ce7e3670706ee0905228cfd147fa6499ca08bb

2023-10-23 | ANDROID: extensions/libxt_LOG.c: manually define prioritynames[] | Maciej Żenczykowski

This is based on looking at:
https://git.netfilter.org/iptables/commit/?h=v1.8.10&id=87e4f1bf0b87b23f0fe29e5f9976d64843de8785

Test: builds, but the following fail:
  $ atest NetdBinderTest IptablesRestoreControllerTest
  NetdBinderTest#TetherGetStats
  NetdBinderTest#StrictSetUidCleartextPenalty
  NetdBinderTest#FirewallSetFirewallType
  NetdBinderTest#FirewallSetInterfaceRule
  NetdBinderTest#TetherForwardAddRemove
  IptablesRestoreControllerTest#TestCommandTimeout

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id55f855d05c8f0e9b7a01a881da3cc4b211341ae

2023-10-21 | Merge upstream at one commit past 1.8.9 at ed4082a7405a5838c205a34c1559e289949200cc | Maciej Żenczykowski

This simply pulls in commit ed4082a7405a5838c205a34c1559e289949200cc:
  extensions: NAT: Fix for -Werror=format-security
which is needed to prevent build error.

Test: with series
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I651c744775b9d3dc6637c720dbfc7794feb40687

2023-10-21 | Merge tag 'v1.8.9' of https://git.netfilter.org/iptables | Maciej Żenczykowski

iptables 1.8.9 release

* tag 'v1.8.9' of https://git.netfilter.org/iptables:
  configure: Bump version for 1.8.9 release
  Makefile: Replace brace expansion
  ebtables-translate: Install symlink
  gitignore: Ignore generated ip6tables man pages
  gitignore: Ignore utils/nfsynproxy
  nft: Reject tcp/udp extension without proper protocol match
  nft: Make rule parsing errors fatal
  nft: Increase rule parser strictness
  arptables: Check the mandatory ar_pln match
  nft: Parse icmp header matches
  Makefile.am: Integrate testsuites
  tests: Adjust testsuite return codes to automake guidelines
  include/Makefile: xtables-version.h is generated
  Makefile: Generate .tar.xz archive with 'make dist'
  Makefile: Fix for 'make distcheck'
  iptables/Makefile: Split nft-variant man page list
  iptables/Makefile: Reorg variable assignments
  extensions: Makefile: Merge initext targets
  Makefile: Generate ip6tables man pages on the fly
  Drop libiptc/linux_stddef.h
  Drop INCOMPATIBILITIES file
  Makefile: Create LZMA-compressed dist-files
  ebtables: Fix MAC address match translation
  xtables-translate: Fix for interfaces with asterisk mid-string
  nft: Recognize INVAL/D interface name
  nft: Fix match generator for '! -i +'
  nft: Fix for comparing ifname matches against nft-generated ones
  tests: xlate: Use --check to verify replay
  ebtables: Implement --check command
  libiptc: Eliminate garbage access
  xshared: Free data after printing help
  iptables: Properly clear iptables_command_state object
  xtables: Introduce xtables_clear_iptables_command_state()
  iptables: Plug memleaks in print_firewall()
  nft: Plug memleak in nft_rule_zero_counters()
  iptables-xml: Free allocated chain strings
  iptables-restore: Free handle with --test also
  tests: shell: Fix valgrind mode for 0008-unprivileged_0
  extensions: add xt_statistics random mode translation
  nft-bridge: work around recent "among" decode breakage
  xlate-test: avoid shell entanglements
  extensions: change expected output for new format
  xlate: get rid of escape_quotes
  tests: shell: Test selective ebtables flushing
  extensions: xlate: Format sets consistently
  extensions: libxt_conntrack: Drop extra whitespace in xlate
  extensions: Leverage xlate auto-spacing
  libxtables: xt_xlate_add() to take care of spacing
  extensions: ipcomp: Add comment to clarify xlate callback
  extensions: frag: Add comment to clarify xlate callback
  extensions: libebt_log: Add comment to clarify xlate callback
  extensions: tcp: Translate TCP option match
  extensions: ecn: Sanitize xlate callback
  extensions: TOS: Fix v1 xlate callback
  extensions: TCPMSS: Use xlate callback for IPv6, too
  extensions: MARK: Sanitize MARK_xlate()
  extensions: CONNMARK: Fix xlate callback
  extensions: libipt_ttl: Sanitize xlate callback
  extensions: libebt_redirect: Fix xlate return code
  extensions: libebt_mark: Fix xlate test case
  extensions: libebt_mark: Fix mark target xlate
  iptables-nft: exit nonzero when iptables-save cannot decode all expressions
  nft: check for unknown meta keys
  extensions: mark: Test double bitwise in a rule
  nft-shared: replace nftnl_expr_get_data() by nftnl_expr_get()
  nft: replace nftnl_.*_nlmsg_build_hdr() by nftnl_nlmsg_build_hdr()
  Drop extra newline from xtables_error() calls
  extensions: Unify ICMP parser into libxt_icmp.h
  extensions: Collate ICMP types/codes in libxt_icmp.h
  extensions: libebt_arp, libebt_ip: Use xtables_ipparse_any()
  extensions: libebt_ip: Include kernel header
  extensions: libip*t_LOG: Merge extensions
  nft-shared: Introduce port_match_single_to_range()
  xshared: Share make_delete_mask() between ip{,6}tables
  tests: xlate-test: Replay results for reverse direction testing
  tests: xlate-test.py: Introduce run_proc()
  tests: xlate-test: Cleanup file reading loop
  extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE
  extensions: DNAT: Rename some symbols
  extensions: DNAT: Generate print, save and xlate callbacks
  extensions: DNAT: Use __DNAT_xlate for REDIRECT, too
  extensions: *NAT: Drop NF_NAT_RANGE_PROTO_RANDOM* flag checks
  extensions: DNAT: Fix bad IP address error reporting
  tests: *.t: Add missing all-one's netmasks to expected output
  tests: libxt_connlimit.t: Add missing default values
  tests: libebt_vlan.t: Drop trailing whitespace from rules
  tests: libxt_tos.t, libxt_TOS.t: Add missing masks in output
  tests: libxt_recent.t: Add missing default values
  tests: libxt_length.t: Fix odd use-case output
  tests: libebt_redirect.t: Plain redirect prints with trailing whitespace
  tests: *.t: Fix for hexadecimal output
  tests: *.t: Fix expected output for simple calls
  tests: iptables-test: Cover for obligatory -j CONTINUE in ebtables
  tests: iptables-test: Implement fast test mode
  extensions: NFQUEUE: Document queue-balance limitation
  nft: Fix compile with -DDEBUG
  libiptc: Fix for segfault when renaming a chain
  tests: shell: Fix expected ebtables log target output
  tests: shell: Fix expected output for ip6tables dst match
  tests: libebt_stp.t: Drop duplicate whitespace
  tests: IDLETIMER.t: Fix syntax, support for restore input
  extensions: libebt_log: Avoid empty log-prefix in output
  extensions: TCPOPTSTRIP: Do not print empty options
  extensions: libip6t_dst: Fix output for empty options
  extensions: libebt_stp: Eliminate duplicate space in output
  extensions: among: Fix for use with ebtables-restore
  extensions: among: Remove pointless fall through
  tests: iptables-test: Test both variants by default
  tests: iptables-test: Pass netns to execute_cmd()
  tests: iptables-test: Simplify execute_cmd() calling
  tests: iptables-test: Simplify '-N' option a bit
  nft-bridge: Drop 'sreg_count' variable
  nft: Fix meta statement parsing
  ebtables: Fix among match
  ebtables: Support '-p Length'
  nft-shared: Introduce __get_cmp_data()
  ebtables: Merge OPT_* flags with xshared ones
  ebtables: Eliminate OPT_TABLE
  ebtables: Drop unused OPT_* defines
  tests: extend native delinearize script
  nft: track each register individually
  tests: shell: Test delinearization of native nftables expressions
  Revert "nft: prefer payload to ttl/hl module"/'meta pkttype' match.
  nft: un-break among match with concatenation
  nft: prefer payload to ttl/hl module
  nft: support ttl/hoplimit dissection
  extensions: libxt_pkttype: support otherhost
  nft: prefer native 'meta pkttype' instead of xt match
  nft: support dissection of meta pkktype mode
  nft: Expand extended error reporting to nft_cmd, too
  xtables-restore: Extend failure error message
  tests: add ebtables among testcase
  nft: fix ebtables among match when mac+ip addresses are used
  xshared: Print protocol numbers if --numeric was given
  xshared: Fix for missing space after 'prot' column
  tests: shell: Fix testcases for changed ip6tables opts output
  iptables: xshared: Ouptut '--' in the opt field in ipv6's fake mode
  extensions: libxt_conntrack: remove always-false conditionals
  xt_sctp: support a couple of new chunk types
  libxtables: Fix unsupported extension warning corner case
  netfilter: add nf_log.h
  libxtables: Define XT_OPTION_OFFSET_SCALE in xtables.h
  libxtables: Move struct xtables_afinfo into xtables.h
  xtables-monitor: add missing spaces in printed str
  nft: Exit if nftnl_alloc_expr fails
  iptables.8: mention that iptables exits when setuid
  extensions: string: Fix and enable tests
  extensions: string: Review parse_string() function
  extensions: string: Do not print default --to value
  ebtables-restore: Deny --init-table
  extensions: libebt_standard.t: Test logical-{in,out} as well
  tests: shell: Extend zero counters test a bit further
  tests: shell: Extend iptables-xml test a bit
  tests: shell: Add some more rules to 0002-verbose-output_0
  Makefile: Add --enable-profiling configure option
  xshared: Make some functions static
  iptables-legacy: Drop redundant include of xtables-multi.h
  arptables: Support -x/--exact flag
  libxtables: Unexport init_extensions*() declarations
  tests: shell: Check overhead in iptables-save and -restore
  build: Fix error during out of tree build
  Revert "fix build for missing ETH_ALEN definition"
  treewide: use uint* instead of u_int*

Generated via:
  git fetch git://git.netfilter.org/iptables v1.8.9
  git merge --log=999 FETCH_HEAD

Test: with follow up
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3968bfa48aefd8d8c0adcfb4da27a1507299548b

2023-10-21 | Merge tag 'v1.8.8' of https://git.netfilter.org/iptables | Maciej Żenczykowski

iptables 1.8.8 release

* tag 'v1.8.8' of https://git.netfilter.org/iptables:
  configure: bump version for 1.8.8 release
  nft: Fix EPERM handling for extensions without rev 0
  extensions: LOG: Document --log-macdecode in man page
  man: *NAT: Review --random* option descriptions
  extensions: DNAT: Merge core printing functions
  libxtables: Revert change to struct xtables_pprot
  libxtables: Drop xtables_globals 'optstring' field
  xshared: Extend xtables_printhelp() for arptables
  xshared: Move arp_opcodes into shared space
  extensions: MARK: Drop extra newline at end of help
  nft: split gen_payload() to allocate register and initialize expression
  nft: prepare for dynamic register allocation
  nft: pass handle to helper functions to build netlink payload
  nft: native mark matching support
  nft: pass struct nft_xt_ctx to parse_meta()
  nft-shared: update context register for bitwise expression
  extensions: man: Document service name support in DNAT and REDIRECT
  extensions: Merge REDIRECT into DNAT
  extensions: Merge IPv4 and IPv6 DNAT targets
  extensions: DNAT: Rename from libipt to libxt
  extensions: ipt_DNAT: Combine xlate functions also
  extensions: ipt_DNAT: Merge v1/v2 print/save code
  extensions: ipt_DNAT: Merge v1 and v2 parsers
  Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
  man: DNAT: Describe shifted port range feature
  xlate-test: Fix for empty source line on failure
  libxtables: Boost rule target checks by announcing chain names
  libxtables: Implement notargets hash table
  nft: Reject standard targets as chain names when restoring
  tests: shell: Fix 0004-return-codes_0 for static builds
  nft: Review static extension loading
  xtables: Call init_extensions{,a,b}() for static builds
  Simplify static build extension loading
  libxtables: Fix for warning in xtables_ipmask_to_numeric
  nft: Don't pass command state opaque to family ops callbacks
  xshared: Prefer xtables_chain_protos lookup over getprotoent
  nft: Speed up immediate parsing
  nft: Simplify immediate parsing
  Improve error messages for unsupported extensions
  libxtables: Register only the highest revision extension
  xshared: Implement xtables lock timeout using signals
  tests: NFLOG: enable `--nflog-range` tests
  tests: support explicit variant test result
  tests: add `NOMATCH` test result
  tests: iptables-test: rename variable
  iptables.8: Describe the effect of multiple -v flags
  tests: iptables-test: Support variant deviation
  nft: cache: Dump rules if debugging
  nft: Add debug output to table creation
  ebtables: Support verbose mode
  nft: Set NFTNL_CHAIN_FAMILY in new chains
  iptables-restore: Support for extra debug output
  nft: Use verbose flag to toggle debug output
  nft: add support for native tcp flag matching
  nft-shared: add tcp flag dissection
  nft: prefer native expressions instead of tcp match
  nft: prefer native expressions instead of udp match
  nft-shared: support native udp port delinearize
  nft-shared: support native tcp port range delinearize
  nft-shared: support native tcp port delinearize
  extensions: libxt_NFLOG: fix typo
  xshared: Fix response to unprivileged users
  build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
  extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
  extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
  extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
  extensions: libxt_NFLOG: don't truncate log prefix on print/save
  extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
  extensions: *NAT: Kill multiple IPv4 range support
  tests: iptables-test: correct misspelt variable
  nft: fix indentation error.
  ip6tables: Use the shared do_parse, too
  iptables: Use xtables' do_parse() function
  nft: Move proto_parse and post_parse callbacks to xshared
  xshared: Store parsed wait and wait_interval in xtables_args
  xshared: Move do_parse to shared space
  xtables: Do not pass nft_handle to do_parse()
  xtables: Pass xtables_args to check_inverse()
  xtables: Pass xtables_args to check_empty_interface()
  xtables: Move struct nft_xt_cmd_parse to xshared.h
  xtables: Pull table validity check out of do_parse()
  xtables: Drop xtables' family on demand feature
  nft-shared: set correct register value
  iptables-*-restore: Drop pointless line reference
  libxtables: Extend basic_exit_err()
  xtables_globals: Embed variant name in .program_version
  xshared: Share exit_tryhelp()
  xshared: Share a common printhelp function
  xshared: Share print_match_save() between legacy ip*tables
  extensions: tcpmss: add iptables-translate support
  xshared: Make load_proto() static
  nft-shared: Drop unused function print_proto()
  xshared: Share print_header() with legacy iptables
  xshared: Share print_fragment() with legacy
  xshared: Share print_rule_details() with legacy
  xshared: Share save_ipv{4,6}_addr() with legacy
  xshared: Share save_rule_details() with legacy
  xshared: Share print_iface() function
  nft: Change whitespace printing in save_rule callback
  xshared: Merge and share parse_chain()
  extensions: hashlimit: Fix tests with HZ=1000
  xlate-test: Print full path if testing all files
  Unbreak xtables-translate
  nft: Merge xtables-arp-standalone.c into xtables-standalone.c
  xtables: arptables accepts empty interface names
  xtables: Derive xtables_globals from family
  nft-shared: Make nft_check_xt_legacy() family agnostic
  nft-arp: Introduce post_parse callback
  arptables: Use standard data structures when parsing
  libxtables: Introduce xtables_globals print_help callback
  xtables-standalone: Drop version number from init errors
  nft: Add family ops callbacks wrapping different nft_cmd_* functions
  xtables: Simplify addr_mask freeing
  nft-shared: Introduce init_cs family ops callback
  xshared: Store optstring in xtables_globals
  nft: Introduce builtin_tables_lookup()
  tests: shell: fix bashism
  nft: Delete builtin chains compatibly
  nft-chain: Introduce base_slot field
  nft: Check base-chain compatibility when adding to cache
  nft: cache: Avoid double free of unrecognized base-chains
  xtables-translate: add missing argument and option to usage
  tests: iptables-test: Fix conditional colors on stderr
  ebtables: Avoid dropping policy when flushing
  iptables-test.py: print with color escapes only when stdout isatty
  tests: shell: Return non-zero on error
  tests: iptables-test: Exit non-zero on error
  tests: xlate-test: Exit non-zero on error
  tests: iptables-test: Print errors to stderr
  tests: xlate-test: Print errors to stderr
  tests: xlate-test: Don't skip any input after the first empty line
  tests: iptables-test: Fix missing chain case
  iptables-nft: allow removal of empty builtin chains
  Fix a few doc typos
  nft: Use xtables_{m,c}alloc() everywhere
  nft: Use xtables_malloc() in mnl_err_list_node_add()
  extensions: libxt_mac: Fix for missing space in listing
  iptables-test: Make netns spawning more robust
  extensions: hashlimit: Fix tests with HZ=100
  ip6tables: masquerade: use fully-random so that nft can understand the rule
  libxtables: exit if called by setuid executeable
  tests/shell: Assert non-verbose mode is silent
  nft: Fix for non-verbose check command
  ebtables: Dump atomic waste
  doc: ebtables-nft.8: Adjust for missing atomic-options
  xtables: Call init_extensions6() for static builds
  extensions: libxt_multiport: add translation for -m multiport --ports
  extensions: libxt_conntrack: simplify translation using negation
  extensions: libxt_tcp: rework translation to use flags match representation
  extensions: libxt_connlimit: add translation
  tests: xlate-test: support multiline expectation
  libxtables: extend xlate infrastructure
  extensions: libxt_string: Avoid buffer size warning for strncpy()
  libxtables: Introduce xtables_strdup() and use it everywhere
  extensions: libebt_ip6: Use xtables_ip6parse_any()
  iptables-apply: Drop unused variable
  nft: Avoid buffer size warnings copying iface names
  nft: Avoid memleak in error path of nft_cmd_new()
  libxtables: Fix memleak in xtopt_parse_hostmask()
  extensions: libebt_ip6: Drop unused variables
  libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
  extensions: sctp: Translate --chunk-types option
  extensions: sctp: Fix nftables translation
  Use proto_to_name() from xshared in more places
  ebtables-translate: Use shared ebt_get_current_chain() function
  xshared: Merge invflags handling code
  xshared: Eliminate iptables_command_state->invert
  xtables: Make invflags 16bit wide
  extensions: SECMARK: Implement revision 1
  nft-arp: Make use of ipv4_addr_to_string()
  Eliminate inet_aton() and inet_ntoa()
  extensions: sctp: Explain match types in man page
  nft: Increase BATCH_PAGE_SIZE to support huge rulesets
  nft: cache: Sort chains on demand only
  fix build for missing ETH_ALEN definition
  extensions: libxt_conntrack: use bitops for status negation
  extensions: libxt_conntrack: use bitops for state negation
  libxtables: Simplify xtables_ipmask_to_cidr() a bit
  xtables-translate: Fix translation of odd netmasks
  nft: Fix bitwise expression avoidance detection
  iptables-nft: fix -Z option
  include: Drop libipulog.h
  ebtables: Exit gracefully on invalid table names

Generated via:
  git fetch git://git.netfilter.org/iptables v1.8.8
  git merge --log=999 FETCH_HEAD

Test: with follow up
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7f10813f886cc0530245aca27e051435e3bb53fe

2023-10-21 | iptables: reenable 'pointer-bool-conversion' warning | Maciej Żenczykowski

(this does not seem to be needed any more)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I38949223393736d97623359b253fdfa1bcf222a2

2023-10-12 | extensions: string: Clarify description of --to | Phil Sutter

String match indeed returns a match as long as the given pattern starts in the range of --from and --to, update the text accordingly. Also add a note regarding fragment boundaries.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1707

2023-09-14 | nft: Fix for useless meta expressions in rule | Phil Sutter

A relict of legacy iptables' mandatory matching on interfaces and IP addresses is support for the '-i +' notation, basically a "match any input interface". Trying to make things better than its predecessor, iptables-nft boldly optimizes that nop away - not entirely though, the meta expression loading the interface name was left in place.

While not a problem (apart from pointless overhead) in current HEAD, v1.8.7 would trip over this as a following cmp expression (for another match) was incorrectly linked to that stale meta expression, loading strange values into the respective interface name field.

While being at it, merge and generalize the functions into a common one for use with ebtables' NFT_META_BRI_(I|O)IFNAME matches, too.

Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1702
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-09-14 | extensions: Fix checking of conntrack --ctproto 0 | Quentin Armitage

There are three issues in the code:

1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
2) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO) before the invert bit has been set.
3) the sense of the error message is the wrong way round

1) To get the error, ! --ctstatus XXX has to be specified, since XT_INV_PROTO == XT_CONNTRACK_STATUS, e.g.
| iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...

3) Unlike --proto 0 (where 0 means all protocols), in the conntrack match --ctproto 0 appears to mean protocol 0, which can never be. Therefore --ctproto 0 could never match and ! --ctproto 0 will always match. Both of these should be rejected, since the user clearly cannot be intending what was specified.

The attached patch resolves the issue, and also produces an error message if --ctproto 0 is specified (as well as ! --ctproto 0), since --ctproto 0 will never match, and ! --ctproto 0 will always match.

[Phil:
 - Added Fixes: tag - it's a day 1 bug
 - Copied patch description from Bugzilla
 - Reorganized changes to reduce diff
 - Added test cases]

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-08-29 | doc: fix example of xt_cpu | Victor Julien

REDIRECT uses --to-ports instead of --to-port.

Fixes: 2d59208943a3 ("extension: add xt_cpu match")
Signed-off-by: Victor Julien <victor@inliniac.net>
Signed-off-by: Florian Westphal <fw@strlen.de>

2023-08-10 | Use SOCK_CLOEXEC/O_CLOEXEC where available | Phil Sutter

No need for the explicit fcntl() call, request the behaviour when opening the descriptor. One fcntl() call setting FD_CLOEXEC remains in extensions/libxt_bpf.c, the indirect syscall seems not to support passing the flag directly.

Reported-by: Gaurav Gupta <g.gupta@samsung.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1104
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-08-05 | extensions: libip6t_icmp: Add names for mld-listener types | Phil Sutter

Add the three names (plus one alias) just as in nftables.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1250
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-08-05 | man: Use HTTPS for links to netfilter.org | Phil Sutter

The browser is redirected there anyway, but who cares about such minor details nowadays.

Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-08-04 | tests: libipt_icmp.t: Enable tests with numeric output | Phil Sutter

Unrelated to the question whether numeric (save) output is desired or not, enable the tests and expect the known format. Using --list without --numeric prints the names, BTW.

Fixes: 49d5b7277c7f2 ("extensions: libipt_icmp: add unit test")
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-08-04 | extensions: libipt_icmp: Fix confusion between 255/255 and any | Phil Sutter

Per definition, ICMP type "any" is type 255 and the full range of codes (0-255). Save callback though ignored the actual code values, printing "any" for every type 255 match. This at least confuses users as they can't find their rule added as '--icmp-type 255/255' anymore.

It is not entirely clear what the fixed commit was trying to establish, but the save output is certainly not correct (especially since print callback gets things right).

Reported-by: Amelia Downs <adowns@vmware.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600
Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)")
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-06-16 | man: string: document BM false negatives | Jeremy Sowden

For non-linear skb's there's a possibility that the kernel's Boyer-Moore text-search implementation may miss matches. There's a warning about this in the kernel source. Include that warning in the man-page.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-04-28 | xshared: Fix parsing of option arguments in same word | Phil Sutter

When merging commandline parsers, a decision between 'argv[optind - 1]' and 'optarg' had to be made in some spots. While the implementation of check_inverse() required the former, use of the latter allows for the common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at the suffix while 'argv[optind - 1]' will just point at the following option.

Fix the mess by making check_inverse() update optarg pointer if needed so calling code may refer to and always correct 'optarg'.

Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-02-21 | xt_sctp: add the missing chunk types in sctp_help | Xin Long

Add the missing chunk types in sctp_help(), so that the help cmd can display these chunk types as below:

  # iptables -p sctp --help
  chunktypes - ... I_DATA RE_CONFIG PAD ... I_FORWARD_TSN ALL NONE

Fixes: 6b04d9c34e25 ("xt_sctp: support a couple of new chunk types")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-02-17 | xtables-translate: Support insert with index | Phil Sutter

Translation is pretty simple due to nft's 'insert rule ... index' support. Testing the translation is sadly not: index 1 vanishes (as it should), higher indexes are rejected in replay mode since no rules previously exist.

Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-02-17 | extensions: libebt_ip: Translation has to match on ether type | Phil Sutter

On one hand, nft refuses the expression in bridge family if layer3 protocol has not been assured by a previous match. On the other, ebt_ip kernel module will only match on IPv4 packets, so there might be a functional change in the translation versus the original.

Instead of just always emitting an 'ether type' match, decide whether it's actually needed - explicit "ip <something>" payload matches (or icmp ones) cause implicit creation of a match on IPv4 by nft.

Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter <phil@nwl.cc>

2023-02-17  extensions: libebt_ip: Do not use 'ip dscp' for translation  (Phil Sutter)
Converting from TOS field match to DSCP one is irreversible, so replay testing is not possible. Use a raw payload expression to produce something that translates 1:1 back into an 'ip' match. Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-02-17  extensions: libebt_redirect: Fix for wrong syntax in translation  (Phil Sutter)
Meta key comes before 'set' in meta statement. Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-02-17  extensions: libebt_redirect: Fix target translation  (Phil Sutter)
While EBT_ACCEPT is the default verdict for ebtables targets, omitting it from translation implicitly converts it into 'continue'. Omit the non-default EBT_CONTINUE instead. Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-02-17  tests: CLUSTERIP: Drop test file  (Phil Sutter)
The extension was removed from kernel, do not test for it anymore. Keep the code alive though, to not break existing setups. Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-01-31  ebtables: Refuse unselected targets' options  (Phil Sutter)
Unlike legacy, ebtables-nft would allow e.g.: | -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be While the result is correct, it may mislead users into believing multiple targets are possible per rule. Better follow legacy's behaviour and reject target options unless they have been "enabled" by a previous '-j' option. To achieve this, one needs to distinguish targets from watchers also attached to 'xtables_targets' and otherwise behaving like regular matches. Introduce XTABLES_EXT_WATCHER to mark the two. The above works already, but error messages are misleading when using the now unsupported syntax since target options have been merged already. Solve this by not pre-loading the targets at all, code will just fall back to loading at '-j' parsing time as iptables does. Note how this also fixes the 'counter' statement being in the wrong position of ebtables-translate output. Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support") Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-01-12  extensions: NAT: Fix for -Werror=format-security  (Phil Sutter)
Have to pass either a string literal or format string to xt_xlate_add(). Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE") Signed-off-by: Phil Sutter <phil@nwl.cc>
2023-01-10  Makefile: Replace brace expansion  (Phil Sutter)
According to bash(1), it is not supported by "historical versions of sh". Dash seems to be such a historical version. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Fixes: 3822a992bc277 ("Makefile: Fix for 'make distcheck'") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-22  nft: Reject tcp/udp extension without proper protocol match  (Phil Sutter)
Internally, 'th' expression is used, which works but matches both protocols. Since users won't expect '-m tcp --dport 1' to match UDP packets, catch missing/wrong '-p' argument. Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-14  Makefile: Fix for 'make distcheck'  (Phil Sutter)
Since extensions/ directory does not use automake, some targets have to be added manually. Apart from that, several Makefiles either failed to specify relevant files or did not specify them correctly for 'make dist' to add them to the tarball. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-14  extensions: Makefile: Merge initext targets  (Phil Sutter)
Abstract initext*.c and .initext*.dd stamp file recipes so a single one serves for all variants. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-02  ebtables: Fix MAC address match translation  (Phil Sutter)
If a mask was present, ebtables-translate would emit illegal syntax. Fixes: 5e2b473a64bc7 ("xtables-compat: extend generic tests for masks and wildcards") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-02  xtables-translate: Fix for interfaces with asterisk mid-string  (Phil Sutter)
For nft, asterisk is special at end of the interface name only. Escaping it mid-string makes the escape char part of the interface name, so avoid this. In the test case, also drop the ticks around interface names in *-translate command - since there's no shell involved which would eat them, they become part of the interface name. Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-12-01  extensions: add xt_statistics random mode translation  (Florian Westphal)
Use meta random and bitops to replicate what xt_statistics is doing. Signed-off-by: Florian Westphal <fw@strlen.de>
2022-11-30  extensions: change expected output for new format  (Florian Westphal)
Now that xtables-translate encloses the entire command line in ', update the test cases accordingly. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-30  xlate: get rid of escape_quotes  (Florian Westphal)
It's not necessary to escape " characters, we can let xtables-translate print the entire translation/command enclosed in '' characters, i.e. nft 'add rule ...', this also takes care of [, { and other special characters that some shells might parse otherwise (when copy-pasting translated output). The escape_quotes struct member is retained to avoid an ABI breakage. This breaks all xlate test cases, fixup in followup patches. v3: no need to escape ', replace strcmp(x, "") with x[0] (Phil Sutter) Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-29  extensions: xlate: Format sets consistently  (Phil Sutter)
Print a space after separating commas. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-29  extensions: libxt_conntrack: Drop extra whitespace in xlate  (Phil Sutter)
No point in having this. Interestingly, other test cases even made up for it. Fixes: 0afd957f6bc03 ("extensions: libxt_state: add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-29  extensions: Leverage xlate auto-spacing  (Phil Sutter)
Drop code which is used explicitly to deal with spacing. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-29  libxtables: xt_xlate_add() to take care of spacing  (Phil Sutter)
Try to eliminate most of the whitespace issues by separating strings from separate xt_xlate_add() calls by whitespace if needed. Cover the common case of consecutive range, list or MAC/IP address printing by inserting whitespace only if the string to be appended starts with an alphanumeric character or a brace. The latter helps to make spacing in anonymous sets consistent. Provide *_nospc() variants which disable the auto-spacing for the mandatory exception to the rule. Make things round by dropping any trailing whitespace before returning the buffer via xt_xlate_get(). Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: ipcomp: Add comment to clarify xlate callback  (Phil Sutter)
Kernel ignores 'hdrres' field, thus matching on reserved field value was never effective. While being at it, drop its description from man page. Continue to parse and print it for compatibility reasons, but avoid attracting new users. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: frag: Add comment to clarify xlate callback  (Phil Sutter)
Matching on fragmentation header length is ineffective in kernel, xlate callback correctly ignores it. Add a comment as a hint for reviewers. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: libebt_log: Add comment to clarify xlate callback  (Phil Sutter)
Several log flags are ignored by the function. Add a comment explaining why this is correct. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: tcp: Translate TCP option match  (Phil Sutter)
A simple task since 'tcp option' expression exists. Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: ecn: Sanitize xlate callback  (Phil Sutter)
Catch unexpected values in einfo->ip_ect. Fixes: ca42442093d3d ("iptables: extensions: libxt_ecn: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: TOS: Fix v1 xlate callback  (Phil Sutter)
Translation entirely ignored tos_mask field. Fixes: b669e18489709 ("extensions: libxt_TOS: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: TCPMSS: Use xlate callback for IPv6, too  (Phil Sutter)
Data structures are identical and the translation is layer3-agnostic. Fixes: bebce197adb42 ("iptables: iptables-compat translation for TCPMSS") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: MARK: Sanitize MARK_xlate()  (Phil Sutter)
Since markinfo->mode might contain unexpected values, add a default case returning zero. Fixes: afefc7a134ca0 ("extensions: libxt_MARK: Add translation for revision 1 to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
2022-11-24  extensions: CONNMARK: Fix xlate callback  (Phil Sutter)
Bail out if nfmask != ctmask with XT_CONNMARK_SAVE and XT_CONNMARK_RESTORE. Looks like this needs a similar implementation to the one for XT_CONNMARK_SET. Fix shift mark translation: xt_connmark_shift_ops does not contain useful strings for nftables. Also add needed braces around the term being shifted. Fixes: db7b4e0de960c ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark") Signed-off-by: Phil Sutter <phil@nwl.cc>