History log of /external/iptables/iptables/nft-bridge.c
Revision Date Author Comments
742baabd185c326cc2125e648e240894362eb31c 15-Sep-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
1749f443d79f01c6ae1512cff63a5e02cf5149c1 11-Mar-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix rule deleting with -D in rules with no target

Before this patch, rule deleting with -D produces segfault in rules
with no target.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
bdc668637bc1e71020db4ec83d116821ef07d183 03-Mar-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: support nflog extension

Let's give support for the nflog extension (a watcher).

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
fe97f60e5d2a968638286036db67e3a4e17f095d 09-Feb-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: add watchers support

ebtables watchers are targets which always return EBT_CONTINUE.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
8acf8315a44fbee8227433daabb262b6de1e70f6 19-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix nft payload bases

ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information
from packets in the bridge family.

Let's allow the add_payload() function to know in which base it should work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
cd414abfd21dae0288f53669672f057c0630c78a 19-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: include rule counters in ebtables rules

Counters are missing in ebtables rules.

This patch includes them just before the target, so counters are incremented
when the rule is about to take its action.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
4143a08819a076507abaee0ee18e291b65e5997c 19-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: add nft rule compat information to bridge rules

The compat information is required by some ebtables extensions to properly
work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
457ed5e1231cf433b239fd10ccf3d976805eb4d8 13-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix ACCEPT printing by simplifying logic

The commit bc543af ("ebtables-compat: fix segfault in rules w/o target")
doesn't handle all possible cases of target printing, and ACCEPT is left
behind.

BTW, the logic of target (-j XXX) printing is a bit weird. This patch
simplifies it.

I assume:
* cs->jumpto is only filled by nft_immediate.
* cs->target is only filled by nft_target.

So we end with these cases:
* nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain)
Then cs->jumpto contains the target already. We have the rule.
* No standard target. If nft_target contains a target, try to load it.
* Neither nft_target nor nft_immediate exist. Then, assume CONTINUE.

The printing path is then straightforward: either cs.jumpto or cs.target
contains the target.

As there isn't support for target extensions yet, there is no way to test the
nft_target (cs.target) path.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
bc543af074cf4372162eb330b914d2b0fdb6b6c7 05-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix segfault in rules w/o target

This patch fixes a segfault in rules without target.

Now, these two rules are allowed:

% ebtables-compat -A FORWARD -p 0x0600 -j CONTINUE
% ebtables-compat -A FORWARD -p 0x0600

And both are printed:

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x600 -j CONTINUE

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
42cfeee024d0ba0c6b15645f829273ee3dcfa5c6 26-Dec-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix printing of extension

This patch fixes printing of ebt extensions:

% sudo ebtables-compat -L
[...]
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--802_3-type 0x0012 -j ACCEPT
[...]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
0e65c922fc0d51a8dff1a779863d4ae559aa9a4a 23-Dec-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix counter listing

With this patch:

% sudo ebtables-compat -L --Lc
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT
-j ACCEPT , pcnt = 123 -- bcnt = 123

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
6aa7d1c26d0a3b0c909bbf13aa0ef6b179615433 17-Dec-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> extensions: add ebt 802_3 extension

This patch adds the first ebtables extension to ebtables-compat.
The original 802_3 code is adapted to the xtables environment.

I tried to mimic as much as possible the original ebtables code paths.

With this patch, ebtables-compat is able to send the 802_3 match to the kernel,
but the kernel-to-userspace path is not tested and should be adjusted
in follow-up patches.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
4a48ec94c233a125a371eced5dc161df557576d9 24-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> iptables: xtables-eb: user-defined chains default policy is always RETURN

The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.

So, with this patch, ebtables-compat ends with:

Command:                                Result:

-L                                      Always RETURN for user-defined chains
-P builtin RETURN                       Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP                  ok
-P userdefined RETURN|ACCEPT|DROP       Policy XYZ not allowed for user defined chains
-N userdefined                          ok
-N userdefined -P RETURN|ACCEPT|DROP    Policy XYZ not allowed for user defined chains

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
29b5492b339efe4635c18ac9f61873a590139c51 12-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> nft-bridge: fix inversion of builtin matches

This patch fixes inversion of builtin matches by updating the use of add_*()
functions and using nft_invflags2cmp() as well.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
04ff786c7a42f3ad16535fa5d7aa20346217917b 08-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> nft-bridge: fix printing of inverted protocols, addresses

Prior to this patch, no '!' is printed in payload comparisons.
This patch solves it, so we can print, for example, inverted protocols:

% ebtables-compat -L
[...]
-p ! 0x800 -j ACCEPT

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
51e83a4deb4849152a29c160893f0823846d47a0 16-Oct-2014 Giuseppe Longo <giuseppelng@gmail.com> ebtables-compat: fix print_header

This prints the header like ebtables.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
902e92ceedba96d3241fa8ff701c061cd53a197d 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> ebtables-compat: use ebtables_command_state in bootstrap code

And introduce fake ebt_entry.

This gets the code in sync with the other existing compat tools. This
will likely allow consolidating common infrastructure.

This code is still quite experimental.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
da871de2a6efb576b6378a66222c0871f4282e96 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.

[ Original patches:

http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/

I have also forward-ported them on top of the current git HEAD, otherwise
compilation breaks.

This bootstrap is experimental, this still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c