742baabd185c326cc2125e648e240894362eb31c |
|
15-Sep-2015 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
1749f443d79f01c6ae1512cff63a5e02cf5149c1 |
|
11-Mar-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix rule deleting with -D in rules with no target

Before this patch, rule deleting with -D produces segfault in rules with no target.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
bdc668637bc1e71020db4ec83d116821ef07d183 |
|
03-Mar-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: support nflog extension

Let's give support for the nflog extension (a watcher).

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
fe97f60e5d2a968638286036db67e3a4e17f095d |
|
09-Feb-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: add watchers support

ebtables watchers are targets which always return EBT_CONTINUE.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
8acf8315a44fbee8227433daabb262b6de1e70f6 |
|
19-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix nft payload bases

ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information from packets in the bridge family.

Let's allow the add_payload() function to know in which base it should work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
cd414abfd21dae0288f53669672f057c0630c78a |
|
19-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: include rule counters in ebtables rules

Counters are missing in ebtables rules. This patch includes them just before the target, so counters are incremented when the rule is about to take its action.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
4143a08819a076507abaee0ee18e291b65e5997c |
|
19-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: add nft rule compat information to bridge rules

The compat information is required by some ebtables extensions to properly work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
457ed5e1231cf433b239fd10ccf3d976805eb4d8 |
|
13-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix ACCEPT printing by simplifying logic

The commit bc543af ("ebtables-compat: fix segfault in rules w/o target") doesn't handle all possible cases of target printing, and ACCEPT is left behind.

BTW, the logic of target (-j XXX) printing is a bit weird. This patch simplifies it.

I assume:
 * cs->jumpto is only filled by nft_immediate.
 * cs->target is only filled by nft_target.

So we end with these cases:
 * nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain)
   Then cs->jumpto contains the target already. We have the rule.
 * No standard target. If nft_target contains a target, try to load it.
 * Neither nft_target nor nft_immediate exist. Then, assume CONTINUE.

The printing path is then straightforward: either cs.jumpto or cs.target contains the target.

As there isn't support for target extensions yet, there is no way to test the nft_target (cs.target) path.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
bc543af074cf4372162eb330b914d2b0fdb6b6c7 |
|
05-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix segfault in rules w/o target

This patch fixes a segfault in rules without target.

Now, these two rules are allowed:
  % ebtables-compat -A FORWARD -p 0x0600 -j CONTINUE
  % ebtables-compat -A FORWARD -p 0x0600

And both are printed:
  Bridge chain: FORWARD, entries: 1, policy: ACCEPT
  -p 0x600 -j CONTINUE

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
42cfeee024d0ba0c6b15645f829273ee3dcfa5c6 |
|
26-Dec-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix printing of extension

This patch fixes printing of ebt extensions:

  % sudo ebtables-compat -L
  [...]
  Bridge chain: FORWARD, entries: 1, policy: ACCEPT
  --802_3-type 0x0012 -j ACCEPT
  [...]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
0e65c922fc0d51a8dff1a779863d4ae559aa9a4a |
|
23-Dec-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix counter listing

With this patch:

  % sudo ebtables-compat -L --Lc
  Bridge table: filter
  Bridge chain: INPUT, entries: 0, policy: ACCEPT
  -j ACCEPT , pcnt = 123 -- bcnt = 123

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
6aa7d1c26d0a3b0c909bbf13aa0ef6b179615433 |
|
17-Dec-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
extensions: add ebt 802_3 extension

This patch adds the first ebtables extension to ebtables-compat. The original 802_3 code is adapted to the xtables environment.

I tried to mimic as much as possible the original ebtables code paths.

With this patch, ebtables-compat is able to send the 802_3 match to the kernel, but the kernel-to-userspace path is not tested and should be adjusted in follow-up patches.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
4a48ec94c233a125a371eced5dc161df557576d9 |
|
24-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
iptables: xtables-eb: user-defined chains default policy is always RETURN

The RETURN default policy is mandatory in user-defined chains. Builtin chains must have one of ACCEPT or DROP.

So, with this patch, ebtables-compat ends with:

  Command:                               Result:
  -L                                     Always RETURN for user-defined chains
  -P builtin RETURN                      Policy RETURN only allowed for user defined chains
  -P builtin ACCEPT|DROP                 ok
  -P userdefined RETURN|ACCEPT|DROP      Policy XYZ not allowed for user defined chains
  -N userdefined                         ok
  -N userdefined -P RETURN|ACCEPT|DROP   Policy XYZ not allowed for user defined chains

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
29b5492b339efe4635c18ac9f61873a590139c51 |
|
12-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
nft-bridge: fix inversion of builtin matches

This patch fixes inversion of builtin matches by updating the use of add_*() functions and using nft_invflags2cmp() as well.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
04ff786c7a42f3ad16535fa5d7aa20346217917b |
|
08-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
nft-bridge: fix printing of inverted protocols, addresses

Previous to this patch, no '!' is printed in payload comparisons.

This patch solves it, so we can print for example inverted protocols:

  % ebtables-compat -L
  [...]
  -p ! 0x800 -j ACCEPT

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
51e83a4deb4849152a29c160893f0823846d47a0 |
|
16-Oct-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
ebtables-compat: fix print_header

This prints the header like ebtables.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
902e92ceedba96d3241fa8ff701c061cd53a197d |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
ebtables-compat: use ebtables_command_state in bootstrap code

And introduce fake ebt_entry.

This gets the code in sync in other existing compat tools. This will likely allow to consolidate common infrastructure.

This code is still quite experimental.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|
da871de2a6efb576b6378a66222c0871f4282e96 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility software upon nf_tables.

[ Original patches:
  http://patchwork.ozlabs.org/patch/395544/
  http://patchwork.ozlabs.org/patch/395545/
  http://patchwork.ozlabs.org/patch/395546/
  I have also forward ported them on top of the current git HEAD, otherwise compilation breaks.
  This bootstrap is experimental, this still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-bridge.c
|