Cross Reference: /external/iptables/iptables/nft.c

History log of /external/iptables/iptables/nft.c
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
ef2a7e9fe0d82c691aeee1cbd61095841231974f	26-Aug-2016	Pablo M. Bermudo Garay <pablombg@gmail.com>	xtables-compat: add rule cache This patch adds a cache of rules within the nft handle. This feature is useful since the whole ruleset was brought from the kernel for every chain during listing operations. In addition with the new checks of ruleset compatibility, the rule list is loaded one more time. Now all the operations causing changes in the ruleset must invalidate the cache, a function called flush_rule_cache has been introduced for this purpose. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
4b791044cd0984c9a1771e86fa77fce9d309d9e7	26-Aug-2016	Pablo M. Bermudo Garay <pablombg@gmail.com>	xtables-compat: check if nft ruleset is compatible This patch adds a verification of the compatibility between the nft ruleset and iptables. Nft tables, chains and rules are checked to be compatible with iptables. If something is not compatible, the execution stops and an error message is displayed to the user. This checking is triggered by xtables-compat -L and xtables-compat-save commands. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
2abd049177fa42993e4b1de588e92282a200ee43	21-Aug-2016	Pablo M. Bermudo Garay <pablombg@gmail.com>	xtables-compat: remove useless functions The static function nft_rule_list_get was exposed outside nft.c through the nft_rule_list_create function, but this was never used out there. A similar situation occurs with nftnl_rule_list_free and nft_rule_list_destroy. This patch removes nft_rule_list_create and nft_rule_list_destroy for the sake of simplicity. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
a44bee8c3582cb72868a3b7f703494dd2b24bf7d	02-Aug-2016	Pablo M. Bermudo Garay <pablombg@gmail.com>	xtables-compat: fix comments listing ip[6]tables-compat -L was not printing the comments since commit d64ef34a9961 ("iptables-compat: use nft built-in comments support"). This patch solves the issue. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
d64ef34a99610a6fb54d43660ac31555da858231	22-Jun-2016	Pablo M. Bermudo Garay <pablombg@gmail.com>	iptables-compat: use nft built-in comments support After this patch, iptables-compat uses nft built-in comments support instead of comment match. This change simplifies the treatment of comments in nft after load a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
742baabd185c326cc2125e648e240894362eb31c	15-Sep-2015	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: use new symbols in libnftnl Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
34344db9878ed53b387180362b1be77001e03e45	21-Jul-2015	Thomas Woerner <twoerner@redhat.com>	iptables-compat: Increase rule number only for the selected table and chain This patch fixes the rule number handling in nft_rule_find and __nft_rule_list. The rule number is only valid in the selected table and chain and therefore may not be increased for other tables or chains. Signed-off-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
8e1522698a7495002e5154f5643abb68e9c3a89a	21-Jul-2015	Thomas Woerner <twoerner@redhat.com>	iptables-compat: Allow to insert into rule_count+1 position iptables allows to insert a rule into the next non existing rule number but iptables-compat does not allow to do this Signed-off-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
51e83a4deb4849152a29c160893f0823846d47a0	16-Oct-2014	Giuseppe Longo <giuseppelng@gmail.com>	ebtables-compat: fix print_header This prints the header like ebtables. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
da871de2a6efb576b6378a66222c0871f4282e96	09-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	nft: bootstrap ebtables-compat This patch bootstraps ebtables-compat, the ebtables compatibility software upon nf_tables. [ Original patches: http://patchwork.ozlabs.org/patch/395544/ http://patchwork.ozlabs.org/patch/395545/ http://patchwork.ozlabs.org/patch/395546/ I have also forward port them on top of the current git HEAD, otherwise compilation breaks. This bootstrap is experimental, this still needs more work. --Pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
d87b76cfc3b1c003fec75b8a4ea639aa444014f3	24-Nov-2014	Arturo Borrero <arturo.borrero.glez@gmail.com>	nft-compat: create a separated object update type to rename chains This patch adds an explicit object update type to rename chains, so we avoid calling the nf_tables API with NLM_F_EXCL. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
c82bf9f79bbc299de428fdc2e204d571b6cbc50d	12-Nov-2014	Arturo Borrero <arturo.borrero.glez@gmail.com>	iptables-compat: kill add_*() invflags parameter Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ. The caller must calculate which kind of cmp operation requires. BTW, this patch solves absence of inversion in some arptables-compat builtin matches. Thus, translating arptables inv flags is no longer needed. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
b92426faab5101bc250832fca85ee8fa3548572d	05-Nov-2014	Ana Rey <anarey@gmail.com>	iptables-compat: homogenize error messages with 'R' option There is a difference between error messages in iptables and iptables-compat: # iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT iptables: Index of replacement too big. # iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT iptables: No chain/target/match by that name. Now, iptables-compat shows the same error message than iptables in this case. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
7bc5f6c133bf38c696dc8c14cb479167711437c2	30-Oct-2014	Ana Rey <anarey@gmail.com>	iptables-compat: homogenize error messages There are some differences between error messages in iptables and iptables-compat: # iptables -C INPUT -s 192.168.2.102 -j ACCEPT iptables: Bad rule (does a matching rule exist in that chain?). # iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT iptables: No chain/target/match by that name. # iptables -N new_chain # iptables -N new_chain iptables: Chain already exists. # iptables-compat -N new_chain # iptables-compat -N new_chain iptables: File exists. Now, iptables-compat shows the same error messages than iptables in those cases. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
a4e78370af8498e2de65fcb8aafed39a4482966c	23-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: fix empty chains after first invocation of iptables-compat -L # iptables-compat -L # iptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Note that the second (and follow up) invocations after the first one display the chains. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
3599c617f6509d120dfddf78a024bdd32633cf2d	23-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains Newly created (emulated) xt built-in chain have to use NF_ACCEPT. Remove extra unused chain parameter and rename nft_chain_builtin_init to nft_xt_builtin_init too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
63f1391a5441bb092f7a1a4023e2f158ee9231a2	23-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: statify unused built-in table/chain functions The functions that allows you to create built-in table and chains are required out of the scope of nft.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
b06fcdb858deefe35baaaf2f2f912616fb38644b	23-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: fix chain policy reset with iptables -L -n Initialize built-in tables/chains if they don't exists, otherwise simply skip. This avoids the chain policy reset to NF_ACCEPT by when you call iptables -L -n. Reported-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Ana Rey <anarey@gmail.com> /external/iptables/iptables/nft.c
4272426912b0951b4dc7f40179d5217b513775e1	09-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	arptables-compat: get output in sync with arptables -L -n --line-numbers # arptables-compat -L -n --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination <-- This header is not shown by arptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
3f37696b7ce5bea29e742f7d8efc33dd82fb878c	08-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: nft: fix error reporting This fixes # iptables-compat -X test4345 iptables: No chain/target/match by that name. # iptables-compat -N test4345 # iptables-compat -N test4345 iptables: File exists. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
1d395bcb585dd941859f2206eed89da23d19909c	08-Oct-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: nft: fix user chain addition, deletion and rename Add the glue code to use the chain batching for user chain commands. Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
cbe036db892c298c33e77dec2c5129dbb4dccc2c	30-Sep-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: get rid of error reporting via perror The compat layer should report problems in the iptables way instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
9470040d53ca7136b54f32507fe3d31d12736d22	30-Sep-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: fix use after free in the batch send path Release the batch pages once they have been sent via sendmsg(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
1f932f08a17c55f1689a432433f9f2a0cf6f014f	30-Sep-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl Use the existing functions in libnftnl to begin and end a batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
1aefddd07ca8e51f0528366835cf466d57bd459f	11-Jun-2014	Giuseppe Longo <giuseppelng@gmail.com>	nft: save: fix the printing of the counters This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
f1299b98d7ff200eb50ca574278bfeb1368de01b	09-Jun-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables: nft: add tables and chains to the batch Since kernel changes: 55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain"). it is possible to put tables and chains in the same batch (which was already including rules). This patch probes the kernel to check if if the new transaction is available, otherwise it falls back to the previous non-transactional approach to handle these two objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
ee85b1bc1bb9f91daf2004823dfa204dbc52f52a	09-Jun-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables: nft: remove unused code Remove code to set table in dormant state, this is not required from the iptables over nft compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
495f1e8cc1753a3577a0b6c790b96b34859cd9bd	09-Jun-2014	Pablo Neira Ayuso <pablo@netfilter.org>	iptables: nft: generalize batch infrastructure Prepare inclusion of tables and chain objects in the batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
60f00639ca42a95fd5425d6bb6ac08e5b29c6b18	24-Mar-2014	Giuseppe Longo <giuseppelng@gmail.com>	nft: replace nft_rule_attr_get_u8 Since the family declaration has been modified in libnftnl, from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion is failed for {ip,ip6,arp}tables-compat when printing rules. iptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 ip6tables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 arptables-compat -L Chain INPUT (policy ACCEPT) target prot opt source destination libnftnl: attribute 0 assertion failed in rule.c:273 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
1835790d7f7517f4c101e1c1f3df5519a6c228e7	11-Feb-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: Pass a line after printing out a debug message In this specific places, libnftnl gives back a string on which iptables should not assume any line break, thus it's up to iptables to add it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
2e256aa818ba5ddf13a4e85f071ef1bf3c485558	11-Feb-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: Remove useless error message These are not helpful. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
e6b8e172fca48f5d80699afe80947b0fc1f23fd6	11-Feb-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: Initialize a table only once This helps to remove some runtime overhead, especially when running xtables-restore. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
690ea18fdd6f8bc12322a729a2f7c97d8e731c43	11-Feb-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: A builtin chain might be created when restoring nft_chain_set() is directly used in xtables-restore.c, however at that point no builtin chains have been created yet thus the need to request to build it relevantly. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
837629fed24af7298fbf4cd28c7a51f24b70ee93	11-Feb-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: Add useful debug output when a builtin table is created This is useful to know if a builtin table is requested to be created. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
d007e1a59e4beaddab430992302d43b122ffc801	11-Feb-2014	Pablo Neira Ayuso <pablo@netfilter.org>	nft-compat: fix IP6T_F_GOTO flag handling IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling to avoid misinterpretations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
8877968858a8dd6b7ae096988d57a7511c81733d	10-Feb-2014	Giuseppe Longo <giuseppelng@gmail.com>	nft: adds save_matches_and_target This patch permits to save matches and target for ip/ip6/arp/eb family, required for xtables-events. Also, generalizes nft_rule_print_save to be reused for all protocol families. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
a4e1098169a67716a81316c36ce22ddcb33df1c0	20-Jan-2014	Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>	nft: Use new libnftnl library name against former libnftables Adapt the current code to use the new library name libnftnl. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
504119fe14bffde5800a631da89b80ed6043cecb	04-Dec-2013	Pablo Neira Ayuso <pablo@netfilter.org>	nft: fix wrong function to release iterator nft.c: In function ‘nft_xtables_config_load’: nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default] In file included from nft.c:41:0: /usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter ’ but argument is of type ‘struct nft_chain_list_iter ’ Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load) but that was my fault indeed since Ana sent a v2 patch that I have overlook. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
b0194cea194b510c675ca05415da15cff57afe47	02-Dec-2013	Ana Rey <anarey@gmail.com>	iptables: nft: fix memory leaks in nft_fini Those errors are shown with valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) ==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) These objects are allocated from nft_init but they were not released appropriately in the exit path. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c
6a4033b70dfdcc2df66f4ea51c901786a2b6131c	02-Dec-2013	Ana Rey <anarey@gmail.com>	nft: fix memory leaks in nft_xtables_config_load Those errors are shown with the valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5955B02: nft_table_list_alloc (table.c:425) ==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888) ==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) Fix these leaks and consolidate error handling in the exit path of nft_xtables_config_load Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> /external/iptables/iptables/nft.c