ef2a7e9fe0d82c691aeee1cbd61095841231974f |
|
26-Aug-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
xtables-compat: add rule cache This patch adds a cache of rules within the nft handle. This feature is useful since the whole ruleset was brought from the kernel for every chain during listing operations. In addition, with the new checks of ruleset compatibility, the rule list is loaded one more time. Now all the operations causing changes in the ruleset must invalidate the cache; a function called flush_rule_cache has been introduced for this purpose. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
4b791044cd0984c9a1771e86fa77fce9d309d9e7 |
|
26-Aug-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
xtables-compat: check if nft ruleset is compatible This patch adds a verification of the compatibility between the nft ruleset and iptables. Nft tables, chains and rules are checked to be compatible with iptables. If something is not compatible, the execution stops and an error message is displayed to the user. This checking is triggered by xtables-compat -L and xtables-compat-save commands. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
2abd049177fa42993e4b1de588e92282a200ee43 |
|
21-Aug-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
xtables-compat: remove useless functions The static function nft_rule_list_get was exposed outside nft.c through the nft_rule_list_create function, but this was never used out there. A similar situation occurs with nftnl_rule_list_free and nft_rule_list_destroy. This patch removes nft_rule_list_create and nft_rule_list_destroy for the sake of simplicity. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
a44bee8c3582cb72868a3b7f703494dd2b24bf7d |
|
02-Aug-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
xtables-compat: fix comments listing ip[6]tables-compat -L was not printing the comments since commit d64ef34a9961 ("iptables-compat: use nft built-in comments support"). This patch solves the issue. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
d64ef34a99610a6fb54d43660ac31555da858231 |
|
22-Jun-2016 |
Pablo M. Bermudo Garay <pablombg@gmail.com> |
iptables-compat: use nft built-in comments support After this patch, iptables-compat uses nft built-in comments support instead of the comment match. This change simplifies the treatment of comments in nft after loading a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
742baabd185c326cc2125e648e240894362eb31c |
|
15-Sep-2015 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: use new symbols in libnftnl Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
34344db9878ed53b387180362b1be77001e03e45 |
|
21-Jul-2015 |
Thomas Woerner <twoerner@redhat.com> |
iptables-compat: Increase rule number only for the selected table and chain This patch fixes the rule number handling in nft_rule_find and __nft_rule_list. The rule number is only valid in the selected table and chain and therefore may not be increased for other tables or chains. Signed-off-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
8e1522698a7495002e5154f5643abb68e9c3a89a |
|
21-Jul-2015 |
Thomas Woerner <twoerner@redhat.com> |
iptables-compat: Allow to insert into rule_count+1 position iptables allows inserting a rule at the next non-existing rule number, but iptables-compat does not allow this. Signed-off-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
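The two commits above both concern how iptables-compat numbers rules within a chain: the number must only count rules of the selected table and chain, and -I must accept rule_count+1 as a position (an append) while a replacement cannot. The following C program is an added example, not code from the iptables tree; the struct, the sample ruleset and the function names are constructed for illustration. It contrasts the pre-fix counting (every rule in the dump advances the number) with the scoped counting, and states both position checks as predicates.

```c
#include <stddef.h>
#include <string.h>

/* Constructed rule record: only the fields the numbering logic needs (assumption). */
struct rule {
    const char *table;
    const char *chain;
    const char *expr;          /* readable stand-in for the rule body */
};

/* Constructed sample ruleset spanning two tables and two chains. */
static const struct rule sample_rules[] = {
    { "filter", "INPUT",      "-p tcp --dport 22 -j ACCEPT" },
    { "nat",    "PREROUTING", "-p tcp --dport 80 -j REDIRECT --to-ports 8080" },
    { "filter", "FORWARD",    "-j DROP" },
    { "filter", "INPUT",      "-j DROP" },
};
#define SAMPLE_N (sizeof sample_rules / sizeof sample_rules[0])

static int in_chain(const struct rule *r, const char *table, const char *chain)
{
    return strcmp(r->table, table) == 0 && strcmp(r->chain, chain) == 0;
}

/* Number of rules in one table/chain; rules elsewhere never advance the count. */
static size_t rule_count_in_chain(const struct rule *rules, size_t n,
                                  const char *table, const char *chain)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (in_chain(&rules[i], table, chain))
            count++;
    return count;
}

/*
 * Pre-fix behaviour: the running number is bumped for every rule in the dump,
 * so a rule number only "works" when no other table or chain precedes it.
 */
static const struct rule *rule_find_by_num_naive(const struct rule *rules, size_t n,
                                                 const char *table, const char *chain,
                                                 size_t rulenum)
{
    size_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        seen++;                                  /* counted regardless of chain */
        if (seen == rulenum && in_chain(&rules[i], table, chain))
            return &rules[i];
    }
    return NULL;
}

/* Fixed behaviour: only rules of the selected table/chain advance the number. */
static const struct rule *rule_find_by_num(const struct rule *rules, size_t n,
                                           const char *table, const char *chain,
                                           size_t rulenum)
{
    size_t seen = 0;
    if (rulenum == 0)
        return NULL;                             /* rule numbers are 1-based */
    for (size_t i = 0; i < n; i++) {
        if (!in_chain(&rules[i], table, chain))
            continue;                            /* other chain: do not count it */
        if (++seen == rulenum)
            return &rules[i];
    }
    return NULL;
}

/* -I chain rulenum: 1..count are insert-before positions, count+1 appends. */
static int insert_position_valid(size_t count, size_t rulenum)
{
    return rulenum >= 1 && rulenum <= count + 1;
}

/* -R chain rulenum: only an existing rule can be replaced, so 1..count. */
static int replace_position_valid(size_t count, size_t rulenum)
{
    return rulenum >= 1 && rulenum <= count;
}
```

With the sample ruleset, "filter INPUT rule 2" is the final DROP rule under the scoped count, while the naive count never reaches it at position 2 at all, because the nat and FORWARD rules in between have consumed numbers.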
51e83a4deb4849152a29c160893f0823846d47a0 |
|
16-Oct-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
ebtables-compat: fix print_header This prints the header like ebtables. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
da871de2a6efb576b6378a66222c0871f4282e96 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: bootstrap ebtables-compat This patch bootstraps ebtables-compat, the ebtables compatibility software upon nf_tables. [ Original patches: http://patchwork.ozlabs.org/patch/395544/ http://patchwork.ozlabs.org/patch/395545/ http://patchwork.ozlabs.org/patch/395546/ I have also forward port them on top of the current git HEAD, otherwise compilation breaks. This bootstrap is experimental, this still needs more work. --Pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
d87b76cfc3b1c003fec75b8a4ea639aa444014f3 |
|
24-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
nft-compat: create a separated object update type to rename chains This patch adds an explicit object update type to rename chains, so we avoid calling the nf_tables API with NLM_F_EXCL. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
c82bf9f79bbc299de428fdc2e204d571b6cbc50d |
|
12-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
iptables-compat: kill add_*() invflags parameter Let's kill the invflags parameter and use NFT_CMP_[N]EQ directly. The caller must calculate which kind of cmp operation is required. BTW, this patch solves the absence of inversion in some arptables-compat builtin matches. Thus, translating arptables inv flags is no longer needed. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b92426faab5101bc250832fca85ee8fa3548572d |
|
05-Nov-2014 |
Ana Rey <anarey@gmail.com> |
iptables-compat: homogenize error messages with 'R' option
There is a difference between error messages in iptables and iptables-compat:
# iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: Index of replacement too big.
# iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
iptables: No chain/target/match by that name.
Now, iptables-compat shows the same error message as iptables in this case.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
7bc5f6c133bf38c696dc8c14cb479167711437c2 |
|
30-Oct-2014 |
Ana Rey <anarey@gmail.com> |
iptables-compat: homogenize error messages
There are some differences between error messages in iptables and iptables-compat:
# iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.
# iptables -N new_chain
# iptables -N new_chain
iptables: Chain already exists.
# iptables-compat -N new_chain
# iptables-compat -N new_chain
iptables: File exists.
Now, iptables-compat shows the same error messages as iptables in those cases.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
a4e78370af8498e2de65fcb8aafed39a4482966c |
|
23-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: fix empty chains after first invocation of iptables-compat -L
# iptables-compat -L
# iptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note that the second (and follow up) invocations after the first one display the chains.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
3599c617f6509d120dfddf78a024bdd32633cf2d |
|
23-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains Newly created (emulated) xt built-in chains have to use NF_ACCEPT. Remove the extra unused chain parameter and rename nft_chain_builtin_init to nft_xt_builtin_init too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
63f1391a5441bb092f7a1a4023e2f158ee9231a2 |
|
23-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: statify unused built-in table/chain functions The functions that allow you to create built-in tables and chains are required out of the scope of nft.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b06fcdb858deefe35baaaf2f2f912616fb38644b |
|
23-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: fix chain policy reset with iptables -L -n Initialize built-in tables/chains if they don't exist, otherwise simply skip. This avoids the chain policy being reset to NF_ACCEPT when you call iptables -L -n. Reported-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Ana Rey <anarey@gmail.com>
/external/iptables/iptables/nft.c
|
4272426912b0951b4dc7f40179d5217b513775e1 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: get output in sync with arptables -L -n --line-numbers
# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <-- This header is not shown by arptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
3f37696b7ce5bea29e742f7d8efc33dd82fb878c |
|
08-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: nft: fix error reporting
This fixes
# iptables-compat -X test4345
iptables: No chain/target/match by that name.
# iptables-compat -N test4345
# iptables-compat -N test4345
iptables: File exists.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1d395bcb585dd941859f2206eed89da23d19909c |
|
08-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: nft: fix user chain addition, deletion and rename Add the glue code to use the chain batching for user chain commands. Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
cbe036db892c298c33e77dec2c5129dbb4dccc2c |
|
30-Sep-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: get rid of error reporting via perror The compat layer should report problems in the iptables way instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
9470040d53ca7136b54f32507fe3d31d12736d22 |
|
30-Sep-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: fix use after free in the batch send path Release the batch pages once they have been sent via sendmsg(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1f932f08a17c55f1689a432433f9f2a0cf6f014f |
|
30-Sep-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl Use the existing functions in libnftnl to begin and end a batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1aefddd07ca8e51f0528366835cf466d57bd459f |
|
11-Jun-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: save: fix the printing of the counters This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
f1299b98d7ff200eb50ca574278bfeb1368de01b |
|
09-Jun-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: add tables and chains to the batch Since kernel changes: 55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure to handle table"). 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain"). it is possible to put tables and chains in the same batch (which was already including rules). This patch probes the kernel to check if the new transaction infrastructure is available, otherwise it falls back to the previous non-transactional approach to handle these two objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
ee85b1bc1bb9f91daf2004823dfa204dbc52f52a |
|
09-Jun-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: remove unused code Remove code to set table in dormant state, this is not required from the iptables over nft compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
495f1e8cc1753a3577a0b6c790b96b34859cd9bd |
|
09-Jun-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: generalize batch infrastructure Prepare inclusion of tables and chain objects in the batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
60f00639ca42a95fd5425d6bb6ac08e5b29c6b18 |
|
24-Mar-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: replace nft_rule_attr_get_u8
Since the family declaration has been modified in libnftnl, from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion fails for {ip,ip6,arp}tables-compat when printing rules.
iptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
ip6tables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1835790d7f7517f4c101e1c1f3df5519a6c228e7 |
|
11-Feb-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Pass a line after printing out a debug message In these specific places, libnftnl gives back a string on which iptables should not assume any line break, thus it's up to iptables to add it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
2e256aa818ba5ddf13a4e85f071ef1bf3c485558 |
|
11-Feb-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Remove useless error message These are not helpful. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
e6b8e172fca48f5d80699afe80947b0fc1f23fd6 |
|
11-Feb-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Initialize a table only once This helps to remove some runtime overhead, especially when running xtables-restore. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
690ea18fdd6f8bc12322a729a2f7c97d8e731c43 |
|
11-Feb-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: A builtin chain might be created when restoring nft_chain_set() is directly used in xtables-restore.c; however, at that point no builtin chains have been created yet, thus the need to request building it as relevant. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
837629fed24af7298fbf4cd28c7a51f24b70ee93 |
|
11-Feb-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Add useful debug output when a builtin table is created This is useful to know if a builtin table is requested to be created. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
d007e1a59e4beaddab430992302d43b122ffc801 |
|
11-Feb-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft-compat: fix IP6T_F_GOTO flag handling IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling to avoid misinterpretations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
8877968858a8dd6b7ae096988d57a7511c81733d |
|
10-Feb-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: adds save_matches_and_target This patch permits saving matches and targets for the ip/ip6/arp/eb families, required for xtables-events. It also generalizes nft_rule_print_save to be reused for all protocol families. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
a4e1098169a67716a81316c36ce22ddcb33df1c0 |
|
20-Jan-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Use new libnftnl library name against former libnftables Adapt the current code to use the new library name libnftnl. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
504119fe14bffde5800a631da89b80ed6043cecb |
|
04-Dec-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix wrong function to release iterator
nft.c: In function ‘nft_xtables_config_load’:
nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
In file included from nft.c:41:0:
/usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’
Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load), but that was my fault indeed since Ana sent a v2 patch that I had overlooked.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b0194cea194b510c675ca05415da15cff57afe47 |
|
02-Dec-2013 |
Ana Rey <anarey@gmail.com> |
iptables: nft: fix memory leaks in nft_fini
Those errors are shown with the valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554==    by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
==12554==    by 0x416520: nft_action (nft.c:2281)
==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554==    by 0x5B87994: (below main) (libc-start.c:260)
==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==12554==    by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
==12554==    by 0x416520: nft_action (nft.c:2281)
==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
==12554==    by 0x5B87994: (below main) (libc-start.c:260)
These objects are allocated from nft_init but they were not released appropriately in the exit path.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
6a4033b70dfdcc2df66f4ea51c901786a2b6131c |
|
02-Dec-2013 |
Ana Rey <anarey@gmail.com> |
nft: fix memory leaks in nft_xtables_config_load
Those errors are shown with the valgrind tool:
valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377==    by 0x5955B02: nft_table_list_alloc (table.c:425)
==7377==    by 0x4186EB: nft_xtables_config_load (nft.c:2427)
==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377==    by 0x41524A: do_commandx (xtables.c:1176)
==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377==    by 0x5B87994: (below main) (libc-start.c:260)
==7377==
==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==7377==    by 0x5956A32: nft_chain_list_alloc (chain.c:888)
==7377==    by 0x4186F3: nft_xtables_config_load (nft.c:2428)
==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
==7377==    by 0x41524A: do_commandx (xtables.c:1176)
==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
==7377==    by 0x5B87994: (below main) (libc-start.c:260)
Fix these leaks and consolidate error handling in the exit path of nft_xtables_config_load.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
5eed9118f2620ac07edd553599e2415f00d6f8f3 |
|
26-Nov-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix out of bound memory copy
Valgrind reports an invalid read after a memory block:
==11114== Invalid read of size 8
==11114==    at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==11114==    by 0x41788E: add_match (nft.c:781)
==11114==    by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
==11114==    by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
==11114==    by 0x418ACE: nft_rule_append (nft.c:1000)
==11114==    by 0x413A92: add_entry.isra.6 (xtables.c:424)
==11114==    by 0x4152DE: do_commandx (xtables.c:1184)
==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114==    by 0x5B87994: (below main) (libc-start.c:260)
==11114==  Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
==11114==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==11114==    by 0x52448C8: xtables_calloc (xtables.c:272)
==11114==    by 0x410AC2: command_default (xshared.c:150)
==11114==    by 0x4149A2: do_commandx (xtables.c:1075)
==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
==11114==    by 0x5B87994: (below main) (libc-start.c:260)
m->u.match_size also contains the size of the xt_entry_match structure. Fix also the target path, which is very similar.
Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
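The out-of-bound copy above comes from a length field that already counts its own header: xt_entry_match's match_size covers the header plus the extension data, so copying match_size bytes starting at the data pointer reads one header's worth past the allocation (the valgrind trace shows a 48-byte block, 32 bytes of header plus 16 of payload, overrun by 8 bytes per read). The following C program is an added illustration, not code from iptables, libnftnl or the kernel. It models the layout with a simplified stand-in struct whose field names and sizes are assumed from the kernel's struct xt_entry_match, and shows the in-bounds check that distinguishes the buggy length from the correct one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified stand-in for the kernel's struct xt_entry_match (assumption: the
 * real definition is in <linux/netfilter/x_tables.h>; only the user-space view
 * is modelled). match_size counts the header AND the trailing data, so the
 * header here is 2 + 29 + 1 = 32 bytes, as in the real structure.
 */
struct entry_match {
    uint16_t      match_size;     /* header + data, as in xt_entry_match */
    char          name[29];
    uint8_t       revision;
    unsigned char data[];         /* extension-specific payload follows */
};

/* Size of the fixed header that precedes the payload. */
static size_t match_header_len(void)
{
    return offsetof(struct entry_match, data);
}

/* Length of the extension payload: the total minus the header. */
static size_t match_data_len(const struct entry_match *m)
{
    return m->match_size - match_header_len();
}

/* Allocate a match carrying a payload of 'len' bytes, sized as xtables_calloc would. */
static struct entry_match *match_alloc(const char *name, const void *payload, size_t len)
{
    size_t total = match_header_len() + len;
    struct entry_match *m = calloc(1, total);
    if (!m)
        return NULL;
    m->match_size = (uint16_t)total;
    strncpy(m->name, name, sizeof(m->name) - 1);
    memcpy(m->data, payload, len);
    return m;
}

/*
 * Would copying 'ncopy' bytes starting at m->data stay inside the block?
 * The block is exactly match_size bytes long, so the answer is yes only if
 * header + ncopy fits in it. Passing match_size itself (the bug) fails this.
 */
static int copy_stays_in_bounds(const struct entry_match *m, size_t ncopy)
{
    return match_header_len() + ncopy <= m->match_size;
}

/* Correct copy: exactly the payload, and never more than the destination holds. */
static size_t copy_match_data(const struct entry_match *m, void *dst, size_t dstlen)
{
    size_t len = match_data_len(m);
    if (len > dstlen)
        return 0;                 /* refuse rather than overflow the destination */
    memcpy(dst, m->data, len);
    return len;
}

/* Walk through the bug and the fix on a constructed 16-byte payload; 1 on success. */
static int run_demo(void)
{
    unsigned char payload[16];
    unsigned char dst[16];
    struct entry_match *m;
    int ok = 1;

    memset(payload, 0xAB, sizeof payload);       /* constructed sample data */
    m = match_alloc("tcp", payload, sizeof payload);
    if (!m)
        return 0;

    ok &= match_data_len(m) == sizeof payload;
    /* The bug: a match_size-length copy from m->data runs 32 bytes past the block. */
    ok &= copy_stays_in_bounds(m, m->match_size) == 0;
    /* The fix: copy match_size minus the header. */
    ok &= copy_stays_in_bounds(m, match_data_len(m)) == 1;
    ok &= copy_match_data(m, dst, sizeof dst) == sizeof payload;
    ok &= memcmp(dst, payload, sizeof payload) == 0;
    ok &= copy_match_data(m, dst, 8) == 0;       /* destination too small: refused */

    free(m);
    return ok;
}
```

The same header-inclusive convention applies to xt_entry_target's target_size, which is why the commit fixes the target path as well; any code that copies extension data out of these structures should subtract the header once and check the result against the destination before calling memcpy.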
5f6e384ac2a3d7b647a909654a3bdee1c0bcb3eb |
|
08-Oct-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: pass ipt_entry to ->save_firewall hook The extension needs the ipt_entry not to crash. Since cs->fw actually points to an union that also contains cs->fw6, just pass cs->fw to make it work. This fixes: -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
d6a127cd5710f8c60e95bfd0378ca352c07140a9 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: batch rule-set updates into one single netlink message With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b756cf08d6eff885d808504c674bd7eb5ebabfbb |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_* functions to support ARP This should help to avoid code duplication to support ARP. As a result, we have a common generic infrastructure for IPv4, IPv6 and ARP. This patch removes nft_arp_rule_append and nft_arp_rule_insert, which were very similar to their original nft_rule_append and nft_rule_insert. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_new to support ARP This patch removes nft_arp_rule_new, which was almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
e2a2c72277b49ac611809b3978365ab3010e1597 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_find for ARP, IPv4 and IPv6 This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
217f021925872dcbce4187408762845ae3f6f182 |
|
16-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: nft-arp: implements is_same op for ARP family The following patch implements the is_same operation for the ARP family, needed for searching ARP rules. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
84909d171585d77fe769f03e2b1b96eab0aa0213 |
|
09-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: bootstrap ARP compatibility layer for nftables
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and listing (-L).
[ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in a consistent state. This patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accommodate those functions to the existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
67da6075a4e7ced0e8cc452d73ce8ab06cbf8cd9 |
|
13-Sep-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: skip unset tables on table configuration emulation The ARP family has fewer tables, so skip iteration once we find a null one. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
a69cc575295eedb44f0fa33cd5fcf1cc0114133a |
|
19-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: allow to reset the counters of an existing rule Now that we convert nft rules to native xt command structure, it's easier to reset the counters by replacing the existing rule by a new one with all counters set to zero. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
36cba824e1689c6255d4e33b7fa82541a774609b |
|
20-Aug-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: use xtables_print_num So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 |
|
19-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: convert rule into a command state structure This helps to reduce the code complexity to have one single common path for printing, saving and looking up the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
e23e66f9d1a25c75df684850b7cd99053708c4d0 |
|
07-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Generalize nft_rule_list() against current family Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
7a1026f59c101a67233c65dd5ef9b0ae15945ca5 |
|
07-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Remove useless test on rulenum in nft_rule_list() Rulenum is already handled before the loop, making this test useless. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
8aa384a7d54734fd830840a2593cd4f07749976f |
|
01-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Make internal rule listing callback more generic This will be useful for reusing nft_rule_list in other tools such as xtables-arptables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b08836a33bac28860400e1e34c8244249f651a6f |
|
01-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Optimize rule listing when chain and rulenum are provided Thus, we can save some cycles by not dumping the entire chain list and looping on it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
c846f1ab08906c7673dfc5b79cd3d20219f0b359 |
|
25-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Remove useless function Likely to be a leftover from the initial bootstrap. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
cea310bd1d078618e87b83410f8c6f75b34de450 |
|
30-Jul-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: load only the tables of the current family This changes nft_xtables_config_load() to load only the tables of the current family. [ This patch includes a fix for the configuration parser that I detected while testing this patch --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
85512f09680a798ebe92e96ad62eeae863fbc791 |
|
30-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix match revision lookup for IPv6 IPT_SO_GET_REVISION_MATCH != IP6T_SO_GET_REVISION_MATCH, thus, the revision infrastructure was looking for targets instead of matches.
/external/iptables/iptables/nft.c
|
afae1f841bc2c4b39a38fa97d271f3877d00bf3a |
|
26-Jul-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: associate table configuration to handle via nft_init We need family dependent built-in table/chain configuration. This patch is a step forward making nft family independent in order to support arptables and ebtables compatibility layers. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
66a5399b6a4383ea4081d99ae852eebc1d65f265 |
|
24-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: no need for rule lookup if no position specified via -I Improve (dc3d8a6 xtables: add -I chain rulenum) to avoid a look up for the rule if no rule number is specified via -I. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
cf95f347e52ca8badc6a7149045d9c09f4fa666d |
|
19-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: add -I chain rulenum This patch adds the nft_rule_insert function, which allows us to insert rules at a given position. The function nft_rule_add has been renamed to nft_rule_append. This is possible thanks to Eric Leblond's (netfilter: nf_tables: add insert operation) kernel patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
8dd2627afc462a2591c2f621743cae1a6b98d771 |
|
17-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix selective chain display via -S
Before:
% xtables -S INPUT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
After:
$ xtables -S INPUT
-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
da07c930b9e2aaf8df24022a175b1774aa0bdd8b |
|
17-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: break chain listing if only one is looked for Break looping on the chain list if it finds the chain that the user requested. Based on patch from Tomasz Bursztyka. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
f77e1aca9aa8851b469f79c2db80ddb6f49253b2 |
|
16-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
src: use nft_*_list_add_tail Adapt it to the semantic fix that has been applied to libnftables: nft_*_list_add now inserts nodes, instead of appending them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
86eed10c9f2c42e0f50eb4e527a48ee9e63146f4 |
|
16-Jul-2013 |
Pablo Neira Ayuso <pablo@soleta.eu> |
nft: fix built-in chain ordering of the nat table
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
/external/iptables/iptables/nft.c
|
e9a0ef8f1e27f5ef13a27f6cc984e8f2e05afd72 |
|
16-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Fix small memory leaks Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
7244bef43f350ab31ef54db8a81905f6c68acac0 |
|
16-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: add function to test for a builtin chain Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
e127d223d01aaa0886c7f279110ac36651b9a057 |
|
16-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: Remove useless parameter to nft_chain_list_find Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
f6b30db46e5e3d32c76b186361853b5a5ecaf99f |
|
16-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Handle error on adding rule expressions If adding one of match/target/jumpto/verdict/counters fails, adding a rule will return an error. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
/external/iptables/iptables/nft.c
|
d370c4ad803c37eedfbee5963fac6f7e9968939c |
|
16-Jul-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Set the rule family when creating a new one
Fixes the debug output from (in case of ipv4 rule):
DEBUG: rule: arp filter INPUT 0
to:
DEBUG: rule: ip filter INPUT 0
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
/external/iptables/iptables/nft.c
|
10f92fce0a2ea1805c8b269543b8f1738d22bf3d |
|
15-Jul-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: nft: display rule number via -S Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
0b3bafcedff19b69ff5a51855da28e8e83c05b71 |
|
12-Jul-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: nft: display rule by number via -L This patch fixes the display of rule by number. [ Mangled this patch not to display the header, to mimic iptables --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
137cc981906f356c971da6de13e777a419382ff4 |
|
25-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: fix another memleak in nft_rule_list_cb Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
0a5f6c302f2f596f6e6aa0241a7772cf441b026f |
|
25-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: print counter issues The patch fixes the counter print, missing line, and delete warnings. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
36ca9bdb288f7ba528307b7695ab94f7fa8e9a2d |
|
19-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: break loop after finding matching chain This patch breaks looping in nft_chain_user_del, nft_chain_zero_counters and nft_rule_flush after the chain is found. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b6d90619891e9a2f804af6af9860da8f95878abf |
|
18-Jun-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: nft: remove lots of useless debugging messages While at it, fix several memleaks of list objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
b48126ca92cc44e88aa024e6da7ff245914d6a53 |
|
18-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: allow to zero chains via -Z Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
2c5850147937cd3da104adf654cc7b2d1f0c0a0b |
|
12-Jun-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix leaks in nft_xtables_config_load Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
34c59adfae98515468ec50c644c30115fee0b97e |
|
08-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: fix leak of chain iterator in nft_rule_list Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
d01b2c28c8101f0d24e1db3f146fd845c2a634e8 |
|
08-Jun-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: fix leak of rule and chain iterators This patch fixes the leak of chain and rule iterators. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
f041efe3c26e3059df1ac8f1775f77423d4be5f6 |
|
31-May-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: output the same error message that iptables-restore uses Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
55bca4aa60c0027a39e635b2f05274058a2dcf2f |
|
31-May-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: don't call nft_init in nft_xtables_config_load Otherwise we keep initializing the handle over and over again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
20c156f9f4c43857a622f015a3022517601c3600 |
|
14-May-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: policy can be changed only on builtin chain Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
aa1601423175c90c37c3e6a3d6975d3e2eb74d1e |
|
14-May-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: initialize xtables defaults even on listing rules Output of the tool should be the same as for iptables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 |
|
24-Mar-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: fix missing protocol and invflags
xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
8b9ea2e3f8d685a6b940691cabf5e82c96254747 |
|
10-Mar-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: load tables and chains based on /etc/xtables.conf If /etc/xtables.conf is available, use the configuration there to autoload the xtables built-in table and chain so you can define custom configurations. Otherwise, rely on default common table/chain configuration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
3f7877e6be987bb94897c03a45945725389a6f5c |
|
23-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: add -4 and -6 support Now you can specify: xtables-restore -6 < my-ip6tables-ruleset to restore the IPv6 rule-set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
077785df023ad8947d44d19769bc6d91e3917633 |
|
23-Feb-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Split nft core to become family independent This makes nft core code independent from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1ff21a68502d67e056100da7e0da074467bc08ed |
|
09-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
add xtables-events
Add new program to listen to rule updates:
shell$ xtables-events
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -m state --state ESTABLISHED -j ACCEPT
You can use `-c' option to display counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
af11340016320d73dc88fa377a2d2aa21173ba07 |
|
09-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: ipv6: fix -D with -p Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
946f22238350a1506b7fe57b2b27e9e5427f0583 |
|
09-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: ipv6: add missing break in nft_parse_payload_ipv6 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
c51b85f995caebd41e6d063c8bcab513b305bcaa |
|
27-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix crash if TRACE is used And any other match and target with no save function defined. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
2a87a024e1f77407e332086a4fa664e048280195 |
|
25-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: nft: add protocol and flags for xtables over nf_tables Add protocol and flags for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
9e62dc8637f210cdeaed784396fecab9b6e5f043 |
|
20-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: support atomic commit Use new services in nf_tables to support atomic commit. Commit per table, although we support global commit at once, call commit for each table to emulate iptables-restore behaviour by now. Keep table dormant/wake up code in iptables/nft.c as it can be used in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
0aad20f3979e3b6becd40e4ed5bba8d09d90706e |
|
20-Jan-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: purge out user-defined chains from the kernel xtables-restore has to purge out user-defined chains that are not defined in the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
0391677c1a0b28c14d01febd9628a543e8e5fd62 |
|
13-Jan-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: add IPv6 support
Summary of changes to add IPv6 support to the xtables utility:
* modify all commands (add, delete, replace, check and listing) to support IPv6 addresses.
And for the internal nft library:
* add family to struct nft_handle and modify all callers to use this family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 address.
Pablo added several improvements to this patch:
* added basic xtables-save and xtables-restore support (so it defaults to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make this consistent with IPv4).
Note that we use one single xtables binary utility for IPv4 and IPv6.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
9c541721d318598db45986ee2fd61491fadb53d0 |
|
29-Dec-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: adapt chain rename to Patrick's recent updates This patch gets existing code in sync with Patrick's new chain renaming approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
5705ea1f4e3c9cd3d5d9cbcf84b9733ce1f07e57 |
|
19-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables-restore: add support for dormant tables This patch adds support for dormant tables for xtables-restore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
890fd9ef76ad0c11695fb0d09a88169e6e46584f |
|
03-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: use chain types We use the new special chain types defined in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
1298a1014bc14c45de50cc242779dfa382c456c9 |
|
03-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: use 64-bits handle Now that we use that in kernel space and in libnftables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
3aea037f359795edeb69426e2dde63c59540ba5f |
|
03-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: remove __nft_check_rule Rework code to remove __nft_check_rule and split it into logical fragments. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
5b414b85c33912aec912d260502c8b0c0df794a1 |
|
03-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: move priority to chain instead of table NAT table uses different chain priorities, adapt the existing code to allow this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
06fc595fa99ab0036d87b259b0d20e4916522969 |
|
01-Nov-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix missing rule listing in custom chains with -L Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
0a366d8696582e979d55f6832a797d1217f4b908 |
|
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
iptables: nft: Add support for -R option Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/nft.c
|
16db62f9187ec1d62310efea8f0f7f378aee1e89 |
|
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
iptables: nft: Refactor __nft_rule_check to return rule handle when relevant Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/nft.c
|
4acee778f5712c4cc574e328183a3252ad81a802 |
|
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
iptables: nft: Fix -D chain rulenum option Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/nft.c
|
4493582ccb60a443fc7efeca78edafbefc689aa3 |
|
31-Oct-2012 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Add support for chain rename options (-E) Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/nft.c
|
2f1fbab67157624c0171e55bde08e7e5c8d99fff |
|
29-Oct-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables: nft: add -f support Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
e17b5f15c2beda86565a8f4e55fdf12ceb20dd59 |
|
29-Oct-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
rework automatic creation of built-in table and chains This patch reworks the automatic creation of built-in table and chains. Now it initializes all built-in chains belonging to a table at once. This happens with commands: -P, -A, -I, -N. Note that xtables skips chain initialization if it notices that the table already exists in the kernel. Thanks to Tomasz Bursztyka for spotting problems with -N. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
c74f398c58e7b77ca1c82a15d0b2e9eed4fb82ad |
|
24-Oct-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
automatic creation of built-in table and chains In order to emulate the iptables behaviour, this patch changes the current behaviour to: 1st) check if the table and chains are built-in. 2nd) If they don't exist, create them. If they exist, don't touch them. The automatic creation happens in the -I and -P paths. We should provide a new command to allow deleting (unregistering) built-in tables and chains. It would be similar to unloading the iptable_X module that registers the custom table. This is not done for other commands like -C or -D since they will fail while trying to find the rule in the kernel if such combination of chain and table does not exist. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|
384958620abab397062b67fb2763e813b63f74f0 |
|
27-Sep-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
use nf_tables and nf_tables compatibility interface
This patch adds the following utilities:
* xtables
* xtables-restore
* xtables-save
* xtables-config
They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aim to be similar; still, the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation to that of iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.c
|