097d6bee9cb25c94e288ad72099c51bab7fe113c | 16-Mar-2017 | Lorenzo Colitti <lorenzo@google.com>
iptables: remove duplicated argument parsing code

1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers can be simpler.

Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6e2e169eb66b63d2991e1c7ada931e3cdb0ced32)
Bug: 36108349
Test: see top of change stack.
Change-Id: Iae185e267d90806dac2cbfdad2a066a2929947fc
/external/iptables/iptables/xtables.c

4b791044cd0984c9a1771e86fa77fce9d309d9e7 | 26-Aug-2016 | Pablo M. Bermudo Garay <pablombg@gmail.com>
xtables-compat: check if nft ruleset is compatible

This patch adds a verification of the compatibility between the nft ruleset and iptables. Nft tables, chains and rules are checked to be compatible with iptables. If something is not compatible, the execution stops and an error message is displayed to the user.

This checking is triggered by xtables-compat -L and xtables-compat-save commands.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 | 24-Jun-2016 | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
xtables: Add an interval option for xtables lock wait

ip[6]tables currently waits for 1 second for the xtables lock to be freed if the -w option is used. We have seen that the lock is held much less than that, resulting in unnecessary delay when trying to acquire the lock. This problem is even more severe in the case of latency sensitive applications.

Introduce a new option 'W' to specify the wait interval in microseconds. If this option is not specified, the command sleeps for 1 second by default.

v1->v2: Change behavior to take millisecond sleep as an argument to -w as suggested by Pablo. Also maintain current behavior for -w to sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested by Pablo.
v3->v4: Use select instead of usleep. Sleep every iteration for the time specified in the "-W" argument. Update man page.
v4->v5: Fix compilation error when enabling nftables.
v5->v6: Simplify -W so it only takes the interval wait in microseconds. Bail out if -W is specified but -w is not.

Joint work with Pablo Neira.

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

50b056ce99517939cc4c0f5e278d32a252b71ee6 | 11-Apr-2014 | Pablo Neira Ayuso <pablo@netfilter.org>
nft: xtables: add generic parsing infrastructure to interpret commands

Split the code to parse arguments and to issue commands so we can reuse this for the iptables to nft translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

aaa4ace72ba1d195bbf436134a336816c33f7bd0 | 04-Jul-2014 | Jiri Popelka <jpopelka@redhat.com>
iptables: add optional [seconds] argument to -w

This patch adds an optional numeric argument to the -w option (added with 93587a0) so one can specify how long to wait for an exclusive lock.

If the value isn't specified it works as before, i.e. the program waits indefinitely. If the user specifies it, the program exits after the given time interval passes.

This patch also adds the -w/--wait to nftables compat code, so the parser doesn't complain.

[ In the original patch, iptables-compat -w X was not working, I have fixed by adding the dummy code not to break scripts using the new optional argument --pablo ]

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

5cab9c3c8209e9491f0f252e03dd48ae4cb5ab63 | 11-Feb-2014 | Pablo Neira Ayuso <pablo@netfilter.org>
nft-compat: fix wrong protocol context in initialization

This fixes matches/targets that are dependent on that IPv4/IPv6 context, eg.

# ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
# ip6tables-compat-save
...
-A INPUT -j REJECT --reject-with icmp6-port-unreachable

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

7851975e5055381d30f0788d90671485695928e1 | 10-Feb-2014 | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
xtables: Add backward compatibility with -w option

Just to keep aligned with the iptables legacy tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

4b7a4afaa240e5d2039e612e125b045d5d1cb7fa | 08-Oct-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: fix missing ipt_entry for MASQUERADE target

The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus:

xtables -4 -A POSTROUTING -t nat -p tcp \
        -j MASQUERADE --to-ports 1024

works again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

a69cc575295eedb44f0fa33cd5fcf1cc0114133a | 19-Aug-2013 | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
xtables: allow to reset the counters of an existing rule

Now that we convert nft rules to native xt command structure, it's easier to reset the counters by replacing the existing rule by a new one with all counters set to zero.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

c11ad7cce0d7195e12347bd4a3092ac24e19f8b4 | 09-Aug-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: use xtables_rule_matches_free

Thus, we can kill clear_rule_matches. Not required since we are based upon 1.4.19.1.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

c0c3cf9cf8065ade1d525da417e08d0f8d6bc359 | 26-Jul-2013 | Giuseppe Longo <giuseppelng@gmail.com>
nft: fix family operation lookup

xtables-restore -6 was using the IPv4 family, instead of IPv6 as it should be.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

96180491d51853a4315ba4eeb29a53505b6515e5 | 30-Jul-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: fix typo in add_entry for the IPv6 case

It should pass zero, instead of the 'append' boolean.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

71871d0a5981d2f8781307852d4f7ee66fe87600 | 19-Jul-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: remove bogus comment regarding rule replacement

We have supported rule replacement for quite some time, remove it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

cf95f347e52ca8badc6a7149045d9c09f4fa666d | 19-Jul-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: add -I chain rulenum

This patch adds the nft_rule_insert function, which allows us to insert rules at a given position. The function nft_rule_add has been renamed to nft_rule_append.

This is possible thanks to Eric Leblond's (netfilter: nf_tables: add insert operation) kernel patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

10f92fce0a2ea1805c8b269543b8f1738d22bf3d | 15-Jul-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: nft: display rule number via -S

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

0b3bafcedff19b69ff5a51855da28e8e83c05b71 | 12-Jul-2013 | Giuseppe Longo <giuseppelng@gmail.com>
xtables: nft: display rule by number via -L

This patch fixes the display of rule by number.

[ Mangled this patch not to display the header, to mimic iptables --pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

457819b952418501918b6e906bf5e21e3b4f9af8 | 30-Jun-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: fix missing afinfo configuration

I noticed that the iprange match in IPv6 was broken, fix it by overriding the default family (IPv4) if -6 is passed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

31c46a3b9dcd1adcdd8caa6a5fe607c098e27e16 | 18-Jun-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: remove bogus comment on chain rename

No longer true since Patrick added the chain rename approach back in September 2012.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

b48126ca92cc44e88aa024e6da7ff245914d6a53 | 18-Jun-2013 | Giuseppe Longo <giuseppelng@gmail.com>
xtables: allow to zero chains via -Z

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

93373d52cb2d2963a2f3cbcec2092dcf6bddd0cf | 12-May-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

6838a7f51e6d95f904093e05e8bdc75ada70b93f | 12-May-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: add new nft_ops->post_parse hook

Move specific layer 3 protocol post argument parsing code to the respective nft-ipv[4|6].c files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

26d3a0d77c67289341361bbd3254f2257eec69a0 | 12-May-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: add new container xtables_args structure

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

5231faea0fd5f5d4538a99d8234103a8297ff82f | 09-Mar-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: fix missing xtables_exit_error definition

iptables_exit_error is defined in iptables/iptables.c, so that symbol cannot be used by iptables/xtables.c.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

3f7877e6be987bb94897c03a45945725389a6f5c | 23-Feb-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables-restore: add -4 and -6 support

Now you can specify:

xtables-restore -6 < my-ip6tables-ruleset

to restore the IPv6 rule-set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

077785df023ad8947d44d19769bc6d91e3917633 | 23-Feb-2013 | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
nft: Split nft core to become family independent

This makes nft core code independent from the family. Each family needs to implement and provide a struct nft_family_ops {}.

This split will ease the future support of bridge and arp rules manipulations.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

5e6244b2ad70d7a59508aa9cf33efcd69bcde45c | 09-Feb-2013 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: ipv6: fix wrong error if -p is used

shell$ xtables -6 -I INPUT -p tcp --dport 22 -j ACCEPT
xtables v1.4.15: -f is not valid on IPv6
Try `xtables -h' or 'xtables --help' for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

0391677c1a0b28c14d01febd9628a543e8e5fd62 | 13-Jan-2013 | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
xtables: add IPv6 support

Summary of changes to add IPv6 support to the xtables utility:

* modify all commands (add, delete, replace, check and listing) to support IPv6 addresses.

And for the internal nft library:

* add family to struct nft_handle and modify all callers to use this family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 address.

Pablo added several improvements to this patch:

* added basic xtables-save and xtables-restore support (so it defaults to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make this consistent with IPv4).

Note that we use one single xtables binary utility for IPv4 and IPv6.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

5a1b519d1e26767fa1f0de15b0f7e125531a1719 | 30-Dec-2012 | Pablo Neira Ayuso <pablo@netfilter.org>
xtables: fix crash due to using wrong globals

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

0a366d8696582e979d55f6832a797d1217f4b908 | 31-Oct-2012 | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
iptables: nft: Add support for -R option

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/xtables.c

384958620abab397062b67fb2763e813b63f74f0 | 27-Sep-2012 | Pablo Neira Ayuso <pablo@netfilter.org>
use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility layer.

xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aim to be similar; still, the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation to that of iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c

8816e91cddef785c78b3598c7c41a1f88be08f5a | 18-Sep-2011 | Jan Engelhardt <jengelh@medozas.de>
build: restore build order of modules

iptables(exe) requires libext.a, but extensions/ require libxtables.la (in iptables/). This circular dependency does not work out, so separate libxtables into its own directory and put it in front.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

f56b8a8bf4b1041cb875fd8439778f35276bdb30 | 03-Sep-2011 | Jan Engelhardt <jengelh@medozas.de>
iptables: move kernel version find routine into libxtables

That way, the remaining unreferenced symbols that do appear in libipt_DNAT and libipt_SNAT as part of the new check can be resolved, and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

2ca6273c73b42e8c74afd5f8b1fe10c5c93ce363 | 27-Aug-2011 | Richard Weinberger <richard@nod.at>
xtoptions: simplify xtables_parse_interface

mask is already filled with zeros, there is no need to zero it again.

References: http://marc.info/?l=netfilter-devel&m=131445196526269&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

41a9b481693b4c43c16d0588cc558dd455168af0 | 01-Aug-2011 | Jan Engelhardt <jengelh@medozas.de>
build: workaround broken linux-headers on RHEL-5

magic.h was not invented yet, but they do not ship proc_fs.h either, duh.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

3eab786d6a687187556c92b3dc0f0664d8352471 | 10-Jul-2011 | Jan Engelhardt <jengelh@medozas.de>
libxtables: set clone's initial data to NULL

Avoid a crash in xs_init_match when a clone's m->udata points at the parent.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f | 09-Jul-2011 | Jan Engelhardt <jengelh@medozas.de>
option: remove last traces of intrapositional negation

Intrapositional negation was deprecated in 1.4.3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

0c384449ae9511157cd9b34d73f8f4cb71123a45 | 09-Jul-2011 | Jan Engelhardt <jengelh@medozas.de>
libxtables: ignore whitespace in the multiaddress argument parser

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

c0e69db337540b22a3b3f739b1143341e7b759b7 | 09-Jul-2011 | Jan Engelhardt <jengelh@medozas.de>
libxtables: properly reject empty hostnames

An empty hostname in the address list of an -s/-d argument, which may be the result of a typo, is interpreted as 0/0, which, when combined with -j ACCEPT, leads to an undesired opening of the firewall.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

3c871010888e1479ef8fca2048485b979ec2661a | 24-Jun-2011 | Jan Engelhardt <jengelh@medozas.de>
build: attempt to fix building under Linux 2.4

iptables no longer compiles for Linux 2.4 because it uses linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for Linux 2.6.

xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in this function)
xtables.c:389: error: (Each undeclared identifier is reported only once for each function it appears in.)

References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

f53710b16c2bae1843c3f5fee390f496dfa82526 | 10-Jun-2011 | Jiri Popelka <jpopelka@redhat.com>
iptables: Coverity: RESOURCE_LEAK

xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe" leaks the storage that it points to.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

d0101690d9ae347d8a8ee9e340c5db72480046a3 | 10-Jun-2011 | Jiri Popelka <jpopelka@redhat.com>
iptables: Coverity: VARARGS

xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c

033e25a3ad215ee3f5a07f0a3315f74c4abfaced | 07-Jun-2011 | Jan Engelhardt <jengelh@medozas.de>
src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c