History log of /external/iptables/iptables/xtables.c
Revision Date Author Comments
097d6bee9cb25c94e288ad72099c51bab7fe113c 16-Mar-2017 Lorenzo Colitti <lorenzo@google.com> iptables: remove duplicated argument parsing code

1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.

Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6e2e169eb66b63d2991e1c7ada931e3cdb0ced32)

Bug: 36108349
Test: see top of change stack.
Change-Id: Iae185e267d90806dac2cbfdad2a066a2929947fc
/external/iptables/iptables/xtables.c
4b791044cd0984c9a1771e86fa77fce9d309d9e7 26-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: check if nft ruleset is compatible

This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.

This checking is triggered by xtables-compat -L and xtables-compat-save
commands.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 24-Jun-2016 Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> xtables: Add an interval option for xtables lock wait

ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even severe in case of latency
sensitive applications.

Introduce a new option 'W' to specify the wait interval in microseconds.
If this option is not specified, the command sleeps for 1 second by
default.

v1->v2: Change behavior to take millisecond sleep as an argument to
-w as suggested by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.

v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.

v3->v4: Use select instead of usleep. Sleep every iteration for
the time specified in the "-W" argument. Update man page.

v4->v5: Fix compilation error when enabling nftables

v5->v6: Simplify -W so it only takes the interval wait in microseconds.
Bail out if -W is specified but -w is not.

Joint work with Pablo Neira.

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
50b056ce99517939cc4c0f5e278d32a252b71ee6 11-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables: add generic parsing infrastructure to interpret commands

Split the code to parse arguments and to issue command so we reuse this
for the iptables to nft translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
aaa4ace72ba1d195bbf436134a336816c33f7bd0 04-Jul-2014 Jiri Popelka <jpopelka@redhat.com> iptables: add optional [seconds] argument to -w

This patch adds an optional numeric argument
to -w option (added with 93587a0) so one can
specify how long to wait for an exclusive lock.

If the value isn't specified it works as before,
i.e. program waits indefinitely.

If user specifies it, program exits after
the given time interval passes.

This patch also adds the -w/--wait to nftables
compat code, so the parser doesn't complain.

[ In the original patch, iptables-compat -w X was not working,
I have fixed by adding the dummy code not to break scripts
using the new optional argument --pablo ]

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
5cab9c3c8209e9491f0f252e03dd48ae4cb5ab63 11-Feb-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft-compat: fix wrong protocol context in initialization

This fixes matches/targets that are dependent on that IPv4/IPv6
context, eg.

# ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
# ip6tables-compat-save
...
-A INPUT -j REJECT --reject-with icmp6-port-unreachable

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
7851975e5055381d30f0788d90671485695928e1 10-Feb-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: Add backward compatibility with -w option

Just to keep aligned with iptables legacy tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
4b7a4afaa240e5d2039e612e125b045d5d1cb7fa 08-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing ipt_entry for MASQUERADE target

The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.

Add a new hook called ->pre_parse, that sets the protocol
information accordingly.

Thus:

xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024

works again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
a69cc575295eedb44f0fa33cd5fcf1cc0114133a 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: allow to reset the counters of an existing rule

Now that we convert nft rules to native xt command structure, it's
easier to reset the counters by replacing the existing rule by a
new one with all counters set to zero.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
c11ad7cce0d7195e12347bd4a3092ac24e19f8b4 09-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: use xtables_rule_matches_free

Thus, we can kill clear_rule_matches. Not required since we are based
upon 1.4.19.1.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
c0c3cf9cf8065ade1d525da417e08d0f8d6bc359 26-Jul-2013 Giuseppe Longo <giuseppelng@gmail.com> nft: fix family operation lookup

xtables-restore -6 was using the IPv4 family, instead of IPv6
as it should be.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
96180491d51853a4315ba4eeb29a53505b6515e5 30-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix typo in add_entry for the IPv6 case

It should pass zero, instead of the 'append' boolean.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
71871d0a5981d2f8781307852d4f7ee66fe87600 19-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: remove bogus comment regarding rule replacement

We support rule replacement since quite some time, remove it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
cf95f347e52ca8badc6a7149045d9c09f4fa666d 19-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add -I chain rulenum

This patch adds the nft_rule_insert function, which allows
us to insert rules at a given position.

The function nft_rule_add has been renamed to nft_rule_append.

This is possible thanks to Eric Leblond's (netfilter: nf_tables:
add insert operation) kernel patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
10f92fce0a2ea1805c8b269543b8f1738d22bf3d 15-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: nft: display rule number via -S

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
0b3bafcedff19b69ff5a51855da28e8e83c05b71 12-Jul-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: nft: display rule by number via -L

This patch fixes the display of rule by number.

[ Mangled this patch not to display the header, to mimic iptables
--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
457819b952418501918b6e906bf5e21e3b4f9af8 30-Jun-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing afinfo configuration

I noticed that the iprange match in IPv6 was broken, fix it
by overriding the default family (IPv4) if -6 is passed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
31c46a3b9dcd1adcdd8caa6a5fe607c098e27e16 18-Jun-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: remove bogus comment on chain rename

No longer true since Patrick added the chain rename approach back in
September 2012.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
b48126ca92cc44e88aa024e6da7ff245914d6a53 18-Jun-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: allow to zero chains via -Z

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
93373d52cb2d2963a2f3cbcec2092dcf6bddd0cf 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: remove unused leftover definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
6838a7f51e6d95f904093e05e8bdc75ada70b93f 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add new nft_ops->post_parse hook

Move specific layer 3 protocol post argument parsing code
to the respective nft-ipv[4|6].c files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
26d3a0d77c67289341361bbd3254f2257eec69a0 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add new container xtables_args structure

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
5231faea0fd5f5d4538a99d8234103a8297ff82f 09-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing xtables_exit_error definition

iptables_exit_error is defined in iptables/iptables.c, that
symbol cannot be used by iptables/xtables.c

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
3f7877e6be987bb94897c03a45945725389a6f5c 23-Feb-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables-restore: add -4 and -6 support

Now you can specify:

xtables-restore -6 < my-ip6tables-ruleset

to restore the IPv6 rule-set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
077785df023ad8947d44d19769bc6d91e3917633 23-Feb-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Split nft core to become family independent

This makes nft core code independent from the family. Each family needs
to implement and provide a struct nft_family_ops {}.

This split will ease the future support of bridge and arp rule manipulations.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
5e6244b2ad70d7a59508aa9cf33efcd69bcde45c 09-Feb-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: ipv6: fix wrong error if -p is used

shell$ xtables -6 -I INPUT -p tcp --dport 22 -j ACCEPT
xtables v1.4.15: -f is not valid on IPv6
Try `xtables -h' or 'xtables --help' for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
0391677c1a0b28c14d01febd9628a543e8e5fd62 13-Jan-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: add IPv6 support

Summary of changes to add IPv6 support to the xtables utility:

* modify all commands (add, delete, replace, check and listing) to
support IPv6 addresses.

And for the internal nft library:

* add family to struct nft_handle and modify all callers to use this
family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 addresses.

Pablo added several improvements to this patch:

* added basic xtables-save and xtables-restore support (so it defaults
to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make
this consistent with IPv4).

Note that we use one single xtables binary utility for IPv4 and IPv6.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
5a1b519d1e26767fa1f0de15b0f7e125531a1719 30-Dec-2012 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix crash due to using wrong globals

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
0a366d8696582e979d55f6832a797d1217f4b908 31-Oct-2012 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> iptables: nft: Add support for -R option

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/xtables.c
384958620abab397062b67fb2763e813b63f74f0 27-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aim to be similar; still, the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get operation similar
to that of iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xtables.c
8816e91cddef785c78b3598c7c41a1f88be08f5a 18-Sep-2011 Jan Engelhardt <jengelh@medozas.de> build: restore build order of modules

iptables(exe) requires libext.a, but extensions/ require libxtables.la
(in iptables/). This circular dependency does not work out, so
separate libxtables into its own directory and put it in front.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
f56b8a8bf4b1041cb875fd8439778f35276bdb30 03-Sep-2011 Jan Engelhardt <jengelh@medozas.de> iptables: move kernel version find routine into libxtables

That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
2ca6273c73b42e8c74afd5f8b1fe10c5c93ce363 27-Aug-2011 Richard Weinberger <richard@nod.at> xtoptions: simplify xtables_parse_interface

mask is already filled with zeros, there is no need to zero it again.

References: http://marc.info/?l=netfilter-devel&m=131445196526269&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
41a9b481693b4c43c16d0588cc558dd455168af0 01-Aug-2011 Jan Engelhardt <jengelh@medozas.de> build: workaround broken linux-headers on RHEL-5

magic.h was not invented yet, but they do not
ship proc_fs.h either, duh.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
3eab786d6a687187556c92b3dc0f0664d8352471 10-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: set clone's initial data to NULL

Avoid a crash in xs_init_match when a clone's m->udata points at the
parent.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> option: remove last traces of intrapositional negation

Intrapositional negation was deprecated in 1.4.3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
0c384449ae9511157cd9b34d73f8f4cb71123a45 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: ignore whitespace in the multiaddress argument parser

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
c0e69db337540b22a3b3f739b1143341e7b759b7 09-Jul-2011 Jan Engelhardt <jengelh@medozas.de> libxtables: properly reject empty hostnames

An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
3c871010888e1479ef8fca2048485b979ec2661a 24-Jun-2011 Jan Engelhardt <jengelh@medozas.de> build: attempt to fix building under Linux 2.4

iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.

xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)

References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
f53710b16c2bae1843c3f5fee390f496dfa82526 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: RESOURCE_LEAK

xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
d0101690d9ae347d8a8ee9e340c5db72480046a3 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: VARARGS

xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c
033e25a3ad215ee3f5a07f0a3315f74c4abfaced 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xtables.c