History log of /external/iptables/iptables/nft-ipv6.c
Revision Date Author Comments
f1cd86ddcf1726b91aedb9ef916b380edc8c2b61 25-Nov-2016 Phil Sutter <phil@nwl.cc> nft_ipv{4,6}_xlate: Respect prefix lengths

This was an annoying bug in the translator since it silently dropped
crucial information which is easily overlooked:

| $ iptables-translate -A INPUT -s 192.168.0.0/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 192.168.0.0 counter accept
| $ ip6tables-translate -A INPUT -s feed:babe::/64 -j ACCEPT
| nft add rule ip6 filter INPUT ip6 saddr feed:babe:: counter accept

To my surprise, this fix works really well in all kinds of situations:

| $ iptables-translate -A INPUT -s 1.2.3.4/0 -j ACCEPT
| nft add rule ip filter INPUT counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/23 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.2.0/23 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/24 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.0/24 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/32 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.3.4 counter accept
|
| $ iptables-translate -A INPUT -s 1.2.3.4/255.255.0.0 -j ACCEPT
| nft add rule ip filter INPUT ip saddr 1.2.0.0/16 counter accept

Ditto for IPv6.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
b2b811ed4a8261430def40b7d600ccb0f4927492 22-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-translate: add escape_quotes option to comment_xlate

The comment_xlate function was not supporting this option that is
necessary in some situations.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
0ddd663e9c167f9f0451dac8c02bbfcda25fe15e 30-Jul-2016 Liping Zhang <liping.zhang@spreadtrum.com> iptables-translate: add in/out ifname wildcard match translation to nft

In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.

After applying this patch, the translation becomes:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
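Worked example, added here and not part of iptables or of either commit: C functions implementing the two translations described in the prefix-length commit (f1cd86d) and in this wildcard-interface commit, so the cases quoted in both messages can be checked offline. The function names xlate_addr and xlate_ifname are my own, the IPv6 handling applies the same host-bit masking rule as IPv4, and the IFNAMSIZ limit of 16 bytes is the one libxtables enforces on interface names.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iptables code: translate the built-in -s/-d and -i/-o
 * selectors the way the two commits above describe. Results are returned in
 * static buffers; NULL means the iptables argument was malformed. */

/* Prefix length of a contiguous netmask of len bytes, or -1 if it is not one. */
static int mask_to_prefix(const unsigned char *mask, int len)
{
    int i = 0, bits = 0;
    while (i < len && mask[i] == 0xff) { bits += 8; i++; }
    if (i < len) {
        unsigned char b = mask[i++];
        for (; b & 0x80; b = (unsigned char)(b << 1))
            bits++;                     /* leading ones of the partial byte */
        if (b != 0)
            return -1;                  /* a one after a zero: not a prefix */
        for (; i < len; i++)
            if (mask[i] != 0)
                return -1;
    }
    return bits;
}

/* "ADDR", "ADDR/PREFIX" or "ADDR/NETMASK" -> "ip saddr A/P". family is AF_INET
 * or AF_INET6, dir is "saddr" or "daddr". Host bits beyond the prefix are
 * cleared, a full-length prefix is omitted and /0 yields "" (nothing to match). */
const char *xlate_addr(int family, const char *dir, const char *spec)
{
    static char out[128];
    int alen = family == AF_INET ? 4 : 16, prefix = alen * 8;
    const char *proto = family == AF_INET ? "ip" : "ip6";
    const char *slash = strchr(spec, '/');
    size_t hostlen = slash ? (size_t)(slash - spec) : strlen(spec);
    unsigned char addr[16], mask[16];
    char buf[INET6_ADDRSTRLEN];

    if (hostlen >= sizeof(buf))
        return NULL;
    memcpy(buf, spec, hostlen);
    buf[hostlen] = '\0';
    if (inet_pton(family, buf, addr) != 1)
        return NULL;
    if (slash) {
        char *end;
        long v = strtol(slash + 1, &end, 10);
        if (slash[1] != '\0' && *end == '\0') {         /* numeric prefix */
            if (v < 0 || v > alen * 8)
                return NULL;
            prefix = (int)v;
        } else if (inet_pton(family, slash + 1, mask) != 1 ||
                   (prefix = mask_to_prefix(mask, alen)) < 0) {
            return NULL;                    /* bad 255.255.0.0 style netmask */
        }
    }
    if (prefix == 0) {
        out[0] = '\0';
        return out;
    }
    for (int i = 0; i < alen; i++) {                    /* clear host bits */
        int bits = prefix - i * 8;
        addr[i] &= bits >= 8 ? 0xff : bits <= 0 ? 0 :
                   (unsigned char)(0xff << (8 - bits));
    }
    if (!inet_ntop(family, addr, buf, sizeof(buf)))
        return NULL;
    if (prefix == alen * 8)
        snprintf(out, sizeof(out), "%s %s %s", proto, dir, buf);
    else
        snprintf(out, sizeof(out), "%s %s %s/%d", proto, dir, buf, prefix);
    return out;
}

/* -i/-o NAME (out_dir: 0 for -i, 1 for -o); invert is set when "!" was given.
 * A trailing '+' is the iptables prefix wildcard and becomes nft's '*'. Names
 * of IFNAMSIZ (16) bytes or more are rejected, as libxtables rejects them. */
const char *xlate_ifname(int out_dir, int invert, const char *name)
{
    static char out[64];
    char nft_name[16];
    size_t n = strlen(name);

    if (n == 0 || n >= sizeof(nft_name))
        return NULL;
    memcpy(nft_name, name, n + 1);
    if (nft_name[n - 1] == '+')
        nft_name[n - 1] = '*';
    snprintf(out, sizeof(out), "%s %s%s", out_dir ? "oifname" : "iifname",
             invert ? "!= " : "", nft_name);
    return out;
}
```

When pasting a resulting nft command into a shell, quote the eth* argument: an unquoted * is a shell glob and expands if a matching file exists in the current directory.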
d64ef34a99610a6fb54d43660ac31555da858231 22-Jun-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> iptables-compat: use nft built-in comments support

After this patch, iptables-compat uses nft built-in comments support
instead of comment match.

This change simplifies the treatment of comments in nft after loading a
rule set through iptables-compat-restore.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
063759767279aaba0a4f1d213d3cce5079ce32f4 21-Feb-2016 Shivani Bhardwaj <shivanib134@gmail.com> iptables: nft-ipv6: Use meta l4proto instead of nexthdr

Use meta l4proto in place of nexthdr for ipv6 protocols as it is not
necessary that all protocols be next header.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
a9a599ab675b8feb942355a24934901a9adcef1b 23-Feb-2016 Shivani Bhardwaj <shivanib134@gmail.com> comment: Add translation to nft

Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.

Example:

$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
5d9c5a3559f3abe922d9a51b966e459d30ffb355 10-Feb-2016 Shivani Bhardwaj <shivanib134@gmail.com> iptables: nft-ipv6: Fix ipv6 flags

Replace the flags with the correct ipv6 flags.

Details:
Ana found out the bug and submitted the patch, Shivani applied it
on the latest tree and compile tested it.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
6b60dc5be58a5781cacc4e6f238454d5e8421760 01-Feb-2016 Pablo Neira Ayuso <pablo@netfilter.org> extensions: rename xt_buf to xt_xlate

Use a more generic name for this object to prepare the introduction of
other translation specific fields.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
1e1c582ff0b502c49a87c945da351fbd5c0c6fe9 30-Dec-2015 Shivani Bhardwaj <shivanib134@gmail.com> iptables: nft-ipv6: Replace ip with ip6

Replace ip with ip6 to avoid conflict between the protocols in the
results obtained from ip6tables-translate utility.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
933400b37d0966980d07d32b64403830429761ed 11-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to
translate iptables commands to nft, they are:

1) iptables-restore-translate which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, eg.

% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...

The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables
command:

$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
742baabd185c326cc2125e648e240894362eb31c 15-Sep-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
6c8db125b258da070313f20cdf9bc4124bba5383 19-Feb-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: unset context flags in netlink delinearize step

Once the data that the compare expression provides have been digested.

For example:

-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

doesn't show anymore the following broken output via iptables-compat-save:

-A INPUT -i

+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
/external/iptables/iptables/nft-ipv6.c
c82bf9f79bbc299de428fdc2e204d571b6cbc50d 12-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> iptables-compat: kill add_*() invflags parameter

Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ.
The caller must calculate which kind of cmp operation is required.

BTW, this patch solves absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
2dde9356888733a98867a4e769609f9f59a3bf65 16-Oct-2014 Giuseppe Longo <giuseppelng@gmail.com> nft-ipv46: replace offset var with ctx->payload.offset

The offset variable (undefined) is passed to the DEBUGP function,
so you get a compilation error if you try to build iptables
with debug enabled.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
4272426912b0951b4dc7f40179d5217b513775e1 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> arptables-compat: get output in sync with arptables -L -n --line-numbers

# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <--

This header is not shown by arptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
2c4a34c30cb4db93653dbd139e04f7df963c3a41 30-Sep-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: fix address prefix

This patch fixes:

# iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

ip filter INPUT 20
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00030201 ]
[ counter pkts 0 bytes 0 ]

and it displays:

# iptables-compat-save
...
-A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
d579c3cba69ec958ca93216a77f15acfa1487e09 22-Aug-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: compare layer 4 protocol in first place

Currently the protocol is tested after the IP address; this fixes the
order, testing the protocol before the IP address.

Now the code generated is incorrect:

ip filter INPUT 16
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]

With this patch, the code generated is:
ip filter INPUT 16
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
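Added example, not iptables or libnftnl code: a decoder for the register dumps quoted in this commit and in the address-prefix commit above (2c4a34c). The dumps print each 32-bit data word as a host-order integer; on a little-endian host, which this example assumes, the first byte of the loaded packet field is the low byte of the word, so 1.2.3.0 appears as 0x00030201 and a /24 mask as 0x00ffffff. IPv4 header offsets 9, 12 and 16 are the protocol, source address and destination address fields; a rule with no bitwise expression compares all 4 bytes, which is passed here as mask 0xffffffff. Function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not iptables/libnftnl code: decode the "payload load /
 * bitwise / cmp" words shown in the register dumps above. Assumes the dumps
 * were taken on a little-endian host, so packet byte 0 is the low byte. */

/* Split a printed register word back into the packet bytes it holds. */
static void word_to_bytes(uint32_t word, unsigned char b[4])
{
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)((word >> (8 * i)) & 0xff);
}

/* Prefix length of a printed 4-byte mask word, or -1 if it is not a prefix. */
int mask_word_to_prefix(uint32_t mask_word)
{
    unsigned char b[4];
    uint32_t m;
    int prefix = 0;

    word_to_bytes(mask_word, b);
    m = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    while (prefix < 32 && (m & (0x80000000u >> prefix)))
        prefix++;
    if (prefix < 32 && (m << prefix) != 0)
        return -1;              /* a set bit after the first zero bit */
    return prefix;
}

/* Printed mask word for an IPv4 /prefix, e.g. 24 -> 0x00ffffff. */
uint32_t prefix_to_mask_word(int prefix)
{
    uint32_t m = prefix <= 0 ? 0 : prefix >= 32 ? 0xffffffffu
                                                : 0xffffffffu << (32 - prefix);
    unsigned char b[4] = { (unsigned char)(m >> 24), (unsigned char)(m >> 16),
                           (unsigned char)(m >> 8), (unsigned char)m };

    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 |
           (uint32_t)b[3] << 24;
}

/* Decode one "payload load LENb @ network header + OFFSET", the mask of an
 * optional following bitwise expression (0xffffffff when absent) and the
 * "cmp eq reg 1 WORD" value into iptables-style text. IPv4 header offsets:
 * 9 = protocol (1 byte), 12 = saddr, 16 = daddr. Returns a static buffer,
 * NULL when the combination is not one of those selectors. */
const char *decode_ipv4_cmp(int offset, int len, uint32_t mask_word,
                            uint32_t cmp_word)
{
    static char out[64];
    unsigned char b[4];
    int prefix;

    if (len == 1 && offset == 9) {
        snprintf(out, sizeof(out), "-p %u", (unsigned)(cmp_word & 0xff));
        return out;             /* 6 = tcp, 17 = udp */
    }
    if (len != 4 || (offset != 12 && offset != 16))
        return NULL;
    prefix = mask_word_to_prefix(mask_word);
    if (prefix < 0)
        return NULL;
    word_to_bytes(cmp_word, b);
    snprintf(out, sizeof(out), "%s %u.%u.%u.%u/%d",
             offset == 12 ? "-s" : "-d", b[0], b[1], b[2], b[3], prefix);
    return out;
}
```

Feeding the words from the dumps above through decode_ipv4_cmp gives -s 1.2.3.0/24 for the bitwise/cmp pair in the 2c4a34c message and -p 6 followed by -s 192.168.0.1/32 for the corrected bytecode in this one.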
1aefddd07ca8e51f0528366835cf466d57bd459f 11-Jun-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: save: fix the printing of the counters

This patch prints the counters of a rule before the details,
like iptables-save syntax.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
d007e1a59e4beaddab430992302d43b122ffc801 11-Feb-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft-compat: fix IP6T_F_GOTO flag handling

IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling
to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
8877968858a8dd6b7ae096988d57a7511c81733d 10-Feb-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: adds save_matches_and_target

This patch permits saving matches and targets for the ip/ip6/arp/eb
families, required for xtables-events.

Also, generalizes nft_rule_print_save to be reused for all protocol
families.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
ee595bc702ca80f72c522406f6a06ba7c31eb8df 18-Nov-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix inversion of built-in selectors

(0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke
inversion of built-in selectors, such as -s, -d, etc.

We need to refresh the invflags if -p is used or set it for first
time if -p is not used, otherwise inversion is ignored.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
4b7a4afaa240e5d2039e612e125b045d5d1cb7fa 08-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing ipt_entry for MASQUERADE target

The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.

Add a new hook called ->pre_parse, that sets the protocol
information accordingly.

Thus:

xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024

works again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_new to support ARP

This patch removes nft_arp_rule_new, which is almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
e2a2c72277b49ac611809b3978365ab3010e1597 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_find for ARP, IPv4 and IPv6

This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
217f021925872dcbce4187408762845ae3f6f182 16-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: nft-arp: implements is_same op for ARP family

The following patch implements the is_same operation
for ARP family needed for searching arp rule.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
e83e35e236a33dfdf3e401adb7d7e18362cf1961 08-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: generalize rule addition family hook

This should help Giuseppe with his ARP support works, this change
was missing in (618309c nft: refactoring parse operations for more
genericity).

Based on patch from Giuseppe.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
04d9ad94a40e795dfa8d4cfd0bf3f092d60ecc47 04-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> nft: refactoring parse operations for more genericity

This allows reusing the nft_parse_* functions for the bridge and
arp families (not yet supported).

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
eb4b65c49994e44e6ad617fe3f60c063d0c331c4 20-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix wrong flags handling in print_firewall_details

Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have
to add a specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, i.e.

Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0

Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: convert rule into a command state structure

This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
e23e66f9d1a25c75df684850b7cd99053708c4d0 07-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Generalize nft_rule_list() against current family

Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other families such
as ARP, which will be useful for the arptables compatibility tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
6838a7f51e6d95f904093e05e8bdc75ada70b93f 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add new nft_ops->post_parse hook

Move specific layer 3 protocol post argument parsing code
to the respective nft-ipv[4|6].c files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 24-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c
077785df023ad8947d44d19769bc6d91e3917633 23-Feb-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Split nft core to become family independent

This makes nft core code independent from the family. Each family needs
to implement and provide a struct nft_family_ops {}.

This split will ease the future support of bridge and arp rule manipulations.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-ipv6.c