History log of /external/iptables/iptables/nft-shared.h
Revision Date Author Comments
6b60dc5be58a5781cacc4e6f238454d5e8421760 01-Feb-2016 Pablo Neira Ayuso <pablo@netfilter.org> extensions: rename xt_buf to xt_xlate

Use a more generic name for this object to prepare the introduction of
other translation specific fields.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
933400b37d0966980d07d32b64403830429761ed 11-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to
translate iptables commands to nft; they are:

1) iptables-restore-translate, which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, e.g.

% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...

The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables
command:

$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
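As an added illustration (not the project's code) of the behaviour this commit describes: a small Python translator for a subset of iptables-restore syntax that emits the table and chain preamble, translates the rules it understands, and leaves the rest commented out with a `# -t TABLE ...` prefix. The input ruleset is constructed for the example, and it uses the current nft `ip daddr` keyword rather than the `ip dst` spelling shown in the commit.

```python
import shlex

# Constructed sample ruleset in iptables-restore format (not from the original page).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
-A OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
COMMIT
"""

HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
TARGETS = {"ACCEPT": "accept", "DROP": "drop"}
# iptables options this example knows how to translate (each takes one value).
MATCHES = {"-i": "iifname", "-o": "oifname", "-p": "ip protocol",
           "-s": "ip saddr", "-d": "ip daddr"}

def translate_rule(table, rule):
    """Translate one '-A CHAIN ...' line to nft, or None if an option is unsupported."""
    argv = shlex.split(rule)
    if len(argv) < 2 or argv[0] != "-A":
        return None
    chain, exprs, target, i = argv[1], [], None, 2
    while i + 1 < len(argv):            # every handled option takes exactly one value
        opt, val = argv[i], argv[i + 1]
        if opt == "-j":
            target = TARGETS.get(val)   # unknown target (e.g. LOG) leaves this None
        elif opt in MATCHES:
            exprs.append(f"{MATCHES[opt]} {val}")
        else:
            return None                 # e.g. '-m state': not translatable here
        i += 2
    if target is None or i != len(argv):
        return None
    return f"add rule ip {table} {chain} " + " ".join(exprs + ["counter", target])

def translate_restore(text):
    """Mimic iptables-restore-translate: define table/chains, comment out untranslatable rules."""
    out, table = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            out.append(f"add table ip {table}")
        elif line.startswith(":"):
            chain = line[1:].split()[0]
            hook = HOOKS.get(chain)     # builtin chains get a base-chain hook spec
            spec = f" {{ type filter hook {hook} priority 0; }}" if hook else ""
            out.append(f"add chain ip {table} {chain}{spec}")
        elif line.startswith("-A"):
            nft = translate_rule(table, line)
            out.append(nft if nft else f"# -t {table} {line}")
    return out
```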
d13b60c9ddb48e651b92f13579e236c530658176 13-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables-restore: add generic parsing infrastructure

This allows us to reuse the xtables-restore parser code in the
translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
50b056ce99517939cc4c0f5e278d32a252b71ee6 11-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables: add generic parsing infrastructure to interpret commands

Split the code that parses arguments from the code that issues commands so we can reuse this
for the iptables to nft translation infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
742baabd185c326cc2125e648e240894362eb31c 15-Sep-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
fe97f60e5d2a968638286036db67e3a4e17f095d 09-Feb-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: add watchers support

ebtables watchers are targets which always return EBT_CONTINUE.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
8acf8315a44fbee8227433daabb262b6de1e70f6 19-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix nft payload bases

ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information
from packets in the bridge family.

Let's allow the add_payload() function to know in which base it should work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
51e83a4deb4849152a29c160893f0823846d47a0 16-Oct-2014 Giuseppe Longo <giuseppelng@gmail.com> ebtables-compat: fix print_header

This prints the header like ebtables.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
902e92ceedba96d3241fa8ff701c061cd53a197d 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> ebtables-compat: use ebtables_command_state in bootstrap code

And introduce fake ebt_entry.

This gets the code in sync with the other existing compat tools. This
will likely allow consolidating common infrastructure.

This code is still quite experimental.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
da871de2a6efb576b6378a66222c0871f4282e96 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.

[ Original patches:

http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/

I have also forward-ported them on top of the current git HEAD, otherwise
compilation breaks.

This bootstrap is experimental; it still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
c82bf9f79bbc299de428fdc2e204d571b6cbc50d 12-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> iptables-compat: kill add_*() invflags parameter

Let's kill the invflags parameter and use NFT_CMP_[N]EQ directly.
The caller must calculate which kind of cmp operation is required.

BTW, this patch solves the absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4272426912b0951b4dc7f40179d5217b513775e1 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> arptables-compat: get output in sync with arptables -L -n --line-numbers

# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <--

This header is not shown by arptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ab1e03849d7fb60e861b9715d90681f7120c3bbb 08-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> arptables-compat: allow to not specify a target

arptables allows this:

# arptables -I INPUT

however, arptables-compat says:

arptables v1.4.21: No target provided or initalization failed
Try `arptables -h' or 'arptables --help' for more information.

The compat utility must mimic the same behaviour.

Fix this by introducing the arptables_command_state abstraction that
is already available in ip{6}tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2c4a34c30cb4db93653dbd139e04f7df963c3a41 30-Sep-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: fix address prefix

This patch fixes:

# iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

ip filter INPUT 20
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00030201 ]
[ counter pkts 0 bytes 0 ]

and it displays:

# iptables-compat-save
...
-A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1cc84d47766ad74be8609477d3496544848b75b1 22-Aug-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: add nft_xt_ctx struct

This patch provides the context used to transfer
information between different nft_parse_* function calls.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1aefddd07ca8e51f0528366835cf466d57bd459f 11-Jun-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: save: fix the printing of the counters

This patch prints the counters of a rule before the details,
like iptables-save syntax.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
8877968858a8dd6b7ae096988d57a7511c81733d 10-Feb-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: adds save_matches_and_target

This patch permits saving matches and targets for the ip/ip6/arp/eb
families, as required for xtables-events.

Also, it generalizes nft_rule_print_save to be reused for all protocol
families.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
a4e1098169a67716a81316c36ce22ddcb33df1c0 20-Jan-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Use new libnftnl library name against former libnftables

Adapt the current code to use the new library name libnftnl.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4b7a4afaa240e5d2039e612e125b045d5d1cb7fa 08-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing ipt_entry for MASQUERADE target

The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.

Add a new hook called ->pre_parse, that sets the protocol
information accordingly.

Thus:

xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024

works again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
0363995ef12c2377875f9ab60a43b9b601cb2560 02-Oct-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: arp: Store target entry properly and compare them relevantly

Fixes a segfault issue when deleting a rule.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
e2a2c72277b49ac611809b3978365ab3010e1597 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_find for ARP, IPv4 and IPv6

This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
217f021925872dcbce4187408762845ae3f6f182 16-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: nft-arp: implements is_same op for ARP family

The following patch implements the is_same operation
for ARP family needed for searching arp rule.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
84909d171585d77fe769f03e2b1b96eab0aa0213 09-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c.
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).

[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp; the previous name was too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point, as
some refactoring should allow accommodating those functions in the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
e83e35e236a33dfdf3e401adb7d7e18362cf1961 08-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: generalize rule addition family hook

This should help Giuseppe with his ARP support work; this change
was missing in (618309c nft: refactoring parse operations for more
genericity).

Based on patch from Giuseppe.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
04d9ad94a40e795dfa8d4cfd0bf3f092d60ecc47 04-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> nft: refactoring parse operations for more genericity

This allows reusing the nft_parse_* functions for the bridge and
arp families (not yet supported).

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
36cba824e1689c6255d4e33b7fa82541a774609b 20-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: use xtables_print_num

So we can kill our own implementation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
eb4b65c49994e44e6ad617fe3f60c063d0c331c4 20-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix wrong flags handling in print_firewall_details

Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore we have
to add a specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, i.e.

Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0

Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: convert rule into a command state structure

This helps to reduce the code complexity by having one single common path
for printing, saving and looking up the rule.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
e23e66f9d1a25c75df684850b7cd99053708c4d0 07-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Generalize nft_rule_list() against current family

Now, firewall rule printing is done through the nft_family_ops
.print_firewall function. This moves the generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other families such
as ARP, which will be useful for the arptables compatibility tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
d801b9f3b8161752ea2358a0bfb614603d28a8e5 01-Jun-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix -p protocol

The protocol field in both the IPv4 and IPv6 headers is 8 bits long,
so we have to compare 8 bits.

Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6838a7f51e6d95f904093e05e8bdc75ada70b93f 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add new nft_ops->post_parse hook

Move specific layer 3 protocol post argument parsing code
to the respective nft-ipv[4|6].c files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
26d3a0d77c67289341361bbd3254f2257eec69a0 12-May-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add new container xtables_args structure

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 24-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
45ce2daf44c11f53d208f607ccdd3d11192d0de5 23-Feb-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: remove license for header file

There is no tradition in the project of including the license header in .h files.
This one is also internal - not exported.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
077785df023ad8947d44d19769bc6d91e3917633 23-Feb-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Split nft core to become family independent

This makes the nft core code independent from the family. Each family needs
to implement and provide a struct nft_family_ops {}.

This split will ease the future support of bridge and arp rules manipulations.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>