6b60dc5be58a5781cacc4e6f238454d5e8421760 |
|
01-Feb-2016 |
Pablo Neira Ayuso <pablo@netfilter.org> |
extensions: rename xt_buf to xt_xlate Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
933400b37d0966980d07d32b64403830429761ed |
|
11-Apr-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are:

1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg.

% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...

The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables command:

$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
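Added example (not the netfilter project's code) of the two behaviours this commit message describes: translating a single iptables command, and converting an iptables-restore file while keeping untranslatable rules as comments. It handles only -t, -A/-I, -i/-o, -p, -s/-d and the ACCEPT/DROP/RETURN verdicts; anything else (matches such as -m state, targets such as LOG) is left untranslated rather than guessed. The sample ruleset is constructed. The 2014 listing above prints `ip dst 8.8.8.8` and `add rule` for -I; this example emits the current `ip daddr` spelling, `insert rule` for -I, and always writes the `ip` family. The chain policy handling and the table-to-chain-type table are assumptions of the example.

```python
"""Minimal iptables -> nft translator in the spirit of iptables-translate and
iptables-restore-translate. Added example, not the netfilter project's code."""
import ipaddress
import shlex

# Built-in chains and the nft hook they attach to (IPv4 only here).
BUILTIN_HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output",
                 "PREROUTING": "prerouting", "POSTROUTING": "postrouting"}
CHAIN_TYPES = {"filter": "filter", "nat": "nat"}   # assumption: only these tables
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "RETURN": "return"}


def translate_rule(args):
    """Translate one iptables command (argv without the program name) into an
    nft command string. Returns None as soon as an option has no translation,
    so the caller keeps the original rule as a comment instead of guessing."""
    table, chain, verb, verdict = "filter", None, None, None
    selectors = []
    i = 0
    while i < len(args):
        negated = args[i] == "!"
        if negated:
            i += 1
        if i + 1 >= len(args):            # every supported option takes a value
            return None
        opt, val = args[i], args[i + 1]
        i += 2
        neq = "!= " if negated else ""
        if opt == "-t":
            table = val
        elif opt in ("-A", "-I"):
            if negated:
                return None
            chain, verb = val, ("add" if opt == "-A" else "insert")
        elif opt == "-p":
            selectors.append(f"ip protocol {neq}{val}")
        elif opt in ("-s", "-d"):
            # 1.2.3.4/24 becomes 1.2.3.0/24, as iptables itself prints it.
            net = ipaddress.IPv4Network(val, strict=False)
            addr = str(net.network_address) if net.prefixlen == 32 else str(net)
            selectors.append(f"ip {'saddr' if opt == '-s' else 'daddr'} {neq}{addr}")
        elif opt in ("-i", "-o"):
            selectors.append(f"{'iifname' if opt == '-i' else 'oifname'} {neq}{val}")
        elif opt == "-j":
            if negated or val not in VERDICTS:
                return None               # e.g. -j LOG: no translation attempted
            verdict = VERDICTS[val]
        else:
            return None                   # -m state, --dport, ...: untranslated
    if chain is None or table not in CHAIN_TYPES:
        return None
    parts = ["nft", verb, "rule", "ip", table, chain, *selectors, "counter"]
    if verdict:
        parts.append(verdict)
    return " ".join(parts)


def translate_restore(text):
    """Translate a ruleset in iptables-restore format. Rules that cannot be
    translated are emitted as comments, as iptables-restore-translate does."""
    out, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            out.append(f"add table ip {table}")
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            hook = BUILTIN_HOOKS.get(name)
            if hook is None:
                out.append(f"add chain ip {table} {name}")     # user-defined chain
                continue
            spec = f"type {CHAIN_TYPES.get(table, 'filter')} hook {hook} priority 0;"
            if policy != "ACCEPT":
                spec += f" policy {policy.lower()};"
            out.append(f"add chain ip {table} {name} {{ {spec} }}")
        elif line == "COMMIT":
            table = None
        else:
            nft = translate_rule(["-t", table, *shlex.split(line)])
            out.append(nft[len("nft "):] if nft else f"# -t {table} {line}")
    return out


# Constructed sample input in iptables-restore format.
SAMPLE_RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
COMMIT
"""

if __name__ == "__main__":
    print(translate_rule(["-I", "OUTPUT", "-p", "udp", "-d", "8.8.8.8", "-j", "ACCEPT"]))
    print("\n".join(translate_restore(SAMPLE_RULESET)))
```

Returning None instead of a partial translation is the important design choice: a rule that silently lost its `-m state` match would be a weaker policy than the original, which is exactly what the commented-out lines in the restore output are meant to prevent.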
|
d13b60c9ddb48e651b92f13579e236c530658176 |
|
13-Apr-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: xtables-restore: add generic parsing infrastructure This allows us to reuse the xtables-restore parser code in the translation infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
50b056ce99517939cc4c0f5e278d32a252b71ee6 |
|
11-Apr-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: xtables: add generic parsing infrastructure to interpret commands Split the code to parse arguments and to issue commands so we can reuse this for the iptables to nft translation infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
742baabd185c326cc2125e648e240894362eb31c |
|
15-Sep-2015 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: use new symbols in libnftnl Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
fe97f60e5d2a968638286036db67e3a4e17f095d |
|
09-Feb-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: add watchers support ebtables watchers are targets which always return EBT_CONTINUE. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
8acf8315a44fbee8227433daabb262b6de1e70f6 |
|
19-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix nft payload bases ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information from packets in the bridge family. Let's allow the add_payload() function to know in which base it should work. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
51e83a4deb4849152a29c160893f0823846d47a0 |
|
16-Oct-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
ebtables-compat: fix print_header This prints the header like ebtables. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
902e92ceedba96d3241fa8ff701c061cd53a197d |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
ebtables-compat: use ebtables_command_state in bootstrap code And introduce fake ebt_entry. This gets the code in sync with the other existing compat tools. This will likely allow us to consolidate common infrastructure. This code is still quite experimental. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
da871de2a6efb576b6378a66222c0871f4282e96 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility software upon nf_tables.

[ Original patches:

http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/

I have also forward-ported them on top of the current git HEAD, otherwise compilation breaks. This bootstrap is experimental, this still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
c82bf9f79bbc299de428fdc2e204d571b6cbc50d |
|
12-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
iptables-compat: kill add_*() invflags parameter Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ. The caller must calculate which kind of cmp operation is required. BTW, this patch solves absence of inversion in some arptables-compat builtin matches. Thus, translating arptables inv flags is no longer needed. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
4272426912b0951b4dc7f40179d5217b513775e1 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: get output in sync with arptables -L -n --line-numbers

# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <-- This header is not shown by arptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
ab1e03849d7fb60e861b9715d90681f7120c3bbb |
|
08-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: allow to not specify a target

arptables allows this:

# arptables -I INPUT

however, arptables-compat says:

arptables v1.4.21: No target provided or initalization failed
Try `arptables -h' or 'arptables --help' for more information.

The compat utility must mimic the same behaviour. Fix this by introducing the arptables_command_state abstraction that is already available in ip{6}tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
2c4a34c30cb4db93653dbd139e04f7df963c3a41 |
|
30-Sep-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: fix address prefix

This patch fixes:

# iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

ip filter INPUT 20
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00030201 ]
  [ counter pkts 0 bytes 0 ]

and it displays:

# iptables-compat-save
...
-A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta and bitwise, so it interprets the cmp expression based on the context. This provides a rudimentary way to delinearize the iptables-compat rule-set, but it should be enough for the built-in xtables selectors since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
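Added example (not iptables-compat's own code) of the delinearization this commit message describes: a payload expression fixes a register's base, offset and length, an optional bitwise expression adds the mask, and the cmp expression is then interpreted against that per-register context. The same mechanism covers the one-byte protocol compare from the "xtables: fix -p protocol" entry further down (a two-byte load at offset 9 is rejected rather than silently compared against the checksum) and the NFT_CMP_NEQ to `!` mapping from the "iptables-compat: kill add_*() invflags parameter" entry. It parses the dump format quoted above and assumes, as that listing does, a little-endian host on which the register word 0x00030201 is the address 1.2.3.0; the field-offset and protocol-name tables are the example's own, and the input lines below are constructed.

```python
"""Delinearize nft bytecode for the built-in IPv4 selectors (-s/-d/-p) back
into iptables syntax. Added example, not iptables-compat's code."""
import ipaddress
import re
import struct

# (offset within the IPv4 header, length in bytes) -> iptables option.
# The protocol field is a single byte at offset 9; a 2-byte load there would
# also cover the header checksum, so only the 1-byte form is accepted.
IPV4_FIELDS = {(12, 4): "-s", (16, 4): "-d", (9, 1): "-p"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Patterns for the expression dump format quoted in the commit message.
PAYLOAD_RE = re.compile(r"\[ payload load (\d+)b @ (\w+) header \+ (\d+) => reg (\d+) \]")
BITWISE_RE = re.compile(r"\[ bitwise reg (\d+) = \(reg=(\d+) & 0x([0-9a-f]+) \) \^ 0x([0-9a-f]+) \]")
CMP_RE = re.compile(r"\[ cmp (eq|neq) reg (\d+) 0x([0-9a-f]+) \]")


def _reg_bytes(word: str, length: int) -> bytes:
    """Recover packet bytes from a register dumped as a host-order 32-bit word.
    Assumption: little-endian host, as in the listing, where 0x00030201 holds
    the bytes 01 02 03 00, i.e. the address 1.2.3.0."""
    return struct.pack("<I", int(word, 16))[:length]


def delinearize_ipv4(lines):
    """Walk the expressions of one rule, keeping per-register context
    (payload offset/length plus an optional bitwise mask) so that each cmp
    can be interpreted; return the equivalent iptables selectors."""
    ctx = {}
    tokens = []
    for line in lines:
        line = line.strip()
        if m := PAYLOAD_RE.fullmatch(line):
            length, base, offset, reg = int(m[1]), m[2], int(m[3]), m[4]
            if base != "network":
                raise ValueError(f"unsupported payload base: {base}")
            ctx[reg] = {"offset": offset, "len": length, "mask": None}
        elif m := BITWISE_RE.fullmatch(line):
            dreg, sreg, mask, xor = m[1], m[2], m[3], m[4]
            if dreg != sreg or int(xor, 16) != 0:
                raise ValueError("only 'reg = reg & mask' is understood")
            ctx[dreg]["mask"] = _reg_bytes(mask, ctx[dreg]["len"])
        elif m := CMP_RE.fullmatch(line):
            op, reg, data = m[1], m[2], m[3]
            c = ctx.pop(reg)                      # the cmp consumes the context
            option = IPV4_FIELDS.get((c["offset"], c["len"]))
            if option is None:
                raise ValueError(f"unknown field: offset {c['offset']} len {c['len']}")
            value = _reg_bytes(data, c["len"])
            if option == "-p":
                arg = PROTO_NAMES.get(value[0], str(value[0]))
            else:
                mask = c["mask"] or b"\xff" * 4   # no bitwise: exact host match
                # IPv4Network rejects a mask that is not a contiguous prefix.
                net = ipaddress.IPv4Network(
                    (value, str(ipaddress.IPv4Address(mask))), strict=False)
                arg = str(net.network_address) if net.prefixlen == 32 else str(net)
            tokens.append(("! " if op == "neq" else "") + f"{option} {arg}")
        # counter and verdict expressions carry no selector information
    return " ".join(tokens)


# Constructed input: the bytecode quoted in the commit message above.
PREFIX_RULE = [
    "[ payload load 4b @ network header + 12 => reg 1 ]",
    "[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]",
    "[ cmp eq reg 1 0x00030201 ]",
    "[ counter pkts 0 bytes 0 ]",
]

if __name__ == "__main__":
    print(delinearize_ipv4(PREFIX_RULE))
```

Without the context the cmp alone is ambiguous: 0x00030201 is a valid address, a valid prefix-masked address and, as a 1-byte value, a protocol number. Tying the mask to the register that the payload loaded is what lets the prefix length come out as /24 instead of being dropped.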
|
1cc84d47766ad74be8609477d3496544848b75b1 |
|
22-Aug-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: add nft_xt_ctx struct This patch provides the context used to transfer information between different nft_parse_* function calls. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
1aefddd07ca8e51f0528366835cf466d57bd459f |
|
11-Jun-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: save: fix the printing of the counters This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
8877968858a8dd6b7ae096988d57a7511c81733d |
|
10-Feb-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: adds save_matches_and_target This patch permits saving matches and targets for the ip/ip6/arp/eb families, required for xtables-events. Also, generalizes nft_rule_print_save to be reused for all protocol families. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
a4e1098169a67716a81316c36ce22ddcb33df1c0 |
|
20-Jan-2014 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Use new libnftnl library name against former libnftables Adapt the current code to use the new library name libnftnl. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
4b7a4afaa240e5d2039e612e125b045d5d1cb7fa |
|
08-Oct-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: fix missing ipt_entry for MASQUERADE target

The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus:

xtables -4 -A POSTROUTING -t nat -p tcp \
        -j MASQUERADE --to-ports 1024

works again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
0363995ef12c2377875f9ab60a43b9b601cb2560 |
|
02-Oct-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: arp: Store target entry properly and compare them relevantly Fixes a segfault issue when deleting a rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
e2a2c72277b49ac611809b3978365ab3010e1597 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_find for ARP, IPv4 and IPv6 This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
217f021925872dcbce4187408762845ae3f6f182 |
|
16-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: nft-arp: implements is_same op for ARP family The following patch implements the is_same operation for the ARP family, needed for searching ARP rules. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
84909d171585d77fe769f03e2b1b96eab0aa0213 |
|
09-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and listing (-L).

[ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accommodate those functions to the existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
e83e35e236a33dfdf3e401adb7d7e18362cf1961 |
|
08-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: generalize rule addition family hook This should help Giuseppe with his ARP support works, this change was missing in (618309c nft: refactoring parse operations for more genericity). Based on patch from Giuseppe. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
04d9ad94a40e795dfa8d4cfd0bf3f092d60ecc47 |
|
04-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: refactoring parse operations for more genericity This allows us to reuse the nft_parse_* functions for the bridge and arp families (not yet supported). Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
36cba824e1689c6255d4e33b7fa82541a774609b |
|
20-Aug-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: use xtables_print_num So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
eb4b65c49994e44e6ad617fe3f60c063d0c331c4 |
|
20-Aug-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: fix wrong flags handling in print_firewall_details

Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add a specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, i.e.

Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0

Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 |
|
19-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: convert rule into a command state structure This helps to reduce the code complexity to have one single common path for printing, saving and looking up the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
e23e66f9d1a25c75df684850b7cd99053708c4d0 |
|
07-Aug-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Generalize nft_rule_list() against current family Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
d801b9f3b8161752ea2358a0bfb614603d28a8e5 |
|
01-Jun-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: fix -p protocol The protocol field in both IPv4 and IPv6 headers is 8 bits long, so we have to compare 8 bits. Reported-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
6838a7f51e6d95f904093e05e8bdc75ada70b93f |
|
12-May-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: add new nft_ops->post_parse hook Move specific layer 3 protocol post argument parsing code to the respective nft-ipv[4|6].c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
26d3a0d77c67289341361bbd3254f2257eec69a0 |
|
12-May-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: add new container xtables_args structure Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 |
|
24-Mar-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
45ce2daf44c11f53d208f607ccdd3d11192d0de5 |
|
23-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: remove license for header file No tradition in the project to include the header file in .h file. This one is also internal - not exported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|
077785df023ad8947d44d19769bc6d91e3917633 |
|
23-Feb-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
nft: Split nft core to become family independent This makes nft core code independent from the family. Each family needs to implement and provide a struct nft_family_ops {}. This split will ease the future support of bridge and arp rules manipulations. [ updated header files and rebased upon the current tree --pablo ] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.h
|