742baabd185c326cc2125e648e240894362eb31c |
|
15-Sep-2015 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: use new symbols in libnftnl Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
52dbdb74cb9a76ba97e6787b9d2373ceb85a448d |
|
05-Mar-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
arptables-compat: delete extra space in target printing This is an extra space, let's get rid of it. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
6c8db125b258da070313f20cdf9bc4124bba5383 |
|
19-Feb-2015 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: unset context flags in netlink delinearize step

Once the data that the compare expression provides have been digested.

For example:

 -A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

doesn't show anymore the following broken output via iptables-compat-save:

 -A INPUT -i +t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
/external/iptables/iptables/nft-arp.c
|
34c36aeebd0b44629ef6c54a3087b3b531ccc1a5 |
|
13-Feb-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
arptables-compat: add mangle target extension This patch adds support to use the mangle target extensions, along with the required changes in the surrounding code. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
8acf8315a44fbee8227433daabb262b6de1e70f6 |
|
19-Jan-2015 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
ebtables-compat: fix nft payload bases ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information from packets in the bridge family. Let's allow the add_payload() function to know in which base it should work. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
c82bf9f79bbc299de428fdc2e204d571b6cbc50d |
|
12-Nov-2014 |
Arturo Borrero <arturo.borrero.glez@gmail.com> |
iptables-compat: kill add_*() invflags parameter Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ. The caller must calculate which kind of cmp operation it requires. BTW, this patch solves absence of inversion in some arptables-compat builtin matches. Thus, translating arptables inv flags is no longer needed. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
59bfbdac8982d97085218acc7b0535d414294f1e |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: remove save code There is no native arptables-save. The original author provides perl scripts to implement arptables-save and arptables-restore. We should use them to mimic arptables behaviour. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
4272426912b0951b4dc7f40179d5217b513775e1 |
|
09-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: get output in sync with arptables -L -n --line-numbers

 # arptables-compat -L -n --line-numbers
 Chain INPUT (policy ACCEPT)
 num target prot opt source destination <-- This header is not shown by arptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
ab1e03849d7fb60e861b9715d90681f7120c3bbb |
|
08-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
arptables-compat: allow to not specify a target

arptables allows this:

 # arptables -I INPUT

however, arptables-compat says:

 arptables v1.4.21: No target provided or initalization failed
 Try `arptables -h' or 'arptables --help' for more information.

the compat utility must mimic the same behaviour.

Fix this by introducing the arptables_command_state abstraction that is already available in ip{6}tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
2c4a34c30cb4db93653dbd139e04f7df963c3a41 |
|
30-Sep-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
iptables-compat: fix address prefix

This patch fixes:

 # iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

 ip filter INPUT 20
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x00030201 ]
   [ counter pkts 0 bytes 0 ]

and it displays:

 # iptables-compat-save
 ...
 -A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta and bitwise, so it interprets the cmp expression based on the context. This provides a rudimentary way to delinearize the iptables-compat rule-set, but it should be enough for the built-in xtables selectors since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
1cc84d47766ad74be8609477d3496544848b75b1 |
|
22-Aug-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: add nft_xt_ctx struct This patch provides the context used to transfer information between different nft_parse_* function calls. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
b772c3f24f75e586e406675e4b0b79eabfe3375e |
|
09-Aug-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft-arp: remove wrong conditions

Removes wrong conditions in flags translating functions that don't permit to delete rule with inverse flags set.

For instance, the following command doesn't remove the rule:

 arptables-compat -D INPUT -i ! eth1 -j ACCEPT

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
1aefddd07ca8e51f0528366835cf466d57bd459f |
|
11-Jun-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: save: fix the printing of the counters This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
60f00639ca42a95fd5425d6bb6ac08e5b29c6b18 |
|
24-Mar-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: replace nft_rule_attr_get_u8

Since the family declaration has been modified in libnftnl, from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion is failed for {ip,ip6,arp}tables-compat when printing rules.

 iptables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 libnftnl: attribute 0 assertion failed in rule.c:273

 ip6tables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 libnftnl: attribute 0 assertion failed in rule.c:273

 arptables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 libnftnl: attribute 0 assertion failed in rule.c:273

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
2c678e1954f95dd3d0ca3d88279f96a26f3a726b |
|
07-Mar-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft-arp: wrong condition in parse_payload

the current condition doesn't permit to parse ip addresses when they should be. Obviously they are not printed.

 arptables-compat -A INPUT -s 1.1.1.1 -i eth0 -j ACCEPT
 arptables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 -j ACCEPT -i eth0

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
b88c6bddcd1e6c28cf0b5169746c34dc3bdd9a31 |
|
07-Mar-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft-arp: fix is_same_interfaces arguments

Wrong arguments are passed to is_same_interfaces that causes sometimes to delete a wrong rule.

See the example below:

 arptables-compat -A INPUT -i eth0 -j ACCEPT
 arptables-compat -A INPUT -i eth1 -j ACCEPT
 arptables-compat -A INPUT -i eth2 -j ACCEPT

 arptables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 -j ACCEPT -i eth0
 -j ACCEPT -i eth1
 -j ACCEPT -i eth2

 arptables-compat -D INPUT -i eth2 -j ACCEPT

 arptables-compat -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 -j ACCEPT -i eth1
 -j ACCEPT -i eth2

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
68e5e18210b8d61dd616a0db71fddb3aa3fa3fbd |
|
19-Feb-2014 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft-arp: adds nft_arp_save_firewall Adds nft_arp_save_firewall to arp family. (Avoids the segfault in xtables-events) Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
0cfd537e8020812ef02ce0e27b8b22a94d3820c3 |
|
12-Oct-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: arp: fix possible string overflow This patch replaces strcat with strncat and strcpy with strncpy fixing possible string overflow. Based on the original patch: http://patchwork.ozlabs.org/patch/279672/ from Jaromír Končický via Jiri Popelka. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
e8cbd65dcef62333b5e461cb264c844065b33e9a |
|
06-Oct-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: arp: add parse_target to nft_family_ops_arp

This patch adds parse_target for arp family, fixing segfaults for xtables-arp -L after rules like:

 xtables-arp -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7
 xtables-arp -A OUTPUT -o eth1 --h-length 6 \
   -j mangle --mangle-mac-s 01:00:5e:00:01:01

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
e55b3e367129cee58a3b2754d6882efeeccd1b9f |
|
03-Oct-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
nft: arp: initialize flags in nft_arp_parse_meta This small patch initializes the flags in nft_arp_parse_meta, now the nft_arp_rule_find is working properly. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
0363995ef12c2377875f9ab60a43b9b601cb2560 |
|
02-Oct-2013 |
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> |
xtables: arp: Store target entry properly and compare them relevantly Fixes a segfault issue when deleting a rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_new to support ARP This patch removes nft_arp_rule_new, which is almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
e2a2c72277b49ac611809b3978365ab3010e1597 |
|
18-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
nft: consolidate nft_rule_find for ARP, IPv4 and IPv6 This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
217f021925872dcbce4187408762845ae3f6f182 |
|
16-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: nft-arp: implements is_same op for ARP family The following patch implements the is_same operation for ARP family needed for searching arp rule. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
4c4bcbcd2523da740ed02021e51cb20b14fae153 |
|
14-Sep-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
xtables: nft-arp: fix endianness in nft_arp_parse_payload nft_arp_print_firewall already handles endianness appropriately. This fixes the output of the option that allows you to match ARP header fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|
84909d171585d77fe769f03e2b1b96eab0aa0213 |
|
09-Sep-2013 |
Giuseppe Longo <giuseppelng@gmail.com> |
xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and listing (-L).

[ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accommodate those functions to the existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-arp.c
|