History log of /external/iptables/iptables/nft-shared.c
Revision Date Author Comments
a44bee8c3582cb72868a3b7f703494dd2b24bf7d 02-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: fix comments listing

ip[6]tables-compat -L was not printing the comments since commit
d64ef34a9961 ("iptables-compat: use nft built-in comments support").

This patch solves the issue.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
742baabd185c326cc2125e648e240894362eb31c 15-Sep-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
6c8db125b258da070313f20cdf9bc4124bba5383 19-Feb-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: unset context flags in netlink delinearize step

Once the data that the compare expression provides have been digested.

For example:

-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

no longer shows the following broken output via iptables-compat-save:

-A INPUT -i

+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT

Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
/external/iptables/iptables/nft-shared.c
fe97f60e5d2a968638286036db67e3a4e17f095d 09-Feb-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: add watchers support

ebtables watchers are targets which always return EBT_CONTINUE.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
8acf8315a44fbee8227433daabb262b6de1e70f6 19-Jan-2015 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix nft payload bases

ebtables should use NFT_PAYLOAD_LL_HEADER to fetch basic payload information
from packets in the bridge family.

Let's allow the add_payload() function to know in which base it should work.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
42cfeee024d0ba0c6b15645f829273ee3dcfa5c6 26-Dec-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> ebtables-compat: fix printing of extension

This patch fixes printing of ebt extensions:

% sudo ebtables-compat -L
[...]
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--802_3-type 0x0012 -j ACCEPT
[...]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
902e92ceedba96d3241fa8ff701c061cd53a197d 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> ebtables-compat: use ebtables_command_state in bootstrap code

And introduce fake ebt_entry.

This gets the code in sync with the other existing compat tools. This
will likely allow consolidating common infrastructure.

This code is still quite experimental.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
da871de2a6efb576b6378a66222c0871f4282e96 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.

[ Original patches:

http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/

I have also forward-ported them on top of the current git HEAD, otherwise
compilation breaks.

This bootstrap is experimental, this still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
c82bf9f79bbc299de428fdc2e204d571b6cbc50d 12-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> iptables-compat: kill add_*() invflags parameter

Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ.
The caller must calculate which kind of cmp operation is required.

BTW, this patch solves absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
84f6bf6345f59d442fd62c47abb03089eb9b2134 16-Oct-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: fix syntax error in nft_parse_cmp()

This fixes a syntax error: remove a stray ';' in an if statement.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
4272426912b0951b4dc7f40179d5217b513775e1 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> arptables-compat: get output in sync with arptables -L -n --line-numbers

# arptables-compat -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination <--

This header is not shown by arptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
ab1e03849d7fb60e861b9715d90681f7120c3bbb 08-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> arptables-compat: allow to not specify a target

arptables allows this:

# arptables -I INPUT

however, arptables-compat says:

arptables v1.4.21: No target provided or initalization failed
Try `arptables -h' or 'arptables --help' for more information.

the compat utility must mimic the same behaviour.

Fix this by introducing the arptables_command_state abstraction that
is already available in ip{6}tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
2c4a34c30cb4db93653dbd139e04f7df963c3a41 30-Sep-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: fix address prefix

This patch fixes:

# iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

ip filter INPUT 20
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00030201 ]
[ counter pkts 0 bytes 0 ]

and it displays:

# iptables-compat-save
...
-A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
1cc84d47766ad74be8609477d3496544848b75b1 22-Aug-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: add nft_xt_ctx struct

This patch provides the context used to transfer
information between different nft_parse_* function calls.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
1aefddd07ca8e51f0528366835cf466d57bd459f 11-Jun-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: save: fix the printing of the counters

This patch prints the counters of a rule before the details,
like iptables-save syntax.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
60f00639ca42a95fd5425d6bb6ac08e5b29c6b18 24-Mar-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: replace nft_rule_attr_get_u8

Since the family declaration has been modified in libnftnl,
from commit 3cd9cd06625f8181c713489cec2c1ce6722a7e16
the assertion fails for {ip,ip6,arp}tables-compat
when printing rules.

iptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273

ip6tables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273

arptables-compat -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
libnftnl: attribute 0 assertion failed in rule.c:273

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
d007e1a59e4beaddab430992302d43b122ffc801 11-Feb-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft-compat: fix IP6T_F_GOTO flag handling

IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling
to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
8877968858a8dd6b7ae096988d57a7511c81733d 10-Feb-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: adds save_matches_and_target

This patch permits saving matches and target for the ip/ip6/arp/eb
family, required for xtables-events.

Also, generalizes nft_rule_print_save to be reused for all protocol
families.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
a4e1098169a67716a81316c36ce22ddcb33df1c0 20-Jan-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Use new libnftnl library name against former libnftables

Adapt the current code to use the new library name libnftnl.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
4182478977685b0cbe71eb3d75f004f23a775d6c 10-Jan-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY

We have to use uint32_t instead of uint8_t to adapt this to the libnftables
changes.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
28dcf16384b223f9890567bd89056864a7e3c85d 11-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix interface wildcard matching

In (73ea1cc nft: convert rule into a command state structure), the
interface wildcard matching got broken. The previous handling was
flawed by the use of ifnametoindex in a scenario where the interface
may have vanished after a rule was added.

This approach relies on the trailing '\0' to identify if this is
an exact or wildcard matching, based on discussion with Florian.

Based on initial patch from Anand Raj Manickam.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
6cd426bc7593ecf04a02c901d94e04093bdf69e4 08-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix bad length when comparing extension data area

Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.

This fixes:

xtables -4 -D INPUT -m connlimit \
--connlimit-above 10 --connlimit-mask 32 --connlimit-daddr

But it also fixes many other matches/targets which use internal
private data.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
5f6e384ac2a3d7b647a909654a3bdee1c0bcb3eb 08-Oct-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: pass ipt_entry to ->save_firewall hook

The extension needs the ipt_entry not to crash. Since cs->fw
actually points to an union that also contains cs->fw6, just
pass cs->fw to make it work.

This fixes:

-A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
e8a218f27a3d7948697c1c1d8f364af6f65b5ac9 03-Oct-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: fix wrong target size

The allocated area was not aligned.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
ea23cfc0e663a934b05e5c09cbed5cda3c999f6f 03-Oct-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Header inclusion missing

Fixes compilation issues.

nft-shared.c: In function ‘nft_ipv46_rule_find’:
nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration]
nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function)
nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
7c7dcb2f2b86f71578c4cfc810042c98a43ea70a 19-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: adapt nft_rule_expr_get to use uint32_t instead of size_t

According to libnftables change 437d610, now the length obtained
via getter function is uint32_t, not size_t anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
e2a2c72277b49ac611809b3978365ab3010e1597 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_find for ARP, IPv4 and IPv6

This patch kills nft_arp_rule_find, which is almost a copy and paste
of the original nft_rule_find function. Refactor this function to
move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
files.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
84909d171585d77fe769f03e2b1b96eab0aa0213 09-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).

[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in a consistent state. This
patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactorization should allow accommodating those functions to the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
7791905f7db3bce63d3316c5adaf2f735cff3c1d 06-Sep-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Fix a minor compilation warning

nft-shared.c: In function ‘nft_rule_to_iptables_command_state’:
nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized]
nft-shared.c:432:14: note: ‘jumpto’ was declared here

All verdicts are managed and jumpto has to get a value, but since
the compiler complains, let's fix it.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
04d9ad94a40e795dfa8d4cfd0bf3f092d60ecc47 04-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> nft: refactoring parse operations for more genericity

This allows reusing the nft_parse_* function for the bridge and
arp family (not yet supported).

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
36cba824e1689c6255d4e33b7fa82541a774609b 20-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: use xtables_print_num

So we can kill our own implementation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
eb4b65c49994e44e6ad617fe3f60c063d0c331c4 20-Aug-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: fix wrong flags handling in print_firewall_details

Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have
to add a specific function to print the fragment flag, otherwise
xtables -6 misinterprets the protocol flag, i.e.

Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0

Note that -f should not show up. This problem was likely added with
the IPv6 support for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: convert rule into a command state structure

This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
c167e01221fc8541240b5c0505516e35a216d0eb 07-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Print unknown target data only when relevant

Bug is:
xtables -N test
xtables -A FORWARD -j test
xtables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
test all -- anywhere anywhere [0 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain test (1 references)
target prot opt source destination

"[0 bytes of unknown target data]" should not be printed in this case.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
e23e66f9d1a25c75df684850b7cd99053708c4d0 07-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Generalize nft_rule_list() against current family

Now, firewall rule printing is done through nft_family_ops
.print_firewall function. This moves generic part for ipv4 and ipv6 into
nft-shared.c, and enables reusing nft_rule_list() for other family such
as ARP which will be useful for arptables compatibility tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
d801b9f3b8161752ea2358a0bfb614603d28a8e5 01-Jun-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix -p protocol

The protocol field in both IPv4 and IPv6 headers are 8 bits long,
so we have to compare 8 bits.

Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c
077785df023ad8947d44d19769bc6d91e3917633 23-Feb-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Split nft core to become family independent

This makes nft core code independent from the family. Each family needs
to implement and provide a struct nft_family_ops {}.

This split will ease the future support of bridge and arp rules manipulations.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft-shared.c