History log of /external/iptables/iptables/nft.h
Revision Date Author Comments
ef2a7e9fe0d82c691aeee1cbd61095841231974f 26-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: add rule cache

This patch adds a cache of rules within the nft handle. This feature is
useful since the whole ruleset was brought from the kernel for every
chain during listing operations. In addition, with the new checks of
ruleset compatibility, the rule list is loaded one more time.

Now all the operations causing changes in the ruleset must invalidate
the cache; a function called flush_rule_cache has been introduced for
this purpose.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
4b791044cd0984c9a1771e86fa77fce9d309d9e7 26-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: check if nft ruleset is compatible

This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.

This checking is triggered by xtables-compat -L and xtables-compat-save
commands.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
2abd049177fa42993e4b1de588e92282a200ee43 21-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: remove useless functions

The static function nft_rule_list_get was exposed outside nft.c through
the nft_rule_list_create function, but this was never used out there.

A similar situation occurs with nftnl_rule_list_free and
nft_rule_list_destroy.

This patch removes nft_rule_list_create and nft_rule_list_destroy for
the sake of simplicity.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
a44bee8c3582cb72868a3b7f703494dd2b24bf7d 02-Aug-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> xtables-compat: fix comments listing

ip[6]tables-compat -L was not printing the comments since commit
d64ef34a9961 ("iptables-compat: use nft built-in comments support").

This patch solves the issue.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
0ddd663e9c167f9f0451dac8c02bbfcda25fe15e 30-Jul-2016 Liping Zhang <liping.zhang@spreadtrum.com> iptables-translate: add in/out ifname wildcard match translation to nft

In iptables, "-i eth+" means match all in ifname with the prefix "eth".
But in nftables, this was changed to "iifname eth*". So we should handle
this subtle difference.

After applying this patch, the translation becomes:
# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter
# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
d64ef34a99610a6fb54d43660ac31555da858231 22-Jun-2016 Pablo M. Bermudo Garay <pablombg@gmail.com> iptables-compat: use nft built-in comments support

After this patch, iptables-compat uses nft built-in comments support
instead of comment match.

This change simplifies the treatment of comments in nft after loading a
rule set through iptables-compat-restore.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
6b60dc5be58a5781cacc4e6f238454d5e8421760 01-Feb-2016 Pablo Neira Ayuso <pablo@netfilter.org> extensions: rename xt_buf to xt_xlate

Use a more generic name for this object to prepare the introduction of
other translation specific fields.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
933400b37d0966980d07d32b64403830429761ed 11-Apr-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: xtables: add the infrastructure to translate from iptables to nft

This patch provides the infrastructure and two new utilities to
translate iptables commands to nft. They are:

1) iptables-restore-translate, which basically takes a file that contains
the ruleset in iptables-restore format and converts it to the nft
syntax, e.g.

% iptables-restore-translate -f ipt-ruleset > nft-ruleset
% cat nft-ruleset
# Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT iifname lo counter accept
# -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
...

The rules that cannot be translated are left commented. Users should be able
to run this to track down the nft progress to see at what point it can fully
replace iptables and their filtering policy.

2) iptables-translate which suggests a translation for an iptables
command:

$ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
742baabd185c326cc2125e648e240894362eb31c 15-Sep-2015 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: use new symbols in libnftnl

Adapt this code to use the new symbols in libnftnl. This patch contains quite
some renaming to reserve the nft_ prefix for our high level library.

Explicitly request libnftnl 1.0.5 at configure stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
902e92ceedba96d3241fa8ff701c061cd53a197d 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> ebtables-compat: use ebtables_command_state in bootstrap code

And introduce fake ebt_entry.

This gets the code in sync with the other existing compat tools. This
will likely allow consolidating common infrastructure.

This code is still quite experimental.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
da871de2a6efb576b6378a66222c0871f4282e96 09-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft: bootstrap ebtables-compat

This patch bootstraps ebtables-compat, the ebtables compatibility
software upon nf_tables.

[ Original patches:

http://patchwork.ozlabs.org/patch/395544/
http://patchwork.ozlabs.org/patch/395545/
http://patchwork.ozlabs.org/patch/395546/

I have also forward-ported them on top of the current git HEAD, otherwise
compilation breaks.

This bootstrap is experimental; it still needs more work. --Pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
c82bf9f79bbc299de428fdc2e204d571b6cbc50d 12-Nov-2014 Arturo Borrero <arturo.borrero.glez@gmail.com> iptables-compat: kill add_*() invflags parameter

Let's kill the invflags parameter and use NFT_CMP_[N]EQ directly.
The caller must calculate which kind of cmp operation is required.

BTW, this patch solves the absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
63f1391a5441bb092f7a1a4023e2f158ee9231a2 23-Oct-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables-compat: statify unused built-in table/chain functions

The functions that allow you to create built-in tables and chains are
required out of the scope of nft.c

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
f1299b98d7ff200eb50ca574278bfeb1368de01b 09-Jun-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables: nft: add tables and chains to the batch

Since kernel changes:

55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure
to handle table").
91c7b38 ("netfilter: nf_tables: use new transaction infrastructure
to handle chain").

it is possible to put tables and chains in the same batch (which was
already including rules). This patch probes the kernel to check if
the new transaction is available, otherwise it falls back to the
previous non-transactional approach to handle these two objects.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
ee85b1bc1bb9f91daf2004823dfa204dbc52f52a 09-Jun-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables: nft: remove unused code

Remove code to set table in dormant state, this is not required from
the iptables over nft compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
495f1e8cc1753a3577a0b6c790b96b34859cd9bd 09-Jun-2014 Pablo Neira Ayuso <pablo@netfilter.org> iptables: nft: generalize batch infrastructure

Prepare inclusion of tables and chain objects in the batch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
e6b8e172fca48f5d80699afe80947b0fc1f23fd6 11-Feb-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Initialize a table only once

This helps to remove some runtime overhead, especially when running
xtables-restore.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
690ea18fdd6f8bc12322a729a2f7c97d8e731c43 11-Feb-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: A builtin chain might be created when restoring

nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
d007e1a59e4beaddab430992302d43b122ffc801 11-Feb-2014 Pablo Neira Ayuso <pablo@netfilter.org> nft-compat: fix IP6T_F_GOTO flag handling

IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling
to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
8877968858a8dd6b7ae096988d57a7511c81733d 10-Feb-2014 Giuseppe Longo <giuseppelng@gmail.com> nft: adds save_matches_and_target

This patch permits saving matches and target for the ip/ip6/arp/eb
families, required for xtables-events.

Also, it generalizes nft_rule_print_save to be reused for all protocol
families.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
7851975e5055381d30f0788d90671485695928e1 10-Feb-2014 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: Add backward compatibility with -w option

Just to keep aligned with iptables legacy tool.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
d6a127cd5710f8c60e95bfd0378ca352c07140a9 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: batch rule-set updates into one single netlink message

With this patch, all rule-set updates are put in one single batch
of netlink messages that is sent to user-space using the new
nfnetlink batch infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
b756cf08d6eff885d808504c674bd7eb5ebabfbb 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_* functions to support ARP

This should help to avoid code duplication to support ARP.
As a result, we have a common generic infrastructure for
IPv4, IPv6 and ARP.

This patch removes nft_arp_rule_append and nft_arp_rule_insert,
which were very similar to their original nft_rule_append and
nft_rule_insert.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 18-Sep-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: consolidate nft_rule_new to support ARP

This patch removes nft_arp_rule_new, which was almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
217f021925872dcbce4187408762845ae3f6f182 16-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: nft-arp: implements is_same op for ARP family

The following patch implements the is_same operation
for the ARP family, needed for searching ARP rules.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
84909d171585d77fe769f03e2b1b96eab0aa0213 09-Sep-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: bootstrap ARP compatibility layer for nftables

This patch bootstraps ARP support for the compatibility layer:

1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).

[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:

* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point, as
some refactoring should allow accommodating those functions in the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.

--pablo ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
a69cc575295eedb44f0fa33cd5fcf1cc0114133a 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: allow to reset the counters of an existing rule

Now that we convert nft rules to native xt command structure, it's
easier to reset the counters by replacing the existing rule by a
new one with all counters set to zero.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
cdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 19-Aug-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: convert rule into a command state structure

This helps to reduce the code complexity to have one single common path
for printing, saving and looking up for the rule.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
afae1f841bc2c4b39a38fa97d271f3877d00bf3a 26-Jul-2013 Giuseppe Longo <giuseppelng@gmail.com> nft: associate table configuration to handle via nft_init

We need family-dependent built-in table/chain configuration. This
patch is a step forward in making nft family independent in
order to support the arptables and ebtables compatibility layers.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
cf95f347e52ca8badc6a7149045d9c09f4fa666d 19-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: add -I chain rulenum

This patch adds the nft_rule_insert function, which allows
us to insert rules at a given position.

The function nft_rule_add has been renamed to nft_rule_append.

This is possible thanks to Eric Leblond's (netfilter: nf_tables:
add insert operation) kernel patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
e127d223d01aaa0886c7f279110ac36651b9a057 16-Jul-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: Remove useless parameter to nft_chain_list_find

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
b48126ca92cc44e88aa024e6da7ff245914d6a53 18-Jun-2013 Giuseppe Longo <giuseppelng@gmail.com> xtables: allow to zero chains via -Z

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
8b9ea2e3f8d685a6b940691cabf5e82c96254747 10-Mar-2013 Pablo Neira Ayuso <pablo@netfilter.org> nft: load tables and chains based on /etc/xtables.conf

If /etc/xtables.conf is available, use the configuration there to
autoload the xtables built-in table and chain so you can define custom
configurations. Otherwise, rely on default common table/chain
configuration.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
077785df023ad8947d44d19769bc6d91e3917633 23-Feb-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> nft: Split nft core to become family independent

This makes the nft core code independent from the family. Each family needs
to implement and provide a struct nft_family_ops {}.

This split will ease future support for bridge and arp rule manipulation.

[ updated header files and rebased upon the current tree --pablo ]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
1ff21a68502d67e056100da7e0da074467bc08ed 09-Feb-2013 Pablo Neira Ayuso <pablo@netfilter.org> add xtables-events

Add new program to listen to rule updates:

shell$ xtables-events
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-D INPUT -m state --state ESTABLISHED -j ACCEPT

You can use `-c' option to display counters.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
9e62dc8637f210cdeaed784396fecab9b6e5f043 20-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables-restore: support atomic commit

Use new services in nf_tables to support atomic commit.

Commit per table: although we support global commit at once, we
call commit for each table to emulate iptables-restore
behaviour for now.

Keep table dormant/wake up code in iptables/nft.c as it can
be used in the future.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
0aad20f3979e3b6becd40e4ed5bba8d09d90706e 20-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: purge out user-defined chains from the kernel

xtables-restore has to purge out user-defined chains that are
not defined in the configuration file.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
8ebee8c46101914b269afe94e772321e5ee09c3f 20-Jan-2013 Pablo Neira Ayuso <pablo@netfilter.org> xtables: fix compilation warning

xtables-standalone.c: In function ‘xtables_main’:
xtables-standalone.c:64:2: warning: implicit declaration of function ‘do_commandx’ [-Wimplicit-function-declaration]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
0391677c1a0b28c14d01febd9628a543e8e5fd62 13-Jan-2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> xtables: add IPv6 support

Summary of changes to add IPv6 support to the xtables utility:

* modify all commands (add, delete, replace, check and listing) to
support IPv6 addresses.

And for the internal nft library:

* add family to struct nft_handle and modify all callers to use this
family instead of the hardcoded AF_INET.
* move code that we can re-use for IPv4 and IPv6 into helper functions.
* add IPv6 rule printing support.
* add support to parse IPv6 addresses.

Pablo added several improvements to this patch:

* added basic xtables-save and xtables-restore support (so it defaults
to IPv4)
* fixed a couple of bugs found while testing
* added reference when -f is used to point to -m frag (until we can make
this consistent with IPv4).

Note that we use one single xtables binary utility for IPv4 and IPv6.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
5705ea1f4e3c9cd3d5d9cbcf84b9733ce1f07e57 19-Nov-2012 Pablo Neira Ayuso <pablo@netfilter.org> xtables-restore: add support for dormant tables

This patch adds support for dormant tables for xtables-restore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
1298a1014bc14c45de50cc242779dfa382c456c9 03-Nov-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables: nft: use 64-bits handle

Now that we use that in kernel space and in libnftables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h
0a366d8696582e979d55f6832a797d1217f4b908 31-Oct-2012 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> iptables: nft: Add support for -R option

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
/external/iptables/iptables/nft.h
384958620abab397062b67fb2763e813b63f74f0 27-Sep-2012 Pablo Neira Ayuso <pablo@netfilter.org> use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aim to be similar; still, the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But getting those done is only a matter of time.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get operation similar
to that of iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/nft.h