summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* xtables-standalone: Drop version number from init errorsPhil Sutter2021-10-201-8/+4
| | | | | | | | | | | Aside from the rather unconventional formatting, if those initialization functions fail we've either released a completely broken iptables or the wrong libraries are chosen by the loader. In both cases, the version number is not really interesting. While being at it, fix indenting of the first exit() call. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Add family ops callbacks wrapping different nft_cmd_* functionsPhil Sutter2021-10-204-177/+228
| | | | | | | | | | Commands supporting multiple source/destination addresses need to iterate over them and call the respective nft_cmd_* function multiple times. These loops are family-specific though as each family uses a different data structure within struct iptables_command_state to store the addresses. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Simplify addr_mask freeingPhil Sutter2021-10-202-11/+6
| | | | | | Introduce a generic 'ptr' union field to pass to free(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-shared: Introduce init_cs family ops callbackPhil Sutter2021-10-203-5/+17
| | | | | | | Arptables sets a few defaults in struct iptables_command_state upon initialization. Introduce a callback to do that. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Store optstring in xtables_globalsPhil Sutter2021-10-205-6/+10
| | | | | | | | | | | Preparing for a common option parser, store the string of options for each family inside the respective xtables_globals object. The array of long option definitions sitting in there already indicates it's the right place. While being at it, drop '-m' support from arptables-nft. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce builtin_tables_lookup()Phil Sutter2021-10-209-24/+25
| | | | | | | The set of builtin tables to use is fully determined by the given family so just look it up instead of having callers pass it explicitly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: fix bashismJeremy Sowden2021-10-011-1/+1
| | | | | | | | | The `<(cmd)` redirection is specific to Bash. Update the shebang accordingly. Fixes: 63ab4fe3a191 ("ebtables: Avoid dropping policy when flushing") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: Delete builtin chains compatiblyPhil Sutter2021-09-273-9/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | Attempting to delete all chains if --delete-chain is called without argument has unwanted side-effects especially legacy iptables users are not aware of and won't expect: * Non-default policies are ignored, a previously dropping firewall may start accepting traffic. * The kernel refuses to remove non-empty chains, causing program abort even if no user-defined chain exists. Fix this by requiring a rule cache in that situation and make builtin chain deletion depend on its policy and number of rules. Since this may change concurrently, check again when having to refresh the transaction. Also, hide builtin chains from verbose output - their creation is implicit, so treat their removal as implicit, too. When deleting a specific chain, do not allow to skip the job though. Otherwise deleting a builtin chain which is still in use will succeed although not executed. Fixes: 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-chain: Introduce base_slot fieldPhil Sutter2021-09-273-29/+5
| | | | | | | | For builtin chains, record the base_chains array slot they are assigned to. This simplifies removing that reference if they are being deleted later. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Check base-chain compatibility when adding to cachePhil Sutter2021-09-275-44/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | With introduction of dedicated base-chain slots, a selection process was established as no longer all base-chains ended in the same chain list for later searching/checking but only the first one found for each hook matching criteria is kept and the rest discarded. A side-effect of the above is that table compatibility checking started to omit consecutive base-chains, making iptables-nft less restrictive as long as the expected base-chains were returned first from kernel when populating the cache. Make behaviour consistent and warn users about the possibly disturbing chains found by: * Run all base-chain checks from nft_is_chain_compatible() before allowing a base-chain to occupy its slot. * If an unfit base-chain was found (and discarded), flag the table's cache as tainted and warn about it if the remaining ruleset is otherwise compatible. Since base-chains that remain in cache would pass nft_is_chain_compatible() checking, remove that and reduce it to rule inspection. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Avoid double free of unrecognized base-chainsPhil Sutter2021-09-272-3/+28
| | | | | | | | | On error, nft_cache_add_chain() frees the allocated nft_chain object along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to not free the nftnl_chain again in that case. Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: add missing argument and option to usagemizuta.takeshi@fujitsu.com2021-09-261-2/+3
| | | | | | | | In xtables-restore-translate usage, the argument <FILE> for the -f option and the -V|--version option are missing, so added them. Signed-off-by: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: iptables-test: Fix conditional colors on stderrPhil Sutter2021-09-221-4/+5
| | | | | | | | | | Štěpán's patch to make colored output depend on whether output is a TTY clashed with my change to print errors to stderr instead of stdout. Fix this by telling maybe_colored() if it should print colors or not as only caller knows where output is sent to. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Avoid dropping policy when flushingPhil Sutter2021-09-152-1/+44
| | | | | | | | Unlike nftables, ebtables' user-defined chains have policies - ebtables-nft implements those internally as invisible last rule. In order to recreate them after a flush command, a rule cache is needed. https://bugzilla.netfilter.org/show_bug.cgi?id=1558
* iptables-test.py: print with color escapes only when stdout isattyŠtěpán Němec2021-09-131-10/+13
| | | | | | | | When the output doesn't go to a terminal (typical case: log files), the escape sequences are just noise. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Return non-zero on errorPhil Sutter2021-09-131-1/+1
| | | | | | If any test fails, return a non-zero exit code. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Exit non-zero on errorPhil Sutter2021-09-131-1/+2
| | | | | | If any test fails, return a non-zero exit code. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Exit non-zero on errorPhil Sutter2021-09-131-10/+16
| | | | | | | | | If a test fails, return a non-zero exit code. To do so, propagate the pass/fail statistics up to main() for evaluation. While being at it, move the statistics printing into there as well and get rid of that redundant assignment to 'test_passed'. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Print errors to stderrPhil Sutter2021-09-131-4/+5
| | | | | | | No big deal, just pass the extra parameter to the four error print calls. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Print errors to stderrPhil Sutter2021-09-131-2/+2
| | | | | | | Return code is always zero, so grepping for output on stderr is a simple way to detect testsuite failures. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Don't skip any input after the first empty linePhil Sutter2021-09-131-2/+2
| | | | | | | | | | | | | | | | | | | | | In conditionals, testing the empty string evaluates to false. This is dumb but seems intentional, as readline() method returns an empty string at EOF. This is distinct from reading an empty line as the latter contains the newline character - unless it is stripped in between readline() and conditional. The fixed commit introduced just that by accident, effectively reducing any test file to the first contained test: | $ ./xlate-test.py | [...] | 81 test files, 84 tests, 84 tests passed, 0 tests failed, 0 errors With this change in place, the summary looks much better: | 81 test files, 368 tests, 368 tests passed, 0 tests failed, 0 errors Fixes: 62828a6aff231 ("tests: xlate-test: support multiline expectation") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix missing chain casePhil Sutter2021-09-131-2/+5
| | | | | | | | | If a chain line was really missing, Python complained about reference before assignment of 'chain_array' variable. While being at it, reuse print_error() function for reporting and allow to continue with the next input file instead of exiting. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: allow removal of empty builtin chainsFlorian Westphal2021-09-078-45/+72
| | | | | | | | | | | | The only reason why this is prohibited is that you cannot do it in iptables-legacy. This removes the artifical limitation. "iptables-nft -X" will leave the builtin chains alone; Also, deletion is only permitted if the chain is empty. Signed-off-by: Florian Westphal <fw@strlen.de>
* Fix a few doc typosŠtěpán Němec2021-09-032-4/+4
| | | | | | | Just a few minor language fixes. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use xtables_{m,c}alloc() everywherePhil Sutter2021-08-316-47/+12
| | | | | | | | | | Make use of libxtables allocators where sensible to have implicit error checking. Leave library-internal calls in place to not create unexpected program exit points for users, apart from xt_xlate_alloc() as that function called xtables_error() in error case which exits by itself already. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use xtables_malloc() in mnl_err_list_node_add()Phil Sutter2021-08-311-1/+1
| | | | | | | | The function called malloc() without checking for memory allocation failure. Simply replace the call by xtables_malloc() to fix that. Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_mac: Fix for missing space in listingPhil Sutter2021-08-311-2/+2
| | | | | | | | | Listing the extension using 'iptables -L', there was no space between 'MAC' and the following Address. Reported-by: Adam Wójcik <a.wojcik@hyp.home.pl> Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-test: Make netns spawning more robustPhil Sutter2021-08-111-7/+30
| | | | | | | On systems without unshare Python module, try to call unshare binary with oneself as parameters. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: hashlimit: Fix tests with HZ=100Phil Sutter2021-08-101-4/+2
| | | | | | | | | | With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not overflow in kernel, making the test unstable depending on kernel config. Change it to not overflow with 1000Hz either by increasing the burst value by a factor of 100. Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ip6tables: masquerade: use fully-random so that nft can understand the rulePavel Tikhomirov2021-08-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Here is the problem: []# nft -v nftables v0.9.8 (E.D.S.) []# iptables-nft -v iptables v1.8.7 (nf_tables): no command specified Try `iptables -h' or 'iptables --help' for more information. []# nft flush ruleset []# ip6tables-nft -t nat -A POSTROUTING -j MASQUERADE --random-full []# nft list ruleset table ip6 nat { chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 masquerade random-fully } } []# nft list ruleset > /tmp/ruleset []# nft flush ruleset []# nft -f /tmp/ruleset /tmp/ruleset:4:54-54: Error: syntax error, unexpected newline counter packets 0 bytes 0 masquerade random-fully That's because nft list ruleset saves "random-fully" which is wrong format for nft -f, right should be "fully-random". We face this problem because we run k8s in Virtuozzo container, and k8s creates those "random-fully" rules by iptables(nft) and then CRIU can't restore those rules using nft. Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libxtables: exit if called by setuid executeableFlorian Westphal2021-08-041-0/+4
| | | | | | | | | iptables (legacy or nft, doesn't matter) cannot be safely used with setuid binaries. Add a safety check for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Assert non-verbose mode is silentPhil Sutter2021-08-031-0/+11
| | | | | | | | | | Unexpected output from iptables commands might mess up error-checking in scripts for instance, so do a quick test of the most common commands. Note: Test adds two rules to make sure flush command operates on a non-empty chain. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for non-verbose check commandPhil Sutter2021-08-031-1/+1
| | | | | | | | Check command was unconditionally verbose since v1.8.5. Make it respect --verbose option again. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Dump atomic wastePhil Sutter2021-08-021-53/+0
| | | | | | | | | | | With ebtables-nft.8 now educating people about the missing functionality, get rid of atomic remains in source code. This eliminates mostly comments except for --atomic-commit which was treated as alias of --init-table. People not using the latter are probably trying to atomic-commit from an atomic-file which in turn is not supported, so no point keeping it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: ebtables-nft.8: Adjust for missing atomic-optionsPhil Sutter2021-07-291-56/+8
| | | | | | | | | Drop any reference to them (and the environment variable) but list them in BUGS section hinting at ebtables-save and -restore tools. Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Call init_extensions6() for static buildsErik Wilson2021-07-145-0/+5
| | | | | | | | Initialize extensions from libext6 for cases where xtables is built statically. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1550 Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_multiport: add translation for -m multiport --portsPablo Neira Ayuso2021-06-252-8/+33
| | | | | | Add a translation for -m multiport --ports. Extend the existing testcase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_conntrack: simplify translation using negationPablo Neira Ayuso2021-06-072-37/+17
| | | | | | | | | Available since nftables 0.9.9. For example: # iptables-translate -I INPUT -m state ! --state NEW,INVALID nft insert rule ip filter INPUT ct state ! invalid,new counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_tcp: rework translation to use flags match representationPablo Neira Ayuso2021-06-073-10/+10
| | | | | | | Use the new flags match representation available since nftables 0.9.9 to simplify the translation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlimit: add translationPablo Neira Ayuso2021-06-072-0/+64
| | | | | | | | This patch adds a translation for connlimit matches which requires the definition of a set and the family context (either IPv4 or IPv6) which is required to display the netmask accordingly. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xlate-test: support multiline expectationPablo Neira Ayuso2021-06-071-2/+12
| | | | | | | | | | Extend translation test to deal with multiline translation, e.g. iptables-translate -A INPUT -m connlimit --connlimit-above 2 nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; } nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: extend xlate infrastructurePablo Neira Ayuso2021-06-074-28/+93
| | | | | | | | | | | | | | This infrastructure extends the existing xlate infrastructure: - Extensions can define set dependencies through .xlate. The resulting set definition can be obtained through xt_xlate_set_get(). - Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch the family. The first client of this new xlate API is the connlimit extension, which is added in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_string: Avoid buffer size warning for strncpy()Phil Sutter2021-06-071-1/+1
| | | | | | | If the target buffer does not need to be null-terminated, one may simply use memcpy() and thereby avoid any compiler warnings. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_strdup() and use it everywherePhil Sutter2021-06-0726-73/+60
| | | | | | This wraps strdup(), checking for errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Use xtables_ip6parse_any()Phil Sutter2021-06-071-64/+10
| | | | | | | | | | | The code was almost identical and suffered from the same problem as fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory corruption bugs"). The only functional change this involves is ebt_parse_ip6_address() will now accept hostnames as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-apply: Drop unused variablePhil Sutter2021-06-071-1/+0
| | | | | | | It was assigned to but never read. Fixes: b45b4e3903414 ("iptables-apply: script and manpage update") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid buffer size warnings copying iface namesPhil Sutter2021-06-072-4/+4
| | | | | | | | | The call to strncpy() is actually not needed: source buffer is only IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to avoid compiler warnings due to size parameter matching the destination buffer size by performing the copy using (dumb) memcpy() instead. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Avoid memleak in error path of nft_cmd_new()Phil Sutter2021-06-071-1/+3
| | | | | | | | If rule allocation fails, free the allocated 'cmd' before returning to caller. Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Fix memleak in xtopt_parse_hostmask()Phil Sutter2021-06-071-0/+1
| | | | | | | The allocated hostmask duplicate needs to be freed again. Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip6: Drop unused variablesPhil Sutter2021-06-071-4/+2
| | | | | | | They are being assigned to but never read. Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") Signed-off-by: Phil Sutter <phil@nwl.cc>