summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* extensions: tcpmss: add iptables-translate supportHEADmasterFlorian Westphal10 days2-0/+27
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* xshared: Make load_proto() staticPhil Sutter2021-11-232-2/+1
| | | | | | | The last outside users vanished ten years ago. Fixes: 449cdd6bcc8d1 ("src: combine default_command functions") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-shared: Drop unused function print_proto()Phil Sutter2021-11-232-16/+0
| | | | | | | | | The last users vanished back in 2013. There is identical code in save_rule_details(), but with only a single user there's not much point in keeping the function. Fixes: cdc78b1d6bd7b ("nft: convert rule into a command state structure") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share print_header() with legacy iptablesPhil Sutter2021-11-239-161/+82
| | | | | | | | | | | | | | | Legacy iptables fetches the relevant data via libiptc before calling the shared routine which merely prints data as requested. Drop the 'basechain' parameter, instead make sure a policy name is passed only with base chains. Since the function is not shared with ebtables (which uses a very rudimental header instead), this is safe. In order to support legacy iptables' checking of iptc_get_references() return code (printing an error message instead of the reference count), make refs parameter signed and print the error message if it's negative. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share print_fragment() with legacyPhil Sutter2021-11-236-35/+25
| | | | | | | | | | | Also add a fake mode to make it suitable for ip6tables. This is required because IPT_F_FRAG value clashes with IP6T_F_PROTO, so ip6tables rules might seem to have IPT_F_FRAG bit set. While being at it, drop the local variable 'flags' from print_firewall(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share print_rule_details() with legacyPhil Sutter2021-11-238-76/+37
| | | | | | | | | | Have to pass pointer to counters directly since different fields are being used for some reason. Since proto_to_name() is not used outside of xshared.c anymore, make it static. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share save_ipv{4,6}_addr() with legacyPhil Sutter2021-11-236-119/+70
| | | | | | | While being at it, make save_ipv4_addr() accept an in_addr* as mask - mask_to_str() needs it anyway. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share save_rule_details() with legacyPhil Sutter2021-11-238-91/+50
| | | | | | | | | | The function combines printing of input and output interfaces and protocol parameter, all being IP family independent. Extend the function to print fragment option ('-f'), too if requested. While being at it, drop unused iptables_command_state parameter and reorder the remaining ones a bit. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Share print_iface() functionPhil Sutter2021-11-235-80/+33
| | | | | | | | | | | Merge the three identical copies into one and name it 'save_iface' (as the printed syntax is for "save"-format). Leave arptables alone for now, its rather complicated whitespace printing doesn't allow for use of the shared function. Also keep ebtables' custom implementation, it is used for the --logical-in/--logical-out long-options, too. Apart from that, ebtables-nft does not use a mask, at all. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Change whitespace printing in save_rule callbackPhil Sutter2021-11-236-25/+30
| | | | | | | This aligns whitespace printing with legacy iptables' print_rule4() in order to prepare for further code-sharing. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Merge and share parse_chain()Phil Sutter2021-11-235-59/+26
| | | | | | | Have a common routine to perform chain name checks, combining all variants' requirements. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: hashlimit: Fix tests with HZ=1000Phil Sutter2021-11-231-2/+2
| | | | | | | | | | | | | | | | | | In an attempt to fix for failing hashlimit tests with HZ=100, the expected failures were changed so they are expected to pass and the parameters changed to seemingly fix them. Yet while the new parameters worked on HZ=100 systems, with higher tick rates they didn't so the observed problem moved from the test failing on HZ=100 to failing on HZ=1000 instead. Kernel's error message "try lower: 864000000/5" turned out to be a red herring: The burst value does not act as a dividor but a multiplier instead, so in order to lower the overflow-checked value, a lower burst value must be chosen. Inded, using a burst value of 1 makes the kernel accept the rule in both HZ=100 and HZ=1000 configurations. Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate-test: Print full path if testing all filesPhil Sutter2021-11-081-9/+9
| | | | | | | | Lines won't become too long and it's more clear to users where test input comes from this way. Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Unbreak xtables-translatePhil Sutter2021-11-081-1/+8
| | | | | | | | | | | | | | | | Fixed commit broke xtables-translate which still relied upon do_parse() to properly initialize the passed iptables_command_state reference. To allow for callers to preset fields, this doesn't happen anymore so do_command_xlate() has to initialize itself. Otherwise garbage from stack is read leading to segfaults and program aborts. Although init_cs callback is used by arptables only and arptables-translate has not been implemented, do call it if set just to avoid future issues. Fixes: cfdda18044d81 ("nft-shared: Introduce init_cs family ops callback") Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Merge xtables-arp-standalone.c into xtables-standalone.cPhil Sutter2021-10-207-699/+218
| | | | | | | | | | | | | | | | | | | By declaring the relevant family_ops callbacks for arptables, the code becomes ready to just use do_commandx() instead of a dedicated parser. As a side-effect, this enables a bunch of new features in arptables-nft: * Support '-C' command * Support '-S' command * Support rule indexes just like xtables, e.g. in '-I' or '-R' commands * Reject chain names starting with '!' * Support '-c N,M' counter syntax Since arptables still accepts intrapositioned negations, add code to cover that but print a warning like iptables did 12 years ago prior to removing the functionality. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: arptables accepts empty interface namesPhil Sutter2021-10-201-8/+15
| | | | | | | | The empty string passed as interface name is simply ignored by legacy arptables. Make the new common parser print a warning but accept it. Calling xtables_parse_interface() with an empty string is safe. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Derive xtables_globals from familyPhil Sutter2021-10-205-8/+23
| | | | | | | | | | | | | | Prepare xtables_main() for use with other families than IPV4 or IPV6 which both use the same xtables_globals object. Therefore introduce a function to map from family value to xtables_globals object pointer. In do_parse(), use xt_params pointer as well instead of direct reference. While being at it, Declare arptables_globals and ebtables_globals in xtables_multi.h which seems to be the proper place for that. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-shared: Make nft_check_xt_legacy() family agnosticPhil Sutter2021-10-201-0/+5
| | | | | | | Of course there is no such thing as *_tables_names for ebtables, so no legacy tables checking for ebtables-nft. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-arp: Introduce post_parse callbackPhil Sutter2021-10-203-128/+178
| | | | | | | This accomplishes the same tasks as e.g. nft_ipv4_post_parse() plus some arptables-specific bits. Signed-off-by: Phil Sutter <phil@nwl.cc>
* arptables: Use standard data structures when parsingPhil Sutter2021-10-201-142/+138
| | | | | | | | Use the compound data structures introduced for dedicated parsing routines in other families instead of the many local variables. This allows to standardize code a bit for sharing a common parser later. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libxtables: Introduce xtables_globals print_help callbackPhil Sutter2021-10-203-3/+8
| | | | | | | | With optstring being stored in struct xtables_globals as well, it is a natural choice to store a pointer to a help printer also which matches the supported options. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-standalone: Drop version number from init errorsPhil Sutter2021-10-201-8/+4
| | | | | | | | | | | Aside from the rather unconventional formatting, if those initialization functions fail we've either released a completely broken iptables or the wrong libraries are chosen by the loader. In both cases, the version number is not really interesting. While being at it, fix indenting of the first exit() call. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Add family ops callbacks wrapping different nft_cmd_* functionsPhil Sutter2021-10-204-177/+228
| | | | | | | | | | Commands supporting multiple source/destination addresses need to iterate over them and call the respective nft_cmd_* function multiple times. These loops are family-specific though as each family uses a different data structure within struct iptables_command_state to store the addresses. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Simplify addr_mask freeingPhil Sutter2021-10-202-11/+6
| | | | | | Introduce a generic 'ptr' union field to pass to free(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-shared: Introduce init_cs family ops callbackPhil Sutter2021-10-203-5/+17
| | | | | | | Arptables sets a few defaults in struct iptables_command_state upon initialization. Introduce a callback to do that. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Store optstring in xtables_globalsPhil Sutter2021-10-205-6/+10
| | | | | | | | | | | Preparing for a common option parser, store the string of options for each family inside the respective xtables_globals object. The array of long option definitions sitting in there already indicates it's the right place. While being at it, drop '-m' support from arptables-nft. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce builtin_tables_lookup()Phil Sutter2021-10-209-24/+25
| | | | | | | The set of builtin tables to use is fully determined by the given family so just look it up instead of having callers pass it explicitly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: fix bashismJeremy Sowden2021-10-011-1/+1
| | | | | | | | | The `<(cmd)` redirection is specific to Bash. Update the shebang accordingly. Fixes: 63ab4fe3a191 ("ebtables: Avoid dropping policy when flushing") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: Delete builtin chains compatiblyPhil Sutter2021-09-273-9/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | Attempting to delete all chains if --delete-chain is called without argument has unwanted side-effects especially legacy iptables users are not aware of and won't expect: * Non-default policies are ignored, a previously dropping firewall may start accepting traffic. * The kernel refuses to remove non-empty chains, causing program abort even if no user-defined chain exists. Fix this by requiring a rule cache in that situation and make builtin chain deletion depend on its policy and number of rules. Since this may change concurrently, check again when having to refresh the transaction. Also, hide builtin chains from verbose output - their creation is implicit, so treat their removal as implicit, too. When deleting a specific chain, do not allow to skip the job though. Otherwise deleting a builtin chain which is still in use will succeed although not executed. Fixes: 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-chain: Introduce base_slot fieldPhil Sutter2021-09-273-29/+5
| | | | | | | | For builtin chains, record the base_chains array slot they are assigned to. This simplifies removing that reference if they are being deleted later. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Check base-chain compatibility when adding to cachePhil Sutter2021-09-275-44/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | With introduction of dedicated base-chain slots, a selection process was established as no longer all base-chains ended in the same chain list for later searching/checking but only the first one found for each hook matching criteria is kept and the rest discarded. A side-effect of the above is that table compatibility checking started to omit consecutive base-chains, making iptables-nft less restrictive as long as the expected base-chains were returned first from kernel when populating the cache. Make behaviour consistent and warn users about the possibly disturbing chains found by: * Run all base-chain checks from nft_is_chain_compatible() before allowing a base-chain to occupy its slot. * If an unfit base-chain was found (and discarded), flag the table's cache as tainted and warn about it if the remaining ruleset is otherwise compatible. Since base-chains that remain in cache would pass nft_is_chain_compatible() checking, remove that and reduce it to rule inspection. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Avoid double free of unrecognized base-chainsPhil Sutter2021-09-272-3/+28
| | | | | | | | | On error, nft_cache_add_chain() frees the allocated nft_chain object along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to not free the nftnl_chain again in that case. Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: add missing argument and option to usagemizuta.takeshi@fujitsu.com2021-09-261-2/+3
| | | | | | | | In xtables-restore-translate usage, the argument <FILE> for the -f option and the -V|--version option are missing, so added them. Signed-off-by: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: iptables-test: Fix conditional colors on stderrPhil Sutter2021-09-221-4/+5
| | | | | | | | | | Štěpán's patch to make colored output depend on whether output is a TTY clashed with my change to print errors to stderr instead of stdout. Fix this by telling maybe_colored() if it should print colors or not as only caller knows where output is sent to. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: Avoid dropping policy when flushingPhil Sutter2021-09-152-1/+44
| | | | | | | | Unlike nftables, ebtables' user-defined chains have policies - ebtables-nft implements those internally as invisible last rule. In order to recreate them after a flush command, a rule cache is needed. https://bugzilla.netfilter.org/show_bug.cgi?id=1558
* iptables-test.py: print with color escapes only when stdout isattyŠtěpán Němec2021-09-131-10/+13
| | | | | | | | When the output doesn't go to a terminal (typical case: log files), the escape sequences are just noise. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Return non-zero on errorPhil Sutter2021-09-131-1/+1
| | | | | | If any test fails, return a non-zero exit code. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Exit non-zero on errorPhil Sutter2021-09-131-1/+2
| | | | | | If any test fails, return a non-zero exit code. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Exit non-zero on errorPhil Sutter2021-09-131-10/+16
| | | | | | | | | If a test fails, return a non-zero exit code. To do so, propagate the pass/fail statistics up to main() for evaluation. While being at it, move the statistics printing into there as well and get rid of that redundant assignment to 'test_passed'. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Print errors to stderrPhil Sutter2021-09-131-4/+5
| | | | | | | No big deal, just pass the extra parameter to the four error print calls. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Print errors to stderrPhil Sutter2021-09-131-2/+2
| | | | | | | Return code is always zero, so grepping for output on stderr is a simple way to detect testsuite failures. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: xlate-test: Don't skip any input after the first empty linePhil Sutter2021-09-131-2/+2
| | | | | | | | | | | | | | | | | | | | | In conditionals, testing the empty string evaluates to false. This is dumb but seems intentional, as readline() method returns an empty string at EOF. This is distinct from reading an empty line as the latter contains the newline character - unless it is stripped in between readline() and conditional. The fixed commit introduced just that by accident, effectively reducing any test file to the first contained test: | $ ./xlate-test.py | [...] | 81 test files, 84 tests, 84 tests passed, 0 tests failed, 0 errors With this change in place, the summary looks much better: | 81 test files, 368 tests, 368 tests passed, 0 tests failed, 0 errors Fixes: 62828a6aff231 ("tests: xlate-test: support multiline expectation") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: iptables-test: Fix missing chain casePhil Sutter2021-09-131-2/+5
| | | | | | | | | If a chain line was really missing, Python complained about reference before assignment of 'chain_array' variable. While being at it, reuse print_error() function for reporting and allow to continue with the next input file instead of exiting. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-nft: allow removal of empty builtin chainsFlorian Westphal2021-09-078-45/+72
| | | | | | | | | | | | The only reason why this is prohibited is that you cannot do it in iptables-legacy. This removes the artifical limitation. "iptables-nft -X" will leave the builtin chains alone; Also, deletion is only permitted if the chain is empty. Signed-off-by: Florian Westphal <fw@strlen.de>
* Fix a few doc typosŠtěpán Němec2021-09-032-4/+4
| | | | | | | Just a few minor language fixes. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use xtables_{m,c}alloc() everywherePhil Sutter2021-08-316-47/+12
| | | | | | | | | | Make use of libxtables allocators where sensible to have implicit error checking. Leave library-internal calls in place to not create unexpected program exit points for users, apart from xt_xlate_alloc() as that function called xtables_error() in error case which exits by itself already. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Use xtables_malloc() in mnl_err_list_node_add()Phil Sutter2021-08-311-1/+1
| | | | | | | | The function called malloc() without checking for memory allocation failure. Simply replace the call by xtables_malloc() to fix that. Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libxt_mac: Fix for missing space in listingPhil Sutter2021-08-311-2/+2
| | | | | | | | | Listing the extension using 'iptables -L', there was no space between 'MAC' and the following Address. Reported-by: Adam Wójcik <a.wojcik@hyp.home.pl> Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables-test: Make netns spawning more robustPhil Sutter2021-08-111-7/+30
| | | | | | | On systems without unshare Python module, try to call unshare binary with oneself as parameters. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: hashlimit: Fix tests with HZ=100Phil Sutter2021-08-101-4/+2
| | | | | | | | | | With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not overflow in kernel, making the test unstable depending on kernel config. Change it to not overflow with 1000Hz either by increasing the burst value by a factor of 100. Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test") Signed-off-by: Phil Sutter <phil@nwl.cc>