Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Pkg Iptables
Commits
6343d369
Commit
6343d369
authored
Jan 17, 2021
by
Arturo Borrero Gonzalez
Browse files
New upstream version 1.8.7
parent
9caffe92
Changes
44
Expand all
Hide whitespace changes
Inline
Side-by-side
iptables/nft-chain.h
0 → 100644
View file @
6343d369
#ifndef _NFT_CHAIN_H_
#define _NFT_CHAIN_H_
#include <libnftnl/chain.h>
#include <libiptc/linux_list.h>
struct
nft_handle
;
struct
nft_chain
{
struct
list_head
head
;
struct
hlist_node
hnode
;
struct
nftnl_chain
*
nftnl
;
};
#define CHAIN_NAME_HSIZE 512
struct
nft_chain_list
{
struct
list_head
list
;
struct
hlist_head
names
[
CHAIN_NAME_HSIZE
];
};
struct
nft_chain
*
nft_chain_alloc
(
struct
nftnl_chain
*
nftnl
);
void
nft_chain_free
(
struct
nft_chain
*
c
);
struct
nft_chain_list
*
nft_chain_list_alloc
(
void
);
void
nft_chain_list_free
(
struct
nft_chain_list
*
list
);
void
nft_chain_list_del
(
struct
nft_chain
*
c
);
#endif
/* _NFT_CHAIN_H_ */
iptables/nft-ipv4.c
View file @
6343d369
...
@@ -50,13 +50,15 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
...
@@ -50,13 +50,15 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
if
(
cs
->
fw
.
ip
.
src
.
s_addr
||
cs
->
fw
.
ip
.
smsk
.
s_addr
||
cs
->
fw
.
ip
.
invflags
&
IPT_INV_SRCIP
)
{
if
(
cs
->
fw
.
ip
.
src
.
s_addr
||
cs
->
fw
.
ip
.
smsk
.
s_addr
||
cs
->
fw
.
ip
.
invflags
&
IPT_INV_SRCIP
)
{
op
=
nft_invflags2cmp
(
cs
->
fw
.
ip
.
invflags
,
IPT_INV_SRCIP
);
op
=
nft_invflags2cmp
(
cs
->
fw
.
ip
.
invflags
,
IPT_INV_SRCIP
);
add_addr
(
r
,
offsetof
(
struct
iphdr
,
saddr
),
add_addr
(
r
,
NFT_PAYLOAD_NETWORK_HEADER
,
offsetof
(
struct
iphdr
,
saddr
),
&
cs
->
fw
.
ip
.
src
.
s_addr
,
&
cs
->
fw
.
ip
.
smsk
.
s_addr
,
&
cs
->
fw
.
ip
.
src
.
s_addr
,
&
cs
->
fw
.
ip
.
smsk
.
s_addr
,
sizeof
(
struct
in_addr
),
op
);
sizeof
(
struct
in_addr
),
op
);
}
}
if
(
cs
->
fw
.
ip
.
dst
.
s_addr
||
cs
->
fw
.
ip
.
dmsk
.
s_addr
||
cs
->
fw
.
ip
.
invflags
&
IPT_INV_DSTIP
)
{
if
(
cs
->
fw
.
ip
.
dst
.
s_addr
||
cs
->
fw
.
ip
.
dmsk
.
s_addr
||
cs
->
fw
.
ip
.
invflags
&
IPT_INV_DSTIP
)
{
op
=
nft_invflags2cmp
(
cs
->
fw
.
ip
.
invflags
,
IPT_INV_DSTIP
);
op
=
nft_invflags2cmp
(
cs
->
fw
.
ip
.
invflags
,
IPT_INV_DSTIP
);
add_addr
(
r
,
offsetof
(
struct
iphdr
,
daddr
),
add_addr
(
r
,
NFT_PAYLOAD_NETWORK_HEADER
,
offsetof
(
struct
iphdr
,
daddr
),
&
cs
->
fw
.
ip
.
dst
.
s_addr
,
&
cs
->
fw
.
ip
.
dmsk
.
s_addr
,
&
cs
->
fw
.
ip
.
dst
.
s_addr
,
&
cs
->
fw
.
ip
.
dmsk
.
s_addr
,
sizeof
(
struct
in_addr
),
op
);
sizeof
(
struct
in_addr
),
op
);
}
}
...
@@ -199,7 +201,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
...
@@ -199,7 +201,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv4
(
ctx
,
&
cs
->
fw
.
ip
.
smsk
);
parse_mask_ipv4
(
ctx
,
&
cs
->
fw
.
ip
.
smsk
);
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
}
else
{
}
else
{
cs
->
fw
.
ip
.
smsk
.
s_addr
=
0xffffffff
;
memset
(
&
cs
->
fw
.
ip
.
smsk
,
0xff
,
min
(
ctx
->
payload
.
len
,
sizeof
(
struct
in_addr
)));
}
}
if
(
inv
)
if
(
inv
)
...
@@ -212,7 +215,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
...
@@ -212,7 +215,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv4
(
ctx
,
&
cs
->
fw
.
ip
.
dmsk
);
parse_mask_ipv4
(
ctx
,
&
cs
->
fw
.
ip
.
dmsk
);
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
}
else
{
}
else
{
cs
->
fw
.
ip
.
dmsk
.
s_addr
=
0xffffffff
;
memset
(
&
cs
->
fw
.
ip
.
dmsk
,
0xff
,
min
(
ctx
->
payload
.
len
,
sizeof
(
struct
in_addr
)));
}
}
if
(
inv
)
if
(
inv
)
...
...
iptables/nft-ipv6.c
View file @
6343d369
...
@@ -51,7 +51,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
...
@@ -51,7 +51,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
!
IN6_IS_ADDR_UNSPECIFIED
(
&
cs
->
fw6
.
ipv6
.
smsk
)
||
!
IN6_IS_ADDR_UNSPECIFIED
(
&
cs
->
fw6
.
ipv6
.
smsk
)
||
(
cs
->
fw6
.
ipv6
.
invflags
&
IPT_INV_SRCIP
))
{
(
cs
->
fw6
.
ipv6
.
invflags
&
IPT_INV_SRCIP
))
{
op
=
nft_invflags2cmp
(
cs
->
fw6
.
ipv6
.
invflags
,
IPT_INV_SRCIP
);
op
=
nft_invflags2cmp
(
cs
->
fw6
.
ipv6
.
invflags
,
IPT_INV_SRCIP
);
add_addr
(
r
,
offsetof
(
struct
ip6_hdr
,
ip6_src
),
add_addr
(
r
,
NFT_PAYLOAD_NETWORK_HEADER
,
offsetof
(
struct
ip6_hdr
,
ip6_src
),
&
cs
->
fw6
.
ipv6
.
src
,
&
cs
->
fw6
.
ipv6
.
smsk
,
&
cs
->
fw6
.
ipv6
.
src
,
&
cs
->
fw6
.
ipv6
.
smsk
,
sizeof
(
struct
in6_addr
),
op
);
sizeof
(
struct
in6_addr
),
op
);
}
}
...
@@ -59,7 +60,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
...
@@ -59,7 +60,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
!
IN6_IS_ADDR_UNSPECIFIED
(
&
cs
->
fw6
.
ipv6
.
dmsk
)
||
!
IN6_IS_ADDR_UNSPECIFIED
(
&
cs
->
fw6
.
ipv6
.
dmsk
)
||
(
cs
->
fw6
.
ipv6
.
invflags
&
IPT_INV_DSTIP
))
{
(
cs
->
fw6
.
ipv6
.
invflags
&
IPT_INV_DSTIP
))
{
op
=
nft_invflags2cmp
(
cs
->
fw6
.
ipv6
.
invflags
,
IPT_INV_DSTIP
);
op
=
nft_invflags2cmp
(
cs
->
fw6
.
ipv6
.
invflags
,
IPT_INV_DSTIP
);
add_addr
(
r
,
offsetof
(
struct
ip6_hdr
,
ip6_dst
),
add_addr
(
r
,
NFT_PAYLOAD_NETWORK_HEADER
,
offsetof
(
struct
ip6_hdr
,
ip6_dst
),
&
cs
->
fw6
.
ipv6
.
dst
,
&
cs
->
fw6
.
ipv6
.
dmsk
,
&
cs
->
fw6
.
ipv6
.
dst
,
&
cs
->
fw6
.
ipv6
.
dmsk
,
sizeof
(
struct
in6_addr
),
op
);
sizeof
(
struct
in6_addr
),
op
);
}
}
...
@@ -146,7 +148,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
...
@@ -146,7 +148,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv6
(
ctx
,
&
cs
->
fw6
.
ipv6
.
smsk
);
parse_mask_ipv6
(
ctx
,
&
cs
->
fw6
.
ipv6
.
smsk
);
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
}
else
{
}
else
{
memset
(
&
cs
->
fw6
.
ipv6
.
smsk
,
0xff
,
sizeof
(
struct
in6_addr
));
memset
(
&
cs
->
fw6
.
ipv6
.
smsk
,
0xff
,
min
(
ctx
->
payload
.
len
,
sizeof
(
struct
in6_addr
)));
}
}
if
(
inv
)
if
(
inv
)
...
@@ -159,7 +162,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
...
@@ -159,7 +162,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv6
(
ctx
,
&
cs
->
fw6
.
ipv6
.
dmsk
);
parse_mask_ipv6
(
ctx
,
&
cs
->
fw6
.
ipv6
.
dmsk
);
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
ctx
->
flags
&=
~
NFT_XT_CTX_BITWISE
;
}
else
{
}
else
{
memset
(
&
cs
->
fw6
.
ipv6
.
dmsk
,
0xff
,
sizeof
(
struct
in6_addr
));
memset
(
&
cs
->
fw6
.
ipv6
.
dmsk
,
0xff
,
min
(
ctx
->
payload
.
len
,
sizeof
(
struct
in6_addr
)));
}
}
if
(
inv
)
if
(
inv
)
...
...
iptables/nft-shared.c
View file @
6343d369
...
@@ -20,7 +20,6 @@
...
@@ -20,7 +20,6 @@
#include <xtables.h>
#include <xtables.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/xt_comment.h>
#include <linux/netfilter/xt_comment.h>
#include <linux/netfilter/xt_limit.h>
#include <linux/netfilter/xt_limit.h>
...
@@ -162,20 +161,26 @@ void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
...
@@ -162,20 +161,26 @@ void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
add_cmp_ptr
(
r
,
op
,
iface
,
iface_len
+
1
);
add_cmp_ptr
(
r
,
op
,
iface
,
iface_len
+
1
);
}
}
void
add_addr
(
struct
nftnl_rule
*
r
,
int
offset
,
void
add_addr
(
struct
nftnl_rule
*
r
,
enum
nft_payload_bases
base
,
int
offset
,
void
*
data
,
void
*
mask
,
size_t
len
,
uint32_t
op
)
void
*
data
,
void
*
mask
,
size_t
len
,
uint32_t
op
)
{
{
const
unsigned
char
*
m
=
mask
;
const
unsigned
char
*
m
=
mask
;
bool
bitwise
=
false
;
int
i
;
int
i
;
add_payload
(
r
,
offset
,
len
,
NFT_PAYLOAD_NETWORK_HEADER
);
for
(
i
=
0
;
i
<
len
;
i
++
)
{
for
(
i
=
0
;
i
<
len
;
i
++
)
{
if
(
m
[
i
]
!=
0xff
)
if
(
m
[
i
]
!=
0xff
)
{
bitwise
=
m
[
i
]
!=
0
;
break
;
break
;
}
}
}
if
(
i
!=
len
)
if
(
!
bitwise
)
len
=
i
;
add_payload
(
r
,
offset
,
len
,
base
);
if
(
bitwise
)
add_bitwise
(
r
,
mask
,
len
);
add_bitwise
(
r
,
mask
,
len
);
add_cmp_ptr
(
r
,
op
,
data
,
len
);
add_cmp_ptr
(
r
,
op
,
data
,
len
);
...
...
iptables/nft-shared.h
View file @
6343d369
...
@@ -8,6 +8,7 @@
...
@@ -8,6 +8,7 @@
#include <libnftnl/chain.h>
#include <libnftnl/chain.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter/nf_tables.h>
#include "xshared.h"
#include "xshared.h"
...
@@ -121,7 +122,7 @@ void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
...
@@ -121,7 +122,7 @@ void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
void
add_cmp_u32
(
struct
nftnl_rule
*
r
,
uint32_t
val
,
uint32_t
op
);
void
add_cmp_u32
(
struct
nftnl_rule
*
r
,
uint32_t
val
,
uint32_t
op
);
void
add_iniface
(
struct
nftnl_rule
*
r
,
char
*
iface
,
uint32_t
op
);
void
add_iniface
(
struct
nftnl_rule
*
r
,
char
*
iface
,
uint32_t
op
);
void
add_outiface
(
struct
nftnl_rule
*
r
,
char
*
iface
,
uint32_t
op
);
void
add_outiface
(
struct
nftnl_rule
*
r
,
char
*
iface
,
uint32_t
op
);
void
add_addr
(
struct
nftnl_rule
*
r
,
int
offset
,
void
add_addr
(
struct
nftnl_rule
*
r
,
enum
nft_payload_bases
base
,
int
offset
,
void
*
data
,
void
*
mask
,
size_t
len
,
uint32_t
op
);
void
*
data
,
void
*
mask
,
size_t
len
,
uint32_t
op
);
void
add_proto
(
struct
nftnl_rule
*
r
,
int
offset
,
size_t
len
,
void
add_proto
(
struct
nftnl_rule
*
r
,
int
offset
,
size_t
len
,
uint8_t
proto
,
uint32_t
op
);
uint8_t
proto
,
uint32_t
op
);
...
@@ -247,4 +248,8 @@ void xtables_restore_parse(struct nft_handle *h,
...
@@ -247,4 +248,8 @@ void xtables_restore_parse(struct nft_handle *h,
const
struct
nft_xt_restore_parse
*
p
);
const
struct
nft_xt_restore_parse
*
p
);
void
nft_check_xt_legacy
(
int
family
,
bool
is_ipt_save
);
void
nft_check_xt_legacy
(
int
family
,
bool
is_ipt_save
);
#define min(x, y) ((x) < (y) ? (x) : (y))
#define max(x, y) ((x) > (y) ? (x) : (y))
#endif
#endif
iptables/nft.c
View file @
6343d369
This diff is collapsed.
Click to expand it.
iptables/nft.h
View file @
6343d369
...
@@ -4,6 +4,7 @@
...
@@ -4,6 +4,7 @@
#include "xshared.h"
#include "xshared.h"
#include "nft-shared.h"
#include "nft-shared.h"
#include "nft-cache.h"
#include "nft-cache.h"
#include "nft-chain.h"
#include "nft-cmd.h"
#include "nft-cmd.h"
#include <libiptc/linux_list.h>
#include <libiptc/linux_list.h>
...
@@ -39,7 +40,8 @@ enum nft_cache_level {
...
@@ -39,7 +40,8 @@ enum nft_cache_level {
struct
nft_cache
{
struct
nft_cache
{
struct
{
struct
{
struct
nftnl_chain_list
*
chains
;
struct
nft_chain
*
base_chains
[
NF_INET_NUMHOOKS
];
struct
nft_chain_list
*
chains
;
struct
nftnl_set_list
*
sets
;
struct
nftnl_set_list
*
sets
;
bool
exists
;
bool
exists
;
}
table
[
NFT_TABLE_MAX
];
}
table
[
NFT_TABLE_MAX
];
...
@@ -134,6 +136,7 @@ bool nft_table_find(struct nft_handle *h, const char *tablename);
...
@@ -134,6 +136,7 @@ bool nft_table_find(struct nft_handle *h, const char *tablename);
int
nft_table_purge_chains
(
struct
nft_handle
*
h
,
const
char
*
table
,
struct
nftnl_chain_list
*
list
);
int
nft_table_purge_chains
(
struct
nft_handle
*
h
,
const
char
*
table
,
struct
nftnl_chain_list
*
list
);
int
nft_table_flush
(
struct
nft_handle
*
h
,
const
char
*
table
);
int
nft_table_flush
(
struct
nft_handle
*
h
,
const
char
*
table
);
const
struct
builtin_table
*
nft_table_builtin_find
(
struct
nft_handle
*
h
,
const
char
*
table
);
const
struct
builtin_table
*
nft_table_builtin_find
(
struct
nft_handle
*
h
,
const
char
*
table
);
int
nft_xt_fake_builtin_chains
(
struct
nft_handle
*
h
,
const
char
*
table
,
const
char
*
chain
);
/*
/*
* Operations with chains.
* Operations with chains.
...
@@ -141,7 +144,7 @@ const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const c
...
@@ -141,7 +144,7 @@ const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const c
struct
nftnl_chain
;
struct
nftnl_chain
;
int
nft_chain_set
(
struct
nft_handle
*
h
,
const
char
*
table
,
const
char
*
chain
,
const
char
*
policy
,
const
struct
xt_counters
*
counters
);
int
nft_chain_set
(
struct
nft_handle
*
h
,
const
char
*
table
,
const
char
*
chain
,
const
char
*
policy
,
const
struct
xt_counters
*
counters
);
int
nft_chain_save
(
struct
nft
nl
_chain
*
c
,
void
*
data
);
int
nft_chain_save
(
struct
nft_chain
*
c
,
void
*
data
);
int
nft_chain_user_add
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
);
int
nft_chain_user_add
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
);
int
nft_chain_user_del
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
,
bool
verbose
);
int
nft_chain_user_del
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
,
bool
verbose
);
int
nft_chain_restore
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
);
int
nft_chain_restore
(
struct
nft_handle
*
h
,
const
char
*
chain
,
const
char
*
table
);
...
@@ -151,6 +154,9 @@ const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t
...
@@ -151,6 +154,9 @@ const struct builtin_chain *nft_chain_builtin_find(const struct builtin_table *t
bool
nft_chain_exists
(
struct
nft_handle
*
h
,
const
char
*
table
,
const
char
*
chain
);
bool
nft_chain_exists
(
struct
nft_handle
*
h
,
const
char
*
table
,
const
char
*
chain
);
void
nft_bridge_chain_postprocess
(
struct
nft_handle
*
h
,
void
nft_bridge_chain_postprocess
(
struct
nft_handle
*
h
,
struct
nftnl_chain
*
c
);
struct
nftnl_chain
*
c
);
int
nft_chain_foreach
(
struct
nft_handle
*
h
,
const
char
*
table
,
int
(
*
cb
)(
struct
nft_chain
*
c
,
void
*
data
),
void
*
data
);
/*
/*
...
...
iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
View file @
6343d369
...
@@ -86,4 +86,8 @@ if [ $? -eq 0 ]; then
...
@@ -86,4 +86,8 @@ if [ $? -eq 0 ]; then
exit
1
exit
1
fi
fi
$XT_MULTI
ebtables
-t
filter
-E
FOO BAZ
||
exit
1
$XT_MULTI
ebtables
-t
filter
-L
|
grep
-q
FOO
&&
exit
1
$XT_MULTI
ebtables
-t
filter
-L
|
grep
-q
BAZ
||
exit
1
$XT_MULTI
ebtables
-t
$t
-F
||
exit
0
$XT_MULTI
ebtables
-t
$t
-F
||
exit
0
iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
View file @
6343d369
...
@@ -70,8 +70,8 @@ DUMP='*filter
...
@@ -70,8 +70,8 @@ DUMP='*filter
:INPUT ACCEPT
:INPUT ACCEPT
:FORWARD DROP
:FORWARD DROP
:OUTPUT ACCEPT
:OUTPUT ACCEPT
:foo ACCEPT
:bar RETURN
:bar RETURN
:foo ACCEPT
-A INPUT -p IPv4 -i lo -j ACCEPT
-A INPUT -p IPv4 -i lo -j ACCEPT
-A FORWARD -j foo
-A FORWARD -j foo
-A OUTPUT -s Broadcast -j DROP
-A OUTPUT -s Broadcast -j DROP
...
...
iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0
View file @
6343d369
...
@@ -230,21 +230,8 @@ for table in nat mangle raw filter;do
...
@@ -230,21 +230,8 @@ for table in nat mangle raw filter;do
$XT_MULTI
iptables-save
-t
$table
|
grep
-v
'^#'
>>
"
$tmpfile
"
$XT_MULTI
iptables-save
-t
$table
|
grep
-v
'^#'
>>
"
$tmpfile
"
done
done
case
"
$XT_MULTI
"
in
diff
-u
$tmpfile
$(
dirname
"
$0
"
)
/dumps/ipt-save-completed.txt
*
xtables-nft-multi
)
RET
=
$?
# nft-multi displays chain names in different order, work around this for now
tmpfile2
=
$(
mktemp
)
sort
"
$tmpfile
"
>
"
$tmpfile2
"
sort
$(
dirname
"
$0
"
)
/dumps/ipt-save-completed.txt
>
"
$tmpfile
"
diff
-u
$tmpfile
$tmpfile2
RET
=
$?
rm
-f
"
$tmpfile2
"
;;
*
)
diff
-u
$tmpfile
$(
dirname
"
$0
"
)
/dumps/ipt-save-completed.txt
RET
=
$?
;;
esac
rm
-f
"
$tmpfile
"
rm
-f
"
$tmpfile
"
...
...
iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0
View file @
6343d369
...
@@ -18,7 +18,7 @@ EXPECT="*nat
...
@@ -18,7 +18,7 @@ EXPECT="*nat
:POSTROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
-A POSTROUTING -j ACCEPT
COMMIT"
COMMIT"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
|
sort
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
|
sort
)
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
)
$XT_MULTI
iptables-restore
<<
EOF
$XT_MULTI
iptables-restore
<<
EOF
*filter
*filter
...
@@ -39,4 +39,4 @@ COMMIT
...
@@ -39,4 +39,4 @@ COMMIT
:POSTROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
-A POSTROUTING -j ACCEPT
COMMIT"
COMMIT"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
|
sort
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
|
sort
)
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
)
iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
View file @
6343d369
...
@@ -59,7 +59,7 @@ Flushing chain \`secfoo'
...
@@ -59,7 +59,7 @@ Flushing chain \`secfoo'
Deleting chain
\`
secfoo'"
Deleting chain
\`
secfoo'"
for
ipt
in
iptables-restore ip6tables-restore
;
do
for
ipt
in
iptables-restore ip6tables-restore
;
do
diff
-u
-Z
<
(
sort
<<<
"
$EXPECT
"
)
<
(
$XT_MULTI
$ipt
-v
<<<
"
$DUMP
"
|
sort
)
diff
-u
-Z
<
(
echo
"
$EXPECT
"
)
<
(
$XT_MULTI
$ipt
-v
<<<
"
$DUMP
"
)
done
done
DUMP
=
"*filter
DUMP
=
"*filter
...
...
iptables/tests/shell/testcases/ipt-restore/0017-pointless-compat-checks_0
0 → 100755
View file @
6343d369
#!/bin/bash
# A bug in extension registration would leave unsupported older extension
# revisions in pending list and get compatibility checked again for each rule
# using them. With SELinux enabled, the resulting socket() call per rule leads
# to significant slowdown (~50% performance in worst cases).
set
-e
strace
--version
>
/dev/null
||
{
echo
"skip for missing strace"
;
exit
0
;
}
RULESET
=
"
$(
echo
"*filter"
for
((
i
=
0
;
i < 100
;
i++
))
;
do
echo
"-A FORWARD -m conntrack --ctstate NEW"
done
echo
"COMMIT"
)
"
cmd
=
"
$XT_MULTI
iptables-restore"
socketcount
=
$(
strace
-esocket
$cmd
<<<
"
$RULESET
"
2>&1 |
wc
-l
)
# unpatched iptables-restore would open 111 sockets,
# patched only 12 but keep a certain margin for future changes
[[
$socketcount
-lt
20
]]
iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
View file @
6343d369
...
@@ -40,8 +40,8 @@
...
@@ -40,8 +40,8 @@
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j wlanout
-A OUTPUT -o wlan0 -j wlanout
-A OUTPUT -j block
-A OUTPUT -j block
-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:
F
1:05:
A
0:
E
0 -j RETURN
-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:
f
1:05:
a
0:
e
0 -j RETURN
-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:
F
1:05:99:85 -j RETURN
-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:
f
1:05:99:85 -j RETURN
-A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:"
-A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:"
-A WLAN -j DROP
-A WLAN -j DROP
-A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:"
-A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:"
...
...
iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
0 → 100755
View file @
6343d369
#!/bin/bash -x
[[
$XT_MULTI
==
*
xtables-nft-multi
]]
||
{
echo
"skip
$XT_MULTI
"
;
exit
0
;
}
set
-e
nft flush ruleset
(
echo
"*filter"
for
plen
in
""
32 30 24 16 8 0
;
do
addr
=
"10.1.2.3
${
plen
:+/
}
$plen
"
echo
"-A OUTPUT -d
$addr
"
done
echo
"COMMIT"
)
|
$XT_MULTI
iptables-restore
(
echo
"*filter"
for
plen
in
""
128 124 120 112 88 80 64 48 16 8 0
;
do
addr
=
"feed:c0ff:ee00:0102:0304:0506:0708:090A
${
plen
:+/
}
$plen
"
echo
"-A OUTPUT -d
$addr
"
done
echo
"COMMIT"
)
|
$XT_MULTI
ip6tables-restore
masks
=
"
ff:ff:ff:ff:ff:ff
ff:ff:ff:ff:ff:f0
ff:ff:ff:ff:ff:00
ff:ff:ff:ff:00:00
ff:ff:ff:00:00:00
ff:ff:00:00:00:00
ff:00:00:00:00:00
"
(
echo
"*filter"
for
plen
in
""
32 30 24 16 8 0
;
do
addr
=
"10.1.2.3
${
plen
:+/
}
$plen
"
echo
"-A OUTPUT -d
$addr
"
done
for
mask
in
$masks
;
do
echo
"-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/
$mask
"
done
echo
"COMMIT"
)
|
$XT_MULTI
arptables-restore
(
echo
"*filter"
for
mask
in
$masks
;
do
echo
"-A OUTPUT -d fe:ed:00:c0:ff:ee/
$mask
"
done
echo
"COMMIT"
)
|
$XT_MULTI
ebtables-restore
EXPECT
=
"ip filter OUTPUT 4
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0302010a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 5 4
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0302010a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 6 5
[ payload load 4b @ network header + 16 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0002010a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 7 6
[ payload load 3b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0002010a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 8 7
[ payload load 2b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0000010a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 9 8
[ payload load 1b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ counter pkts 0 bytes 0 ]
ip filter OUTPUT 10 9
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 4
[ payload load 16b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 5 4
[ payload load 16b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 6 5
[ payload load 16b @ network header + 24 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 7 6
[ payload load 15b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 8 7
[ payload load 14b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 9 8
[ payload load 11b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 10 9
[ payload load 10b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 11 10
[ payload load 8b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x020100ee ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 12 11
[ payload load 6b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0xffc0edfe 0x000000ee ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 13 12
[ payload load 2b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0000edfe ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 14 13
[ payload load 1b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x000000fe ]
[ counter pkts 0 bytes 0 ]
ip6 filter OUTPUT 15 14
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 3
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 4b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0302010a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 4 3
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 4b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0302010a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 5 4
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 4b @ network header + 24 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0002010a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 6 5
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 3b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0002010a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 7 6
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 2b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0000010a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 8 7
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 1b @ network header + 24 => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 9 8
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 10 9
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 6b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0xc000edfe 0x0000eeff ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 11 10
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 6b @ network header + 18 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
[ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 12 11
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 5b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0xc000edfe 0x000000ff ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 13 12
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 4b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0xc000edfe ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 14 13
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 3b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0x0000edfe ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 15 14
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 2b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0x0000edfe ]
[ counter pkts 0 bytes 0 ]
arp filter OUTPUT 16 15
[ payload load 2b @ network header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000100 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ payload load 1b @ network header + 18 => reg 1 ]
[ cmp eq reg 1 0x000000fe ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 4
[ payload load 6b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0xc000edfe 0x0000eeff ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 5 4
[ payload load 6b @ link header + 0 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
[ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 6 5
[ payload load 5b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0xc000edfe 0x000000ff ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 7 6
[ payload load 4b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0xc000edfe ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 8 7
[ payload load 3b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0x0000edfe ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 9 8
[ payload load 2b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0x0000edfe ]
[ counter pkts 0 bytes 0 ]
bridge filter OUTPUT 10 9
[ payload load 1b @ link header + 0 => reg 1 ]
[ cmp eq reg 1 0x000000fe ]
[ counter pkts 0 bytes 0 ]
"
# print nothing but:
# - lines with bytecode (starting with ' [')
# - empty lines (so printed diff is not a complete mess)
filter
()
{
awk
'/^( \[|$)/{print}'
}
diff
-u
-Z
<
(
filter
<<<
"
$EXPECT
"
)
<
(
nft
--debug
=
netlink list ruleset | filter
)
iptables/xshared.c
View file @
6343d369
...
@@ -779,3 +779,77 @@ int parse_rulenumber(const char *rule)
...
@@ -779,3 +779,77 @@ int parse_rulenumber(const char *rule)
return
rulenum
;
return
rulenum
;
}
}
/* Table of legal combinations of commands and options. If any of the
* given commands make an option legal, that option is legal (applies to
* CMD_LIST and CMD_ZERO only).
* Key:
* + compulsory
* x illegal
* optional
*/
static
const
char
commands_v_options
[
NUMBER_OF_CMD
][
NUMBER_OF_OPT
]
=
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
/* -n -s -d -p -j -v -x -i -o --line -c -f 2 3 l 4 5 6 */
/*INSERT*/
{
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
'x'
,
' '
,
' '
,
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*DELETE*/
{
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
'x'
,
' '
,
' '
,
'x'
,
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*DELETE_NUM*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*REPLACE*/
{
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
'x'
,
' '
,
' '
,
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*APPEND*/
{
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
'x'
,
' '
,
' '
,
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*LIST*/
{
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
' '
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*FLUSH*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*ZERO*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*NEW_CHAIN*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*DEL_CHAIN*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*SET_POLICY*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*RENAME*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*LIST_RULES*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*ZERO_NUM*/
{
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
' '
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
,
'x'
},
/*CHECK*/
{
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
'x'
,
' '
,
' '
,
'x'
,
'x'
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
};
void
generic_opt_check
(
int
command
,
int
options
)
{
int
i
,
j
,
legal
=
0
;
/* Check that commands are valid with options. Complicated by the
* fact that if an option is legal with *any* command given, it is
* legal overall (ie. -z and -l).
*/
for
(
i
=
0
;
i
<
NUMBER_OF_OPT
;
i
++
)
{
legal
=
0
;
/* -1 => illegal, 1 => legal, 0 => undecided. */
for
(
j
=
0
;
j
<
NUMBER_OF_CMD
;
j
++
)
{
if
(
!
(
command
&
(
1
<<
j
)))
continue
;
if
(
!
(
options
&
(
1
<<
i
)))
{
if
(
commands_v_options
[
j
][
i
]
==
'+'
)
xtables_error
(
PARAMETER_PROBLEM
,
"You need to supply the `-%c' "
"option for this command
\n
"
,
optflags
[
i
]);
}
else
{
if
(
commands_v_options
[
j
][
i
]
!=
'x'
)
legal
=
1
;
else
if
(
legal
==
0
)
legal
=
-
1
;
}
}
if
(
legal
==
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"Illegal option `-%c' with this command
\n
"
,
optflags
[
i
]);
}
}
char
opt2char
(
int
option
)
{
const
char
*
ptr
;
for
(
ptr
=
optflags
;
option
>
1
;
option
>>=
1
,
ptr
++
)
;
return
*
ptr
;
}
iptables/xshared.h
View file @
6343d369
...
@@ -30,15 +30,20 @@ enum {
...
@@ -30,15 +30,20 @@ enum {
OPT_VIANAMEOUT
=
1
<<
8
,
OPT_VIANAMEOUT
=
1
<<
8
,
OPT_LINENUMBERS
=
1
<<
9
,
OPT_LINENUMBERS
=
1
<<
9
,
OPT_COUNTERS
=
1
<<
10
,
OPT_COUNTERS
=
1
<<
10
,
OPT_FRAGMENT
=
1
<<
11
,
/* below are for arptables only */
/* below are for arptables only */
OPT_S_MAC
=
1
<<
1
1
,
OPT_S_MAC
=
1
<<
1
2
,
OPT_D_MAC
=
1
<<
1
2
,
OPT_D_MAC
=
1
<<
1
3
,
OPT_H_LENGTH
=
1
<<
1
3
,
OPT_H_LENGTH
=
1
<<
1
4
,
OPT_OPCODE
=
1
<<
1
4
,
OPT_OPCODE
=
1
<<
1
5
,
OPT_H_TYPE
=
1
<<
1
5
,
OPT_H_TYPE
=
1
<<
1
6
,
OPT_P_TYPE
=
1
<<
1
6
,
OPT_P_TYPE
=
1
<<
1
7
,
};
};
#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
static
const
char
optflags
[]
=
{
'n'
,
's'
,
'd'
,
'p'
,
'j'
,
'v'
,
'x'
,
'i'
,
'o'
,
'0'
,
'c'
,
'f'
,
2
,
3
,
'l'
,
4
,
5
,
6
};
enum
{
enum
{
CMD_NONE
=
0
,
CMD_NONE
=
0
,
CMD_INSERT
=
1
<<
0
,
CMD_INSERT
=
1
<<
0
,
...
@@ -216,4 +221,7 @@ void add_command(unsigned int *cmd, const int newcmd,
...
@@ -216,4 +221,7 @@ void add_command(unsigned int *cmd, const int newcmd,
const
int
othercmds
,
int
invert
);
const
int
othercmds
,
int
invert
);
int
parse_rulenumber
(
const
char
*
rule
);
int
parse_rulenumber
(
const
char
*
rule
);
void
generic_opt_check
(
int
command
,
int
options
);
char
opt2char
(
int
option
);
#endif
/* IPTABLES_XSHARED_H */
#endif
/* IPTABLES_XSHARED_H */
iptables/xtables-arp.c
View file @
6343d369
...
@@ -53,10 +53,6 @@
...
@@ -53,10 +53,6 @@
#include "nft-arp.h"
#include "nft-arp.h"
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#define NUMBER_OF_OPT 16
static
const
char
optflags
[
NUMBER_OF_OPT
]
=
{
'n'
,
's'
,
'd'
,
2
,
3
,
7
,
8
,
4
,
5
,
6
,
'j'
,
'v'
,
'i'
,
'o'
,
'0'
,
'c'
};
static
struct
option
original_opts
[]
=
{
static
struct
option
original_opts
[]
=
{
{
"append"
,
1
,
0
,
'A'
},
{
"append"
,
1
,
0
,
'A'
},
{
"delete"
,
1
,
0
,
'D'
},
{
"delete"
,
1
,
0
,
'D'
},
...
@@ -113,74 +109,29 @@ struct xtables_globals arptables_globals = {
...
@@ -113,74 +109,29 @@ struct xtables_globals arptables_globals = {
static
int
inverse_for_options
[]
=
static
int
inverse_for_options
[]
=
{
{
/* -n */
0
,
/* -n */
0
,
/* -s */
AR
PT_INV_SRCIP
,
/* -s */
I
PT_INV_SRCIP
,
/* -d */
AR
PT_INV_
TG
TIP
,
/* -d */
I
PT_INV_
DS
TIP
,
/* -p */
0
,
/* -p */
0
,
/* -j */
0
,
/* -j */
0
,
/* -v */
0
,
/* -v */
0
,
/* -x */
0
,
/* -x */
0
,
/* -i */
AR
PT_INV_VIA_IN
,
/* -i */
I
PT_INV_VIA_IN
,
/* -o */
AR
PT_INV_VIA_OUT
,
/* -o */
I
PT_INV_VIA_OUT
,
/*--line*/
0
,
/*--line*/
0
,
/* -c */
0
,
/* -c */
0
,
/* 2 */
ARPT_INV_SRCDEVADDR
,
/* -f */
0
,
/* 3 */
ARPT_INV_TGTDEVADDR
,
/* 2 */
IPT_INV_SRCDEVADDR
,
/* -l */
ARPT_INV_ARPHLN
,
/* 3 */
IPT_INV_TGTDEVADDR
,
/* 4 */
ARPT_INV_ARPOP
,
/* -l */
IPT_INV_ARPHLN
,
/* 5 */
ARPT_INV_ARPHRD
,
/* 4 */
IPT_INV_ARPOP
,
/* 6 */
ARPT_INV_ARPPRO
,
/* 5 */
IPT_INV_ARPHRD
,
/* 6 */
IPT_INV_PROTO
,
};
};
/***********************************************/
/***********************************************/
/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */
/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */
/***********************************************/
/***********************************************/
static
unsigned
char
mac_type_unicast
[
ETH_ALEN
]
=
{
0
,
0
,
0
,
0
,
0
,
0
};
static
unsigned
char
msk_type_unicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
static
unsigned
char
mac_type_multicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
static
unsigned
char
msk_type_multicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
static
unsigned
char
mac_type_broadcast
[
ETH_ALEN
]
=
{
255
,
255
,
255
,
255
,
255
,
255
};
static
unsigned
char
msk_type_broadcast
[
ETH_ALEN
]
=
{
255
,
255
,
255
,
255
,
255
,
255
};
/*
* put the mac address into 6 (ETH_ALEN) bytes
*/
static
int
getmac_and_mask
(
char
*
from
,
char
*
to
,
char
*
mask
)
{
char
*
p
;
int
i
;
struct
ether_addr
*
addr
;
if
(
strcasecmp
(
from
,
"Unicast"
)
==
0
)
{
memcpy
(
to
,
mac_type_unicast
,
ETH_ALEN
);
memcpy
(
mask
,
msk_type_unicast
,
ETH_ALEN
);
return
0
;
}
if
(
strcasecmp
(
from
,
"Multicast"
)
==
0
)
{
memcpy
(
to
,
mac_type_multicast
,
ETH_ALEN
);
memcpy
(
mask
,
msk_type_multicast
,
ETH_ALEN
);
return
0
;
}
if
(
strcasecmp
(
from
,
"Broadcast"
)
==
0
)
{
memcpy
(
to
,
mac_type_broadcast
,
ETH_ALEN
);
memcpy
(
mask
,
msk_type_broadcast
,
ETH_ALEN
);
return
0
;
}
if
(
(
p
=
strrchr
(
from
,
'/'
))
!=
NULL
)
{
*
p
=
'\0'
;
if
(
!
(
addr
=
ether_aton
(
p
+
1
)))
return
-
1
;
memcpy
(
mask
,
addr
,
ETH_ALEN
);
}
else
memset
(
mask
,
0xff
,
ETH_ALEN
);
if
(
!
(
addr
=
ether_aton
(
from
)))
return
-
1
;
memcpy
(
to
,
addr
,
ETH_ALEN
);
for
(
i
=
0
;
i
<
ETH_ALEN
;
i
++
)
to
[
i
]
&=
mask
[
i
];
return
0
;
}
static
int
getlength_and_mask
(
char
*
from
,
uint8_t
*
to
,
uint8_t
*
mask
)
static
int
getlength_and_mask
(
char
*
from
,
uint8_t
*
to
,
uint8_t
*
mask
)
{
{
char
*
p
,
*
buffer
;
char
*
p
,
*
buffer
;
...
@@ -327,15 +278,6 @@ printhelp(void)
...
@@ -327,15 +278,6 @@ printhelp(void)
}
}
}
}
static
char
opt2char
(
int
option
)
{
const
char
*
ptr
;
for
(
ptr
=
optflags
;
option
>
1
;
option
>>=
1
,
ptr
++
);
return
*
ptr
;
}
static
int
static
int
check_inverse
(
const
char
option
[],
int
*
invert
,
int
*
optidx
,
int
argc
)
check_inverse
(
const
char
option
[],
int
*
invert
,
int
*
optidx
,
int
argc
)
{
{
...
@@ -686,7 +628,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
...
@@ -686,7 +628,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
set_option
(
&
options
,
OPT_S_MAC
,
&
cs
.
arp
.
arp
.
invflags
,
set_option
(
&
options
,
OPT_S_MAC
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
invert
);
if
(
get
mac_and_mask
(
argv
[
optind
-
1
],
if
(
xtables_parse_
mac_and_mask
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
src_devaddr
.
addr
,
cs
.
arp
.
arp
.
src_devaddr
.
mask
))
cs
.
arp
.
arp
.
src_devaddr
.
addr
,
cs
.
arp
.
arp
.
src_devaddr
.
mask
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified "
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified "
"source mac"
);
"source mac"
);
...
@@ -697,7 +639,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
...
@@ -697,7 +639,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
set_option
(
&
options
,
OPT_D_MAC
,
&
cs
.
arp
.
arp
.
invflags
,
set_option
(
&
options
,
OPT_D_MAC
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
invert
);
if
(
get
mac_and_mask
(
argv
[
optind
-
1
],
if
(
xtables_parse_
mac_and_mask
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
tgt_devaddr
.
addr
,
cs
.
arp
.
arp
.
tgt_devaddr
.
mask
))
cs
.
arp
.
arp
.
tgt_devaddr
.
addr
,
cs
.
arp
.
arp
.
tgt_devaddr
.
mask
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified "
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified "
"destination mac"
);
"destination mac"
);
...
@@ -901,7 +843,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
...
@@ -901,7 +843,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
&
dmasks
,
&
ndaddrs
);
&
dmasks
,
&
ndaddrs
);
if
((
nsaddrs
>
1
||
ndaddrs
>
1
)
&&
if
((
nsaddrs
>
1
||
ndaddrs
>
1
)
&&
(
cs
.
arp
.
arp
.
invflags
&
(
AR
PT_INV_SRCIP
|
AR
PT_INV_
TG
TIP
)))
(
cs
.
arp
.
arp
.
invflags
&
(
I
PT_INV_SRCIP
|
I
PT_INV_
DS
TIP
)))
xtables_error
(
PARAMETER_PROBLEM
,
"! not allowed with multiple"
xtables_error
(
PARAMETER_PROBLEM
,
"! not allowed with multiple"
" source or destination IP addresses"
);
" source or destination IP addresses"
);
...
...
iptables/xtables-eb-translate.c
View file @
6343d369
...
@@ -397,7 +397,9 @@ print_zero:
...
@@ -397,7 +397,9 @@ print_zero:
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
cs
.
eb
.
invflags
|=
EBT_ISOURCE
;
cs
.
eb
.
invflags
|=
EBT_ISOURCE
;
if
(
ebt_get_mac_and_mask
(
optarg
,
cs
.
eb
.
sourcemac
,
cs
.
eb
.
sourcemsk
))
if
(
xtables_parse_mac_and_mask
(
optarg
,
cs
.
eb
.
sourcemac
,
cs
.
eb
.
sourcemsk
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified source mac '%s'"
,
optarg
);
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified source mac '%s'"
,
optarg
);
cs
.
eb
.
bitmask
|=
EBT_SOURCEMAC
;
cs
.
eb
.
bitmask
|=
EBT_SOURCEMAC
;
break
;
break
;
...
@@ -406,7 +408,9 @@ print_zero:
...
@@ -406,7 +408,9 @@ print_zero:
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
cs
.
eb
.
invflags
|=
EBT_IDEST
;
cs
.
eb
.
invflags
|=
EBT_IDEST
;
if
(
ebt_get_mac_and_mask
(
optarg
,
cs
.
eb
.
destmac
,
cs
.
eb
.
destmsk
))
if
(
xtables_parse_mac_and_mask
(
optarg
,
cs
.
eb
.
destmac
,
cs
.
eb
.
destmsk
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified destination mac '%s'"
,
optarg
);
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified destination mac '%s'"
,
optarg
);
cs
.
eb
.
bitmask
|=
EBT_DESTMAC
;
cs
.
eb
.
bitmask
|=
EBT_DESTMAC
;
break
;
break
;
...
...
iptables/xtables-eb.c
View file @
6343d369
...
@@ -55,57 +55,6 @@
...
@@ -55,57 +55,6 @@
* 1: the inverse '!' of the option has already been specified */
* 1: the inverse '!' of the option has already been specified */
int
ebt_invert
=
0
;
int
ebt_invert
=
0
;
unsigned
char
eb_mac_type_unicast
[
ETH_ALEN
]
=
{
0
,
0
,
0
,
0
,
0
,
0
};
unsigned
char
eb_msk_type_unicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
unsigned
char
eb_mac_type_multicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
unsigned
char
eb_msk_type_multicast
[
ETH_ALEN
]
=
{
1
,
0
,
0
,
0
,
0
,
0
};
unsigned
char
eb_mac_type_broadcast
[
ETH_ALEN
]
=
{
255
,
255
,
255
,
255
,
255
,
255
};
unsigned
char
eb_msk_type_broadcast
[
ETH_ALEN
]
=
{
255
,
255
,
255
,
255
,
255
,
255
};
unsigned
char
eb_mac_type_bridge_group
[
ETH_ALEN
]
=
{
0x01
,
0x80
,
0xc2
,
0
,
0
,
0
};
unsigned
char
eb_msk_type_bridge_group
[
ETH_ALEN
]
=
{
255
,
255
,
255
,
255
,
255
,
255
};
int
ebt_get_mac_and_mask
(
const
char
*
from
,
unsigned
char
*
to
,
unsigned
char
*
mask
)
{
char
*
p
;
int
i
;
struct
ether_addr
*
addr
=
NULL
;
if
(
strcasecmp
(
from
,
"Unicast"
)
==
0
)
{
memcpy
(
to
,
eb_mac_type_unicast
,
ETH_ALEN
);
memcpy
(
mask
,
eb_msk_type_unicast
,
ETH_ALEN
);
return
0
;
}
if
(
strcasecmp
(
from
,
"Multicast"
)
==
0
)
{
memcpy
(
to
,
eb_mac_type_multicast
,
ETH_ALEN
);
memcpy
(
mask
,
eb_msk_type_multicast
,
ETH_ALEN
);
return
0
;
}
if
(
strcasecmp
(
from
,
"Broadcast"
)
==
0
)
{
memcpy
(
to
,
eb_mac_type_broadcast
,
ETH_ALEN
);
memcpy
(
mask
,
eb_msk_type_broadcast
,
ETH_ALEN
);
return
0
;
}
if
(
strcasecmp
(
from
,
"BGA"
)
==
0
)
{
memcpy
(
to
,
eb_mac_type_bridge_group
,
ETH_ALEN
);
memcpy
(
mask
,
eb_msk_type_bridge_group
,
ETH_ALEN
);
return
0
;
}
if
(
(
p
=
strrchr
(
from
,
'/'
))
!=
NULL
)
{
*
p
=
'\0'
;
if
(
!
(
addr
=
ether_aton
(
p
+
1
)))
return
-
1
;
memcpy
(
mask
,
addr
,
ETH_ALEN
);
}
else
memset
(
mask
,
0xff
,
ETH_ALEN
);
if
(
!
(
addr
=
ether_aton
(
from
)))
return
-
1
;
memcpy
(
to
,
addr
,
ETH_ALEN
);
for
(
i
=
0
;
i
<
ETH_ALEN
;
i
++
)
to
[
i
]
&=
mask
[
i
];
return
0
;
}
static
int
ebt_check_inverse2
(
const
char
option
[],
int
argc
,
char
**
argv
)
static
int
ebt_check_inverse2
(
const
char
option
[],
int
argc
,
char
**
argv
)
{
{
if
(
!
option
)
if
(
!
option
)
...
@@ -853,6 +802,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
...
@@ -853,6 +802,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
else
if
(
strchr
(
argv
[
optind
],
' '
)
!=
NULL
)
else
if
(
strchr
(
argv
[
optind
],
' '
)
!=
NULL
)
xtables_error
(
PARAMETER_PROBLEM
,
"Use of ' ' not allowed in chain names"
);
xtables_error
(
PARAMETER_PROBLEM
,
"Use of ' ' not allowed in chain names"
);
errno
=
0
;
ret
=
nft_cmd_chain_user_rename
(
h
,
chain
,
*
table
,
ret
=
nft_cmd_chain_user_rename
(
h
,
chain
,
*
table
,
argv
[
optind
]);
argv
[
optind
]);
if
(
ret
!=
0
&&
errno
==
ENOENT
)
if
(
ret
!=
0
&&
errno
==
ENOENT
)
...
@@ -1037,7 +987,9 @@ print_zero:
...
@@ -1037,7 +987,9 @@ print_zero:
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
cs
.
eb
.
invflags
|=
EBT_ISOURCE
;
cs
.
eb
.
invflags
|=
EBT_ISOURCE
;
if
(
ebt_get_mac_and_mask
(
optarg
,
cs
.
eb
.
sourcemac
,
cs
.
eb
.
sourcemsk
))
if
(
xtables_parse_mac_and_mask
(
optarg
,
cs
.
eb
.
sourcemac
,
cs
.
eb
.
sourcemsk
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified source mac '%s'"
,
optarg
);
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified source mac '%s'"
,
optarg
);
cs
.
eb
.
bitmask
|=
EBT_SOURCEMAC
;
cs
.
eb
.
bitmask
|=
EBT_SOURCEMAC
;
break
;
break
;
...
@@ -1046,7 +998,9 @@ print_zero:
...
@@ -1046,7 +998,9 @@ print_zero:
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
if
(
ebt_check_inverse2
(
optarg
,
argc
,
argv
))
cs
.
eb
.
invflags
|=
EBT_IDEST
;
cs
.
eb
.
invflags
|=
EBT_IDEST
;
if
(
ebt_get_mac_and_mask
(
optarg
,
cs
.
eb
.
destmac
,
cs
.
eb
.
destmsk
))
if
(
xtables_parse_mac_and_mask
(
optarg
,
cs
.
eb
.
destmac
,
cs
.
eb
.
destmsk
))
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified destination mac '%s'"
,
optarg
);
xtables_error
(
PARAMETER_PROBLEM
,
"Problem with specified destination mac '%s'"
,
optarg
);
cs
.
eb
.
bitmask
|=
EBT_DESTMAC
;
cs
.
eb
.
bitmask
|=
EBT_DESTMAC
;
break
;
break
;
...
...
Prev
1
2
3
Next
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment