Commit 712749e7 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.8.5'

Update to upstream version '1.8.5'
with Debian dir 8a97bace31de0bf6fa044da123d7fa2e84e9f6aa
parents 214468ea eb1d7c5f
This target allows to selectively work around known ECN blackholes. This target selectively works around known ECN blackholes.
It can only be used in the mangle table. It can only be used in the mangle table.
.TP .TP
\fB\-\-ecn\-tcp\-remove\fP \fB\-\-ecn\-tcp\-remove\fP
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
*/ */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <strings.h>
#include <xtables.h> #include <xtables.h>
/* For 64bit kernel / 32bit userspace */ /* For 64bit kernel / 32bit userspace */
#include <linux/netfilter_ipv4/ipt_ULOG.h> #include <linux/netfilter_ipv4/ipt_ULOG.h>
......
This target allows to create audit records for packets hitting the target. This target creates audit records for packets hitting the target.
It can be used to record accepted, dropped, and rejected packets. See It can be used to record accepted, dropped, and rejected packets. See
auditd(8) for additional details. auditd(8) for additional details.
.TP .TP
......
This target allows to selectively work around broken/old applications. This target selectively works around broken/old applications.
It can only be used in the mangle table. It can only be used in the mangle table.
.TP .TP
\fB\-\-checksum\-fill\fP \fB\-\-checksum\-fill\fP
......
...@@ -348,6 +348,20 @@ static void notrack_ct2_tg_init(struct xt_entry_target *target) ...@@ -348,6 +348,20 @@ static void notrack_ct2_tg_init(struct xt_entry_target *target)
info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS; info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
} }
static int xlate_ct1_tg(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
struct xt_ct_target_info_v1 *info =
(struct xt_ct_target_info_v1 *)params->target->data;
if (info->flags & XT_CT_NOTRACK)
xt_xlate_add(xl, "notrack");
else
return 0;
return 1;
}
static struct xtables_target ct_target_reg[] = { static struct xtables_target ct_target_reg[] = {
{ {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
...@@ -387,6 +401,7 @@ static struct xtables_target ct_target_reg[] = { ...@@ -387,6 +401,7 @@ static struct xtables_target ct_target_reg[] = {
.alias = ct_print_name_alias, .alias = ct_print_name_alias,
.x6_parse = ct_parse_v1, .x6_parse = ct_parse_v1,
.x6_options = ct_opts_v1, .x6_options = ct_opts_v1,
.xlate = xlate_ct1_tg,
}, },
{ {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
...@@ -418,6 +433,7 @@ static struct xtables_target ct_target_reg[] = { ...@@ -418,6 +433,7 @@ static struct xtables_target ct_target_reg[] = {
.size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
.userspacesize = offsetof(struct xt_ct_target_info_v1, ct), .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
.init = notrack_ct2_tg_init, .init = notrack_ct2_tg_init,
.xlate = xlate_ct1_tg,
}, },
{ {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
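Review bot: xlate_ct1_tg (L36-L46) returns 0 for any info without XT_CT_NOTRACK, which leaves every other CT form (helper, zone, timeout, event masks) untranslated by iptables-translate; that is the sensible outcome, but nothing in the function says the silence is deliberate. I would document it above the function: `/* Only the --notrack form has an nft equivalent ("notrack"); for any other CT option return 0 so the caller emits the rule untranslated. */`. The `if ... else return 0;` shape reads more naturally as a guard, `if (!(info->flags & XT_CT_NOTRACK)) return 0;` followed by the xt_xlate_add and `return 1;`. If ct_parse_v1 (outside this hunk) allows --notrack to be combined with --zone or --helper, the translation would silently drop those fields, which is worth confirming before relying on the output.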
......
The CT target allows to set parameters for a packet or its associated The CT target sets parameters for a packet or its associated
connection. The target attaches a "template" connection tracking entry to connection. The target attaches a "template" connection tracking entry to
the packet, which is then used by the conntrack core when initializing the packet, which is then used by the conntrack core when initializing
a new ct entry. This target is thus only valid in the "raw" table. a new ct entry. This target is thus only valid in the "raw" table.
......
This target allows to alter the value of the DSCP bits within the TOS This target alters the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only header of the IPv4 packet. As this manipulates a packet, it can only
be used in the mangle table. be used in the mangle table.
.TP .TP
......
...@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW ...@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
\-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
.PP .PP
iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000 iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000
\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef \-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
...@@ -27,6 +27,7 @@ ...@@ -27,6 +27,7 @@
enum { enum {
O_TIMEOUT = 0, O_TIMEOUT = 0,
O_LABEL, O_LABEL,
O_ALARM,
}; };
#define s struct idletimer_tg_info #define s struct idletimer_tg_info
...@@ -39,6 +40,17 @@ static const struct xt_option_entry idletimer_tg_opts[] = { ...@@ -39,6 +40,17 @@ static const struct xt_option_entry idletimer_tg_opts[] = {
}; };
#undef s #undef s
#define s struct idletimer_tg_info_v1
static const struct xt_option_entry idletimer_tg_opts_v1[] = {
{.name = "timeout", .id = O_TIMEOUT, .type = XTTYPE_UINT32,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, timeout)},
{.name = "label", .id = O_LABEL, .type = XTTYPE_STRING,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, label)},
{.name = "alarm", .id = O_ALARM, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
};
#undef s
static void idletimer_tg_help(void) static void idletimer_tg_help(void)
{ {
printf( printf(
...@@ -48,6 +60,16 @@ static void idletimer_tg_help(void) ...@@ -48,6 +60,16 @@ static void idletimer_tg_help(void)
"\n"); "\n");
} }
static void idletimer_tg_help_v1(void)
{
printf(
"IDLETIMER target options:\n"
" --timeout time Timeout until the notification is sent (in seconds)\n"
" --label string Unique rule identifier\n"
" --alarm Use alarm instead of default timer\n"
"\n");
}
static void idletimer_tg_print(const void *ip, static void idletimer_tg_print(const void *ip,
const struct xt_entry_target *target, const struct xt_entry_target *target,
int numeric) int numeric)
...@@ -59,6 +81,20 @@ static void idletimer_tg_print(const void *ip, ...@@ -59,6 +81,20 @@ static void idletimer_tg_print(const void *ip,
printf(" label:%s", info->label); printf(" label:%s", info->label);
} }
static void idletimer_tg_print_v1(const void *ip,
const struct xt_entry_target *target,
int numeric)
{
struct idletimer_tg_info_v1 *info =
(struct idletimer_tg_info_v1 *) target->data;
printf(" timeout:%u", info->timeout);
printf(" label:%s", info->label);
if (info->timer_type == XT_IDLETIMER_ALARM)
printf(" alarm");
}
static void idletimer_tg_save(const void *ip, static void idletimer_tg_save(const void *ip,
const struct xt_entry_target *target) const struct xt_entry_target *target)
{ {
...@@ -69,21 +105,58 @@ static void idletimer_tg_save(const void *ip, ...@@ -69,21 +105,58 @@ static void idletimer_tg_save(const void *ip,
printf(" --label %s", info->label); printf(" --label %s", info->label);
} }
static struct xtables_target idletimer_tg_reg = { static void idletimer_tg_save_v1(const void *ip,
.family = NFPROTO_UNSPEC, const struct xt_entry_target *target)
.name = "IDLETIMER", {
.version = XTABLES_VERSION, struct idletimer_tg_info_v1 *info =
.revision = 0, (struct idletimer_tg_info_v1 *) target->data;
.size = XT_ALIGN(sizeof(struct idletimer_tg_info)),
.userspacesize = offsetof(struct idletimer_tg_info, timer), printf(" --timeout %u", info->timeout);
.help = idletimer_tg_help, printf(" --label %s", info->label);
.x6_parse = xtables_option_parse, if (info->timer_type == XT_IDLETIMER_ALARM)
.print = idletimer_tg_print, printf(" --alarm");
.save = idletimer_tg_save, }
.x6_options = idletimer_tg_opts,
static void idletimer_tg_parse_v1(struct xt_option_call *cb)
{
struct idletimer_tg_info_v1 *info = cb->data;
xtables_option_parse(cb);
if (cb->entry->id == O_ALARM)
info->timer_type = XT_IDLETIMER_ALARM;
}
static struct xtables_target idletimer_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
.name = "IDLETIMER",
.version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct idletimer_tg_info)),
.userspacesize = offsetof(struct idletimer_tg_info, timer),
.help = idletimer_tg_help,
.x6_parse = xtables_option_parse,
.print = idletimer_tg_print,
.save = idletimer_tg_save,
.x6_options = idletimer_tg_opts,
},
{
.family = NFPROTO_UNSPEC,
.name = "IDLETIMER",
.version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct idletimer_tg_info_v1)),
.userspacesize = offsetof(struct idletimer_tg_info_v1, timer),
.help = idletimer_tg_help_v1,
.x6_parse = idletimer_tg_parse_v1,
.print = idletimer_tg_print_v1,
.save = idletimer_tg_save_v1,
.x6_options = idletimer_tg_opts_v1,
},
}; };
void _init(void) void _init(void)
{ {
xtables_register_target(&idletimer_tg_reg); xtables_register_targets(idletimer_tg_reg, ARRAY_SIZE(idletimer_tg_reg));
} }
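Review bot: idletimer_tg_parse_v1 (L153-L159) assigns info->timer_type only when --alarm is parsed, so the non-alarm case depends on the target data having been zero-initialised by the caller and on zero meaning the default timer type; neither is visible in this hunk, and a future option that also writes timer_type would not reset it. I would state the assumption on the function: `/* timer_type stays at its zeroed default unless --alarm is given; XT_IDLETIMER_ALARM is the only explicit value. */`, or set it explicitly from an .init callback in the revision-1 registration (L174-L186). Separately, idletimer_tg_print_v1 and idletimer_tg_save_v1 (L128-L129, L144-L145) cast away the const of target->data although they only read it; `const struct idletimer_tg_info_v1 *info = (const void *)target->data;` keeps the compiler checking that. The revision-0 functions use the same cast, so this is a style point rather than a defect.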
...@@ -2,3 +2,4 @@ ...@@ -2,3 +2,4 @@
-j IDLETIMER --timeout;;FAIL -j IDLETIMER --timeout;;FAIL
-j IDLETIMER --timeout 42;;FAIL -j IDLETIMER --timeout 42;;FAIL
-j IDLETIMER --timeout 42 --label foo;=;OK -j IDLETIMER --timeout 42 --label foo;=;OK
-j IDLETIMER --timeout 42 --label foo --alarm;;OK
This target is used to set the Netfilter mark value associated with the packet. This target is used to set the Netfilter mark value associated with the packet.
It can, for example, be used in conjunction with routing based on fwmark (needs It can, for example, be used in conjunction with routing based on fwmark (needs
iproute2). If you plan on doing so, note that the mark needs to be set in the iproute2). If you plan on doing so, note that the mark needs to be set in
PREROUTING chain of the mangle table to affect routing. either the PREROUTING or the OUTPUT chain of the mangle table to affect routing.
The mark field is 32 bits wide. The mark field is 32 bits wide.
.TP .TP
\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] \fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
......
:PREROUTING,OUTPUT :PREROUTING,OUTPUT
*raw *raw
# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK -j NOTRACK;=;OK
#-j NOTRACK;=;OK
iptables-translate -A PREROUTING -t raw -j NOTRACK
nft add rule ip raw PREROUTING counter notrack
...@@ -42,5 +42,5 @@ and ...@@ -42,5 +42,5 @@ and
\fB\-\-map\-queue\fP \fB\-\-map\-queue\fP
flags can be used in the OUTPUT, FORWARD and POSTROUTING chains. flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
.PP .PP
Use of -j SET requires that ipset kernel support is provided, which, for Use of \-j SET requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39. standard kernels, is the case since Linux 2.6.39.
This target allows to alter the MSS value of TCP SYN packets, to control This target alters the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your the maximum size for that connection (usually limiting it to your
outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
Of course, it can only be used Of course, it can only be used
......
...@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is ...@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
a bug whereby IPv6 TOS mangling does not behave as documented and differs from a bug whereby IPv6 TOS mangling does not behave as documented and differs from
the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
needs to be inverted before applying it to the original TOS field. However, the needs to be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its
mnemonics. mnemonics.
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
* This program is released under the terms of GNU GPL */ * This program is released under the terms of GNU GPL */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <strings.h>
#include <xtables.h> #include <xtables.h>
#include <linux/netfilter/xt_addrtype.h> #include <linux/netfilter/xt_addrtype.h>
......
...@@ -61,14 +61,26 @@ static const struct xt_option_entry bpf_opts_v1[] = { ...@@ -61,14 +61,26 @@ static const struct xt_option_entry bpf_opts_v1[] = {
XTOPT_TABLEEND, XTOPT_TABLEEND,
}; };
static int bpf_obj_get(const char *filepath) static int bpf_obj_get_readonly(const char *filepath)
{ {
#if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC #if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC
union bpf_attr attr; /* union bpf_attr includes this in an anonymous struct, but the
* file_flags field and the BPF_F_RDONLY constant are only present
memset(&attr, 0, sizeof(attr)); * in Linux 4.15+ kernel headers (include/uapi/linux/bpf.h)
attr.pathname = (__u64) filepath; */
struct { // this part of union bpf_attr is for BPF_OBJ_* commands
__aligned_u64 pathname;
__u32 bpf_fd;
__u32 file_flags;
} attr = {
.pathname = (__u64)filepath,
.file_flags = (1U << 3), // BPF_F_RDONLY
};
int fd = syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
if (fd >= 0) return fd;
/* on any error fallback to default R/W access for pre-4.15-rc1 kernels */
attr.file_flags = 0;
return syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr)); return syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
#else #else
xtables_error(OTHER_PROBLEM, xtables_error(OTHER_PROBLEM,
...@@ -125,7 +137,7 @@ static void bpf_parse_string(struct sock_filter *pc, __u16 *lenp, __u16 len_max, ...@@ -125,7 +137,7 @@ static void bpf_parse_string(struct sock_filter *pc, __u16 *lenp, __u16 len_max,
static void bpf_parse_obj_pinned(struct xt_bpf_info_v1 *bi, static void bpf_parse_obj_pinned(struct xt_bpf_info_v1 *bi,
const char *filepath) const char *filepath)
{ {
bi->fd = bpf_obj_get(filepath); bi->fd = bpf_obj_get_readonly(filepath);
if (bi->fd < 0) if (bi->fd < 0)
xtables_error(PARAMETER_PROBLEM, xtables_error(PARAMETER_PROBLEM,
"bpf: failed to get bpf object"); "bpf: failed to get bpf object");
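Review bot: The fallback in bpf_obj_get_readonly (L255-L258) retries with read/write access on any error, not only on the EINVAL that a pre-4.15 kernel is expected to return for the non-zero file_flags field, so a read-only open refused for another reason (EACCES, EPERM, ENOENT) is silently re-attempted with broader access and the caller only sees the second errno. Limiting the fallback keeps the least-privilege intent of the change and preserves the real failure: `if (fd >= 0 || errno != EINVAL) return fd;` before zeroing file_flags (needs `<errno.h>` if the file does not already include it). The literal `(1U << 3)` on L252 would be safer as a guarded definition, `#ifndef BPF_F_RDONLY` / `#define BPF_F_RDONLY (1U << 3)` / `#endif`, so newer headers supply the real constant and the comment on L242-L245 stays accurate. The #else branch of bpf_obj_get_readonly continues past the hunk.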
......
...@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC ...@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC
\fB\-\-bytecode\fP \fIcode\fP \fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility. Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP .PP
The code format is similar to the output of the tcpdump -ddd command: one line The code format is similar to the output of the tcpdump \-ddd command: one line
that stores the number of instructions, followed by one line for each that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. Fields encode the operation, jump offset if true, jump offset if notation. Fields encode the operation, jump offset if true, jump offset if
......
...@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl, ...@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st, xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st,
info->total_nodes, info->hash_seed); info->total_nodes, info->hash_seed);
for (node = 0; node < 32; node++) { for (node = 0; node < 32; node++) {
if (info->node_mask & (1 << node)) { if (info->node_mask & (1u << node)) {
if (needs_set == 0) { if (needs_set == 0) {
xt_xlate_add(xl, "{ "); xt_xlate_add(xl, "{ ");
needs_set = 1; needs_set = 1;
......