Commit 89c92f0c authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

New upstream version 1.8.3

parent 0309474b
This target marks packets so that the kernel will log every rule which match
the packets as those traverse the tables, chains, rules.
the packets as those traverse the tables, chains, rules. It can only be used in
the
.BR raw
table.
.PP
A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
to be visible.
With iptables-legacy, a logging backend, such as ip(6)t_LOG or nfnetlink_log,
must be loaded for this to be visible.
The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
and "policy" for the policy of the built in chains.
.br
It can only be used in the
.BR raw
table.
.PP
With iptables-nft, the target is translated into nftables'
.B "meta nftrace"
expression. Hence the kernel sends trace events via netlink to userspace where
they may be displayed using
.B "xtables-monitor --trace"
command. For details, refer to
.BR xtables-monitor (8).
:PREROUTING,OUTPUT
*raw
-j TRACE;=;OK
:INPUT,FORWARD,OUTPUT
-m addrtype;;FAIL
-m addrtype --src-type wrong;;FAIL
-m addrtype --src-type UNSPEC;=;OK
-m addrtype --dst-type UNSPEC;=;OK
-m addrtype --src-type LOCAL --dst-type LOCAL;=;OK
-m addrtype --dst-type UNSPEC;=;OK
-m addrtype --limit-iface-in;;FAIL
-m addrtype --limit-iface-out;;FAIL
-m addrtype --limit-iface-in --limit-iface-out;;FAIL
-m addrtype --src-type LOCAL --limit-iface-in --limit-iface-out;;FAIL
:INPUT
-m addrtype --src-type LOCAL --limit-iface-in;=;OK
-m addrtype --dst-type LOCAL --limit-iface-in;=;OK
:OUTPUT
-m addrtype --src-type LOCAL --limit-iface-out;=;OK
-m addrtype --dst-type LOCAL --limit-iface-out;=;OK
:INPUT,FORWARD,OUTPUT
-m bpf --bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";=;OK
:INPUT,OUTPUT,POSTROUTING
*mangle
-m cgroup --cgroup 1;=;OK
-m cgroup ! --cgroup 1;=;OK
-m cgroup --path "/";=;OK
-m cgroup ! --path "/";=;OK
-m cgroup --cgroup 1 --path "/";;FAIL
-m cgroup ;;FAIL
:PREROUTING,FORWARD,POSTROUTING
*mangle
-m cluster;;FAIL
-m cluster --cluster-total-nodes 3;;FAIL
-m cluster --cluster-total-nodes 2 --cluster-local-node 2;;FAIL
-m cluster --cluster-total-nodes 2 --cluster-local-node 3 --cluster-hash-seed;;FAIL
#
# outputs --cluster-local-nodemask instead of --cluster-local-node
#
-m cluster --cluster-total-nodes 2 --cluster-local-node 2 --cluster-hash-seed 0xfeedcafe;-m cluster --cluster-local-nodemask 0x00000002 --cluster-total-nodes 2 --cluster-hash-seed 0xfeedcafe;OK
:INPUT,FORWARD,OUTPUT
-m comment;;FAIL
-m comment --comment;;FAIL
-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK
-p tcp -m comment --comment foo -m tcp --dport 22;=;OK
#
# it fails with 256 characters
#
# should fail: iptables -A INPUT -m comment --comment xxxxxxxxxxxxxxxxx [....]
# -m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
#
# success with 255 characters
#
-m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
:INPUT,FORWARD,OUTPUT
-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir reply;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir both;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir original;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir reply;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir both;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir original;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir reply;=;OK
-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK
-m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL
-m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL
# ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both
# -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK
-m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL
-m connbytes --connbytes 0:1000 --connbytes-mode wrong --connbytes-dir both;;FAIL
-m connbytes --connbytes 0:1000 --connbytes-dir original;;FAIL
-m connbytes --connbytes 0:1000 --connbytes-mode packets;;FAIL
-m connbytes --connbytes-dir original;;FAIL
-m connbytes --connbytes 0:1000;;FAIL
-m connbytes;;FAIL
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <xtables.h>
#include <linux/netfilter/xt_connlabel.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
......@@ -32,40 +34,59 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
/* cannot do this via _init, else static builds might spew error message
* for every iptables invocation.
*/
static void connlabel_open(void)
static int connlabel_open(void)
{
const char *fname;
if (map)
return;
return 0;
map = nfct_labelmap_new(NULL);
if (map != NULL)
return;
return 0;
fname = nfct_labels_get_path();
if (errno) {
xtables_error(RESOURCE_PROBLEM,
"cannot open %s: %s", fname, strerror(errno));
fprintf(stderr, "Warning: cannot open %s: %s\n",
fname, strerror(errno));
} else {
xtables_error(RESOURCE_PROBLEM,
"cannot parse %s: no labels found", fname);
}
return 1;
}
static int connlabel_value_parse(const char *in)
{
char *end;
unsigned long value = strtoul(in, &end, 0);
if (in[0] == '\0' || *end != '\0')
return -1;
return value;
}
static void connlabel_mt_parse(struct xt_option_call *cb)
{
struct xt_connlabel_mtinfo *info = cb->data;
bool have_labelmap = !connlabel_open();
int tmp;
connlabel_open();
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_LABEL:
if (have_labelmap)
tmp = nfct_labelmap_get_bit(map, cb->arg);
else
tmp = connlabel_value_parse(cb->arg);
if (tmp < 0)
xtables_error(PARAMETER_PROBLEM, "label '%s' not found", cb->arg);
xtables_error(PARAMETER_PROBLEM,
"label '%s' not found or invalid value",
cb->arg);
info->bit = tmp;
if (cb->invert)
info->options |= XT_CONNLABEL_OP_INVERT;
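Review bot: connlabel_value_parse returns the strtoul result through an int without any range check, so a numeric label that overflows unsigned long (errno ERANGE) or exceeds INT_MAX is silently truncated rather than rejected, and the implementation-defined narrowing can yield a small positive value that is then stored into info->bit as if it were valid. Reset errno before the call and reject out-of-range input: `errno = 0;` before the strtoul, then `if (in[0] == '\0' || *end != '\0' || errno == ERANGE || value > INT_MAX)` — INT_MAX needs `<limits.h>`, which the visible include block does not contain, and a tighter bound matching the kernel's maximum label bit would be better still if the uapi header defines one. Separately, because map stays NULL when nfct_labelmap_new fails, the new fprintf warning in connlabel_open is re-emitted on every later call (each option parsed and each connlabel_get_name lookup), so a static one-shot flag would keep it to a single line per invocation. connlabel_mt_parse continues past the end of this hunk.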
......@@ -81,7 +102,8 @@ static const char *connlabel_get_name(int b)
{
const char *name;
connlabel_open();
if (connlabel_open())
return NULL;
name = nfct_labelmap_get_name(map, b);
if (name && strcmp(name, ""))
......@@ -134,9 +156,13 @@ static int connlabel_mt_xlate(struct xt_xlate *xl,
const struct xt_connlabel_mtinfo *info =
(const void *)params->match->data;
const char *name = connlabel_get_name(info->bit);
char *valbuf = NULL;
if (name == NULL)
if (name == NULL) {
if (asprintf(&valbuf, "%u", info->bit) < 0)
return 0;
name = valbuf;
}
if (info->options & XT_CONNLABEL_OP_SET)
xt_xlate_add(xl, "ct label set %s ", name);
......@@ -146,6 +172,7 @@ static int connlabel_mt_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "and %s != ", name);
xt_xlate_add(xl, "%s", name);
free(valbuf);
return 1;
}
......
:INPUT,FORWARD,OUTPUT
-m connlabel --label "40";=;OK
-m connlabel ! --label "40";=;OK
-m connlabel --label "41" --set;=;OK
-m connlabel ! --label "41" --set;=;OK
-m connlabel --label "2048";;FAIL
-m connlabel --label "foobar_not_there";;FAIL
iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter
iptables-translate -A INPUT -m connlabel --label 40
nft add rule ip filter INPUT ct label 40 counter
iptables-translate -A INPUT -m connlabel ! --label bit40 --set
nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter
iptables-translate -A INPUT -m connlabel ! --label 40 --set
nft add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter
:INPUT,FORWARD,OUTPUT
-m connlimit --connlimit-upto 0;=;OK
-m connlimit --connlimit-upto 4294967295;=;OK
-m connlimit --connlimit-upto 4294967296;;FAIL
-m connlimit --connlimit-upto -1;;FAIL
-m connlimit --connlimit-above 0;=;OK
-m connlimit --connlimit-above 4294967295;=;OK
-m connlimit --connlimit-above 4294967296;;FAIL
-m connlimit --connlimit-above -1;;FAIL
-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
-m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
-m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;OK
-m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL
-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK
-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK
-m connlimit;;FAIL
:PREROUTING,FORWARD,OUTPUT,POSTROUTING
*mangle
-m connmark --mark 0xffffffff;=;OK
-m connmark --mark 0xffffffff/0xffffffff;-m connmark --mark 0xffffffff;OK
-m connmark --mark 0xffffffff/0;=;OK
-m connmark --mark 0/0xffffffff;-m connmark --mark 0;OK
-m connmark --mark -1;;FAIL
-m connmark --mark 0xfffffffff;;FAIL
-m connmark;;FAIL
:INPUT,FORWARD,OUTPUT
-m conntrack --ctstate NEW;=;OK
-m conntrack --ctstate NEW,ESTABLISHED;=;OK
-m conntrack --ctstate NEW,RELATED,ESTABLISHED;=;OK
-m conntrack --ctstate INVALID;=;OK
-m conntrack --ctstate UNTRACKED;=;OK
-m conntrack --ctstate SNAT,DNAT;=;OK
-m conntrack --ctstate wrong;;FAIL
# should we convert this to output "tcp" instead of 6?
-m conntrack --ctproto tcp;-m conntrack --ctproto 6;OK
-m conntrack --ctorigsrc 1.1.1.1;=;OK
-m conntrack --ctorigdst 1.1.1.1;=;OK
-m conntrack --ctreplsrc 1.1.1.1;=;OK
-m conntrack --ctrepldst 1.1.1.1;=;OK
-m conntrack --ctexpire 0;=;OK
-m conntrack --ctexpire 4294967295;=;OK
-m conntrack --ctexpire 0:4294967295;=;OK
-m conntrack --ctexpire 42949672956;;FAIL
-m conntrack --ctexpire -1;;FAIL
-m conntrack --ctdir ORIGINAL;=;OK
-m conntrack --ctdir REPLY;=;OK
-m conntrack --ctstatus NONE;=;OK
-m conntrack --ctstatus CONFIRMED;=;OK
-m conntrack --ctstatus ASSURED;=;OK
-m conntrack --ctstatus EXPECTED;=;OK
-m conntrack --ctstatus SEEN_REPLY;=;OK
-m conntrack;;FAIL
:INPUT,FORWARD,OUTPUT
-m cpu --cpu 0;=;OK
-m cpu ! --cpu 0;=;OK
-m cpu --cpu 4294967295;=;OK
-m cpu --cpu 4294967296;;FAIL
-m cpu;;FAIL
:INPUT,FORWARD,OUTPUT
-p dccp -m dccp --sport 1;=;OK
-p dccp -m dccp --sport 65535;=;OK
-p dccp -m dccp --dport 1;=;OK
-p dccp -m dccp --dport 65535;=;OK
-p dccp -m dccp --sport 1:1023;=;OK
-p dccp -m dccp --sport 1024:65535;=;OK
-p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK
-p dccp -m dccp ! --sport 1;=;OK
-p dccp -m dccp ! --sport 65535;=;OK
-p dccp -m dccp ! --dport 1;=;OK
-p dccp -m dccp ! --dport 65535;=;OK
-p dccp -m dccp --sport 1 --dport 65535;=;OK
-p dccp -m dccp --sport 65535 --dport 1;=;OK
-p dccp -m dccp ! --sport 1 --dport 65535;=;OK
-p dccp -m dccp ! --sport 65535 --dport 1;=;OK
# ERROR: should fail: iptables -A INPUT -p dccp -m dccp --sport 65536
# -p dccp -m dccp --sport 65536;;FAIL
-p dccp -m dccp --sport -1;;FAIL
-p dccp -m dccp --dport -1;;FAIL
-p dccp -m dccp --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
-p dccp -m dccp ! --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
# DCCP option 0 is valid, see http://tools.ietf.org/html/rfc4340#page-29
# ERROR: cannot load: iptables -A INPUT -p dccp -m dccp --dccp-option 0
#-p dccp -m dccp --dccp-option 0;=;OK
-p dccp -m dccp --dccp-option 255;=;OK
-p dccp -m dccp --dccp-option 256;;FAIL
-p dccp -m dccp --dccp-option -1;;FAIL
# should we accept this below?
-p dccp -m dccp;=;OK
:INPUT,FORWARD,OUTPUT
-m dscp --dscp 0;=;OK
-m dscp --dscp 0x3f;=;OK
-m dscp --dscp -1;;FAIL
-m dscp --dscp 0x40;;FAIL
-m dscp --dscp 0x3f --dscp-class CS0;;FAIL
-m dscp --dscp-class CS0;-m dscp --dscp 0x00;OK
-m dscp --dscp-class BE;-m dscp --dscp 0x00;OK
-m dscp --dscp-class EF;-m dscp --dscp 0x2e;OK
-m dscp;;FAIL
:INPUT,FORWARD,OUTPUT
-m ecn --ecn-tcp-cwr;;FAIL
-p tcp -m ecn --ecn-tcp-cwr;=;OK
-p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 2;=;OK
-p tcp -m ecn ! --ecn-tcp-ece ! --ecn-tcp-cwr ! --ecn-ip-ect 2;=;OK
:INPUT,FORWARD,OUTPUT
-p esp -m esp --espspi 0;=;OK
-p esp -m esp --espspi :32;-p esp -m esp --espspi 0:32;OK
-p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK
-p esp -m esp ! --espspi 0:4294967294;=;OK
-p esp -m esp --espspi -1;;FAIL
-p esp -m esp;=;OK
-m esp;;FAIL
:INPUT,FORWARD,OUTPUT
-m hashlimit --hashlimit-above 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
-m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-name mini1;-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;OK
-m hashlimit --hashlimit-upto 4kb/s --hashlimit-burst 400kb --hashlimit-name mini5;=;OK
-m hashlimit --hashlimit-upto 10mb/s --hashlimit-name mini6;=;OK
-m hashlimit --hashlimit-upto 123456b/s --hashlimit-burst 1mb --hashlimit-name mini7;=;OK
# should work, it says "iptables v1.4.15: burst cannot be smaller than 96b"
# ERROR: cannot load: iptables -A INPUT -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1
# -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-name mini1;;FAIL
-m hashlimit --hashlimit-upto 1/sec;;FAIL
-m hashlimit;;FAIL
-m hashlimit --hashlimit-upto 40/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name syn-flood;=;OK
-m hashlimit --hashlimit-upto 40/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name rate1 --hashlimit-rate-match;=;OK
-m hashlimit --hashlimit-upto 40mb/s --hashlimit-mode srcip --hashlimit-name rate2 --hashlimit-rate-match;=;OK
-m hashlimit --hashlimit-upto 40/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name rate3 --hashlimit-rate-match --hashlimit-rate-interval 10;=;OK
-m hashlimit --hashlimit-upto 40mb/s --hashlimit-mode srcip --hashlimit-name rate4 --hashlimit-rate-match --hashlimit-rate-interval 10;=;OK