Commit dd6b25de authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Merge tag 'upstream/1.6.0+snapshot20161117'

Upstream version 1.6.0+snapshot20161117
parents 8fceaf37 7b095084
:PREROUTING,FORWARD,OUTPUT,POSTROUTING
*mangle
-j ECN;;FAIL
-p tcp -j ECN;;FAIL
-p tcp -j ECN --ecn-tcp-remove;=;OK
......@@ -63,6 +63,11 @@ struct ipt_log_names {
unsigned int level;
};
struct ipt_log_xlate {
const char *name;
unsigned int level;
};
static const struct ipt_log_names ipt_log_names[]
= { { .name = "alert", .level = LOG_ALERT },
{ .name = "crit", .level = LOG_CRIT },
......@@ -166,6 +171,42 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
printf(" --log-macdecode");
}
static const struct ipt_log_xlate ipt_log_xlate_names[] = {
{"alert", LOG_ALERT },
{"crit", LOG_CRIT },
{"debug", LOG_DEBUG },
{"emerg", LOG_EMERG },
{"err", LOG_ERR },
{"info", LOG_INFO },
{"notice", LOG_NOTICE },
{"warn", LOG_WARNING }
};
static int LOG_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ipt_log_info *loginfo =
(const struct ipt_log_info *)params->target->data;
unsigned int i = 0;
xt_xlate_add(xl, "log ");
if (strcmp(loginfo->prefix, "") != 0) {
if (params->escape_quotes)
xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
else
xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
}
for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
if (loginfo->level != LOG_DEFAULT_LEVEL &&
loginfo->level == ipt_log_xlate_names[i].level) {
xt_xlate_add(xl, "level %s ",
ipt_log_xlate_names[i].name);
break;
}
return 1;
}
static struct xtables_target log_tg_reg = {
.name = "LOG",
.version = XTABLES_VERSION,
......@@ -178,6 +219,7 @@ static struct xtables_target log_tg_reg = {
.save = LOG_save,
.x6_parse = LOG_parse,
.x6_options = LOG_opts,
.xlate = LOG_xlate,
};
void _init(void)
......
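Review bot: LOG_xlate (L43-L47) copies loginfo->prefix into the generated `log prefix "..."` statement verbatim, so a prefix that itself contains `"` or `\` produces a malformed or altered nft rule; escape_quotes only governs the surrounding quotes, not the contents. Unless LOG_parse (outside this hunk) rejects those characters, the translation should refuse such prefixes rather than emit them, e.g. `if (strpbrk(loginfo->prefix, "\"\\")) return 0;` before the prefix is added. Separately, the `loginfo->level != LOG_DEFAULT_LEVEL` test on L50 is loop-invariant and reads better as a guard around the for loop.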
:INPUT,FORWARD,OUTPUT
-j LOG;-j LOG;OK
-j LOG --log-prefix "test: ";=;OK
-j LOG --log-prefix "test: " --log-level 1;=;OK
# iptables displays the log-level output using the number; not the string
-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
......@@ -134,6 +134,28 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
printf(" --random");
}
static int MASQUERADE_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_ipv4_multi_range_compat *mr =
(const void *)params->target->data;
const struct nf_nat_ipv4_range *r = &mr->range[0];
xt_xlate_add(xl, "masquerade");
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, " to :%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port));
}
xt_xlate_add(xl, " ");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random ");
return 1;
}
static struct xtables_target masquerade_tg_reg = {
.name = "MASQUERADE",
.version = XTABLES_VERSION,
......@@ -146,6 +168,7 @@ static struct xtables_target masquerade_tg_reg = {
.print = MASQUERADE_print,
.save = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
.xlate = MASQUERADE_xlate,
};
void _init(void)
......
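Review bot: The unconditional `xt_xlate_add(xl, " ")` on L96 leaves every MASQUERADE translation with a trailing blank (`masquerade ` / `masquerade to :1024 random `), which differs from SNAT_xlate in this same commit, where the separator is emitted together with the flag. Dropping the bare `" "` call and writing `xt_xlate_add(xl, " random");` on L98 keeps the output clean and consistent across the NAT targets.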
:POSTROUTING
*nat
-j MASQUERADE;=;OK
-j MASQUERADE --random;=;OK
-p tcp -j MASQUERADE --to-ports 1024;=;OK
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
......@@ -62,7 +62,7 @@ static void NETMAP_parse(struct xt_option_call *cb)
range->max_ip = range->min_ip | ~cb->val.hmask.ip;
}
static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
static void __NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
......@@ -80,10 +80,17 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
printf("/%d", bits);
}
static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
printf(" to:");
__NETMAP_print(ip, target, numeric);
}
static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
{
printf(" --%s ", NETMAP_opts[0].name);
NETMAP_print(ip, target, 0);
__NETMAP_print(ip, target, 0);
}
static struct xtables_target netmap_tg_reg = {
......
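Review bot: `__NETMAP_print` (L124) uses an identifier beginning with a double underscore, which C reserves for the implementation (C11 7.1.3), and the definition it renames starts outside this hunk. A plain static name such as `netmap_print_range` carries the same intent without stepping on reserved space; the call on L141 and the wrapper on L135 would change accordingly. The split itself looks right: NETMAP_save keeps emitting ` --to ` followed by the bare range while NETMAP_print now prefixes ` to:`.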
:PREROUTING,INPUT,OUTPUT,POSTROUTING
*nat
-j NETMAP --to 1.2.3.0/24;=;OK
-j NETMAP --to 1.2.3.4;=;OK
......@@ -135,6 +135,24 @@ static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
}
}
static int REDIRECT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct nf_nat_ipv4_multi_range_compat *mr =
(const void *)params->target->data;
const struct nf_nat_ipv4_range *r = &mr->range[0];
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, "redirect to :%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
xt_xlate_add(xl, "-%hu ", ntohs(r->max.tcp.port));
if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, " random ");
}
return 1;
}
static struct xtables_target redirect_tg_reg = {
.name = "REDIRECT",
.version = XTABLES_VERSION,
......@@ -147,6 +165,7 @@ static struct xtables_target redirect_tg_reg = {
.print = REDIRECT_print,
.save = REDIRECT_save,
.x6_options = REDIRECT_opts,
.xlate = REDIRECT_xlate,
};
void _init(void)
......
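Review bot: REDIRECT_xlate emits nothing at all when NF_NAT_RANGE_PROTO_SPECIFIED is not set (L158-L164), so if the parser accepts `-j REDIRECT` without `--to-ports` (the .t file does not cover that case) the rule translates to an empty statement and silently stops redirecting; the `random` flag is likewise lost unless ports are given. The `redirect` keyword and the random check belong outside the port conditional, `"-%hu "` on L161 leaves a stray space before ` random`, and L162 re-reads `mr->range[0].flags` where `r->flags` is already in hand.
```c
	xt_xlate_add(xl, "redirect");
	if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
		xt_xlate_add(xl, " to :%hu", ntohs(r->min.tcp.port));
		if (r->max.tcp.port != r->min.tcp.port)
			xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port));
	}
	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
		xt_xlate_add(xl, " random");
	/* … unchanged: return 1; … */
```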
:PREROUTING,OUTPUT
*nat
-p tcp -j REDIRECT --to-ports 42;=;OK
-p udp -j REDIRECT --to-ports 42-1234;=;OK
-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
-j REDIRECT --to-ports 42;;FAIL
......@@ -24,6 +24,11 @@ struct reject_names {
const char *desc;
};
struct reject_names_xlate {
const char *name;
enum ipt_reject_with with;
};
enum {
O_REJECT_WITH = 0,
};
......@@ -129,8 +134,8 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
static void REJECT_save(const void *ip, const struct xt_entry_target *target)
{
const struct ipt_reject_info *reject
= (const struct ipt_reject_info *)target->data;
const struct ipt_reject_info *reject =
(const struct ipt_reject_info *)target->data;
unsigned int i;
for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
......@@ -140,6 +145,45 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
printf(" --reject-with %s", reject_table[i].name);
}
static const struct reject_names_xlate reject_table_xlate[] = {
{"net-unreachable", IPT_ICMP_NET_UNREACHABLE},
{"host-unreachable", IPT_ICMP_HOST_UNREACHABLE},
{"prot-unreachable", IPT_ICMP_PROT_UNREACHABLE},
{"port-unreachable", IPT_ICMP_PORT_UNREACHABLE},
#if 0
{"echo-reply", IPT_ICMP_ECHOREPLY},
#endif
{"net-prohibited", IPT_ICMP_NET_PROHIBITED},
{"host-prohibited", IPT_ICMP_HOST_PROHIBITED},
{"tcp reset", IPT_TCP_RESET},
{"admin-prohibited", IPT_ICMP_ADMIN_PROHIBITED}
};
static int REJECT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ipt_reject_info *reject =
(const struct ipt_reject_info *)params->target->data;
unsigned int i;
for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i) {
if (reject_table_xlate[i].with == reject->with)
break;
}
if (reject->with == IPT_ICMP_PORT_UNREACHABLE)
xt_xlate_add(xl, "reject");
else if (reject->with == IPT_TCP_RESET)
xt_xlate_add(xl, "reject with %s",
reject_table_xlate[i].name);
else
xt_xlate_add(xl, "reject with icmp type %s",
reject_table_xlate[i].name);
return 1;
}
static struct xtables_target reject_tg_reg = {
.name = "REJECT",
.version = XTABLES_VERSION,
......@@ -152,6 +196,7 @@ static struct xtables_target reject_tg_reg = {
.save = REJECT_save,
.x6_parse = REJECT_parse,
.x6_options = REJECT_opts,
.xlate = REJECT_xlate,
};
void _init(void)
......
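Review bot: REJECT_xlate indexes reject_table_xlate[i] after a lookup loop (L225-L228) that has no miss check, so a `with` value absent from the table — echo-reply is explicitly `#if 0`'d out on L211-L213 — leaves i == ARRAY_SIZE and the else branch on L235-L236 reads one past the end of the array. Add `if (i == ARRAY_SIZE(reject_table_xlate)) return 0;` after the loop so an unknown reject type is reported as untranslatable instead of formatting out-of-bounds memory. The kernel may already refuse such values at rule load, but the translator is fed the raw target struct and should not rely on that.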
......@@ -28,5 +28,5 @@ TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.PP
.IP
(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
:INPUT,FORWARD,OUTPUT
-j REJECT;=;OK
-j REJECT --reject-with icmp-net-unreachable;=;OK
-j REJECT --reject-with icmp-host-unreachable;=;OK
-j REJECT --reject-with icmp-port-unreachable;=;OK
-j REJECT --reject-with icmp-proto-unreachable;=;OK
-j REJECT --reject-with icmp-net-prohibited;=;OK
-j REJECT --reject-with icmp-host-prohibited;=;OK
-j REJECT --reject-with icmp-admin-prohibited;=;OK
......@@ -252,6 +252,58 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
}
}
static void print_range_xlate(const struct nf_nat_ipv4_range *r,
struct xt_xlate *xl)
{
if (r->flags & NF_NAT_RANGE_MAP_IPS) {
struct in_addr a;
a.s_addr = r->min_ip;
xt_xlate_add(xl, "%s", xtables_ipaddr_to_numeric(&a));
if (r->max_ip != r->min_ip) {
a.s_addr = r->max_ip;
xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&a));
}
}
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, ":");
xt_xlate_add(xl, "%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port));
}
}
static int SNAT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ipt_natinfo *info = (const void *)params->target;
unsigned int i = 0;
bool sep_need = false;
const char *sep = " ";
for (i = 0; i < info->mr.rangesize; i++) {
xt_xlate_add(xl, "snat to ");
print_range_xlate(&info->mr.range[i], xl);
if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
sep_need = true;
}
if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
if (sep_need)
sep = ",";
xt_xlate_add(xl, "%sfully-random", sep);
sep_need = true;
}
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) {
if (sep_need)
sep = ",";
xt_xlate_add(xl, "%spersistent", sep);
}
}
return 1;
}
static struct xtables_target snat_tg_reg = {
.name = "SNAT",
.version = XTABLES_VERSION,
......@@ -264,6 +316,7 @@ static struct xtables_target snat_tg_reg = {
.print = SNAT_print,
.save = SNAT_save,
.x6_options = SNAT_opts,
.xlate = SNAT_xlate,
};
void _init(void)
......
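Review bot: `sep_need` and `sep` (L293-L294) are declared outside the per-range loop and never reset, so once one range has emitted a flag every later range would start with `,` in front of its first flag, and L296's `"snat to "` is appended with no separator after the previous range's text. Moving `bool sep_need = false;` and `const char *sep = " ";` to the top of the loop body fixes the joiner; if SNAT_parse (outside this diff) really limits the target to a single range, a one-line comment saying so would explain why the loop is safe as written.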
:POSTROUTING
*nat
-j SNAT --to-source 1.1.1.1;=;OK
-j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK
-p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
-j SNAT;;FAIL
:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
*mangle
-j TTL --ttl-set 42;=;OK
-j TTL --ttl-inc 1;=;OK
-j TTL --ttl-dec 1;=;OK
-j TTL --ttl-set 256;;FAIL
-j TTL --ttl-inc 0;;FAIL
-j TTL --ttl-dec 0;;FAIL
-j TTL --ttl-dec 1 --ttl-inc 1;;FAIL
-j TTL --ttl-set --ttl-inc 1;;FAIL
:INPUT,FORWARD,OUTPUT
-j ULOG --ulog-nlgroup 1;-j ULOG;OK
-j ULOG --ulog-nlgroup 32;=;OK
-j ULOG --ulog-nlgroup 33;;FAIL
-j ULOG --ulog-nlgroup 0;;FAIL
-j ULOG --ulog-cprange 1;=;OK
-j ULOG --ulog-cprange 4294967295;=;OK
# This below outputs 0 in iptables-save
# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-cprange 4294967296
#-j ULOG --ulog-cprange 4294967296;;FAIL
# supports up to 31 characters
-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-prefix xxxxxx [...]
#-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
-j ULOG --ulog-qthreshold 1;-j ULOG;OK
-j ULOG --ulog-qthreshold 0;;FAIL
-j ULOG --ulog-qthreshold 50;=;OK
-j ULOG --ulog-qthreshold 51;;FAIL
-j ULOG;=;OK
......@@ -92,6 +92,24 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
}
static int ah_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct ipt_ah *ahinfo = (struct ipt_ah *)params->match->data;
if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
xt_xlate_add(xl, "ah spi%s ",
(ahinfo->invflags & IPT_AH_INV_SPI) ? " !=" : "");
if (ahinfo->spis[0] != ahinfo->spis[1])
xt_xlate_add(xl, "%u-%u", ahinfo->spis[0],
ahinfo->spis[1]);
else
xt_xlate_add(xl, "%u", ahinfo->spis[0]);
}
return 1;
}
static struct xtables_match ah_mt_reg = {
.name = "ah",
.version = XTABLES_VERSION,
......@@ -104,6 +122,7 @@ static struct xtables_match ah_mt_reg = {
.save = ah_save,
.x6_parse = ah_parse,
.x6_options = ah_opts,
.xlate = ah_xlate,
};
void
......
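Review bot: ah_xlate drops the match entirely when the SPI range is 0..0xFFFFFFFF (L370), and the IPT_AH_INV_SPI flag goes with it, so an inverted full-range rule translates to an unconditional match regardless of how the kernel treats it. ah_save (just above the hunk, not shown) appears to make the same simplification and the .t at L395 pins it for the non-inverted case, so either document it with a comment such as `/* full range: no spi condition; inversion intentionally ignored, mirrors ah_save */` or return 0 when the invflag is set on a full range. Minor: the cast on L369 discards const; `(const struct ipt_ah *)` matches the other xlate handlers in this commit.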
:INPUT,FORWARD,OUTPUT
-p ah -m ah --ahspi 0;=;OK
-p ah -m ah --ahspi 4294967295;=;OK
-p ah -m ah --ahspi 0:4294967295;-p ah -m ah;OK
-p ah -m ah ! --ahspi 0;=;OK
-p ah -m ah --ahspi -1;;FAIL
-p ah -m ah --ahspi 4294967296;;FAIL
-p ah -m ah --ahspi invalid;;FAIL
-p ah -m ah --ahspi 0:invalid;;FAIL
-m ah --ahspi 0;;FAIL
-m ah --ahspi;;FAIL
-m ah;;FAIL
-p ah -m ah;=;OK
......@@ -249,6 +249,41 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
}
}
static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
unsigned int code_min,
unsigned int code_max)
{
unsigned int i;
if (code_min != code_max) {
for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
if (icmp_codes[i].type == icmptype &&
icmp_codes[i].code_min == code_min &&
icmp_codes[i].code_max == code_max) {
xt_xlate_add(xl, icmp_codes[i].name);
return 1;
}
}
return 0;
}
static int icmp_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct ipt_icmp *info = (struct ipt_icmp *)params->match->data;
if (info->type != 0xFF) {
xt_xlate_add(xl, "icmp type%s ",
(info->invflags & IPT_ICMP_INV) ? " !=" : "");
if (!type_xlate_print(xl, info->type, info->code[0],
info->code[1]))
return 0;
}
return 1;
}
static struct xtables_match icmp_mt_reg = {
.name = "icmp",
.version = XTABLES_VERSION,
......@@ -261,6 +296,7 @@ static struct xtables_match icmp_mt_reg = {
.save = icmp_save,
.x6_parse = icmp_parse,
.x6_options = icmp_opts,
.xlate = icmp_xlate,
};
void _init(void)
......
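Review bot: type_xlate_print passes the table entry's name straight in as the format string on L418, `xt_xlate_add(xl, icmp_codes[i].name)`; the names come from a static table so this is not exploitable as written, but it trips -Wformat-security and should be `xt_xlate_add(xl, "%s", icmp_codes[i].name);`. The helper also returns 0 for every code_min == code_max case (L413), so an explicit numeric `--icmp-type type/code` makes icmp_xlate report the rule as untranslatable; a numeric fallback printing the type and code would cover that. The icmp_codes table is defined outside this hunk.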
:INPUT,FORWARD,OUTPUT
-p icmp -m icmp --icmp-type any;=;OK
# output uses the number, better use the name?
# ERROR: cannot find: iptables -I INPUT -p icmp -m icmp --icmp-type echo-reply
# -p icmp -m icmp --icmp-type echo-reply;=;OK
# output uses the number, better use the name?
# ERROR: annot find: iptables -I INPUT -p icmp -m icmp --icmp-type destination-unreachable
# -p icmp -m icmp --icmp-type destination-unreachable;=;OK
# it does not acccept name/name, should we accept this?
# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable
# -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable;=;OK
-m icmp;;FAIL
# we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
# -p icmp -m icmp;=;OK