Commit dd6b25de authored by Arturo Borrero Gonzalez

Merge tag 'upstream/1.6.0+snapshot20161117'

Upstream version 1.6.0+snapshot20161117
parents 8fceaf37 7b095084
......@@ -34,6 +34,7 @@ static struct xtables_lmap *realms;
static void realm_init(struct xt_entry_match *m)
{
const char file[] = "/etc/iproute2/rt_realms";
realms = xtables_lmap_init(file);
if (realms == NULL && errno != ENOENT)
fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
......@@ -70,7 +71,7 @@ static void realm_parse(struct xt_option_call *cb)
static void
print_realm(unsigned long id, unsigned long mask, int numeric)
{
const char* name = NULL;
const char *name = NULL;
if (mask != 0xffffffff)
printf(" 0x%lx/0x%lx", id, mask);
......@@ -107,6 +108,42 @@ static void realm_save(const void *ip, const struct xt_entry_match *match)
print_realm(ri->id, ri->mask, 0);
}
static void
print_realm_xlate(unsigned long id, unsigned long mask,
int numeric, struct xt_xlate *xl, uint32_t op)
{
const char *name = NULL;
if (mask != 0xffffffff)
xt_xlate_add(xl, " and 0x%lx %s 0x%lx", mask,
op == XT_OP_EQ ? "==" : "!=", id);
else {
if (numeric == 0)
name = xtables_lmap_id2name(realms, id);
if (name)
xt_xlate_add(xl, " %s%s",
op == XT_OP_EQ ? "" : "!= ", name);
else
xt_xlate_add(xl, " %s0x%lx",
op == XT_OP_EQ ? "" : "!= ", id);
}
}
static int realm_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_realm_info *ri = (const void *)params->match->data;
enum xt_op op = XT_OP_EQ;
if (ri->invert)
op = XT_OP_NEQ;
xt_xlate_add(xl, "rtclassid");
print_realm_xlate(ri->id, ri->mask, 0, xl, op);
return 1;
}
static struct xtables_match realm_mt_reg = {
.name = "realm",
.version = XTABLES_VERSION,
......@@ -119,6 +156,7 @@ static struct xtables_match realm_mt_reg = {
.save = realm_save,
.x6_parse = realm_parse,
.x6_options = realm_opts,
.xlate = realm_xlate,
};
void _init(void)
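Review bot: realm_xlate passes a literal 0 as the `numeric` argument of print_realm_xlate, so the translation always substitutes a symbolic name from /etc/iproute2/rt_realms and the caller's numeric flag is never honoured; if this tree's `struct xt_xlate_mt_params` carries a `numeric` member (the target-side params struct is already consulted for `escape_quotes` elsewhere in this commit), pass it through as `print_realm_xlate(ri->id, ri->mask, params->numeric, xl, op);`, otherwise the parameter is dead and should go. The name is written into the nft rule text verbatim and unquoted, so a realm name that is not a plain identifier would presumably produce an unparsable rule; a comment such as `/* realm names are taken as-is from rt_realms and assumed to be bare identifiers */` would record that assumption. The function `_init` continues outside the hunk.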
......
:INPUT,FORWARD,OUTPUT
-m realm --realm 0x1/0x2a;=;OK
-m realm --realm 0x2a;=;OK
-m realm;;FAIL
......@@ -100,6 +100,35 @@ static void ttl_save(const void *ip, const struct xt_entry_match *match)
printf(" %u", info->ttl);
}
static int ttl_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct ipt_ttl_info *info =
(struct ipt_ttl_info *) params->match->data;
switch (info->mode) {
case IPT_TTL_EQ:
xt_xlate_add(xl, "ip ttl");
break;
case IPT_TTL_NE:
xt_xlate_add(xl, "ip ttl !=");
break;
case IPT_TTL_LT:
xt_xlate_add(xl, "ip ttl lt");
break;
case IPT_TTL_GT:
xt_xlate_add(xl, "ip ttl gt");
break;
default:
/* Should not happen. */
break;
}
xt_xlate_add(xl, " %u", info->ttl);
return 1;
}
#define s struct ipt_ttl_info
static const struct xt_option_entry ttl_opts[] = {
{.name = "ttl-lt", .id = O_TTL_LT, .excl = F_ANY, .type = XTTYPE_UINT8,
......@@ -126,6 +155,7 @@ static struct xtables_match ttl_mt_reg = {
.x6_parse = ttl_parse,
.x6_fcheck = ttl_check,
.x6_options = ttl_opts,
.xlate = ttl_xlate,
};
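Review bot: The `default:` arm of ttl_xlate says "Should not happen" but still falls through to emit ` %u` and return 1, so an unexpected mode yields a bare number as the translation and is reported as success; returning failure there, `default: return 0;`, lets the caller flag the rule as untranslatable instead. The cast `(struct ipt_ttl_info *) params->match->data` also drops the const qualifier only to assign into a const pointer; `(const struct ipt_ttl_info *)` is what is meant. The accompanying libipt_ttl.t records that `--ttl-gt 255` and `--ttl-lt 0` are still accepted; that range check belongs in ttl_parse/ttl_check, which are outside this hunk.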
......
:INPUT,FORWARD,OUTPUT
-m ttl --ttl-eq 0;=;OK
-m ttl --ttl-eq 255;=;OK
-m ttl ! --ttl-eq 0;=;OK
-m ttl ! --ttl-eq 255;=;OK
-m ttl --ttl-gt 0;=;OK
# not possible have anything greater than 255, TTL is 8-bit long
# ERROR: should fail: iptables -A INPUT -m ttl --ttl-gt 255
## -m ttl --ttl-gt 255;;FAIL
# not possible have anything below 0
# ERROR: should fail: iptables -A INPUT -m ttl --ttl-lt 0
## -m ttl --ttl-lt 0;;FAIL
-m ttl --ttl-eq 256;;FAIL
-m ttl --ttl-eq -1;;FAIL
-m ttl;;FAIL
:INPUT,FORWARD,OUTPUT
-j AUDIT --type accept;=;OK
-j AUDIT --type drop;=;OK
-j AUDIT --type reject;=;OK
-j AUDIT;;FAIL
-j AUDIT --type wrong;;FAIL
:PREROUTING,FORWARD,POSTROUTING
*mangle
-j CHECKSUM --checksum-fill;=;OK
-j CHECKSUM;;FAIL
......@@ -80,6 +80,31 @@ arpCLASSIFY_print(const void *ip, const struct xt_entry_target *target,
CLASSIFY_save(ip, target);
}
static int CLASSIFY_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_classify_target_info *clinfo =
(const struct xt_classify_target_info *)params->target->data;
__u32 handle = clinfo->priority;
xt_xlate_add(xl, "meta priority set ");
switch (handle) {
case TC_H_ROOT:
xt_xlate_add(xl, "root");
break;
case TC_H_UNSPEC:
xt_xlate_add(xl, "none");
break;
default:
xt_xlate_add(xl, "%0x:%0x", TC_H_MAJ(handle) >> 16,
TC_H_MIN(handle));
break;
}
return 1;
}
static struct xtables_target classify_target[] = {
{
.family = NFPROTO_UNSPEC,
......@@ -92,6 +117,7 @@ static struct xtables_target classify_target[] = {
.save = CLASSIFY_save,
.x6_parse = CLASSIFY_parse,
.x6_options = CLASSIFY_opts,
.xlate = CLASSIFY_xlate,
},
{
.family = NFPROTO_ARP,
......@@ -103,6 +129,7 @@ static struct xtables_target classify_target[] = {
.print = arpCLASSIFY_print,
.x6_parse = CLASSIFY_parse,
.x6_options = CLASSIFY_opts,
.xlate = CLASSIFY_xlate,
},
};
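Review bot: In CLASSIFY_xlate the format `"%0x:%0x"` uses the `0` flag without a field width, which has no effect, so `--set-class 0000:ffff` is translated as `0:ffff`; either drop the flag, `xt_xlate_add(xl, "%x:%x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));`, or give it a width if zero-padded output is intended. The same function is registered for the NFPROTO_ARP entry, which appears deliberate but deserves a one-line comment since arptables rules translate to the same `meta priority set` syntax.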
......
:FORWARD,OUTPUT,POSTROUTING
*mangle
-j CLASSIFY --set-class 0000:ffff;=;OK
# maximum handle accepted by tc is 0xffff
# ERROR : should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 0000:ffffffff
# -j CLASSIFY --set-class 0000:ffffffff;;FAIL
# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
# -j CLASSIFY --set-class 1:-1;;FAIL
-j CLASSIFY;;FAIL
......@@ -347,6 +347,50 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
}
}
static int connmark_tg_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_connmark_tginfo1 *info =
(const void *)params->target->data;
switch (info->mode) {
case XT_CONNMARK_SET:
xt_xlate_add(xl, "ct mark set ");
if (info->ctmark == 0)
xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
else if (info->ctmark == info->ctmask)
xt_xlate_add(xl, "ct mark or 0x%x",
info->ctmark);
else if (info->ctmask == 0)
xt_xlate_add(xl, "ct mark xor 0x%x",
info->ctmark);
else if (info->ctmask == 0xFFFFFFFFU)
xt_xlate_add(xl, "0x%x ", info->ctmark);
else
xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
info->ctmark, ~info->ctmask);
break;
case XT_CONNMARK_SAVE:
xt_xlate_add(xl, "ct mark set mark");
if (!(info->nfmask == UINT32_MAX &&
info->ctmask == UINT32_MAX)) {
if (info->nfmask == info->ctmask)
xt_xlate_add(xl, " and 0x%x", info->nfmask);
}
break;
case XT_CONNMARK_RESTORE:
xt_xlate_add(xl, "meta mark set ct mark");
if (!(info->nfmask == UINT32_MAX &&
info->ctmask == UINT32_MAX)) {
if (info->nfmask == info->ctmask)
xt_xlate_add(xl, " and 0x%x", info->nfmask);
}
break;
}
return 1;
}
static struct xtables_target connmark_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
......@@ -377,6 +421,7 @@ static struct xtables_target connmark_tg_reg[] = {
.x6_parse = connmark_tg_parse,
.x6_fcheck = connmark_tg_check,
.x6_options = connmark_tg_opts,
.xlate = connmark_tg_xlate,
},
};
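Review bot: The general case of XT_CONNMARK_SET emits `ct mark xor <value> and <~mask>`, which does not match what CONNMARK --set-xmark does ((ctmark & ~mask) ^ value) and disagrees with mark_tg_xlate in this same commit, which correctly emits `mark and <~mask> xor <value>`; applying the mask after the xor clears the value bits that lie inside the mask. The branch should be `xt_xlate_add(xl, "ct mark and 0x%x xor 0x%x", ~info->ctmask, info->ctmark);`. The XT_CONNMARK_SAVE and XT_CONNMARK_RESTORE arms also drop the masks entirely when nfmask and ctmask differ, yet still return 1; returning 0 from that inner else would mark the rule as not translatable rather than emitting a rule with different semantics.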
......
:PREROUTING,FORWARD,OUTPUT,POSTROUTING
*mangle
-j CONNMARK --restore-mark;=;OK
-j CONNMARK --save-mark;=;OK
-j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --save-mark;OK
-j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --restore-mark;OK
-j CONNMARK;;FAIL
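Review bot: The two mask test lines use `--nfmask 0xfffffff` (seven f's, 28 bits) alongside `--ctmask 0xffffffff`, yet expect the saved rule to collapse to the bare `--save-mark`/`--restore-mark` form, which the save code only does when both masks are all-ones; this reads like a typo for `0xffffffff`, and the test presumably only passes because the harness matches the expected text as a prefix. Either correct the width or add a comment stating that a partial nfmask is intentionally expected to print nothing.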
:PREROUTING,FORWARD,OUTPUT,POSTROUTING
*mangle
-j CONNSECMARK --restore;=;OK
-j CONNSECMARK --save;=;OK
-j CONNSECMARK;;FAIL
:PREROUTING,OUTPUT
*raw
-j CT --notrack;=;OK
-j CT --ctevents new,related,destroy,reply,assured,protoinfo,helper,mark;=;OK
-j CT --expevents new;=;OK
# ERROR: cannot find: iptables -I PREROUTING -t raw -j CT --zone 0
# -j CT --zone 0;=;OK
-j CT --zone 65535;=;OK
-j CT --zone 65536;;FAIL
-j CT --zone -1;;FAIL
# ERROR: should fail: iptables -A PREROUTING -t raw -j CT
# -j CT;;FAIL
@nfct timeout add test inet tcp ESTABLISHED 100
# cannot load: iptables -A PREROUTING -t raw -j CT --timeout test
# -j CT --timeout test;=;OK
@nfct timeout del test
@nfct helper add rpc inet tcp
# cannot load: iptables -A PREROUTING -t raw -j CT --helper rpc
# -j CT --helper rpc;=;OK
@nfct helper del rpc
......@@ -92,8 +92,44 @@ static void DSCP_save(const void *ip, const struct xt_entry_target *target)
printf(" --set-dscp 0x%02x", dinfo->dscp);
}
static struct xtables_target dscp_target = {
.family = NFPROTO_UNSPEC,
static int DSCP_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_DSCP_info *dinfo =
(struct xt_DSCP_info *)params->target->data;
xt_xlate_add(xl, "ip dscp set 0x%02x", dinfo->dscp);
return 1;
}
static int DSCP_xlate6(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_DSCP_info *dinfo =
(struct xt_DSCP_info *)params->target->data;
xt_xlate_add(xl, "ip6 dscp set 0x%02x", dinfo->dscp);
return 1;
}
static struct xtables_target dscp_target[] = {
{
.family = NFPROTO_IPV4,
.name = "DSCP",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.help = DSCP_help,
.print = DSCP_print,
.save = DSCP_save,
.x6_parse = DSCP_parse,
.x6_fcheck = DSCP_check,
.x6_options = DSCP_opts,
.xlate = DSCP_xlate,
},
{
.family = NFPROTO_IPV6,
.name = "DSCP",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
......@@ -104,9 +140,11 @@ static struct xtables_target dscp_target = {
.x6_parse = DSCP_parse,
.x6_fcheck = DSCP_check,
.x6_options = DSCP_opts,
.xlate = DSCP_xlate6,
},
};
void _init(void)
{
xtables_register_target(&dscp_target);
xtables_register_targets(dscp_target, ARRAY_SIZE(dscp_target));
}
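Review bot: DSCP_xlate and DSCP_xlate6 are byte-for-byte duplicates apart from the `ip`/`ip6` keyword, and both cast `params->target->data` to a non-const pointer before storing it in a const one; a single helper parameterised on the layer-3 keyword removes the duplication and keeps the const qualifier. The registration split from one NFPROTO_UNSPEC entry into IPV4 and IPV6 entries changes which families can load the target, which is worth a sentence in the commit description since it is not mentioned there.

```c
/* Shared body: emit "<l3> dscp set 0x%02x" for the IPv4 ("ip") or IPv6 ("ip6") target. */
static int dscp_xlate_common(struct xt_xlate *xl,
			     const struct xt_xlate_tg_params *params,
			     const char *l3)
{
	const struct xt_DSCP_info *dinfo =
		(const struct xt_DSCP_info *)params->target->data;

	xt_xlate_add(xl, "%s dscp set 0x%02x", l3, dinfo->dscp);
	return 1;
}

static int DSCP_xlate(struct xt_xlate *xl,
		      const struct xt_xlate_tg_params *params)
{
	return dscp_xlate_common(xl, params, "ip");
}

static int DSCP_xlate6(struct xt_xlate *xl,
		       const struct xt_xlate_tg_params *params)
{
	return dscp_xlate_common(xl, params, "ip6");
}
/* … unchanged: dscp_target[] registration and _init … */
```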
:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
*mangle
-j DSCP --set-dscp 0;=;OK
-j DSCP --set-dscp 0x3f;=;OK
-j DSCP --set-dscp -1;;FAIL
-j DSCP --set-dscp 0x40;;FAIL
-j DSCP --set-dscp 0x3f --set-dscp-class CS0;;FAIL
-j DSCP --set-dscp-class CS0;-j DSCP --set-dscp 0x00;OK
-j DSCP --set-dscp-class BE;-j DSCP --set-dscp 0x00;OK
-j DSCP --set-dscp-class EF;-j DSCP --set-dscp 0x2e;OK
-j DSCP;;FAIL
:INPUT,FORWARD,OUTPUT
-j HMARK;;FAIL
-j HMARK --hmark-src-prefix 32 --hmark-rnd 0x00000004 --hmark-mod 42;=;OK
-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-sport-mask 0xffff --hmark-dport-mask 0xffff --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-spi-mask 0x00000004 --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
-j HMARK --hmark-src-prefix 1 --hmark-dst-prefix 2 --hmark-sport-mask 0x0003 --hmark-dport-mask 0x0004 --hmark-proto-mask 0x05 --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct;=;OK
# cannot mix in spi mask:
-j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-sport-mask 0xffff --hmark-dport-mask 0xffff --hmark-proto-mask 0xffff --hmark-rnd 0x00000004 --hmark-mod 42 --hmark-offset 1 --hmark-tuple ct --hmark-spi-mask 4;;FAIL
:INPUT,FORWARD,OUTPUT
-j IDLETIMER --timeout;;FAIL
-j IDLETIMER --timeout 42;;FAIL
-j IDLETIMER --timeout 42 --label foo;=;OK
:INPUT,FORWARD,OUTPUT
-j LED;;FAIL
-j LED --led-trigger-id "foo";=;OK
-j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink;=;OK
......@@ -245,6 +245,51 @@ static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
printf(" --set-xmark 0x%x/0x%x", info->mark, info->mask);
}
static int mark_tg_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_mark_tginfo2 *info = (const void *)params->target->data;
xt_xlate_add(xl, "meta mark set ");
if (info->mark == 0)
xt_xlate_add(xl, "mark and 0x%x ", ~info->mask);
else if (info->mark == info->mask)
xt_xlate_add(xl, "mark or 0x%x ", info->mark);
else if (info->mask == 0)
xt_xlate_add(xl, "mark xor 0x%x ", info->mark);
else if (info->mask == 0xffffffffU)
xt_xlate_add(xl, "0x%x ", info->mark);
else
xt_xlate_add(xl, "mark and 0x%x xor 0x%x ", ~info->mask,
info->mark);
return 1;
}
static int MARK_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_mark_target_info_v1 *markinfo =
(const struct xt_mark_target_info_v1 *)params->target->data;
xt_xlate_add(xl, "meta mark set ");
switch(markinfo->mode) {
case XT_MARK_SET:
xt_xlate_add(xl, "0x%x ", markinfo->mark);
break;
case XT_MARK_AND:
xt_xlate_add(xl, "mark and 0x%x ", markinfo->mark);
break;
case XT_MARK_OR:
xt_xlate_add(xl, "mark or 0x%x ", markinfo->mark);
break;
}
return 1;
}
static struct xtables_target mark_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
......@@ -273,6 +318,7 @@ static struct xtables_target mark_tg_reg[] = {
.x6_parse = MARK_parse_v1,
.x6_fcheck = MARK_check,
.x6_options = MARK_opts,
.xlate = MARK_xlate,
},
{
.version = XTABLES_VERSION,
......@@ -287,6 +333,7 @@ static struct xtables_target mark_tg_reg[] = {
.x6_parse = mark_tg_parse,
.x6_fcheck = mark_tg_check,
.x6_options = mark_tg_opts,
.xlate = mark_tg_xlate,
},
};
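Review bot: MARK_xlate's switch has no `default`, so a mode other than SET/AND/OR emits `meta mark set ` with nothing after it and still returns 1; add `default: return 0;` so the caller treats the rule as untranslatable. Every branch in both xlate functions also ends its string with a trailing space (`"0x%x "`, `"mark or 0x%x "`), whereas the CONNMARK translation in this commit emits none, so the generated rule text ends with stray whitespace; dropping the trailing spaces keeps the two consistent. Minor style: `switch(markinfo->mode)` should be `switch (markinfo->mode)` to match the rest of the file.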
......
:INPUT,FORWARD,OUTPUT
-j MARK --set-xmark 0xfeedcafe/0xfeedcafe;=;OK
-j MARK --set-xmark 0;=;OK
-j MARK --set-xmark 4294967295;-j MARK --set-xmark 0xffffffff;OK
-j MARK --set-xmark 4294967296;;FAIL
-j MARK --set-xmark -1;;FAIL
-j MARK;;FAIL
......@@ -12,7 +12,10 @@ enum {
O_GROUP = 0,
O_PREFIX,
O_RANGE,
O_SIZE,
O_THRESHOLD,
F_RANGE = 1 << O_RANGE,
F_SIZE = 1 << O_SIZE,
};
#define s struct xt_nflog_info
......@@ -22,7 +25,9 @@ static const struct xt_option_entry NFLOG_opts[] = {
{.name = "nflog-prefix", .id = O_PREFIX, .type = XTTYPE_STRING,
.min = 1, .flags = XTOPT_PUT, XTOPT_POINTER(s, prefix)},
{.name = "nflog-range", .id = O_RANGE, .type = XTTYPE_UINT32,
.flags = XTOPT_PUT, XTOPT_POINTER(s, len)},
.excl = F_SIZE, .flags = XTOPT_PUT, XTOPT_POINTER(s, len)},
{.name = "nflog-size", .id = O_SIZE, .type = XTTYPE_UINT32,
.excl = F_RANGE, .flags = XTOPT_PUT, XTOPT_POINTER(s, len)},
{.name = "nflog-threshold", .id = O_THRESHOLD, .type = XTTYPE_UINT16,
.flags = XTOPT_PUT, XTOPT_POINTER(s, threshold)},
XTOPT_TABLEEND,
......@@ -33,7 +38,8 @@ static void NFLOG_help(void)
{
printf("NFLOG target options:\n"
" --nflog-group NUM NETLINK group used for logging\n"
" --nflog-range NUM Number of byte to copy\n"
" --nflog-range NUM This option has no effect, use --nflog-size\n"
" --nflog-size NUM Number of bytes to copy\n"
" --nflog-threshold NUM Message threshold of in-kernel queue\n"
" --nflog-prefix STRING Prefix string for log messages\n");
}
......@@ -57,6 +63,18 @@ static void NFLOG_parse(struct xt_option_call *cb)
}
}
static void NFLOG_check(struct xt_fcheck_call *cb)
{
struct xt_nflog_info *info = cb->data;
if (cb->xflags & F_RANGE)
fprintf(stderr, "warn: --nflog-range has never worked and is no"
" longer supported, please use --nflog-size insted\n");
if (cb->xflags & F_SIZE)
info->flags |= XT_NFLOG_F_COPY_LEN;
}
static void nflog_print(const struct xt_nflog_info *info, char *prefix)
{
if (info->prefix[0] != '\0') {
......@@ -65,7 +83,9 @@ static void nflog_print(const struct xt_nflog_info *info, char *prefix)
}
if (info->group)
printf(" %snflog-group %u", prefix, info->group);
if (info->len)
if (info->flags & XT_NFLOG_F_COPY_LEN)
printf(" %snflog-size %u", prefix, info->len);
else if (info->len)
printf(" %snflog-range %u", prefix, info->len);
if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
printf(" %snflog-threshold %u", prefix, info->threshold);
......@@ -86,6 +106,35 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
nflog_print(info, "--");
}
static void nflog_print_xlate(const struct xt_nflog_info *info,
struct xt_xlate *xl, bool escape_quotes)
{
xt_xlate_add(xl, "log ");
if (info->prefix[0] != '\0') {
if (escape_quotes)
xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
else
xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
}
if (info->flags & XT_NFLOG_F_COPY_LEN)
xt_xlate_add(xl, "snaplen %u ", info->len);
if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
xt_xlate_add(xl, "queue-threshold %u ", info->threshold);
xt_xlate_add(xl, "group %u ", info->group);
}
static int NFLOG_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_nflog_info *info =
(struct xt_nflog_info *)params->target->data;
nflog_print_xlate(info, xl, params->escape_quotes);
return 1;
}
static struct xtables_target nflog_target = {
.family = NFPROTO_UNSPEC,
.name = "NFLOG",
......@@ -94,10 +143,12 @@ static struct xtables_target nflog_target = {
.userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
.help = NFLOG_help,
.init = NFLOG_init,
.x6_fcheck = NFLOG_check,
.x6_parse = NFLOG_parse,
.print = NFLOG_print,
.save = NFLOG_save,
.x6_options = NFLOG_opts,
.xlate = NFLOG_xlate,
};
void _init(void)
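Review bot: nflog_print_xlate writes `info->prefix` between double quotes without escaping any `"` or `\` the prefix itself contains, so a prefix holding either character produces a malformed nft rule; `escape_quotes` only addresses the enclosing shell quoting, not the content. Either escape those characters when building the `prefix` argument or document the assumption with a comment such as `/* prefix is emitted verbatim; assumed to contain no '"' or '\\' */`. The user-facing warning in NFLOG_check has a typo: `" longer supported, please use --nflog-size instead\n"`. The function `_init` continues outside the hunk.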
......