Commit eb1d7c5f authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

New upstream version 1.8.5

parent 290749d4
This target allows to selectively work around known ECN blackholes.
This target selectively works around known ECN blackholes.
It can only be used in the mangle table.
.TP
\fB\-\-ecn\-tcp\-remove\fP
......
......@@ -11,6 +11,7 @@
*/
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <xtables.h>
/* For 64bit kernel / 32bit userspace */
#include <linux/netfilter_ipv4/ipt_ULOG.h>
......
This target allows to create audit records for packets hitting the target.
This target creates audit records for packets hitting the target.
It can be used to record accepted, dropped, and rejected packets. See
auditd(8) for additional details.
.TP
......
This target allows to selectively work around broken/old applications.
This target selectively works around broken/old applications.
It can only be used in the mangle table.
.TP
\fB\-\-checksum\-fill\fP
......
......@@ -348,6 +348,20 @@ static void notrack_ct2_tg_init(struct xt_entry_target *target)
info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
}
static int xlate_ct1_tg(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
struct xt_ct_target_info_v1 *info =
(struct xt_ct_target_info_v1 *)params->target->data;
if (info->flags & XT_CT_NOTRACK)
xt_xlate_add(xl, "notrack");
else
return 0;
return 1;
}
static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
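Review bot: The if/else shape in xlate_ct1_tg reads backwards, with the failure return tucked in the else branch and the success return after it; a guard clause states the contract directly: `if (!(info->flags & XT_CT_NOTRACK)) return 0;` followed by `xt_xlate_add(xl, "notrack"); return 1;`. A short comment above the guard would help the next reader, e.g. `/* only the NOTRACK form has an nft equivalent; anything else is untranslatable */`. Once NOTRACK is set none of the other members of the v1 info are inspected, so a rule that combined NOTRACK with further CT options would translate to a bare notrack; whether the kernel accepts such a combination is not visible here, so presumably this mirrors the kernel check — worth confirming. The same xlate callback is wired to both the revision-1 and revision-2 registrations in the following hunks, which is consistent since both size the v1 struct.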
......@@ -387,6 +401,7 @@ static struct xtables_target ct_target_reg[] = {
.alias = ct_print_name_alias,
.x6_parse = ct_parse_v1,
.x6_options = ct_opts_v1,
.xlate = xlate_ct1_tg,
},
{
.family = NFPROTO_UNSPEC,
......@@ -418,6 +433,7 @@ static struct xtables_target ct_target_reg[] = {
.size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
.userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
.init = notrack_ct2_tg_init,
.xlate = xlate_ct1_tg,
},
{
.family = NFPROTO_UNSPEC,
......
The CT target allows to set parameters for a packet or its associated
The CT target sets parameters for a packet or its associated
connection. The target attaches a "template" connection tracking entry to
the packet, which is then used by the conntrack core when initializing
a new ct entry. This target is thus only valid in the "raw" table.
......
This target allows to alter the value of the DSCP bits within the TOS
This target alters the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only
be used in the mangle table.
.TP
......
......@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
\-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
.PP
iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000
\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
......@@ -27,6 +27,7 @@
enum {
O_TIMEOUT = 0,
O_LABEL,
O_ALARM,
};
#define s struct idletimer_tg_info
......@@ -39,6 +40,17 @@ static const struct xt_option_entry idletimer_tg_opts[] = {
};
#undef s
#define s struct idletimer_tg_info_v1
static const struct xt_option_entry idletimer_tg_opts_v1[] = {
{.name = "timeout", .id = O_TIMEOUT, .type = XTTYPE_UINT32,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, timeout)},
{.name = "label", .id = O_LABEL, .type = XTTYPE_STRING,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, label)},
{.name = "alarm", .id = O_ALARM, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
};
#undef s
static void idletimer_tg_help(void)
{
printf(
......@@ -48,6 +60,16 @@ static void idletimer_tg_help(void)
"\n");
}
static void idletimer_tg_help_v1(void)
{
printf(
"IDLETIMER target options:\n"
" --timeout time Timeout until the notification is sent (in seconds)\n"
" --label string Unique rule identifier\n"
" --alarm Use alarm instead of default timer\n"
"\n");
}
static void idletimer_tg_print(const void *ip,
const struct xt_entry_target *target,
int numeric)
......@@ -59,6 +81,20 @@ static void idletimer_tg_print(const void *ip,
printf(" label:%s", info->label);
}
static void idletimer_tg_print_v1(const void *ip,
const struct xt_entry_target *target,
int numeric)
{
struct idletimer_tg_info_v1 *info =
(struct idletimer_tg_info_v1 *) target->data;
printf(" timeout:%u", info->timeout);
printf(" label:%s", info->label);
if (info->timer_type == XT_IDLETIMER_ALARM)
printf(" alarm");
}
static void idletimer_tg_save(const void *ip,
const struct xt_entry_target *target)
{
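Review bot: The cast on the `info` declaration in idletimer_tg_print_v1 discards the const that `target` carries, so an accidental write through `info` would compile silently; declare it `const struct idletimer_tg_info_v1 *info = (const void *)target->data;`. The identical cast appears in idletimer_tg_save_v1 in the next hunk and should get the same treatment. The `numeric` parameter is unused, as in the rev-0 printer above, which is fine for the callback signature but deserves a one-word comment. Printing `info->label` with `%s` assumes the label is NUL-terminated within its array; the rev-0 context line above makes the same assumption, presumably relying on the kernel's entry check — confirm rather than assume.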
......@@ -69,21 +105,58 @@ static void idletimer_tg_save(const void *ip,
printf(" --label %s", info->label);
}
static struct xtables_target idletimer_tg_reg = {
.family = NFPROTO_UNSPEC,
.name = "IDLETIMER",
.version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct idletimer_tg_info)),
.userspacesize = offsetof(struct idletimer_tg_info, timer),
.help = idletimer_tg_help,
.x6_parse = xtables_option_parse,
.print = idletimer_tg_print,
.save = idletimer_tg_save,
.x6_options = idletimer_tg_opts,
static void idletimer_tg_save_v1(const void *ip,
const struct xt_entry_target *target)
{
struct idletimer_tg_info_v1 *info =
(struct idletimer_tg_info_v1 *) target->data;
printf(" --timeout %u", info->timeout);
printf(" --label %s", info->label);
if (info->timer_type == XT_IDLETIMER_ALARM)
printf(" --alarm");
}
static void idletimer_tg_parse_v1(struct xt_option_call *cb)
{
struct idletimer_tg_info_v1 *info = cb->data;
xtables_option_parse(cb);
if (cb->entry->id == O_ALARM)
info->timer_type = XT_IDLETIMER_ALARM;
}
static struct xtables_target idletimer_tg_reg[] = {
{
.family = NFPROTO_UNSPEC,
.name = "IDLETIMER",
.version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct idletimer_tg_info)),
.userspacesize = offsetof(struct idletimer_tg_info, timer),
.help = idletimer_tg_help,
.x6_parse = xtables_option_parse,
.print = idletimer_tg_print,
.save = idletimer_tg_save,
.x6_options = idletimer_tg_opts,
},
{
.family = NFPROTO_UNSPEC,
.name = "IDLETIMER",
.version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct idletimer_tg_info_v1)),
.userspacesize = offsetof(struct idletimer_tg_info_v1, timer),
.help = idletimer_tg_help_v1,
.x6_parse = idletimer_tg_parse_v1,
.print = idletimer_tg_print_v1,
.save = idletimer_tg_save_v1,
.x6_options = idletimer_tg_opts_v1,
},
};
void _init(void)
{
xtables_register_target(&idletimer_tg_reg);
xtables_register_targets(idletimer_tg_reg, ARRAY_SIZE(idletimer_tg_reg));
}
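Review bot: idletimer_tg_parse_v1 only ever assigns `info->timer_type` when `--alarm` is seen, so the plain-timer case depends on the target data having been zeroed before option parsing, which this hunk does not show; make that explicit with `/* timer_type stays 0 (plain timer) unless --alarm is given; relies on zeroed target data */` above the `if`. The `.userspacesize = offsetof(struct idletimer_tg_info_v1, timer)` entry in the rev-1 registration only includes `timer_type` in rule comparison if that member precedes `timer` in the uapi struct; the layout is not visible here, so verify it against the header. idletimer_tg_save_v1 repeats the const-discarding cast already noted for idletimer_tg_print_v1 and should use `const struct idletimer_tg_info_v1 *info = (const void *)target->data;`.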
......@@ -2,3 +2,4 @@
-j IDLETIMER --timeout;;FAIL
-j IDLETIMER --timeout 42;;FAIL
-j IDLETIMER --timeout 42 --label foo;=;OK
-j IDLETIMER --timeout 42 --label foo --alarm;;OK
This target is used to set the Netfilter mark value associated with the packet.
It can, for example, be used in conjunction with routing based on fwmark (needs
iproute2). If you plan on doing so, note that the mark needs to be set in the
PREROUTING chain of the mangle table to affect routing.
iproute2). If you plan on doing so, note that the mark needs to be set in
either the PREROUTING or the OUTPUT chain of the mangle table to affect routing.
The mark field is 32 bits wide.
.TP
\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
......
:PREROUTING,OUTPUT
*raw
# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK
#-j NOTRACK;=;OK
-j NOTRACK;=;OK
iptables-translate -A PREROUTING -t raw -j NOTRACK
nft add rule ip raw PREROUTING counter notrack
......@@ -42,5 +42,5 @@ and
\fB\-\-map\-queue\fP
flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
.PP
Use of -j SET requires that ipset kernel support is provided, which, for
Use of \-j SET requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
This target allows to alter the MSS value of TCP SYN packets, to control
This target alters the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
Of course, it can only be used
......
......@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
a bug whereby IPv6 TOS mangling does not behave as documented and differs from
the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
needs to be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its
mnemonics.
......@@ -5,6 +5,7 @@
* This program is released under the terms of GNU GPL */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <xtables.h>
#include <linux/netfilter/xt_addrtype.h>
......
......@@ -61,14 +61,26 @@ static const struct xt_option_entry bpf_opts_v1[] = {
XTOPT_TABLEEND,
};
static int bpf_obj_get(const char *filepath)
static int bpf_obj_get_readonly(const char *filepath)
{
#if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC
union bpf_attr attr;
memset(&attr, 0, sizeof(attr));
attr.pathname = (__u64) filepath;
/* union bpf_attr includes this in an anonymous struct, but the
* file_flags field and the BPF_F_RDONLY constant are only present
* in Linux 4.15+ kernel headers (include/uapi/linux/bpf.h)
*/
struct { // this part of union bpf_attr is for BPF_OBJ_* commands
__aligned_u64 pathname;
__u32 bpf_fd;
__u32 file_flags;
} attr = {
.pathname = (__u64)filepath,
.file_flags = (1U << 3), // BPF_F_RDONLY
};
int fd = syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
if (fd >= 0) return fd;
/* on any error fallback to default R/W access for pre-4.15-rc1 kernels */
attr.file_flags = 0;
return syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
#else
xtables_error(OTHER_PROBLEM,
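Review bot: The fallback after the first `syscall` retries with read/write access on any failure, so an error unrelated to the flag (a missing or unreadable pinned path) is attempted a second time and the caller's errno ends up reflecting the retry rather than the original cause; restricting the retry to the case where the kernel rejects the unknown attr field keeps the read-only intent and the first error: `if (fd >= 0 || errno != EINVAL) return fd;`. As far as I know EINVAL is what pre-4.15 kernels return for a non-zero field beyond the last one they know, but confirm, and `<errno.h>` must be in scope (the include block is outside this hunk). The bare `(1U << 3)` with a trailing comment would be clearer as a guarded macro near the top of the file, `#ifndef BPF_F_RDONLY` / `#define BPF_F_RDONLY (1U << 3)` / `#endif`, with the initializer written `.file_flags = BPF_F_RDONLY`. The body of bpf_obj_get_readonly continues past the hunk (the `#else` branch is cut off).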
......@@ -125,7 +137,7 @@ static void bpf_parse_string(struct sock_filter *pc, __u16 *lenp, __u16 len_max,
static void bpf_parse_obj_pinned(struct xt_bpf_info_v1 *bi,
const char *filepath)
{
bi->fd = bpf_obj_get(filepath);
bi->fd = bpf_obj_get_readonly(filepath);
if (bi->fd < 0)
xtables_error(PARAMETER_PROBLEM,
"bpf: failed to get bpf object");
......
......@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC
\fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP
The code format is similar to the output of the tcpdump -ddd command: one line
The code format is similar to the output of the tcpdump \-ddd command: one line
that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. Fields encode the operation, jump offset if true, jump offset if
......
......@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st,
info->total_nodes, info->hash_seed);
for (node = 0; node < 32; node++) {
if (info->node_mask & (1 << node)) {
if (info->node_mask & (1u << node)) {
if (needs_set == 0) {
xt_xlate_add(xl, "{ ");
needs_set = 1;
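Review bot: The change to `1u << node` is correct but silent about its reason, and a future reader may "tidy" it back to `1 << node`; add a why-comment above the loop such as `/* 1u: node reaches 31 and 1 << 31 overflows a signed int */`. The enclosing cluster_xlate starts outside the hunk, so the declared type of `node` is not visible here.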
......