parent
64d7b4343c
commit
538ceacf66
@ -1 +1 @@
|
|||||||
SOURCES/iptables-1.8.8.tar.bz2
|
SOURCES/iptables-1.8.10.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2
|
ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz
|
||||||
|
@ -0,0 +1,73 @@
|
|||||||
|
From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Tue, 7 Nov 2023 23:44:55 +0100
|
||||||
|
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-14147
|
||||||
|
Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||||
|
|
||||||
|
commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Tue Nov 7 19:12:14 2023 +0100
|
||||||
|
|
||||||
|
ebtables: Fix corner-case noflush restore bug
|
||||||
|
|
||||||
|
Report came from firwalld, but this is actually rather hard to trigger.
|
||||||
|
Since a regular chain line prevents it, typical dump/restore use-cases
|
||||||
|
are unaffected.
|
||||||
|
|
||||||
|
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
|
||||||
|
Cc: Eric Garver <eric@garver.life>
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
|
||||||
|
iptables/xtables-eb.c | 2 ++
|
||||||
|
2 files changed, 27 insertions(+)
|
||||||
|
create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||||
|
|
||||||
|
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..0def0ac
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||||
|
@@ -0,0 +1,25 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+#
|
||||||
|
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
|
||||||
|
+# - with --noflush
|
||||||
|
+# - a second table after the broute one
|
||||||
|
+# - A policy command but no chain line for BROUTING chain
|
||||||
|
+
|
||||||
|
+set -e
|
||||||
|
+
|
||||||
|
+case "$XT_MULTI" in
|
||||||
|
+*xtables-nft-multi)
|
||||||
|
+ ;;
|
||||||
|
+*)
|
||||||
|
+ echo "skip $XT_MULTI"
|
||||||
|
+ exit 0
|
||||||
|
+ ;;
|
||||||
|
+esac
|
||||||
|
+
|
||||||
|
+$XT_MULTI ebtables-restore --noflush <<EOF
|
||||||
|
+*broute
|
||||||
|
+-P BROUTING ACCEPT
|
||||||
|
+*nat
|
||||||
|
+-P PREROUTING ACCEPT
|
||||||
|
+COMMIT
|
||||||
|
+EOF
|
||||||
|
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||||
|
index 08eec79..a8ad57c 100644
|
||||||
|
--- a/iptables/xtables-eb.c
|
||||||
|
+++ b/iptables/xtables-eb.c
|
||||||
|
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
|
||||||
|
return NF_BR_LOCAL_OUT;
|
||||||
|
else if (strcmp(chain, "POSTROUTING") == 0)
|
||||||
|
return NF_BR_POST_ROUTING;
|
||||||
|
+ else if (strcmp(chain, "BROUTING") == 0)
|
||||||
|
+ return NF_BR_BROUTING;
|
||||||
|
|
||||||
|
/* placeholder for user defined chain */
|
||||||
|
return NF_BR_NUMHOOKS;
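Review bot: The new test 0009-broute-bug_0 asserts only the exit status of `ebtables-restore --noflush` (via `set -e`); it never checks that the `-P BROUTING ACCEPT` policy actually reached the kernel, so a regression that makes the restore succeed with the wrong chain mapping would pass it. Consider following the restore with a listing check such as `$XT_MULTI ebtables -t broute -L BROUTING | grep -q ACCEPT` — I cannot confirm the exact `-L` output format from this hunk, so adjust the pattern to what ebtables-nft prints. The added `BROUTING` branch in ebt_get_current_chain() is the right shape for the existing strcmp chain, but the function begins and ends outside the hunk, so I cannot see whether every caller that receives NF_BR_BROUTING is prepared for a hook index that only exists in the broute table.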
|
@ -1,29 +0,0 @@
|
|||||||
From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Fri, 13 May 2022 16:51:58 +0200
|
|
||||||
Subject: [PATCH] xshared: Fix build for -Werror=format-security
|
|
||||||
|
|
||||||
Gcc complains about the omitted format string.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
|
|
||||||
---
|
|
||||||
iptables/xshared.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
|
||||||
index fae5ddd5df93e..a8512d3808154 100644
|
|
||||||
--- a/iptables/xshared.c
|
|
||||||
+++ b/iptables/xshared.c
|
|
||||||
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (args->family != NFPROTO_ARP)
|
|
||||||
- xtables_error(PARAMETER_PROBLEM, msg);
|
|
||||||
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
|
|
||||||
|
|
||||||
fprintf(stderr, "%s", msg);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -0,0 +1,99 @@
|
|||||||
|
From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 18:26:58 +0200
|
||||||
|
Subject: [PATCH] nft: Fix for broken recover_rule_compat()
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-26619
|
||||||
|
Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
|
||||||
|
|
||||||
|
commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Tue Feb 27 18:47:39 2024 +0100
|
||||||
|
|
||||||
|
nft: Fix for broken recover_rule_compat()
|
||||||
|
|
||||||
|
When IPv4 rule generator was changed to emit payload instead of
|
||||||
|
meta expressions for l4proto matches, the code reinserting
|
||||||
|
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
|
||||||
|
zeroing was broken by accident.
|
||||||
|
|
||||||
|
Make rule compat recovery aware of the alternative match, basically
|
||||||
|
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
|
||||||
|
with NFTA_RULE_COMPAT") but add a test case this time to make sure
|
||||||
|
things stay intact.
|
||||||
|
|
||||||
|
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
iptables/nft.c | 27 ++++++++++++++++---
|
||||||
|
.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
|
||||||
|
2 files changed, 35 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
|
||||||
|
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||||
|
index 97fd4f4..c4caf29 100644
|
||||||
|
--- a/iptables/nft.c
|
||||||
|
+++ b/iptables/nft.c
|
||||||
|
@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
|
||||||
|
return strerror(err);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
|
||||||
|
+{
|
||||||
|
+ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
|
||||||
|
+ uint32_t poff = offsetof(struct iphdr, protocol);
|
||||||
|
+ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
|
||||||
|
+
|
||||||
|
+ if (!strcmp(name, "payload") &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
|
||||||
|
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if (!strcmp(name, "meta") &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
|
||||||
|
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int recover_rule_compat(struct nftnl_rule *r)
|
||||||
|
{
|
||||||
|
struct nftnl_expr_iter *iter;
|
||||||
|
@@ -3695,12 +3716,10 @@ next_expr:
|
||||||
|
if (!e)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
|
||||||
|
- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
|
||||||
|
+ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
|
||||||
|
+ if (l4proto_expr_get_dreg(e, ®) < 0)
|
||||||
|
goto next_expr;
|
||||||
|
|
||||||
|
- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
|
||||||
|
-
|
||||||
|
e = nftnl_expr_iter_next(iter);
|
||||||
|
if (!e)
|
||||||
|
goto out;
|
||||||
|
diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..e276a95
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
|
||||||
|
+
|
||||||
|
+set -e
|
||||||
|
+
|
||||||
|
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
|
||||||
|
+for cmd in iptables ip6tables; do
|
||||||
|
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
|
||||||
|
+ $XT_MULTI $cmd -t mangle -Z
|
||||||
|
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
|
||||||
|
+done
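Review bot: `l4proto_expr_get_dreg()` has no comment saying which two expression shapes it accepts or why, and the payload branch hard-codes the IPv4 header (`struct iphdr`, `protocol`, one byte) while the ip6tables half of the new test presumably relies on the `meta l4proto` branch instead; that assumption is worth stating next to the code. I would add above the function: `/* Store in *dregp the register an l4proto match loads into. Accepts both forms the rule generator emits: a payload load of iphdr.protocol ('ip protocol', IPv4 since 69278f9602b43) and 'meta l4proto' (presumably other families and older rules). Returns -1 for any other expression. */` Note that a payload load of the IPv6 nexthdr field would not be recognized by this helper, so if the IPv6 generator ever moves to payload matching a second (base, offset) pair is needed here and counter zeroing would silently drop the compat attributes again. The surrounding recover_rule_compat() begins outside the hunk.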
|
@ -1,61 +0,0 @@
|
|||||||
From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu, 2 Jun 2022 13:44:45 +0200
|
|
||||||
Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
|
|
||||||
|
|
||||||
Some repeated calls have been reduced recently, assert this in a test
|
|
||||||
evaluating strace output.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
|
|
||||||
---
|
|
||||||
.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
|
|
||||||
1 file changed, 37 insertions(+)
|
|
||||||
create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
||||||
|
|
||||||
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000..b86d71f209471
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
|
||||||
@@ -0,0 +1,37 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+# Test recent performance improvements in iptables-save due to reduced
|
|
||||||
+# overhead.
|
|
||||||
+
|
|
||||||
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
|
|
||||||
+
|
|
||||||
+RULESET=$(
|
|
||||||
+ echo "*filter"
|
|
||||||
+ for ((i = 0; i < 100; i++)); do
|
|
||||||
+ echo ":mychain$i -"
|
|
||||||
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
|
|
||||||
+ done
|
|
||||||
+ echo "COMMIT"
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
|
|
||||||
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
|
|
||||||
+
|
|
||||||
+do_grep() { # (name, threshold, pattern)
|
|
||||||
+ local cnt=$(grep -c "$3")
|
|
||||||
+ [[ $cnt -le $2 ]] && return 0
|
|
||||||
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# iptables prefers hard-coded protocol names instead of looking them up first
|
|
||||||
+
|
|
||||||
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
|
|
||||||
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
|
|
||||||
+
|
|
||||||
+# iptables-nft-save pointlessly checked whether chain jumps are targets
|
|
||||||
+
|
|
||||||
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
|
|
||||||
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
|
|
||||||
+
|
|
||||||
+exit 0
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue, 7 Jun 2022 18:07:00 +0200
|
|
||||||
Subject: [PATCH] arptables: Support -x/--exact flag
|
|
||||||
|
|
||||||
Legacy arptables accepts but ignores the flag. Yet there are remains of
|
|
||||||
the functionality in sources, like OPT_EXPANDED define and a print_num()
|
|
||||||
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
|
|
||||||
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
|
|
||||||
arptables, just enable the feature for it.
|
|
||||||
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
|
|
||||||
---
|
|
||||||
iptables/xshared.h | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
|
||||||
index 14568bb00fb65..a50c8b7298072 100644
|
|
||||||
--- a/iptables/xshared.h
|
|
||||||
+++ b/iptables/xshared.h
|
|
||||||
@@ -69,7 +69,7 @@ struct xtables_target;
|
|
||||||
|
|
||||||
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
|
|
||||||
#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
|
|
||||||
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
|
|
||||||
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
|
|
||||||
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
|
||||||
|
|
||||||
/* define invflags which won't collide with IPT ones */
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -0,0 +1,43 @@
|
|||||||
|
From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Wed, 12 Jun 2024 22:49:48 +0200
|
||||||
|
Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-40928
|
||||||
|
Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
|
||||||
|
|
||||||
|
commit 0234117d24609070f08ef36a11795c3c8e4c19bf
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Fri May 17 15:20:05 2024 +0200
|
||||||
|
|
||||||
|
extensions: libxt_sctp: Add an extra assert()
|
||||||
|
|
||||||
|
The code is sane, but this keeps popping up in static code analyzers.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
extensions/libxt_sctp.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||||
|
index 6e2b274..e8312f0 100644
|
||||||
|
--- a/extensions/libxt_sctp.c
|
||||||
|
+++ b/extensions/libxt_sctp.c
|
||||||
|
@@ -7,6 +7,7 @@
|
||||||
|
* libipt_ecn.c borrowed heavily from libipt_dscp.c
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
+#include <assert.h>
|
||||||
|
#include <stdbool.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
|
||||||
|
|
||||||
|
for (i = 7; i >= 0; i--) {
|
||||||
|
if (chunk_flags_mask & (1 << i)) {
|
||||||
|
+ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
|
||||||
|
if (chunk_flags & (1 << i)) {
|
||||||
|
printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
|
||||||
|
} else {
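Review bot: The added `assert(chunknum < ARRAY_SIZE(sctp_chunk_names))` sits inside the `for (i = 7; i >= 0; i--)` loop although `chunknum` is loop-invariant, so it is re-evaluated up to eight times per call and reads as a per-iteration check rather than the precondition it is; I would move it to the line before `for (i = 7; i >= 0; i--) {`. It also deserves a one-line comment that this documents a bound the callers already guarantee (the commit message says the code is sane) rather than adding runtime validation, since `assert()` compiles to nothing under `-DNDEBUG` and must not be relied on to reject an out-of-range chunk number from a rule dump. print_chunk_flags() begins and ends outside the hunk.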
|
@ -1,91 +0,0 @@
|
|||||||
From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu, 30 Jun 2022 18:04:39 +0200
|
|
||||||
Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
|
|
||||||
|
|
||||||
Some extensions are not supported in revision 0 by user space anymore,
|
|
||||||
for those the warning in xtables_compatible_revision() does not print as
|
|
||||||
no revision 0 is tried.
|
|
||||||
|
|
||||||
To fix this, one has to track if none of the user space supported
|
|
||||||
revisions were accepted by the kernel. Therefore add respective logic to
|
|
||||||
xtables_find_{target,match}().
|
|
||||||
|
|
||||||
Note that this does not lead to duplicated warnings for unsupported
|
|
||||||
extensions that have a revision 0 because xtables_compatible_revision()
|
|
||||||
returns true for them to allow for extension's help output.
|
|
||||||
|
|
||||||
For the record, these ip6tables extensions are affected: set/SET,
|
|
||||||
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
|
|
||||||
for both families.
|
|
||||||
|
|
||||||
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
|
|
||||||
---
|
|
||||||
libxtables/xtables.c | 14 ++++++++++++++
|
|
||||||
1 file changed, 14 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
|
||||||
index 96fd783a066cf..7abc63bcfd83e 100644
|
|
||||||
--- a/libxtables/xtables.c
|
|
||||||
+++ b/libxtables/xtables.c
|
|
||||||
@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
|
||||||
struct xtables_match *ptr;
|
|
||||||
const char *icmp6 = "icmp6";
|
|
||||||
bool found = false;
|
|
||||||
+ bool seen = false;
|
|
||||||
|
|
||||||
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
|
||||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
|
||||||
ptr = *dptr;
|
|
||||||
*dptr = (*dptr)->next;
|
|
||||||
+ seen = true;
|
|
||||||
if (!found &&
|
|
||||||
xtables_fully_register_pending_match(ptr, prev)) {
|
|
||||||
found = true;
|
|
||||||
@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
|
||||||
dptr = &((*dptr)->next);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (seen && !found)
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
|
||||||
+ name);
|
|
||||||
+
|
|
||||||
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
|
|
||||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
|
||||||
struct xtables_match *clone;
|
|
||||||
@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
|
||||||
struct xtables_target **dptr;
|
|
||||||
struct xtables_target *ptr;
|
|
||||||
bool found = false;
|
|
||||||
+ bool seen = false;
|
|
||||||
|
|
||||||
/* Standard target? */
|
|
||||||
if (strcmp(name, "") == 0
|
|
||||||
@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
|
||||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
|
||||||
ptr = *dptr;
|
|
||||||
*dptr = (*dptr)->next;
|
|
||||||
+ seen = true;
|
|
||||||
if (!found &&
|
|
||||||
xtables_fully_register_pending_target(ptr, prev)) {
|
|
||||||
found = true;
|
|
||||||
@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
|
||||||
dptr = &((*dptr)->next);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (seen && !found)
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
|
||||||
+ name);
|
|
||||||
+
|
|
||||||
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
|
|
||||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
|
||||||
struct xtables_target *clone;
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From f24d2449693558d3fbf2a8313a7eb65ecf25f6af Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Tue, 2 Aug 2022 14:52:30 +0200
|
|
||||||
Subject: [PATCH] nft: fix ebtables among match when mac+ip addresses are used
|
|
||||||
|
|
||||||
When matching mac and ip addresses, the ip address needs to be placed
|
|
||||||
into then 2nd 32bit register, the switch to dynamic register allocation
|
|
||||||
instead re-uses reg1, this partially clobbers the mac address, so
|
|
||||||
set lookup comes up empty even though it should find a match.
|
|
||||||
|
|
||||||
Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
|
|
||||||
Reported-by: Yi Chen <yiche@redhat.com>
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
(cherry picked from commit 2ba74d421cd622757df7a93720afc3b5b4b3b4e0)
|
|
||||||
---
|
|
||||||
iptables/nft.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
||||||
index ec79f2bc5e98b..ee003511ab7f3 100644
|
|
||||||
--- a/iptables/nft.c
|
|
||||||
+++ b/iptables/nft.c
|
|
||||||
@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
|
|
||||||
nftnl_rule_add_expr(r, e);
|
|
||||||
|
|
||||||
if (ip) {
|
|
||||||
- e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
|
|
||||||
- sizeof(struct in_addr), ®);
|
|
||||||
+ e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
|
|
||||||
+ sizeof(struct in_addr), NFT_REG32_02);
|
|
||||||
if (!e)
|
|
||||||
return -ENOMEM;
|
|
||||||
nftnl_rule_add_expr(r, e);
|
|
||||||
--
|
|
||||||
2.38.0
|
|
||||||
|
|
@ -1,958 +0,0 @@
|
|||||||
From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Thu, 22 Sep 2022 13:33:50 +0200
|
|
||||||
Subject: [PATCH] nft: un-break among match with concatenation
|
|
||||||
|
|
||||||
The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
|
|
||||||
breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but
|
|
||||||
doesn't set the CONCAT flag.
|
|
||||||
|
|
||||||
Update uapi header and also set CONCAT.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f)
|
|
||||||
---
|
|
||||||
include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++-
|
|
||||||
iptables/nft.c | 2 +-
|
|
||||||
2 files changed, 476 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
|
|
||||||
index 66dceee0ae307..e94d1fa554cb2 100644
|
|
||||||
--- a/include/linux/netfilter/nf_tables.h
|
|
||||||
+++ b/include/linux/netfilter/nf_tables.h
|
|
||||||
@@ -8,6 +8,7 @@
|
|
||||||
#define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN
|
|
||||||
#define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN
|
|
||||||
#define NFT_USERDATA_MAXLEN 256
|
|
||||||
+#define NFT_OSF_MAXGENRELEN 16
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_registers - nf_tables registers
|
|
||||||
@@ -47,6 +48,7 @@ enum nft_registers {
|
|
||||||
|
|
||||||
#define NFT_REG_SIZE 16
|
|
||||||
#define NFT_REG32_SIZE 4
|
|
||||||
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_verdicts - nf_tables internal verdicts
|
|
||||||
@@ -131,7 +133,7 @@ enum nf_tables_msg_types {
|
|
||||||
* @NFTA_LIST_ELEM: list element (NLA_NESTED)
|
|
||||||
*/
|
|
||||||
enum nft_list_attributes {
|
|
||||||
- NFTA_LIST_UNPEC,
|
|
||||||
+ NFTA_LIST_UNSPEC,
|
|
||||||
NFTA_LIST_ELEM,
|
|
||||||
__NFTA_LIST_MAX
|
|
||||||
};
|
|
||||||
@@ -143,12 +145,14 @@ enum nft_list_attributes {
|
|
||||||
* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
|
|
||||||
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
|
|
||||||
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
|
|
||||||
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
|
|
||||||
*/
|
|
||||||
enum nft_hook_attributes {
|
|
||||||
NFTA_HOOK_UNSPEC,
|
|
||||||
NFTA_HOOK_HOOKNUM,
|
|
||||||
NFTA_HOOK_PRIORITY,
|
|
||||||
NFTA_HOOK_DEV,
|
|
||||||
+ NFTA_HOOK_DEVS,
|
|
||||||
__NFTA_HOOK_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
|
|
||||||
@@ -160,7 +164,10 @@ enum nft_hook_attributes {
|
|
||||||
*/
|
|
||||||
enum nft_table_flags {
|
|
||||||
NFT_TABLE_F_DORMANT = 0x1,
|
|
||||||
+ NFT_TABLE_F_OWNER = 0x2,
|
|
||||||
};
|
|
||||||
+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
|
|
||||||
+ NFT_TABLE_F_OWNER)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_table_attributes - nf_tables table netlink attributes
|
|
||||||
@@ -168,6 +175,8 @@ enum nft_table_flags {
|
|
||||||
* @NFTA_TABLE_NAME: name of the table (NLA_STRING)
|
|
||||||
* @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
|
|
||||||
* @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
|
|
||||||
+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
|
|
||||||
+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_table_attributes {
|
|
||||||
NFTA_TABLE_UNSPEC,
|
|
||||||
@@ -176,10 +185,21 @@ enum nft_table_attributes {
|
|
||||||
NFTA_TABLE_USE,
|
|
||||||
NFTA_TABLE_HANDLE,
|
|
||||||
NFTA_TABLE_PAD,
|
|
||||||
+ NFTA_TABLE_USERDATA,
|
|
||||||
+ NFTA_TABLE_OWNER,
|
|
||||||
__NFTA_TABLE_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
|
|
||||||
|
|
||||||
+enum nft_chain_flags {
|
|
||||||
+ NFT_CHAIN_BASE = (1 << 0),
|
|
||||||
+ NFT_CHAIN_HW_OFFLOAD = (1 << 1),
|
|
||||||
+ NFT_CHAIN_BINDING = (1 << 2),
|
|
||||||
+};
|
|
||||||
+#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \
|
|
||||||
+ NFT_CHAIN_HW_OFFLOAD | \
|
|
||||||
+ NFT_CHAIN_BINDING)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_chain_attributes - nf_tables chain netlink attributes
|
|
||||||
*
|
|
||||||
@@ -191,6 +211,9 @@ enum nft_table_attributes {
|
|
||||||
* @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
|
|
||||||
* @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
|
|
||||||
* @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
|
|
||||||
+ * @NFTA_CHAIN_FLAGS: chain flags
|
|
||||||
+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
|
|
||||||
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
|
|
||||||
*/
|
|
||||||
enum nft_chain_attributes {
|
|
||||||
NFTA_CHAIN_UNSPEC,
|
|
||||||
@@ -203,6 +226,9 @@ enum nft_chain_attributes {
|
|
||||||
NFTA_CHAIN_TYPE,
|
|
||||||
NFTA_CHAIN_COUNTERS,
|
|
||||||
NFTA_CHAIN_PAD,
|
|
||||||
+ NFTA_CHAIN_FLAGS,
|
|
||||||
+ NFTA_CHAIN_ID,
|
|
||||||
+ NFTA_CHAIN_USERDATA,
|
|
||||||
__NFTA_CHAIN_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
|
|
||||||
@@ -218,6 +244,7 @@ enum nft_chain_attributes {
|
|
||||||
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
|
|
||||||
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
|
|
||||||
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
|
|
||||||
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_rule_attributes {
|
|
||||||
NFTA_RULE_UNSPEC,
|
|
||||||
@@ -230,6 +257,8 @@ enum nft_rule_attributes {
|
|
||||||
NFTA_RULE_USERDATA,
|
|
||||||
NFTA_RULE_PAD,
|
|
||||||
NFTA_RULE_ID,
|
|
||||||
+ NFTA_RULE_POSITION_ID,
|
|
||||||
+ NFTA_RULE_CHAIN_ID,
|
|
||||||
__NFTA_RULE_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
|
|
||||||
@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes {
|
|
||||||
* @NFT_SET_INTERVAL: set contains intervals
|
|
||||||
* @NFT_SET_MAP: set is used as a dictionary
|
|
||||||
* @NFT_SET_TIMEOUT: set uses timeouts
|
|
||||||
- * @NFT_SET_EVAL: set contains expressions for evaluation
|
|
||||||
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
|
|
||||||
* @NFT_SET_OBJECT: set contains stateful objects
|
|
||||||
+ * @NFT_SET_CONCAT: set contains a concatenation
|
|
||||||
+ * @NFT_SET_EXPR: set contains expressions
|
|
||||||
*/
|
|
||||||
enum nft_set_flags {
|
|
||||||
NFT_SET_ANONYMOUS = 0x1,
|
|
||||||
@@ -277,6 +308,8 @@ enum nft_set_flags {
|
|
||||||
NFT_SET_TIMEOUT = 0x10,
|
|
||||||
NFT_SET_EVAL = 0x20,
|
|
||||||
NFT_SET_OBJECT = 0x40,
|
|
||||||
+ NFT_SET_CONCAT = 0x80,
|
|
||||||
+ NFT_SET_EXPR = 0x100,
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -294,14 +327,28 @@ enum nft_set_policies {
|
|
||||||
* enum nft_set_desc_attributes - set element description
|
|
||||||
*
|
|
||||||
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
|
|
||||||
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
|
|
||||||
*/
|
|
||||||
enum nft_set_desc_attributes {
|
|
||||||
NFTA_SET_DESC_UNSPEC,
|
|
||||||
NFTA_SET_DESC_SIZE,
|
|
||||||
+ NFTA_SET_DESC_CONCAT,
|
|
||||||
__NFTA_SET_DESC_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_set_field_attributes - attributes of concatenated fields
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
|
|
||||||
+ */
|
|
||||||
+enum nft_set_field_attributes {
|
|
||||||
+ NFTA_SET_FIELD_UNSPEC,
|
|
||||||
+ NFTA_SET_FIELD_LEN,
|
|
||||||
+ __NFTA_SET_FIELD_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_set_attributes - nf_tables set netlink attributes
|
|
||||||
*
|
|
||||||
@@ -320,6 +367,8 @@ enum nft_set_desc_attributes {
|
|
||||||
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
|
|
||||||
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
|
|
||||||
* @NFTA_SET_HANDLE: set handle (NLA_U64)
|
|
||||||
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
|
|
||||||
+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
||||||
*/
|
|
||||||
enum nft_set_attributes {
|
|
||||||
NFTA_SET_UNSPEC,
|
|
||||||
@@ -339,6 +388,8 @@ enum nft_set_attributes {
|
|
||||||
NFTA_SET_PAD,
|
|
||||||
NFTA_SET_OBJ_TYPE,
|
|
||||||
NFTA_SET_HANDLE,
|
|
||||||
+ NFTA_SET_EXPR,
|
|
||||||
+ NFTA_SET_EXPRESSIONS,
|
|
||||||
__NFTA_SET_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
|
|
||||||
@@ -347,9 +398,11 @@ enum nft_set_attributes {
|
|
||||||
* enum nft_set_elem_flags - nf_tables set element flags
|
|
||||||
*
|
|
||||||
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
|
|
||||||
+ * @NFT_SET_ELEM_CATCHALL: special catch-all element
|
|
||||||
*/
|
|
||||||
enum nft_set_elem_flags {
|
|
||||||
NFT_SET_ELEM_INTERVAL_END = 0x1,
|
|
||||||
+ NFT_SET_ELEM_CATCHALL = 0x2,
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -363,6 +416,8 @@ enum nft_set_elem_flags {
|
|
||||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
|
||||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
|
||||||
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
|
|
||||||
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
|
|
||||||
+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
||||||
*/
|
|
||||||
enum nft_set_elem_attributes {
|
|
||||||
NFTA_SET_ELEM_UNSPEC,
|
|
||||||
@@ -375,6 +430,8 @@ enum nft_set_elem_attributes {
|
|
||||||
NFTA_SET_ELEM_EXPR,
|
|
||||||
NFTA_SET_ELEM_PAD,
|
|
||||||
NFTA_SET_ELEM_OBJREF,
|
|
||||||
+ NFTA_SET_ELEM_KEY_END,
|
|
||||||
+ NFTA_SET_ELEM_EXPRESSIONS,
|
|
||||||
__NFTA_SET_ELEM_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
|
|
||||||
@@ -440,11 +497,13 @@ enum nft_data_attributes {
|
|
||||||
*
|
|
||||||
* @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
|
|
||||||
* @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
|
|
||||||
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_verdict_attributes {
|
|
||||||
NFTA_VERDICT_UNSPEC,
|
|
||||||
NFTA_VERDICT_CODE,
|
|
||||||
NFTA_VERDICT_CHAIN,
|
|
||||||
+ NFTA_VERDICT_CHAIN_ID,
|
|
||||||
__NFTA_VERDICT_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1)
|
|
||||||
@@ -477,6 +536,20 @@ enum nft_immediate_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_bitwise_ops - nf_tables bitwise operations
|
|
||||||
+ *
|
|
||||||
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
|
|
||||||
+ * XOR boolean operations
|
|
||||||
+ * @NFT_BITWISE_LSHIFT: left-shift operation
|
|
||||||
+ * @NFT_BITWISE_RSHIFT: right-shift operation
|
|
||||||
+ */
|
|
||||||
+enum nft_bitwise_ops {
|
|
||||||
+ NFT_BITWISE_BOOL,
|
|
||||||
+ NFT_BITWISE_LSHIFT,
|
|
||||||
+ NFT_BITWISE_RSHIFT,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
|
|
||||||
*
|
|
||||||
@@ -485,16 +558,20 @@ enum nft_immediate_attributes {
|
|
||||||
* @NFTA_BITWISE_LEN: length of operands (NLA_U32)
|
|
||||||
* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
|
|
||||||
* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
|
|
||||||
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
|
|
||||||
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations
|
|
||||||
+ * (NLA_NESTED: nft_data_attributes)
|
|
||||||
*
|
|
||||||
- * The bitwise expression performs the following operation:
|
|
||||||
+ * The bitwise expression supports boolean and shift operations. It implements
|
|
||||||
+ * the boolean operations by performing the following operation:
|
|
||||||
*
|
|
||||||
* dreg = (sreg & mask) ^ xor
|
|
||||||
*
|
|
||||||
- * which allow to express all bitwise operations:
|
|
||||||
+ * with these mask and xor values:
|
|
||||||
*
|
|
||||||
* mask xor
|
|
||||||
* NOT: 1 1
|
|
||||||
- * OR: 0 x
|
|
||||||
+ * OR: ~x x
|
|
||||||
* XOR: 1 x
|
|
||||||
* AND: x 0
|
|
||||||
*/
|
|
||||||
@@ -505,6 +582,8 @@ enum nft_bitwise_attributes {
|
|
||||||
NFTA_BITWISE_LEN,
|
|
||||||
NFTA_BITWISE_MASK,
|
|
||||||
NFTA_BITWISE_XOR,
|
|
||||||
+ NFTA_BITWISE_OP,
|
|
||||||
+ NFTA_BITWISE_DATA,
|
|
||||||
__NFTA_BITWISE_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
|
|
||||||
@@ -631,10 +710,12 @@ enum nft_lookup_attributes {
|
|
||||||
enum nft_dynset_ops {
|
|
||||||
NFT_DYNSET_OP_ADD,
|
|
||||||
NFT_DYNSET_OP_UPDATE,
|
|
||||||
+ NFT_DYNSET_OP_DELETE,
|
|
||||||
};
|
|
||||||
|
|
||||||
enum nft_dynset_flags {
|
|
||||||
NFT_DYNSET_F_INV = (1 << 0),
|
|
||||||
+ NFT_DYNSET_F_EXPR = (1 << 1),
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -648,6 +729,7 @@ enum nft_dynset_flags {
|
|
||||||
* @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
|
|
||||||
* @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
|
||||||
* @NFTA_DYNSET_FLAGS: flags (NLA_U32)
|
|
||||||
+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
|
||||||
*/
|
|
||||||
enum nft_dynset_attributes {
|
|
||||||
NFTA_DYNSET_UNSPEC,
|
|
||||||
@@ -660,6 +742,7 @@ enum nft_dynset_attributes {
|
|
||||||
NFTA_DYNSET_EXPR,
|
|
||||||
NFTA_DYNSET_PAD,
|
|
||||||
NFTA_DYNSET_FLAGS,
|
|
||||||
+ NFTA_DYNSET_EXPRESSIONS,
|
|
||||||
__NFTA_DYNSET_MAX,
|
|
||||||
};
|
|
||||||
#define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1)
|
|
||||||
@@ -682,10 +765,12 @@ enum nft_payload_bases {
|
|
||||||
*
|
|
||||||
* @NFT_PAYLOAD_CSUM_NONE: no checksumming
|
|
||||||
* @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
|
|
||||||
+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
|
|
||||||
*/
|
|
||||||
enum nft_payload_csum_types {
|
|
||||||
NFT_PAYLOAD_CSUM_NONE,
|
|
||||||
NFT_PAYLOAD_CSUM_INET,
|
|
||||||
+ NFT_PAYLOAD_CSUM_SCTP,
|
|
||||||
};
|
|
||||||
|
|
||||||
enum nft_payload_csum_flags {
|
|
||||||
@@ -727,10 +812,14 @@ enum nft_exthdr_flags {
|
|
||||||
*
|
|
||||||
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
|
|
||||||
* @NFT_EXTHDR_OP_TCP: match against tcp options
|
|
||||||
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
|
|
||||||
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
|
|
||||||
*/
|
|
||||||
enum nft_exthdr_op {
|
|
||||||
NFT_EXTHDR_OP_IPV6,
|
|
||||||
NFT_EXTHDR_OP_TCPOPT,
|
|
||||||
+ NFT_EXTHDR_OP_IPV4,
|
|
||||||
+ NFT_EXTHDR_OP_SCTP,
|
|
||||||
__NFT_EXTHDR_OP_MAX
|
|
||||||
};
|
|
||||||
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
|
|
||||||
@@ -788,6 +877,15 @@ enum nft_exthdr_attributes {
|
|
||||||
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
|
|
||||||
* @NFT_META_PRANDOM: a 32bit pseudo-random number
|
|
||||||
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
|
|
||||||
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
|
|
||||||
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
|
|
||||||
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
|
|
||||||
+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
|
|
||||||
+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
|
|
||||||
+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
|
|
||||||
+ * @NFT_META_TIME_HOUR: hour of day (in seconds)
|
|
||||||
+ * @NFT_META_SDIF: slave device interface index
|
|
||||||
+ * @NFT_META_SDIFNAME: slave device interface name
|
|
||||||
*/
|
|
||||||
enum nft_meta_keys {
|
|
||||||
NFT_META_LEN,
|
|
||||||
@@ -816,6 +914,15 @@ enum nft_meta_keys {
|
|
||||||
NFT_META_CGROUP,
|
|
||||||
NFT_META_PRANDOM,
|
|
||||||
NFT_META_SECPATH,
|
|
||||||
+ NFT_META_IIFKIND,
|
|
||||||
+ NFT_META_OIFKIND,
|
|
||||||
+ NFT_META_BRI_IIFPVID,
|
|
||||||
+ NFT_META_BRI_IIFVPROTO,
|
|
||||||
+ NFT_META_TIME_NS,
|
|
||||||
+ NFT_META_TIME_DAY,
|
|
||||||
+ NFT_META_TIME_HOUR,
|
|
||||||
+ NFT_META_SDIF,
|
|
||||||
+ NFT_META_SDIFNAME,
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -825,13 +932,17 @@ enum nft_meta_keys {
|
|
||||||
* @NFT_RT_NEXTHOP4: routing nexthop for IPv4
|
|
||||||
* @NFT_RT_NEXTHOP6: routing nexthop for IPv6
|
|
||||||
* @NFT_RT_TCPMSS: fetch current path tcp mss
|
|
||||||
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
|
|
||||||
*/
|
|
||||||
enum nft_rt_keys {
|
|
||||||
NFT_RT_CLASSID,
|
|
||||||
NFT_RT_NEXTHOP4,
|
|
||||||
NFT_RT_NEXTHOP6,
|
|
||||||
NFT_RT_TCPMSS,
|
|
||||||
+ NFT_RT_XFRM,
|
|
||||||
+ __NFT_RT_MAX
|
|
||||||
};
|
|
||||||
+#define NFT_RT_MAX (__NFT_RT_MAX - 1)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_hash_types - nf_tables hash expression types
|
|
||||||
@@ -854,6 +965,8 @@ enum nft_hash_types {
|
|
||||||
* @NFTA_HASH_SEED: seed value (NLA_U32)
|
|
||||||
* @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
|
|
||||||
* @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
|
|
||||||
+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING)
|
|
||||||
+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_hash_attributes {
|
|
||||||
NFTA_HASH_UNSPEC,
|
|
||||||
@@ -864,6 +977,8 @@ enum nft_hash_attributes {
|
|
||||||
NFTA_HASH_SEED,
|
|
||||||
NFTA_HASH_OFFSET,
|
|
||||||
NFTA_HASH_TYPE,
|
|
||||||
+ NFTA_HASH_SET_NAME, /* deprecated */
|
|
||||||
+ NFTA_HASH_SET_ID, /* deprecated */
|
|
||||||
__NFTA_HASH_MAX,
|
|
||||||
};
|
|
||||||
#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1)
|
|
||||||
@@ -898,6 +1013,39 @@ enum nft_rt_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_SOCKET_KEY: socket key to match
|
|
||||||
+ * @NFTA_SOCKET_DREG: destination register
|
|
||||||
+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
|
|
||||||
+ */
|
|
||||||
+enum nft_socket_attributes {
|
|
||||||
+ NFTA_SOCKET_UNSPEC,
|
|
||||||
+ NFTA_SOCKET_KEY,
|
|
||||||
+ NFTA_SOCKET_DREG,
|
|
||||||
+ NFTA_SOCKET_LEVEL,
|
|
||||||
+ __NFTA_SOCKET_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * enum nft_socket_keys - nf_tables socket expression keys
|
|
||||||
+ *
|
|
||||||
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
|
|
||||||
+ * @NFT_SOCKET_MARK: Value of the socket mark
|
|
||||||
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
|
|
||||||
+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
|
|
||||||
+ */
|
|
||||||
+enum nft_socket_keys {
|
|
||||||
+ NFT_SOCKET_TRANSPARENT,
|
|
||||||
+ NFT_SOCKET_MARK,
|
|
||||||
+ NFT_SOCKET_WILDCARD,
|
|
||||||
+ NFT_SOCKET_CGROUPV2,
|
|
||||||
+ __NFT_SOCKET_MAX
|
|
||||||
+};
|
|
||||||
+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_ct_keys - nf_tables ct expression keys
|
|
||||||
*
|
|
||||||
@@ -909,8 +1057,8 @@ enum nft_rt_attributes {
|
|
||||||
* @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
|
|
||||||
* @NFT_CT_HELPER: connection tracking helper assigned to conntrack
|
|
||||||
* @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
|
|
||||||
- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
|
|
||||||
- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
|
|
||||||
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
|
|
||||||
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
|
|
||||||
* @NFT_CT_PROTOCOL: conntrack layer 4 protocol
|
|
||||||
* @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
|
|
||||||
* @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
|
|
||||||
@@ -920,6 +1068,11 @@ enum nft_rt_attributes {
|
|
||||||
* @NFT_CT_AVGPKT: conntrack average bytes per packet
|
|
||||||
* @NFT_CT_ZONE: conntrack zone
|
|
||||||
* @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
|
|
||||||
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
|
|
||||||
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
|
|
||||||
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
|
|
||||||
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
|
|
||||||
+ * @NFT_CT_ID: conntrack id
|
|
||||||
*/
|
|
||||||
enum nft_ct_keys {
|
|
||||||
NFT_CT_STATE,
|
|
||||||
@@ -941,7 +1094,14 @@ enum nft_ct_keys {
|
|
||||||
NFT_CT_AVGPKT,
|
|
||||||
NFT_CT_ZONE,
|
|
||||||
NFT_CT_EVENTMASK,
|
|
||||||
+ NFT_CT_SRC_IP,
|
|
||||||
+ NFT_CT_DST_IP,
|
|
||||||
+ NFT_CT_SRC_IP6,
|
|
||||||
+ NFT_CT_DST_IP6,
|
|
||||||
+ NFT_CT_ID,
|
|
||||||
+ __NFT_CT_MAX
|
|
||||||
};
|
|
||||||
+#define NFT_CT_MAX (__NFT_CT_MAX - 1)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_ct_attributes - nf_tables ct expression netlink attributes
|
|
||||||
@@ -1002,6 +1162,24 @@ enum nft_limit_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
|
|
||||||
|
|
||||||
+enum nft_connlimit_flags {
|
|
||||||
+ NFT_CONNLIMIT_F_INV = (1 << 0),
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
|
|
||||||
+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
|
|
||||||
+ */
|
|
||||||
+enum nft_connlimit_attributes {
|
|
||||||
+ NFTA_CONNLIMIT_UNSPEC,
|
|
||||||
+ NFTA_CONNLIMIT_COUNT,
|
|
||||||
+ NFTA_CONNLIMIT_FLAGS,
|
|
||||||
+ __NFTA_CONNLIMIT_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_counter_attributes - nf_tables counter expression netlink attributes
|
|
||||||
*
|
|
||||||
@@ -1017,6 +1195,21 @@ enum nft_counter_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_last_attributes - nf_tables last expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
|
|
||||||
+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
|
|
||||||
+ */
|
|
||||||
+enum nft_last_attributes {
|
|
||||||
+ NFTA_LAST_UNSPEC,
|
|
||||||
+ NFTA_LAST_SET,
|
|
||||||
+ NFTA_LAST_MSECS,
|
|
||||||
+ NFTA_LAST_PAD,
|
|
||||||
+ __NFTA_LAST_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_log_attributes - nf_tables log expression netlink attributes
|
|
||||||
*
|
|
||||||
@@ -1039,6 +1232,33 @@ enum nft_log_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_log_level - nf_tables log levels
|
|
||||||
+ *
|
|
||||||
+ * @NFT_LOGLEVEL_EMERG: system is unusable
|
|
||||||
+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately
|
|
||||||
+ * @NFT_LOGLEVEL_CRIT: critical conditions
|
|
||||||
+ * @NFT_LOGLEVEL_ERR: error conditions
|
|
||||||
+ * @NFT_LOGLEVEL_WARNING: warning conditions
|
|
||||||
+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition
|
|
||||||
+ * @NFT_LOGLEVEL_INFO: informational
|
|
||||||
+ * @NFT_LOGLEVEL_DEBUG: debug-level messages
|
|
||||||
+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging
|
|
||||||
+ */
|
|
||||||
+enum nft_log_level {
|
|
||||||
+ NFT_LOGLEVEL_EMERG,
|
|
||||||
+ NFT_LOGLEVEL_ALERT,
|
|
||||||
+ NFT_LOGLEVEL_CRIT,
|
|
||||||
+ NFT_LOGLEVEL_ERR,
|
|
||||||
+ NFT_LOGLEVEL_WARNING,
|
|
||||||
+ NFT_LOGLEVEL_NOTICE,
|
|
||||||
+ NFT_LOGLEVEL_INFO,
|
|
||||||
+ NFT_LOGLEVEL_DEBUG,
|
|
||||||
+ NFT_LOGLEVEL_AUDIT,
|
|
||||||
+ __NFT_LOGLEVEL_MAX
|
|
||||||
+};
|
|
||||||
+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
|
|
||||||
*
|
|
||||||
@@ -1083,6 +1303,21 @@ enum nft_quota_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
|
|
||||||
+ */
|
|
||||||
+enum nft_secmark_attributes {
|
|
||||||
+ NFTA_SECMARK_UNSPEC,
|
|
||||||
+ NFTA_SECMARK_CTX,
|
|
||||||
+ __NFTA_SECMARK_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
|
|
||||||
+
|
|
||||||
+/* Max security context length */
|
|
||||||
+#define NFT_SECMARK_CTX_MAXLEN 256
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_reject_types - nf_tables reject expression reject types
|
|
||||||
*
|
|
||||||
@@ -1164,6 +1399,22 @@ enum nft_nat_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
|
|
||||||
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
|
|
||||||
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
|
|
||||||
+ */
|
|
||||||
+enum nft_tproxy_attributes {
|
|
||||||
+ NFTA_TPROXY_UNSPEC,
|
|
||||||
+ NFTA_TPROXY_FAMILY,
|
|
||||||
+ NFTA_TPROXY_REG_ADDR,
|
|
||||||
+ NFTA_TPROXY_REG_PORT,
|
|
||||||
+ __NFTA_TPROXY_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_masq_attributes - nf_tables masquerade expression attributes
|
|
||||||
*
|
|
||||||
@@ -1214,10 +1465,14 @@ enum nft_dup_attributes {
|
|
||||||
* enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
|
|
||||||
*
|
|
||||||
* @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register)
|
|
||||||
+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register)
|
|
||||||
+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto)
|
|
||||||
*/
|
|
||||||
enum nft_fwd_attributes {
|
|
||||||
NFTA_FWD_UNSPEC,
|
|
||||||
NFTA_FWD_SREG_DEV,
|
|
||||||
+ NFTA_FWD_SREG_ADDR,
|
|
||||||
+ NFTA_FWD_NFPROTO,
|
|
||||||
__NFTA_FWD_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1)
|
|
||||||
@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
|
|
||||||
|
|
||||||
+enum nft_ct_timeout_timeout_attributes {
|
|
||||||
+ NFTA_CT_TIMEOUT_UNSPEC,
|
|
||||||
+ NFTA_CT_TIMEOUT_L3PROTO,
|
|
||||||
+ NFTA_CT_TIMEOUT_L4PROTO,
|
|
||||||
+ NFTA_CT_TIMEOUT_DATA,
|
|
||||||
+ __NFTA_CT_TIMEOUT_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_ct_expectation_attributes {
|
|
||||||
+ NFTA_CT_EXPECT_UNSPEC,
|
|
||||||
+ NFTA_CT_EXPECT_L3PROTO,
|
|
||||||
+ NFTA_CT_EXPECT_L4PROTO,
|
|
||||||
+ NFTA_CT_EXPECT_DPORT,
|
|
||||||
+ NFTA_CT_EXPECT_TIMEOUT,
|
|
||||||
+ NFTA_CT_EXPECT_SIZE,
|
|
||||||
+ __NFTA_CT_EXPECT_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1)
|
|
||||||
+
|
|
||||||
#define NFT_OBJECT_UNSPEC 0
|
|
||||||
#define NFT_OBJECT_COUNTER 1
|
|
||||||
#define NFT_OBJECT_QUOTA 2
|
|
||||||
#define NFT_OBJECT_CT_HELPER 3
|
|
||||||
#define NFT_OBJECT_LIMIT 4
|
|
||||||
-#define __NFT_OBJECT_MAX 5
|
|
||||||
+#define NFT_OBJECT_CONNLIMIT 5
|
|
||||||
+#define NFT_OBJECT_TUNNEL 6
|
|
||||||
+#define NFT_OBJECT_CT_TIMEOUT 7
|
|
||||||
+#define NFT_OBJECT_SECMARK 8
|
|
||||||
+#define NFT_OBJECT_CT_EXPECT 9
|
|
||||||
+#define NFT_OBJECT_SYNPROXY 10
|
|
||||||
+#define __NFT_OBJECT_MAX 11
|
|
||||||
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes {
|
|
||||||
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
|
|
||||||
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
|
|
||||||
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
|
|
||||||
+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY)
|
|
||||||
*/
|
|
||||||
enum nft_object_attributes {
|
|
||||||
NFTA_OBJ_UNSPEC,
|
|
||||||
@@ -1329,10 +1611,24 @@ enum nft_object_attributes {
|
|
||||||
NFTA_OBJ_USE,
|
|
||||||
NFTA_OBJ_HANDLE,
|
|
||||||
NFTA_OBJ_PAD,
|
|
||||||
+ NFTA_OBJ_USERDATA,
|
|
||||||
__NFTA_OBJ_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_flowtable_flags - nf_tables flowtable flags
|
|
||||||
+ *
|
|
||||||
+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
|
|
||||||
+ * @NFT_FLOWTABLE_COUNTER: enable flow counters
|
|
||||||
+ */
|
|
||||||
+enum nft_flowtable_flags {
|
|
||||||
+ NFT_FLOWTABLE_HW_OFFLOAD = 0x1,
|
|
||||||
+ NFT_FLOWTABLE_COUNTER = 0x2,
|
|
||||||
+ NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD |
|
|
||||||
+ NFT_FLOWTABLE_COUNTER)
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_flowtable_attributes - nf_tables flow table netlink attributes
|
|
||||||
*
|
|
||||||
@@ -1341,6 +1637,7 @@ enum nft_object_attributes {
|
|
||||||
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
|
|
||||||
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
|
||||||
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
|
||||||
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_flowtable_attributes {
|
|
||||||
NFTA_FLOWTABLE_UNSPEC,
|
|
||||||
@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes {
|
|
||||||
NFTA_FLOWTABLE_USE,
|
|
||||||
NFTA_FLOWTABLE_HANDLE,
|
|
||||||
NFTA_FLOWTABLE_PAD,
|
|
||||||
+ NFTA_FLOWTABLE_FLAGS,
|
|
||||||
__NFTA_FLOWTABLE_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
|
|
||||||
@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * enum nft_osf_attributes - nftables osf expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
|
|
||||||
+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
|
|
||||||
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
|
|
||||||
+ */
|
|
||||||
+enum nft_osf_attributes {
|
|
||||||
+ NFTA_OSF_UNSPEC,
|
|
||||||
+ NFTA_OSF_DREG,
|
|
||||||
+ NFTA_OSF_TTL,
|
|
||||||
+ NFTA_OSF_FLAGS,
|
|
||||||
+ __NFTA_OSF_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_osf_flags {
|
|
||||||
+ NFT_OSF_F_VERSION = (1 << 0),
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
|
|
||||||
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
|
|
||||||
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
|
|
||||||
+ */
|
|
||||||
+enum nft_synproxy_attributes {
|
|
||||||
+ NFTA_SYNPROXY_UNSPEC,
|
|
||||||
+ NFTA_SYNPROXY_MSS,
|
|
||||||
+ NFTA_SYNPROXY_WSCALE,
|
|
||||||
+ NFTA_SYNPROXY_FLAGS,
|
|
||||||
+ __NFTA_SYNPROXY_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* enum nft_device_attributes - nf_tables device netlink attributes
|
|
||||||
*
|
|
||||||
@@ -1382,6 +1716,35 @@ enum nft_devices_attributes {
|
|
||||||
};
|
|
||||||
#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
|
|
||||||
+ *
|
|
||||||
+ * @NFTA_XFRM_DREG: destination register (NLA_U32)
|
|
||||||
+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
|
|
||||||
+ * @NFTA_XFRM_DIR: direction (NLA_U8)
|
|
||||||
+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
|
|
||||||
+ */
|
|
||||||
+enum nft_xfrm_attributes {
|
|
||||||
+ NFTA_XFRM_UNSPEC,
|
|
||||||
+ NFTA_XFRM_DREG,
|
|
||||||
+ NFTA_XFRM_KEY,
|
|
||||||
+ NFTA_XFRM_DIR,
|
|
||||||
+ NFTA_XFRM_SPNUM,
|
|
||||||
+ __NFTA_XFRM_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_xfrm_keys {
|
|
||||||
+ NFT_XFRM_KEY_UNSPEC,
|
|
||||||
+ NFT_XFRM_KEY_DADDR_IP4,
|
|
||||||
+ NFT_XFRM_KEY_DADDR_IP6,
|
|
||||||
+ NFT_XFRM_KEY_SADDR_IP4,
|
|
||||||
+ NFT_XFRM_KEY_SADDR_IP6,
|
|
||||||
+ NFT_XFRM_KEY_REQID,
|
|
||||||
+ NFT_XFRM_KEY_SPI,
|
|
||||||
+ __NFT_XFRM_KEY_MAX,
|
|
||||||
+};
|
|
||||||
+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* enum nft_trace_attributes - nf_tables trace netlink attributes
|
|
||||||
@@ -1442,6 +1805,8 @@ enum nft_trace_types {
|
|
||||||
* @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
|
|
||||||
* @NFTA_NG_TYPE: operation type (NLA_U32)
|
|
||||||
* @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
|
|
||||||
+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING)
|
|
||||||
+ * @NFTA_NG_SET_ID: id of the map (NLA_U32)
|
|
||||||
*/
|
|
||||||
enum nft_ng_attributes {
|
|
||||||
NFTA_NG_UNSPEC,
|
|
||||||
@@ -1449,6 +1814,8 @@ enum nft_ng_attributes {
|
|
||||||
NFTA_NG_MODULUS,
|
|
||||||
NFTA_NG_TYPE,
|
|
||||||
NFTA_NG_OFFSET,
|
|
||||||
+ NFTA_NG_SET_NAME, /* deprecated */
|
|
||||||
+ NFTA_NG_SET_ID, /* deprecated */
|
|
||||||
__NFTA_NG_MAX
|
|
||||||
};
|
|
||||||
#define NFTA_NG_MAX (__NFTA_NG_MAX - 1)
|
|
||||||
@@ -1460,4 +1827,104 @@ enum nft_ng_types {
|
|
||||||
};
|
|
||||||
#define NFT_NG_MAX (__NFT_NG_MAX - 1)
|
|
||||||
|
|
||||||
+enum nft_tunnel_key_ip_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_IP_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP_SRC,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP_DST,
|
|
||||||
+ __NFTA_TUNNEL_KEY_IP_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_ip6_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_IP6_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP6_SRC,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP6_DST,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
|
|
||||||
+ __NFTA_TUNNEL_KEY_IP6_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_opts_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_OPTS_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_OPTS_VXLAN,
|
|
||||||
+ NFTA_TUNNEL_KEY_OPTS_ERSPAN,
|
|
||||||
+ NFTA_TUNNEL_KEY_OPTS_GENEVE,
|
|
||||||
+ __NFTA_TUNNEL_KEY_OPTS_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_opts_vxlan_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_VXLAN_GBP,
|
|
||||||
+ __NFTA_TUNNEL_KEY_VXLAN_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_opts_erspan_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_ERSPAN_VERSION,
|
|
||||||
+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
|
|
||||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
|
|
||||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
|
|
||||||
+ __NFTA_TUNNEL_KEY_ERSPAN_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_opts_geneve_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_GENEVE_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_GENEVE_CLASS,
|
|
||||||
+ NFTA_TUNNEL_KEY_GENEVE_TYPE,
|
|
||||||
+ NFTA_TUNNEL_KEY_GENEVE_DATA,
|
|
||||||
+ __NFTA_TUNNEL_KEY_GENEVE_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_flags {
|
|
||||||
+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0),
|
|
||||||
+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1),
|
|
||||||
+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2),
|
|
||||||
+};
|
|
||||||
+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \
|
|
||||||
+ NFT_TUNNEL_F_DONT_FRAGMENT | \
|
|
||||||
+ NFT_TUNNEL_F_SEQ_NUMBER)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_key_attributes {
|
|
||||||
+ NFTA_TUNNEL_KEY_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY_ID,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP,
|
|
||||||
+ NFTA_TUNNEL_KEY_IP6,
|
|
||||||
+ NFTA_TUNNEL_KEY_FLAGS,
|
|
||||||
+ NFTA_TUNNEL_KEY_TOS,
|
|
||||||
+ NFTA_TUNNEL_KEY_TTL,
|
|
||||||
+ NFTA_TUNNEL_KEY_SPORT,
|
|
||||||
+ NFTA_TUNNEL_KEY_DPORT,
|
|
||||||
+ NFTA_TUNNEL_KEY_OPTS,
|
|
||||||
+ __NFTA_TUNNEL_KEY_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_keys {
|
|
||||||
+ NFT_TUNNEL_PATH,
|
|
||||||
+ NFT_TUNNEL_ID,
|
|
||||||
+ __NFT_TUNNEL_MAX
|
|
||||||
+};
|
|
||||||
+#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_mode {
|
|
||||||
+ NFT_TUNNEL_MODE_NONE,
|
|
||||||
+ NFT_TUNNEL_MODE_RX,
|
|
||||||
+ NFT_TUNNEL_MODE_TX,
|
|
||||||
+ __NFT_TUNNEL_MODE_MAX
|
|
||||||
+};
|
|
||||||
+#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1)
|
|
||||||
+
|
|
||||||
+enum nft_tunnel_attributes {
|
|
||||||
+ NFTA_TUNNEL_UNSPEC,
|
|
||||||
+ NFTA_TUNNEL_KEY,
|
|
||||||
+ NFTA_TUNNEL_DREG,
|
|
||||||
+ NFTA_TUNNEL_MODE,
|
|
||||||
+ __NFTA_TUNNEL_MAX
|
|
||||||
+};
|
|
||||||
+#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1)
|
|
||||||
+
|
|
||||||
#endif /* _LINUX_NF_TABLES_H */
|
|
||||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
||||||
index ee003511ab7f3..4807090cc4306 100644
|
|
||||||
--- a/iptables/nft.c
|
|
||||||
+++ b/iptables/nft.c
|
|
||||||
@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
|
|
||||||
type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
|
|
||||||
len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
|
|
||||||
len &= ~(NETLINK_ALIGN - 1);
|
|
||||||
- flags = NFT_SET_INTERVAL;
|
|
||||||
+ flags = NFT_SET_INTERVAL | NFT_SET_CONCAT;
|
|
||||||
}
|
|
||||||
|
|
||||||
s = add_anon_set(h, table, flags, type, len, cnt);
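Review bot: The new `flags = NFT_SET_INTERVAL | NFT_SET_CONCAT;` line carries no comment saying why the extra flag is required, while the reason sits three lines above where `type` is built as a concatenation (`type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR`). A one-line comment such as `/* the key is a concatenation (see CONCAT_TYPE_BITS above), so the interval set must also carry NFT_SET_CONCAT */` would tie the two together for the next reader. A kernel that does not know NFT_SET_CONCAT will presumably refuse the anonymous set, so it is worth confirming that the failure path of `add_anon_set()` on the last hunk line is reported to the user; that check, and the rest of `__add_nft_among`, lie outside the hunk.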
|
|
||||||
--
|
|
||||||
2.38.0
|
|
||||||
|
|