import UBI iptables-1.8.10-2.el9
parent
0aecd7e13b
commit
3115a67489
2
.gitignore
2
.gitignore
@ -1 +1 @@
|
||||
SOURCES/iptables-1.8.8.tar.bz2
|
||||
SOURCES/iptables-1.8.10.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2
|
||||
ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz
|
||||
|
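Review bot: The new source pin on the added side of this hunk is a bare 40-hex digest (`ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz`), which looks like a SHA-1 lookaside-cache identifier rather than a verified link to the upstream release. Nothing on the page records that the tarball was checked against upstream's detached signature before the digest was pinned, so a reviewer cannot tell from this commit whether the pinned file is the genuine 1.8.10 release or merely whatever was uploaded under that name. I would add a sentence to the commit description naming the upstream artefact and how it was verified, e.g. `Tarball verified against the upstream iptables-1.8.10.tar.xz.sig before upload.` The path of this metadata file is not shown on the page, so the note applies wherever the lookaside pin lives.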
@ -1,9 +1,14 @@
|
||||
From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001
|
||||
From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 17 Jun 2021 18:44:28 +0200
|
||||
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151
|
||||
Upstream Status: RHEL-only
|
||||
|
||||
This is RHEL9 trying to friendly kick people towards nftables.
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
|
||||
iptables/arptables-nft-save.8 | 14 +++++++++++++-
|
||||
@ -18,7 +23,7 @@ This is RHEL9 trying to friendly kick people towards nftables.
|
||||
10 files changed, 142 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||
index 09d9082cf9fd3..b1bf02998f9cc 100644
|
||||
index 09d9082..b1bf029 100644
|
||||
--- a/iptables/arptables-nft-restore.8
|
||||
+++ b/iptables/arptables-nft-restore.8
|
||||
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
|
||||
@ -47,7 +52,7 @@ index 09d9082cf9fd3..b1bf02998f9cc 100644
|
||||
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||
index 905e59854cc28..49bb0f6260f2f 100644
|
||||
index 905e598..49bb0f6 100644
|
||||
--- a/iptables/arptables-nft-save.8
|
||||
+++ b/iptables/arptables-nft-save.8
|
||||
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
|
||||
@ -77,7 +82,7 @@ index 905e59854cc28..49bb0f6260f2f 100644
|
||||
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||
index ea31e0842acd4..ec5b993a41e8b 100644
|
||||
index ea31e08..ec5b993 100644
|
||||
--- a/iptables/arptables-nft.8
|
||||
+++ b/iptables/arptables-nft.8
|
||||
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
|
||||
@ -116,7 +121,7 @@ index ea31e0842acd4..ec5b993a41e8b 100644
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index d75aae240bc05..ed1bf8f2db55b 100644
|
||||
index 0304b50..cfd617a 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
@ -139,7 +144,7 @@ index d75aae240bc05..ed1bf8f2db55b 100644
|
||||
.B ebtables
|
||||
is an application program used to set up and maintain the
|
||||
tables of rules (inside the Linux kernel) that inspect
|
||||
@@ -1069,6 +1082,6 @@ has not been implemented, although
|
||||
@@ -1083,6 +1096,6 @@ has not been implemented, although
|
||||
might replace them entirely given the inherent atomicity of nftables.
|
||||
Finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
@ -148,7 +153,7 @@ index d75aae240bc05..ed1bf8f2db55b 100644
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
|
||||
index f0ed4e5f8d450..7f99a21ed2b61 100644
|
||||
index f0ed4e5..7f99a21 100644
|
||||
--- a/iptables/iptables-apply.8.in
|
||||
+++ b/iptables/iptables-apply.8.in
|
||||
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
|
||||
@ -180,7 +185,7 @@ index f0ed4e5f8d450..7f99a21ed2b61 100644
|
||||
.PP
|
||||
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
|
||||
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
|
||||
index 99d89a1fe44ad..73d40bbfe9c52 100644
|
||||
index 99d89a1..73d40bb 100644
|
||||
--- a/iptables/iptables-extensions.8.tmpl.in
|
||||
+++ b/iptables/iptables-extensions.8.tmpl.in
|
||||
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
|
||||
@ -205,12 +210,12 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644
|
||||
iptables can use extended packet matching modules
|
||||
with the \fB\-m\fP or \fB\-\-match\fP
|
||||
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
|
||||
index 20216842d8358..8f4811c72f2ec 100644
|
||||
index aa816f7..353d4dc 100644
|
||||
--- a/iptables/iptables-restore.8.in
|
||||
+++ b/iptables/iptables-restore.8.in
|
||||
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
|
||||
[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
|
||||
[\fBfile\fP]
|
||||
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
|
||||
[\fIfile\fP]
|
||||
.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
@ -228,11 +233,11 @@ index 20216842d8358..8f4811c72f2ec 100644
|
||||
.PP
|
||||
.B iptables-restore
|
||||
and
|
||||
@@ -81,7 +94,9 @@ from Rusty Russell.
|
||||
@@ -82,7 +95,9 @@ from Rusty Russell.
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
|
||||
-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
|
||||
+\fBip6tables\-restore\-translate\fP(8)
|
||||
@ -240,7 +245,7 @@ index 20216842d8358..8f4811c72f2ec 100644
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
|
||||
index 7683fd3780f72..6fe50b2d446e5 100644
|
||||
index 65c1f28..d47be27 100644
|
||||
--- a/iptables/iptables-save.8.in
|
||||
+++ b/iptables/iptables-save.8.in
|
||||
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
|
||||
@ -262,18 +267,18 @@ index 7683fd3780f72..6fe50b2d446e5 100644
|
||||
.B iptables-save
|
||||
and
|
||||
.B ip6tables-save
|
||||
@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
|
||||
@@ -66,7 +78,8 @@ Rusty Russell <rusty@rustcorp.com.au>
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
|
||||
-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8)
|
||||
.PP
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
|
||||
index 627ff0e4da7a4..a8b31206d45b2 100644
|
||||
index ecaa555..4c4a15a 100644
|
||||
--- a/iptables/iptables.8.in
|
||||
+++ b/iptables/iptables.8.in
|
||||
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
|
||||
@ -297,7 +302,7 @@ index 627ff0e4da7a4..a8b31206d45b2 100644
|
||||
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
|
||||
tables of IPv4 and IPv6 packet
|
||||
filter rules in the Linux kernel. Several different tables
|
||||
@@ -447,6 +461,9 @@ There are several other changes in iptables.
|
||||
@@ -455,6 +469,9 @@ There are several other changes in iptables.
|
||||
\fBiptables\-save\fP(8),
|
||||
\fBiptables\-restore\fP(8),
|
||||
\fBiptables\-extensions\fP(8),
|
||||
@ -308,7 +313,7 @@ index 627ff0e4da7a4..a8b31206d45b2 100644
|
||||
The packet-filtering-HOWTO details iptables usage for
|
||||
packet filtering, the NAT-HOWTO details NAT,
|
||||
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
|
||||
index a7f22c0d8c08e..e21d7ff23035f 100644
|
||||
index a7f22c0..e21d7ff 100644
|
||||
--- a/iptables/xtables-monitor.8.in
|
||||
+++ b/iptables/xtables-monitor.8.in
|
||||
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
|
||||
@ -329,6 +334,3 @@ index a7f22c0d8c08e..e21d7ff23035f 100644
|
||||
.PP
|
||||
.B xtables-monitor
|
||||
is used to monitor changes to the ruleset or to show rule evaluation events
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
@ -1,18 +1,23 @@
|
||||
From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001
|
||||
From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 21:51:49 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558
|
||||
Upstream Status: RHEL-only
|
||||
|
||||
RHEL SELinux policies don't allow setting
|
||||
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
|
||||
'packet_type' attribute (identified via
|
||||
'seinfo -xt | grep packet_type').
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
extensions/libxt_SECMARK.t | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||
index 39d4c09348bf4..295e7a7244902 100644
|
||||
index 39d4c09..295e7a7 100644
|
||||
--- a/extensions/libxt_SECMARK.t
|
||||
+++ b/extensions/libxt_SECMARK.t
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -21,6 +26,3 @@ index 39d4c09348bf4..295e7a7244902 100644
|
||||
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
|
||||
-j SECMARK;;FAIL
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
@ -0,0 +1,73 @@
|
||||
From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 7 Nov 2023 23:44:55 +0100
|
||||
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-14147
|
||||
Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||
|
||||
commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue Nov 7 19:12:14 2023 +0100
|
||||
|
||||
ebtables: Fix corner-case noflush restore bug
|
||||
|
||||
Report came from firwalld, but this is actually rather hard to trigger.
|
||||
Since a regular chain line prevents it, typical dump/restore use-cases
|
||||
are unaffected.
|
||||
|
||||
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
|
||||
Cc: Eric Garver <eric@garver.life>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
|
||||
iptables/xtables-eb.c | 2 ++
|
||||
2 files changed, 27 insertions(+)
|
||||
create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
|
||||
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
new file mode 100755
|
||||
index 0000000..0def0ac
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
@@ -0,0 +1,25 @@
|
||||
+#!/bin/sh
|
||||
+#
|
||||
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
|
||||
+# - with --noflush
|
||||
+# - a second table after the broute one
|
||||
+# - A policy command but no chain line for BROUTING chain
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+case "$XT_MULTI" in
|
||||
+*xtables-nft-multi)
|
||||
+ ;;
|
||||
+*)
|
||||
+ echo "skip $XT_MULTI"
|
||||
+ exit 0
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+$XT_MULTI ebtables-restore --noflush <<EOF
|
||||
+*broute
|
||||
+-P BROUTING ACCEPT
|
||||
+*nat
|
||||
+-P PREROUTING ACCEPT
|
||||
+COMMIT
|
||||
+EOF
|
||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||
index 08eec79..a8ad57c 100644
|
||||
--- a/iptables/xtables-eb.c
|
||||
+++ b/iptables/xtables-eb.c
|
||||
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
|
||||
return NF_BR_LOCAL_OUT;
|
||||
else if (strcmp(chain, "POSTROUTING") == 0)
|
||||
return NF_BR_POST_ROUTING;
|
||||
+ else if (strcmp(chain, "BROUTING") == 0)
|
||||
+ return NF_BR_BROUTING;
|
||||
|
||||
/* placeholder for user defined chain */
|
||||
return NF_BR_NUMHOOKS;
|
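Review bot: The new test script in this section only proves that `ebtables-restore --noflush` exits 0 under `set -e`; it never inspects the broute table afterwards, so a regression of the caching bug the script's header comment describes could still pass as long as restore does not fail outright. I would append a listing step after the heredoc, e.g. `$XT_MULTI ebtables -t broute -L BROUTING | grep -q 'policy: ACCEPT'`, adjusted to whatever the nft-based listing actually prints for that chain. The unquoted `$XT_MULTI` on the restore line follows the convention of the other test cases on this page, so that is a style note only. The `ebt_get_current_chain()` body in the C hunk continues outside the patch excerpt shown.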
@ -1,29 +0,0 @@
|
||||
From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 May 2022 16:51:58 +0200
|
||||
Subject: [PATCH] xshared: Fix build for -Werror=format-security
|
||||
|
||||
Gcc complains about the omitted format string.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
|
||||
---
|
||||
iptables/xshared.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index fae5ddd5df93e..a8512d3808154 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
|
||||
return;
|
||||
|
||||
if (args->family != NFPROTO_ARP)
|
||||
- xtables_error(PARAMETER_PROBLEM, msg);
|
||||
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
|
||||
|
||||
fprintf(stderr, "%s", msg);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,61 +0,0 @@
|
||||
From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 2 Jun 2022 13:44:45 +0200
|
||||
Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
|
||||
|
||||
Some repeated calls have been reduced recently, assert this in a test
|
||||
evaluating strace output.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
|
||||
---
|
||||
.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
|
||||
1 file changed, 37 insertions(+)
|
||||
create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
|
||||
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
new file mode 100755
|
||||
index 0000000000000..b86d71f209471
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
@@ -0,0 +1,37 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Test recent performance improvements in iptables-save due to reduced
|
||||
+# overhead.
|
||||
+
|
||||
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
|
||||
+
|
||||
+RULESET=$(
|
||||
+ echo "*filter"
|
||||
+ for ((i = 0; i < 100; i++)); do
|
||||
+ echo ":mychain$i -"
|
||||
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
|
||||
+ done
|
||||
+ echo "COMMIT"
|
||||
+)
|
||||
+
|
||||
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
|
||||
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
|
||||
+
|
||||
+do_grep() { # (name, threshold, pattern)
|
||||
+ local cnt=$(grep -c "$3")
|
||||
+ [[ $cnt -le $2 ]] && return 0
|
||||
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+# iptables prefers hard-coded protocol names instead of looking them up first
|
||||
+
|
||||
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
|
||||
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
|
||||
+
|
||||
+# iptables-nft-save pointlessly checked whether chain jumps are targets
|
||||
+
|
||||
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
|
||||
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
|
||||
+
|
||||
+exit 0
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 7 Jun 2022 18:07:00 +0200
|
||||
Subject: [PATCH] arptables: Support -x/--exact flag
|
||||
|
||||
Legacy arptables accepts but ignores the flag. Yet there are remains of
|
||||
the functionality in sources, like OPT_EXPANDED define and a print_num()
|
||||
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
|
||||
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
|
||||
arptables, just enable the feature for it.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
|
||||
---
|
||||
iptables/xshared.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 14568bb00fb65..a50c8b7298072 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -69,7 +69,7 @@ struct xtables_target;
|
||||
|
||||
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
|
||||
#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
|
||||
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
|
||||
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
|
||||
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
||||
|
||||
/* define invflags which won't collide with IPT ones */
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 30 Jun 2022 18:04:39 +0200
|
||||
Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
|
||||
|
||||
Some extensions are not supported in revision 0 by user space anymore,
|
||||
for those the warning in xtables_compatible_revision() does not print as
|
||||
no revision 0 is tried.
|
||||
|
||||
To fix this, one has to track if none of the user space supported
|
||||
revisions were accepted by the kernel. Therefore add respective logic to
|
||||
xtables_find_{target,match}().
|
||||
|
||||
Note that this does not lead to duplicated warnings for unsupported
|
||||
extensions that have a revision 0 because xtables_compatible_revision()
|
||||
returns true for them to allow for extension's help output.
|
||||
|
||||
For the record, these ip6tables extensions are affected: set/SET,
|
||||
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
|
||||
for both families.
|
||||
|
||||
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
|
||||
---
|
||||
libxtables/xtables.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index 96fd783a066cf..7abc63bcfd83e 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
struct xtables_match *ptr;
|
||||
const char *icmp6 = "icmp6";
|
||||
bool found = false;
|
||||
+ bool seen = false;
|
||||
|
||||
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
||||
ptr = *dptr;
|
||||
*dptr = (*dptr)->next;
|
||||
+ seen = true;
|
||||
if (!found &&
|
||||
xtables_fully_register_pending_match(ptr, prev)) {
|
||||
found = true;
|
||||
@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
dptr = &((*dptr)->next);
|
||||
}
|
||||
|
||||
+ if (seen && !found)
|
||||
+ fprintf(stderr,
|
||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
||||
+ name);
|
||||
+
|
||||
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
|
||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
||||
struct xtables_match *clone;
|
||||
@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
struct xtables_target **dptr;
|
||||
struct xtables_target *ptr;
|
||||
bool found = false;
|
||||
+ bool seen = false;
|
||||
|
||||
/* Standard target? */
|
||||
if (strcmp(name, "") == 0
|
||||
@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
||||
ptr = *dptr;
|
||||
*dptr = (*dptr)->next;
|
||||
+ seen = true;
|
||||
if (!found &&
|
||||
xtables_fully_register_pending_target(ptr, prev)) {
|
||||
found = true;
|
||||
@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
dptr = &((*dptr)->next);
|
||||
}
|
||||
|
||||
+ if (seen && !found)
|
||||
+ fprintf(stderr,
|
||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
||||
+ name);
|
||||
+
|
||||
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
|
||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
||||
struct xtables_target *clone;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,36 +0,0 @@
|
||||
From f24d2449693558d3fbf2a8313a7eb65ecf25f6af Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Tue, 2 Aug 2022 14:52:30 +0200
|
||||
Subject: [PATCH] nft: fix ebtables among match when mac+ip addresses are used
|
||||
|
||||
When matching mac and ip addresses, the ip address needs to be placed
|
||||
into then 2nd 32bit register, the switch to dynamic register allocation
|
||||
instead re-uses reg1, this partially clobbers the mac address, so
|
||||
set lookup comes up empty even though it should find a match.
|
||||
|
||||
Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
|
||||
Reported-by: Yi Chen <yiche@redhat.com>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 2ba74d421cd622757df7a93720afc3b5b4b3b4e0)
|
||||
---
|
||||
iptables/nft.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index ec79f2bc5e98b..ee003511ab7f3 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
|
||||
nftnl_rule_add_expr(r, e);
|
||||
|
||||
if (ip) {
|
||||
- e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
|
||||
- sizeof(struct in_addr), ®);
|
||||
+ e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
|
||||
+ sizeof(struct in_addr), NFT_REG32_02);
|
||||
if (!e)
|
||||
return -ENOMEM;
|
||||
nftnl_rule_add_expr(r, e);
|
||||
--
|
||||
2.38.0
|
||||
|
@ -1,958 +0,0 @@
|
||||
From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Thu, 22 Sep 2022 13:33:50 +0200
|
||||
Subject: [PATCH] nft: un-break among match with concatenation
|
||||
|
||||
The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
|
||||
breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but
|
||||
doesn't set the CONCAT flag.
|
||||
|
||||
Update uapi header and also set CONCAT.
|
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f)
|
||||
---
|
||||
include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++-
|
||||
iptables/nft.c | 2 +-
|
||||
2 files changed, 476 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
|
||||
index 66dceee0ae307..e94d1fa554cb2 100644
|
||||
--- a/include/linux/netfilter/nf_tables.h
|
||||
+++ b/include/linux/netfilter/nf_tables.h
|
||||
@@ -8,6 +8,7 @@
|
||||
#define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN
|
||||
#define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN
|
||||
#define NFT_USERDATA_MAXLEN 256
|
||||
+#define NFT_OSF_MAXGENRELEN 16
|
||||
|
||||
/**
|
||||
* enum nft_registers - nf_tables registers
|
||||
@@ -47,6 +48,7 @@ enum nft_registers {
|
||||
|
||||
#define NFT_REG_SIZE 16
|
||||
#define NFT_REG32_SIZE 4
|
||||
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
|
||||
|
||||
/**
|
||||
* enum nft_verdicts - nf_tables internal verdicts
|
||||
@@ -131,7 +133,7 @@ enum nf_tables_msg_types {
|
||||
* @NFTA_LIST_ELEM: list element (NLA_NESTED)
|
||||
*/
|
||||
enum nft_list_attributes {
|
||||
- NFTA_LIST_UNPEC,
|
||||
+ NFTA_LIST_UNSPEC,
|
||||
NFTA_LIST_ELEM,
|
||||
__NFTA_LIST_MAX
|
||||
};
|
||||
@@ -143,12 +145,14 @@ enum nft_list_attributes {
|
||||
* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
|
||||
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
|
||||
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
|
||||
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
|
||||
*/
|
||||
enum nft_hook_attributes {
|
||||
NFTA_HOOK_UNSPEC,
|
||||
NFTA_HOOK_HOOKNUM,
|
||||
NFTA_HOOK_PRIORITY,
|
||||
NFTA_HOOK_DEV,
|
||||
+ NFTA_HOOK_DEVS,
|
||||
__NFTA_HOOK_MAX
|
||||
};
|
||||
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
|
||||
@@ -160,7 +164,10 @@ enum nft_hook_attributes {
|
||||
*/
|
||||
enum nft_table_flags {
|
||||
NFT_TABLE_F_DORMANT = 0x1,
|
||||
+ NFT_TABLE_F_OWNER = 0x2,
|
||||
};
|
||||
+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
|
||||
+ NFT_TABLE_F_OWNER)
|
||||
|
||||
/**
|
||||
* enum nft_table_attributes - nf_tables table netlink attributes
|
||||
@@ -168,6 +175,8 @@ enum nft_table_flags {
|
||||
* @NFTA_TABLE_NAME: name of the table (NLA_STRING)
|
||||
* @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
|
||||
* @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
|
||||
+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
|
||||
+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
|
||||
*/
|
||||
enum nft_table_attributes {
|
||||
NFTA_TABLE_UNSPEC,
|
||||
@@ -176,10 +185,21 @@ enum nft_table_attributes {
|
||||
NFTA_TABLE_USE,
|
||||
NFTA_TABLE_HANDLE,
|
||||
NFTA_TABLE_PAD,
|
||||
+ NFTA_TABLE_USERDATA,
|
||||
+ NFTA_TABLE_OWNER,
|
||||
__NFTA_TABLE_MAX
|
||||
};
|
||||
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
|
||||
|
||||
+enum nft_chain_flags {
|
||||
+ NFT_CHAIN_BASE = (1 << 0),
|
||||
+ NFT_CHAIN_HW_OFFLOAD = (1 << 1),
|
||||
+ NFT_CHAIN_BINDING = (1 << 2),
|
||||
+};
|
||||
+#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \
|
||||
+ NFT_CHAIN_HW_OFFLOAD | \
|
||||
+ NFT_CHAIN_BINDING)
|
||||
+
|
||||
/**
|
||||
* enum nft_chain_attributes - nf_tables chain netlink attributes
|
||||
*
|
||||
@@ -191,6 +211,9 @@ enum nft_table_attributes {
|
||||
* @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
|
||||
* @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
|
||||
* @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
|
||||
+ * @NFTA_CHAIN_FLAGS: chain flags
|
||||
+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
|
||||
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
|
||||
*/
|
||||
enum nft_chain_attributes {
|
||||
NFTA_CHAIN_UNSPEC,
|
||||
@@ -203,6 +226,9 @@ enum nft_chain_attributes {
|
||||
NFTA_CHAIN_TYPE,
|
||||
NFTA_CHAIN_COUNTERS,
|
||||
NFTA_CHAIN_PAD,
|
||||
+ NFTA_CHAIN_FLAGS,
|
||||
+ NFTA_CHAIN_ID,
|
||||
+ NFTA_CHAIN_USERDATA,
|
||||
__NFTA_CHAIN_MAX
|
||||
};
|
||||
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
|
||||
@@ -218,6 +244,7 @@ enum nft_chain_attributes {
|
||||
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
|
||||
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
|
||||
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
|
||||
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
|
||||
*/
|
||||
enum nft_rule_attributes {
|
||||
NFTA_RULE_UNSPEC,
|
||||
@@ -230,6 +257,8 @@ enum nft_rule_attributes {
|
||||
NFTA_RULE_USERDATA,
|
||||
NFTA_RULE_PAD,
|
||||
NFTA_RULE_ID,
|
||||
+ NFTA_RULE_POSITION_ID,
|
||||
+ NFTA_RULE_CHAIN_ID,
|
||||
__NFTA_RULE_MAX
|
||||
};
|
||||
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
|
||||
@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes {
|
||||
* @NFT_SET_INTERVAL: set contains intervals
|
||||
* @NFT_SET_MAP: set is used as a dictionary
|
||||
* @NFT_SET_TIMEOUT: set uses timeouts
|
||||
- * @NFT_SET_EVAL: set contains expressions for evaluation
|
||||
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
|
||||
* @NFT_SET_OBJECT: set contains stateful objects
|
||||
+ * @NFT_SET_CONCAT: set contains a concatenation
|
||||
+ * @NFT_SET_EXPR: set contains expressions
|
||||
*/
|
||||
enum nft_set_flags {
|
||||
NFT_SET_ANONYMOUS = 0x1,
|
||||
@@ -277,6 +308,8 @@ enum nft_set_flags {
|
||||
NFT_SET_TIMEOUT = 0x10,
|
||||
NFT_SET_EVAL = 0x20,
|
||||
NFT_SET_OBJECT = 0x40,
|
||||
+ NFT_SET_CONCAT = 0x80,
|
||||
+ NFT_SET_EXPR = 0x100,
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -294,14 +327,28 @@ enum nft_set_policies {
|
||||
* enum nft_set_desc_attributes - set element description
|
||||
*
|
||||
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
|
||||
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
|
||||
*/
|
||||
enum nft_set_desc_attributes {
|
||||
NFTA_SET_DESC_UNSPEC,
|
||||
NFTA_SET_DESC_SIZE,
|
||||
+ NFTA_SET_DESC_CONCAT,
|
||||
__NFTA_SET_DESC_MAX
|
||||
};
|
||||
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_set_field_attributes - attributes of concatenated fields
|
||||
+ *
|
||||
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
|
||||
+ */
|
||||
+enum nft_set_field_attributes {
|
||||
+ NFTA_SET_FIELD_UNSPEC,
|
||||
+ NFTA_SET_FIELD_LEN,
|
||||
+ __NFTA_SET_FIELD_MAX
|
||||
+};
|
||||
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_set_attributes - nf_tables set netlink attributes
|
||||
*
|
||||
@@ -320,6 +367,8 @@ enum nft_set_desc_attributes {
|
||||
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
|
||||
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
|
||||
* @NFTA_SET_HANDLE: set handle (NLA_U64)
|
||||
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
|
||||
+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
||||
*/
|
||||
enum nft_set_attributes {
|
||||
NFTA_SET_UNSPEC,
|
||||
@@ -339,6 +388,8 @@ enum nft_set_attributes {
|
||||
NFTA_SET_PAD,
|
||||
NFTA_SET_OBJ_TYPE,
|
||||
NFTA_SET_HANDLE,
|
||||
+ NFTA_SET_EXPR,
|
||||
+ NFTA_SET_EXPRESSIONS,
|
||||
__NFTA_SET_MAX
|
||||
};
|
||||
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
|
||||
@@ -347,9 +398,11 @@ enum nft_set_attributes {
|
||||
* enum nft_set_elem_flags - nf_tables set element flags
|
||||
*
|
||||
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
|
||||
+ * @NFT_SET_ELEM_CATCHALL: special catch-all element
|
||||
*/
|
||||
enum nft_set_elem_flags {
|
||||
NFT_SET_ELEM_INTERVAL_END = 0x1,
|
||||
+ NFT_SET_ELEM_CATCHALL = 0x2,
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -363,6 +416,8 @@ enum nft_set_elem_flags {
|
||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
||||
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
|
||||
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
|
||||
+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
||||
*/
|
||||
enum nft_set_elem_attributes {
|
||||
NFTA_SET_ELEM_UNSPEC,
|
||||
@@ -375,6 +430,8 @@ enum nft_set_elem_attributes {
|
||||
NFTA_SET_ELEM_EXPR,
|
||||
NFTA_SET_ELEM_PAD,
|
||||
NFTA_SET_ELEM_OBJREF,
|
||||
+ NFTA_SET_ELEM_KEY_END,
|
||||
+ NFTA_SET_ELEM_EXPRESSIONS,
|
||||
__NFTA_SET_ELEM_MAX
|
||||
};
|
||||
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
|
||||
@@ -440,11 +497,13 @@ enum nft_data_attributes {
|
||||
*
|
||||
* @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
|
||||
* @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
|
||||
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
|
||||
*/
|
||||
enum nft_verdict_attributes {
|
||||
NFTA_VERDICT_UNSPEC,
|
||||
NFTA_VERDICT_CODE,
|
||||
NFTA_VERDICT_CHAIN,
|
||||
+ NFTA_VERDICT_CHAIN_ID,
|
||||
__NFTA_VERDICT_MAX
|
||||
};
|
||||
#define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1)
|
||||
@@ -477,6 +536,20 @@ enum nft_immediate_attributes {
|
||||
};
|
||||
#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_bitwise_ops - nf_tables bitwise operations
|
||||
+ *
|
||||
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
|
||||
+ * XOR boolean operations
|
||||
+ * @NFT_BITWISE_LSHIFT: left-shift operation
|
||||
+ * @NFT_BITWISE_RSHIFT: right-shift operation
|
||||
+ */
|
||||
+enum nft_bitwise_ops {
|
||||
+ NFT_BITWISE_BOOL,
|
||||
+ NFT_BITWISE_LSHIFT,
|
||||
+ NFT_BITWISE_RSHIFT,
|
||||
+};
|
||||
+
|
||||
/**
|
||||
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
|
||||
*
|
||||
@@ -485,16 +558,20 @@ enum nft_immediate_attributes {
|
||||
* @NFTA_BITWISE_LEN: length of operands (NLA_U32)
|
||||
* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
|
||||
* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
|
||||
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
|
||||
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations
|
||||
+ * (NLA_NESTED: nft_data_attributes)
|
||||
*
|
||||
- * The bitwise expression performs the following operation:
|
||||
+ * The bitwise expression supports boolean and shift operations. It implements
|
||||
+ * the boolean operations by performing the following operation:
|
||||
*
|
||||
* dreg = (sreg & mask) ^ xor
|
||||
*
|
||||
- * which allow to express all bitwise operations:
|
||||
+ * with these mask and xor values:
|
||||
*
|
||||
* mask xor
|
||||
* NOT: 1 1
|
||||
- * OR: 0 x
|
||||
+ * OR: ~x x
|
||||
* XOR: 1 x
|
||||
* AND: x 0
|
||||
*/
|
||||
@@ -505,6 +582,8 @@ enum nft_bitwise_attributes {
|
||||
NFTA_BITWISE_LEN,
|
||||
NFTA_BITWISE_MASK,
|
||||
NFTA_BITWISE_XOR,
|
||||
+ NFTA_BITWISE_OP,
|
||||
+ NFTA_BITWISE_DATA,
|
||||
__NFTA_BITWISE_MAX
|
||||
};
|
||||
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
|
||||
@@ -631,10 +710,12 @@ enum nft_lookup_attributes {
|
||||
enum nft_dynset_ops {
|
||||
NFT_DYNSET_OP_ADD,
|
||||
NFT_DYNSET_OP_UPDATE,
|
||||
+ NFT_DYNSET_OP_DELETE,
|
||||
};
|
||||
|
||||
enum nft_dynset_flags {
|
||||
NFT_DYNSET_F_INV = (1 << 0),
|
||||
+ NFT_DYNSET_F_EXPR = (1 << 1),
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -648,6 +729,7 @@ enum nft_dynset_flags {
|
||||
* @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
|
||||
* @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
||||
* @NFTA_DYNSET_FLAGS: flags (NLA_U32)
|
||||
+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
|
||||
*/
|
||||
enum nft_dynset_attributes {
|
||||
NFTA_DYNSET_UNSPEC,
|
||||
@@ -660,6 +742,7 @@ enum nft_dynset_attributes {
|
||||
NFTA_DYNSET_EXPR,
|
||||
NFTA_DYNSET_PAD,
|
||||
NFTA_DYNSET_FLAGS,
|
||||
+ NFTA_DYNSET_EXPRESSIONS,
|
||||
__NFTA_DYNSET_MAX,
|
||||
};
|
||||
#define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1)
|
||||
@@ -682,10 +765,12 @@ enum nft_payload_bases {
|
||||
*
|
||||
* @NFT_PAYLOAD_CSUM_NONE: no checksumming
|
||||
* @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
|
||||
+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
|
||||
*/
|
||||
enum nft_payload_csum_types {
|
||||
NFT_PAYLOAD_CSUM_NONE,
|
||||
NFT_PAYLOAD_CSUM_INET,
|
||||
+ NFT_PAYLOAD_CSUM_SCTP,
|
||||
};
|
||||
|
||||
enum nft_payload_csum_flags {
|
||||
@@ -727,10 +812,14 @@ enum nft_exthdr_flags {
|
||||
*
|
||||
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
|
||||
* @NFT_EXTHDR_OP_TCP: match against tcp options
|
||||
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
|
||||
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
|
||||
*/
|
||||
enum nft_exthdr_op {
|
||||
NFT_EXTHDR_OP_IPV6,
|
||||
NFT_EXTHDR_OP_TCPOPT,
|
||||
+ NFT_EXTHDR_OP_IPV4,
|
||||
+ NFT_EXTHDR_OP_SCTP,
|
||||
__NFT_EXTHDR_OP_MAX
|
||||
};
|
||||
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
|
||||
@@ -788,6 +877,15 @@ enum nft_exthdr_attributes {
|
||||
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
|
||||
* @NFT_META_PRANDOM: a 32bit pseudo-random number
|
||||
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
|
||||
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
|
||||
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
|
||||
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
|
||||
+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
|
||||
+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
|
||||
+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
|
||||
+ * @NFT_META_TIME_HOUR: hour of day (in seconds)
|
||||
+ * @NFT_META_SDIF: slave device interface index
|
||||
+ * @NFT_META_SDIFNAME: slave device interface name
|
||||
*/
|
||||
enum nft_meta_keys {
|
||||
NFT_META_LEN,
|
||||
@@ -816,6 +914,15 @@ enum nft_meta_keys {
|
||||
NFT_META_CGROUP,
|
||||
NFT_META_PRANDOM,
|
||||
NFT_META_SECPATH,
|
||||
+ NFT_META_IIFKIND,
|
||||
+ NFT_META_OIFKIND,
|
||||
+ NFT_META_BRI_IIFPVID,
|
||||
+ NFT_META_BRI_IIFVPROTO,
|
||||
+ NFT_META_TIME_NS,
|
||||
+ NFT_META_TIME_DAY,
|
||||
+ NFT_META_TIME_HOUR,
|
||||
+ NFT_META_SDIF,
|
||||
+ NFT_META_SDIFNAME,
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -825,13 +932,17 @@ enum nft_meta_keys {
|
||||
* @NFT_RT_NEXTHOP4: routing nexthop for IPv4
|
||||
* @NFT_RT_NEXTHOP6: routing nexthop for IPv6
|
||||
* @NFT_RT_TCPMSS: fetch current path tcp mss
|
||||
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
|
||||
*/
|
||||
enum nft_rt_keys {
|
||||
NFT_RT_CLASSID,
|
||||
NFT_RT_NEXTHOP4,
|
||||
NFT_RT_NEXTHOP6,
|
||||
NFT_RT_TCPMSS,
|
||||
+ NFT_RT_XFRM,
|
||||
+ __NFT_RT_MAX
|
||||
};
|
||||
+#define NFT_RT_MAX (__NFT_RT_MAX - 1)
|
||||
|
||||
/**
|
||||
* enum nft_hash_types - nf_tables hash expression types
|
||||
@@ -854,6 +965,8 @@ enum nft_hash_types {
|
||||
* @NFTA_HASH_SEED: seed value (NLA_U32)
|
||||
* @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
|
||||
* @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
|
||||
+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING)
|
||||
+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32)
|
||||
*/
|
||||
enum nft_hash_attributes {
|
||||
NFTA_HASH_UNSPEC,
|
||||
@@ -864,6 +977,8 @@ enum nft_hash_attributes {
|
||||
NFTA_HASH_SEED,
|
||||
NFTA_HASH_OFFSET,
|
||||
NFTA_HASH_TYPE,
|
||||
+ NFTA_HASH_SET_NAME, /* deprecated */
|
||||
+ NFTA_HASH_SET_ID, /* deprecated */
|
||||
__NFTA_HASH_MAX,
|
||||
};
|
||||
#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1)
|
||||
@@ -898,6 +1013,39 @@ enum nft_rt_attributes {
|
||||
};
|
||||
#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_SOCKET_KEY: socket key to match
|
||||
+ * @NFTA_SOCKET_DREG: destination register
|
||||
+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
|
||||
+ */
|
||||
+enum nft_socket_attributes {
|
||||
+ NFTA_SOCKET_UNSPEC,
|
||||
+ NFTA_SOCKET_KEY,
|
||||
+ NFTA_SOCKET_DREG,
|
||||
+ NFTA_SOCKET_LEVEL,
|
||||
+ __NFTA_SOCKET_MAX
|
||||
+};
|
||||
+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
|
||||
+
|
||||
+/*
|
||||
+ * enum nft_socket_keys - nf_tables socket expression keys
|
||||
+ *
|
||||
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
|
||||
+ * @NFT_SOCKET_MARK: Value of the socket mark
|
||||
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
|
||||
+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
|
||||
+ */
|
||||
+enum nft_socket_keys {
|
||||
+ NFT_SOCKET_TRANSPARENT,
|
||||
+ NFT_SOCKET_MARK,
|
||||
+ NFT_SOCKET_WILDCARD,
|
||||
+ NFT_SOCKET_CGROUPV2,
|
||||
+ __NFT_SOCKET_MAX
|
||||
+};
|
||||
+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_ct_keys - nf_tables ct expression keys
|
||||
*
|
||||
@@ -909,8 +1057,8 @@ enum nft_rt_attributes {
|
||||
* @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
|
||||
* @NFT_CT_HELPER: connection tracking helper assigned to conntrack
|
||||
* @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
|
||||
- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
|
||||
- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
|
||||
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
|
||||
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
|
||||
* @NFT_CT_PROTOCOL: conntrack layer 4 protocol
|
||||
* @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
|
||||
* @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
|
||||
@@ -920,6 +1068,11 @@ enum nft_rt_attributes {
|
||||
* @NFT_CT_AVGPKT: conntrack average bytes per packet
|
||||
* @NFT_CT_ZONE: conntrack zone
|
||||
* @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
|
||||
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
|
||||
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
|
||||
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
|
||||
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
|
||||
+ * @NFT_CT_ID: conntrack id
|
||||
*/
|
||||
enum nft_ct_keys {
|
||||
NFT_CT_STATE,
|
||||
@@ -941,7 +1094,14 @@ enum nft_ct_keys {
|
||||
NFT_CT_AVGPKT,
|
||||
NFT_CT_ZONE,
|
||||
NFT_CT_EVENTMASK,
|
||||
+ NFT_CT_SRC_IP,
|
||||
+ NFT_CT_DST_IP,
|
||||
+ NFT_CT_SRC_IP6,
|
||||
+ NFT_CT_DST_IP6,
|
||||
+ NFT_CT_ID,
|
||||
+ __NFT_CT_MAX
|
||||
};
|
||||
+#define NFT_CT_MAX (__NFT_CT_MAX - 1)
|
||||
|
||||
/**
|
||||
* enum nft_ct_attributes - nf_tables ct expression netlink attributes
|
||||
@@ -1002,6 +1162,24 @@ enum nft_limit_attributes {
|
||||
};
|
||||
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
|
||||
|
||||
+enum nft_connlimit_flags {
|
||||
+ NFT_CONNLIMIT_F_INV = (1 << 0),
|
||||
+};
|
||||
+
|
||||
+/**
|
||||
+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
|
||||
+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
|
||||
+ */
|
||||
+enum nft_connlimit_attributes {
|
||||
+ NFTA_CONNLIMIT_UNSPEC,
|
||||
+ NFTA_CONNLIMIT_COUNT,
|
||||
+ NFTA_CONNLIMIT_FLAGS,
|
||||
+ __NFTA_CONNLIMIT_MAX
|
||||
+};
|
||||
+#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_counter_attributes - nf_tables counter expression netlink attributes
|
||||
*
|
||||
@@ -1017,6 +1195,21 @@ enum nft_counter_attributes {
|
||||
};
|
||||
#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_last_attributes - nf_tables last expression netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
|
||||
+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
|
||||
+ */
|
||||
+enum nft_last_attributes {
|
||||
+ NFTA_LAST_UNSPEC,
|
||||
+ NFTA_LAST_SET,
|
||||
+ NFTA_LAST_MSECS,
|
||||
+ NFTA_LAST_PAD,
|
||||
+ __NFTA_LAST_MAX
|
||||
+};
|
||||
+#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_log_attributes - nf_tables log expression netlink attributes
|
||||
*
|
||||
@@ -1039,6 +1232,33 @@ enum nft_log_attributes {
|
||||
};
|
||||
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_log_level - nf_tables log levels
|
||||
+ *
|
||||
+ * @NFT_LOGLEVEL_EMERG: system is unusable
|
||||
+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately
|
||||
+ * @NFT_LOGLEVEL_CRIT: critical conditions
|
||||
+ * @NFT_LOGLEVEL_ERR: error conditions
|
||||
+ * @NFT_LOGLEVEL_WARNING: warning conditions
|
||||
+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition
|
||||
+ * @NFT_LOGLEVEL_INFO: informational
|
||||
+ * @NFT_LOGLEVEL_DEBUG: debug-level messages
|
||||
+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging
|
||||
+ */
|
||||
+enum nft_log_level {
|
||||
+ NFT_LOGLEVEL_EMERG,
|
||||
+ NFT_LOGLEVEL_ALERT,
|
||||
+ NFT_LOGLEVEL_CRIT,
|
||||
+ NFT_LOGLEVEL_ERR,
|
||||
+ NFT_LOGLEVEL_WARNING,
|
||||
+ NFT_LOGLEVEL_NOTICE,
|
||||
+ NFT_LOGLEVEL_INFO,
|
||||
+ NFT_LOGLEVEL_DEBUG,
|
||||
+ NFT_LOGLEVEL_AUDIT,
|
||||
+ __NFT_LOGLEVEL_MAX
|
||||
+};
|
||||
+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
|
||||
*
|
||||
@@ -1083,6 +1303,21 @@ enum nft_quota_attributes {
|
||||
};
|
||||
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
|
||||
+ */
|
||||
+enum nft_secmark_attributes {
|
||||
+ NFTA_SECMARK_UNSPEC,
|
||||
+ NFTA_SECMARK_CTX,
|
||||
+ __NFTA_SECMARK_MAX,
|
||||
+};
|
||||
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
|
||||
+
|
||||
+/* Max security context length */
|
||||
+#define NFT_SECMARK_CTX_MAXLEN 256
|
||||
+
|
||||
/**
|
||||
* enum nft_reject_types - nf_tables reject expression reject types
|
||||
*
|
||||
@@ -1164,6 +1399,22 @@ enum nft_nat_attributes {
|
||||
};
|
||||
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
|
||||
+ *
|
||||
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
|
||||
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
|
||||
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
|
||||
+ */
|
||||
+enum nft_tproxy_attributes {
|
||||
+ NFTA_TPROXY_UNSPEC,
|
||||
+ NFTA_TPROXY_FAMILY,
|
||||
+ NFTA_TPROXY_REG_ADDR,
|
||||
+ NFTA_TPROXY_REG_PORT,
|
||||
+ __NFTA_TPROXY_MAX
|
||||
+};
|
||||
+#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_masq_attributes - nf_tables masquerade expression attributes
|
||||
*
|
||||
@@ -1214,10 +1465,14 @@ enum nft_dup_attributes {
|
||||
* enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
|
||||
*
|
||||
* @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register)
|
||||
+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register)
|
||||
+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto)
|
||||
*/
|
||||
enum nft_fwd_attributes {
|
||||
NFTA_FWD_UNSPEC,
|
||||
NFTA_FWD_SREG_DEV,
|
||||
+ NFTA_FWD_SREG_ADDR,
|
||||
+ NFTA_FWD_NFPROTO,
|
||||
__NFTA_FWD_MAX
|
||||
};
|
||||
#define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1)
|
||||
@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes {
|
||||
};
|
||||
#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
|
||||
|
||||
+enum nft_ct_timeout_timeout_attributes {
|
||||
+ NFTA_CT_TIMEOUT_UNSPEC,
|
||||
+ NFTA_CT_TIMEOUT_L3PROTO,
|
||||
+ NFTA_CT_TIMEOUT_L4PROTO,
|
||||
+ NFTA_CT_TIMEOUT_DATA,
|
||||
+ __NFTA_CT_TIMEOUT_MAX,
|
||||
+};
|
||||
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
|
||||
+
|
||||
+enum nft_ct_expectation_attributes {
|
||||
+ NFTA_CT_EXPECT_UNSPEC,
|
||||
+ NFTA_CT_EXPECT_L3PROTO,
|
||||
+ NFTA_CT_EXPECT_L4PROTO,
|
||||
+ NFTA_CT_EXPECT_DPORT,
|
||||
+ NFTA_CT_EXPECT_TIMEOUT,
|
||||
+ NFTA_CT_EXPECT_SIZE,
|
||||
+ __NFTA_CT_EXPECT_MAX,
|
||||
+};
|
||||
+#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1)
|
||||
+
|
||||
#define NFT_OBJECT_UNSPEC 0
|
||||
#define NFT_OBJECT_COUNTER 1
|
||||
#define NFT_OBJECT_QUOTA 2
|
||||
#define NFT_OBJECT_CT_HELPER 3
|
||||
#define NFT_OBJECT_LIMIT 4
|
||||
-#define __NFT_OBJECT_MAX 5
|
||||
+#define NFT_OBJECT_CONNLIMIT 5
|
||||
+#define NFT_OBJECT_TUNNEL 6
|
||||
+#define NFT_OBJECT_CT_TIMEOUT 7
|
||||
+#define NFT_OBJECT_SECMARK 8
|
||||
+#define NFT_OBJECT_CT_EXPECT 9
|
||||
+#define NFT_OBJECT_SYNPROXY 10
|
||||
+#define __NFT_OBJECT_MAX 11
|
||||
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
|
||||
|
||||
/**
|
||||
@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes {
|
||||
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
|
||||
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
|
||||
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
|
||||
+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY)
|
||||
*/
|
||||
enum nft_object_attributes {
|
||||
NFTA_OBJ_UNSPEC,
|
||||
@@ -1329,10 +1611,24 @@ enum nft_object_attributes {
|
||||
NFTA_OBJ_USE,
|
||||
NFTA_OBJ_HANDLE,
|
||||
NFTA_OBJ_PAD,
|
||||
+ NFTA_OBJ_USERDATA,
|
||||
__NFTA_OBJ_MAX
|
||||
};
|
||||
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_flowtable_flags - nf_tables flowtable flags
|
||||
+ *
|
||||
+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
|
||||
+ * @NFT_FLOWTABLE_COUNTER: enable flow counters
|
||||
+ */
|
||||
+enum nft_flowtable_flags {
|
||||
+ NFT_FLOWTABLE_HW_OFFLOAD = 0x1,
|
||||
+ NFT_FLOWTABLE_COUNTER = 0x2,
|
||||
+ NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD |
|
||||
+ NFT_FLOWTABLE_COUNTER)
|
||||
+};
|
||||
+
|
||||
/**
|
||||
* enum nft_flowtable_attributes - nf_tables flow table netlink attributes
|
||||
*
|
||||
@@ -1341,6 +1637,7 @@ enum nft_object_attributes {
|
||||
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
|
||||
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
||||
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
||||
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
|
||||
*/
|
||||
enum nft_flowtable_attributes {
|
||||
NFTA_FLOWTABLE_UNSPEC,
|
||||
@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes {
|
||||
NFTA_FLOWTABLE_USE,
|
||||
NFTA_FLOWTABLE_HANDLE,
|
||||
NFTA_FLOWTABLE_PAD,
|
||||
+ NFTA_FLOWTABLE_FLAGS,
|
||||
__NFTA_FLOWTABLE_MAX
|
||||
};
|
||||
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
|
||||
@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes {
|
||||
};
|
||||
#define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
|
||||
|
||||
+/**
|
||||
+ * enum nft_osf_attributes - nftables osf expression netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
|
||||
+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
|
||||
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
|
||||
+ */
|
||||
+enum nft_osf_attributes {
|
||||
+ NFTA_OSF_UNSPEC,
|
||||
+ NFTA_OSF_DREG,
|
||||
+ NFTA_OSF_TTL,
|
||||
+ NFTA_OSF_FLAGS,
|
||||
+ __NFTA_OSF_MAX,
|
||||
+};
|
||||
+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
|
||||
+
|
||||
+enum nft_osf_flags {
|
||||
+ NFT_OSF_F_VERSION = (1 << 0),
|
||||
+};
|
||||
+
|
||||
+/**
|
||||
+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
|
||||
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
|
||||
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
|
||||
+ */
|
||||
+enum nft_synproxy_attributes {
|
||||
+ NFTA_SYNPROXY_UNSPEC,
|
||||
+ NFTA_SYNPROXY_MSS,
|
||||
+ NFTA_SYNPROXY_WSCALE,
|
||||
+ NFTA_SYNPROXY_FLAGS,
|
||||
+ __NFTA_SYNPROXY_MAX,
|
||||
+};
|
||||
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
|
||||
+
|
||||
/**
|
||||
* enum nft_device_attributes - nf_tables device netlink attributes
|
||||
*
|
||||
@@ -1382,6 +1716,35 @@ enum nft_devices_attributes {
|
||||
};
|
||||
#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
|
||||
|
||||
+/*
|
||||
+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
|
||||
+ *
|
||||
+ * @NFTA_XFRM_DREG: destination register (NLA_U32)
|
||||
+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
|
||||
+ * @NFTA_XFRM_DIR: direction (NLA_U8)
|
||||
+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
|
||||
+ */
|
||||
+enum nft_xfrm_attributes {
|
||||
+ NFTA_XFRM_UNSPEC,
|
||||
+ NFTA_XFRM_DREG,
|
||||
+ NFTA_XFRM_KEY,
|
||||
+ NFTA_XFRM_DIR,
|
||||
+ NFTA_XFRM_SPNUM,
|
||||
+ __NFTA_XFRM_MAX
|
||||
+};
|
||||
+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
|
||||
+
|
||||
+enum nft_xfrm_keys {
|
||||
+ NFT_XFRM_KEY_UNSPEC,
|
||||
+ NFT_XFRM_KEY_DADDR_IP4,
|
||||
+ NFT_XFRM_KEY_DADDR_IP6,
|
||||
+ NFT_XFRM_KEY_SADDR_IP4,
|
||||
+ NFT_XFRM_KEY_SADDR_IP6,
|
||||
+ NFT_XFRM_KEY_REQID,
|
||||
+ NFT_XFRM_KEY_SPI,
|
||||
+ __NFT_XFRM_KEY_MAX,
|
||||
+};
|
||||
+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
|
||||
|
||||
/**
|
||||
* enum nft_trace_attributes - nf_tables trace netlink attributes
|
||||
@@ -1442,6 +1805,8 @@ enum nft_trace_types {
|
||||
* @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
|
||||
* @NFTA_NG_TYPE: operation type (NLA_U32)
|
||||
* @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
|
||||
+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING)
|
||||
+ * @NFTA_NG_SET_ID: id of the map (NLA_U32)
|
||||
*/
|
||||
enum nft_ng_attributes {
|
||||
NFTA_NG_UNSPEC,
|
||||
@@ -1449,6 +1814,8 @@ enum nft_ng_attributes {
|
||||
NFTA_NG_MODULUS,
|
||||
NFTA_NG_TYPE,
|
||||
NFTA_NG_OFFSET,
|
||||
+ NFTA_NG_SET_NAME, /* deprecated */
|
||||
+ NFTA_NG_SET_ID, /* deprecated */
|
||||
__NFTA_NG_MAX
|
||||
};
|
||||
#define NFTA_NG_MAX (__NFTA_NG_MAX - 1)
|
||||
@@ -1460,4 +1827,104 @@ enum nft_ng_types {
|
||||
};
|
||||
#define NFT_NG_MAX (__NFT_NG_MAX - 1)
|
||||
|
||||
+enum nft_tunnel_key_ip_attributes {
|
||||
+ NFTA_TUNNEL_KEY_IP_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_IP_SRC,
|
||||
+ NFTA_TUNNEL_KEY_IP_DST,
|
||||
+ __NFTA_TUNNEL_KEY_IP_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_ip6_attributes {
|
||||
+ NFTA_TUNNEL_KEY_IP6_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_IP6_SRC,
|
||||
+ NFTA_TUNNEL_KEY_IP6_DST,
|
||||
+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
|
||||
+ __NFTA_TUNNEL_KEY_IP6_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_opts_attributes {
|
||||
+ NFTA_TUNNEL_KEY_OPTS_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_OPTS_VXLAN,
|
||||
+ NFTA_TUNNEL_KEY_OPTS_ERSPAN,
|
||||
+ NFTA_TUNNEL_KEY_OPTS_GENEVE,
|
||||
+ __NFTA_TUNNEL_KEY_OPTS_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_opts_vxlan_attributes {
|
||||
+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_VXLAN_GBP,
|
||||
+ __NFTA_TUNNEL_KEY_VXLAN_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_opts_erspan_attributes {
|
||||
+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_ERSPAN_VERSION,
|
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
|
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
|
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
|
||||
+ __NFTA_TUNNEL_KEY_ERSPAN_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_opts_geneve_attributes {
|
||||
+ NFTA_TUNNEL_KEY_GENEVE_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_GENEVE_CLASS,
|
||||
+ NFTA_TUNNEL_KEY_GENEVE_TYPE,
|
||||
+ NFTA_TUNNEL_KEY_GENEVE_DATA,
|
||||
+ __NFTA_TUNNEL_KEY_GENEVE_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_flags {
|
||||
+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0),
|
||||
+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1),
|
||||
+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2),
|
||||
+};
|
||||
+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \
|
||||
+ NFT_TUNNEL_F_DONT_FRAGMENT | \
|
||||
+ NFT_TUNNEL_F_SEQ_NUMBER)
|
||||
+
|
||||
+enum nft_tunnel_key_attributes {
|
||||
+ NFTA_TUNNEL_KEY_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY_ID,
|
||||
+ NFTA_TUNNEL_KEY_IP,
|
||||
+ NFTA_TUNNEL_KEY_IP6,
|
||||
+ NFTA_TUNNEL_KEY_FLAGS,
|
||||
+ NFTA_TUNNEL_KEY_TOS,
|
||||
+ NFTA_TUNNEL_KEY_TTL,
|
||||
+ NFTA_TUNNEL_KEY_SPORT,
|
||||
+ NFTA_TUNNEL_KEY_DPORT,
|
||||
+ NFTA_TUNNEL_KEY_OPTS,
|
||||
+ __NFTA_TUNNEL_KEY_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_keys {
|
||||
+ NFT_TUNNEL_PATH,
|
||||
+ NFT_TUNNEL_ID,
|
||||
+ __NFT_TUNNEL_MAX
|
||||
+};
|
||||
+#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_mode {
|
||||
+ NFT_TUNNEL_MODE_NONE,
|
||||
+ NFT_TUNNEL_MODE_RX,
|
||||
+ NFT_TUNNEL_MODE_TX,
|
||||
+ __NFT_TUNNEL_MODE_MAX
|
||||
+};
|
||||
+#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1)
|
||||
+
|
||||
+enum nft_tunnel_attributes {
|
||||
+ NFTA_TUNNEL_UNSPEC,
|
||||
+ NFTA_TUNNEL_KEY,
|
||||
+ NFTA_TUNNEL_DREG,
|
||||
+ NFTA_TUNNEL_MODE,
|
||||
+ __NFTA_TUNNEL_MAX
|
||||
+};
|
||||
+#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1)
|
||||
+
|
||||
#endif /* _LINUX_NF_TABLES_H */
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index ee003511ab7f3..4807090cc4306 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
|
||||
type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
|
||||
len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
|
||||
len &= ~(NETLINK_ALIGN - 1);
|
||||
- flags = NFT_SET_INTERVAL;
|
||||
+ flags = NFT_SET_INTERVAL | NFT_SET_CONCAT;
|
||||
}
|
||||
|
||||
s = add_anon_set(h, table, flags, type, len, cnt);
|
||||
--
|
||||
2.38.0
|
||||
|
@ -1,3 +1,6 @@
|
||||
%define iptables_rpmversion 1.8.10
|
||||
%define iptables_specrelease 2
|
||||
|
||||
# install init scripts to /usr/libexec with systemd
|
||||
%global script_path %{_libexecdir}/iptables
|
||||
|
||||
@ -15,9 +18,9 @@
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.8
|
||||
Release: 6%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Version: %{iptables_rpmversion}
|
||||
Release: %{iptables_specrelease}%{?dist}%{?buildid}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.xz
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
Source3: iptables.service
|
||||
@ -30,14 +33,9 @@ Source9: ebtables.service
|
||||
Source10: ebtables-config
|
||||
Source11: iptables-test.stderr.expect
|
||||
|
||||
Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||
Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
|
||||
Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
|
||||
Patch05: 0005-arptables-Support-x-exact-flag.patch
|
||||
Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
|
||||
Patch07: 0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch
|
||||
Patch08: 0008-nft-un-break-among-match-with-concatenation.patch
|
||||
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic 2.0
|
||||
@ -45,7 +43,7 @@ License: GPLv2 and Artistic 2.0 and ISC
|
||||
|
||||
# libnetfilter_conntrack is needed for xt_connlabel
|
||||
BuildRequires: pkgconfig(libnetfilter_conntrack)
|
||||
# libnfnetlink-devel is requires for nfnl_osf
|
||||
# libnfnetlink-devel is required for nfnl_osf
|
||||
BuildRequires: pkgconfig(libnfnetlink)
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: kernel-headers
|
||||
@ -55,7 +53,7 @@ BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: pkgconfig(libmnl) >= 1.0
|
||||
BuildRequires: pkgconfig(libnftnl) >= 1.1.6
|
||||
BuildRequires: pkgconfig(libnftnl) >= 1.2.6
|
||||
# libpcap-devel for nfbpf_compile
|
||||
BuildRequires: libpcap-devel
|
||||
BuildRequires: autoconf
|
||||
@ -308,7 +306,9 @@ fi
|
||||
%systemd_postun iptables.service ip6tables.service
|
||||
%systemd_postun arptables.service ebtables.service
|
||||
|
||||
%post nft
|
||||
%post -e nft
|
||||
[[ %%{_excludedocs} == 1 ]] || do_man=true
|
||||
|
||||
pfx=%{_sbindir}/iptables
|
||||
pfx6=%{_sbindir}/ip6tables
|
||||
%{_sbindir}/update-alternatives --install \
|
||||
@ -333,7 +333,7 @@ fi
|
||||
$pfx ebtables $pfx-nft 10 \
|
||||
--slave $pfx-save ebtables-save $pfx-nft-save \
|
||||
--slave $pfx-restore ebtables-restore $pfx-nft-restore \
|
||||
--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz
|
||||
${do_man:+--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz}
|
||||
|
||||
pfx=%{_sbindir}/arptables
|
||||
manpfx=%{_mandir}/man8/arptables
|
||||
@ -353,9 +353,9 @@ fi
|
||||
$pfx arptables $pfx-nft 10 \
|
||||
--slave $pfx-save arptables-save $pfx-nft-save \
|
||||
--slave $pfx-restore arptables-restore $pfx-nft-restore \
|
||||
--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
|
||||
--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
|
||||
--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
|
||||
${do_man:+--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz} \
|
||||
${do_man:+--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz} \
|
||||
${do_man:+--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz} \
|
||||
--slave $lepfx-helper arptables-helper $lepfx-nft-helper
|
||||
|
||||
%postun nft
|
||||
@ -454,6 +454,13 @@ fi
|
||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
||||
|
||||
%changelog
|
||||
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
|
||||
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
|
||||
|
||||
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9]
|
||||
- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
|
||||
- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]
|
||||
|
||||
* Wed Dec 07 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-6
|
||||
- Add expected testsuite result
|
||||
|
||||
|
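Review bot: The `%post -e nft` hunk makes the man-page alternatives conditional on `_excludedocs` through a non-obvious two-step: the scriptlet is declared with `-e` so rpm expands macros when the package is installed, and `%%{_excludedocs}` survives spec-time expansion as `%{_excludedocs}` for that later pass, but nothing in the scriptlet says so. A maintainer who drops the `-e` or the doubled `%` would likely get `do_man=true` on every install, including `--excludedocs` ones where the man pages the `--slave` entries point at are absent. A one-line comment above the test, `# -e: macros expand at install time; %% keeps _excludedocs unexpanded until then`, would document the dependency. The `${do_man:+…}` guards in the ebtables and arptables hunks below rely on this single assignment, and the `%postun nft` body is outside the hunk, so whether the man-page alternatives are removed unconditionally there is not visible here.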