Toshaan Bharvani
9 months ago
commit
fc247bc667
21 changed files with 4123 additions and 0 deletions
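--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_01
@@ -0,0 +1,334 @@
+
+From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 17 Jun 2021 18:44:28 +0200
+Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
+
+This is RHEL9 trying to friendly kick people towards nftables.
+---
+iptables/arptables-nft-restore.8 | 13 ++++++++++++-
+iptables/arptables-nft-save.8 | 14 +++++++++++++-
+iptables/arptables-nft.8 | 19 ++++++++++++++++++-
+iptables/ebtables-nft.8 | 15 ++++++++++++++-
+iptables/iptables-apply.8.in | 14 +++++++++++++-
+iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
+iptables/iptables-restore.8.in | 17 ++++++++++++++++-
+iptables/iptables-save.8.in | 15 ++++++++++++++-
+iptables/iptables.8.in | 17 +++++++++++++++++
+iptables/xtables-monitor.8.in | 11 +++++++++++
+10 files changed, 142 insertions(+), 7 deletions(-)
+
+diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
+index 09d9082cf9fd3..b1bf02998f9cc 100644
+--- a/iptables/arptables-nft-restore.8
++++ b/iptables/arptables-nft-restore.8
+@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
+.SH SYNOPSIS
+\fBarptables\-restore
+.SH DESCRIPTION
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
+.PP
+.B arptables-restore
+is used to restore ARP Tables from data specified on STDIN or
+@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+-\fBarptables\-save\fP(8), \fBarptables\fP(8)
++\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+.PP
+diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
+index 905e59854cc28..49bb0f6260f2f 100644
+--- a/iptables/arptables-nft-save.8
++++ b/iptables/arptables-nft-save.8
+@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
+\fBarptables\-save\fP [\fB\-V\fP]
+.SH DESCRIPTION
+.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+.B arptables-save
+is used to dump the contents of an ARP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+@@ -43,5 +55,5 @@ Print version information and exit.
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
++\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+.PP
+diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
+index ea31e0842acd4..ec5b993a41e8b 100644
+--- a/iptables/arptables-nft.8
++++ b/iptables/arptables-nft.8
+@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
+.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+
+.SH DESCRIPTION
++.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+.B arptables
+is a user space tool, it is used to set up and maintain the
+tables of ARP rules in the Linux kernel. These rules inspect
+@@ -340,9 +353,13 @@ bridges, the same may be achieved using
+chain in
+.BR ebtables .
+
++This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
++will not receive new features. New setups should use \fBnft\fP(8). Existing
++setups should migrate to \fBnft\fP(8) when possible.
++
+.SH MAILINGLISTS
+.BR "" "See " http://netfilter.org/mailinglists.html
+.SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
+.PP
+.BR "" "See " https://wiki.nftables.org
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index d75aae240bc05..ed1bf8f2db55b 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+.br
+
+.SH DESCRIPTION
++.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+.B ebtables
+is an application program used to set up and maintain the
+tables of rules (inside the Linux kernel) that inspect
+@@ -1069,6 +1082,6 @@ has not been implemented, although
+might replace them entirely given the inherent atomicity of nftables.
+Finally, this list is probably not complete.
+.SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ip (8)
++.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
+.PP
+.BR "" "See " https://wiki.nftables.org
+diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
+index f0ed4e5f8d450..7f99a21ed2b61 100644
+--- a/iptables/iptables-apply.8.in
++++ b/iptables/iptables-apply.8.in
+@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
+.SH "DESCRIPTION"
+.PP
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+iptables\-apply will try to apply a new rulesfile (as output by
+iptables-save, read by iptables-restore) or run a command to configure
+iptables and then prompt the user whether the changes are okay. If the
+@@ -47,7 +59,7 @@ Display usage information.
+Display version information.
+.SH "SEE ALSO"
+.PP
+-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
++\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
+.SH LEGALESE
+.PP
+Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
+diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
+index 99d89a1fe44ad..73d40bbfe9c52 100644
+--- a/iptables/iptables-extensions.8.tmpl.in
++++ b/iptables/iptables-extensions.8.tmpl.in
+@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
+.PP
+\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
++.SH DESCRIPTION
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details. There is also
++.BR iptables\-translate (8)/ ip6tables\-translate (8)
++to help with the migration.
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules
+with the \fB\-m\fP or \fB\-\-match\fP
+diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
+index 20216842d8358..8f4811c72f2ec 100644
+--- a/iptables/iptables-restore.8.in
++++ b/iptables/iptables-restore.8.in
+@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
+[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+[\fBfile\fP]
+.SH DESCRIPTION
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details. There is also
++.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
++to help with the migration.
+.PP
+.B iptables-restore
+and
+@@ -81,7 +94,9 @@ from Rusty Russell.
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
+.SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
++\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
++\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
++\fBip6tables\-restore\-translate\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
+index 7683fd3780f72..6fe50b2d446e5 100644
+--- a/iptables/iptables-save.8.in
++++ b/iptables/iptables-save.8.in
+@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
+[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+.SH DESCRIPTION
+.PP
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
++.PP
+.B iptables-save
+and
+.B ip6tables-save
+@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
+.SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
++\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
++\fBnft\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
+index 627ff0e4da7a4..a8b31206d45b2 100644
+--- a/iptables/iptables.8.in
++++ b/iptables/iptables.8.in
+@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+.PP
+target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+.SH DESCRIPTION
++These tools are
++.B deprecated
++in Red Hat Enterprise Linux. They are maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details. There is also
++.BR iptables\-translate (8)/ ip6tables\-translate (8)
++to help with the migration.
++.PP
+\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
+tables of IPv4 and IPv6 packet
+filter rules in the Linux kernel. Several different tables
+@@ -447,6 +461,9 @@ There are several other changes in iptables.
+\fBiptables\-save\fP(8),
+\fBiptables\-restore\fP(8),
+\fBiptables\-extensions\fP(8),
++\fBnft\fP(8),
++\fBiptables\-translate\fP(8),
++\fBip6tables\-translate\fP(8)
+.PP
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
+index a7f22c0d8c08e..e21d7ff23035f 100644
+--- a/iptables/xtables-monitor.8.in
++++ b/iptables/xtables-monitor.8.in
+@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
+.PP
+\
+.SH DESCRIPTION
++This tool is
++.B deprecated
++in Red Hat Enterprise Linux. It is maintenance only and will not receive new
++features. New setups should use
++.BR nft (8).
++Existing setups should migrate to
++.BR nft (8)
++when possible. See
++.UR https://red.ht/nft_your_tables
++.UE
++for details.
+.PP
+.B xtables-monitor
+is used to monitor changes to the ruleset or to show rule evaluation events
+--
+2.34.1
+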
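--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_02
@@ -0,0 +1,26 @@
+
+From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 16 Jul 2021 21:51:49 +0200
+Subject: [PATCH] extensions: SECMARK: Use a better context in test case
+
+RHEL SELinux policies don't allow setting
+system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
+'packet_type' attribute (identified via
+'seinfo -xt | grep packet_type').
+---
+extensions/libxt_SECMARK.t | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+index 39d4c09348bf4..295e7a7244902 100644
+--- a/extensions/libxt_SECMARK.t
++++ b/extensions/libxt_SECMARK.t
+@@ -1,4 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
+-j SECMARK;;FAIL
+--
+2.34.1
+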
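--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_03
@@ -0,0 +1,29 @@
+
+From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: [PATCH] xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
+---
+iptables/xshared.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index fae5ddd5df93e..a8512d3808154 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+return;
+
+if (args->family != NFPROTO_ARP)
+- xtables_error(PARAMETER_PROBLEM, msg);
++ xtables_error(PARAMETER_PROBLEM, "%s", msg);
+
+fprintf(stderr, "%s", msg);
+}
+--
+2.34.1
+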
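--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_04
@@ -0,0 +1,61 @@
+
+From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Jun 2022 13:44:45 +0200
+Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
+
+Some repeated calls have been reduced recently, assert this in a test
+evaluating strace output.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
+---
+.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
+1 file changed, 37 insertions(+)
+create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+
+diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+new file mode 100755
+index 0000000000000..b86d71f209471
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+@@ -0,0 +1,37 @@
++#!/bin/bash
++
++# Test recent performance improvements in iptables-save due to reduced
++# overhead.
++
++strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
++
++RULESET=$(
++ echo "*filter"
++ for ((i = 0; i < 100; i++)); do
++ echo ":mychain$i -"
++ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
++ done
++ echo "COMMIT"
++)
++
++RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
++SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
++
++do_grep() { # (name, threshold, pattern)
++ local cnt=$(grep -c "$3")
++ [[ $cnt -le $2 ]] && return 0
++ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
++ exit 1
++}
++
++# iptables prefers hard-coded protocol names instead of looking them up first
++
++do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
++do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
++
++# iptables-nft-save pointlessly checked whether chain jumps are targets
++
++do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
++do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
++
++exit 0
+--
+2.34.1
+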
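Review bot: The two captures `RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)` and `SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)` never check whether strace actually traced anything, so on a host where strace is installed but ptrace is denied (a common build-container situation) the variables hold only strace's error text, every `grep -c` yields 0, and the test passes without having measured the overhead it is meant to assert. The skip at the top covers only a missing binary. A guard after the captures such as `grep -q '^execve(' <<< "$RESTORE_STRACE" || { echo "skip: strace produced no trace"; exit 0; }` (and the same for `$SAVE_STRACE`) keeps the pass from being vacuous. The literal thresholds `0` and `10` handed to do_grep would also read better as named variables next to the comments that justify them, e.g. `MAX_PROTO_LOOKUPS=0` and `MAX_LIBXT_LOOKUPS=10`.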
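--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_05
@@ -0,0 +1,33 @@
+
+From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 7 Jun 2022 18:07:00 +0200
+Subject: [PATCH] arptables: Support -x/--exact flag
+
+Legacy arptables accepts but ignores the flag. Yet there are remains of
+the functionality in sources, like OPT_EXPANDED define and a print_num()
+function which acts on FMT_KILOMEGAGIGA flag being set or not. So
+instead of mimicking legacy behaviour by explicitly ignoring -x flag for
+arptables, just enable the feature for it.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
+---
+iptables/xshared.h | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 14568bb00fb65..a50c8b7298072 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -69,7 +69,7 @@ struct xtables_target;
+
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
+-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
++#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
+#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
+
+/* define invflags which won't collide with IPT ones */
+--
+2.34.1
+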
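Review bot: Adding `x` to `ARPT_OPTSTRING` turns on a user-visible option for arptables-nft, but this patch touches no documentation; if arptables-nft.8 does not already list `-x, --exact` alongside the other listing modifiers, a man-page entry should accompany the change so the newly accepted flag is discoverable. The commit message explains that the handling code (OPT_EXPANDED, print_num()) already exists, but that is not visible from this hunk, so it is worth confirming the shared option parser actually acts on `x` for the ARP family rather than merely accepting it.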
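--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_06
@@ -0,0 +1,91 @@
+
+From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 30 Jun 2022 18:04:39 +0200
+Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
+
+Some extensions are not supported in revision 0 by user space anymore,
+for those the warning in xtables_compatible_revision() does not print as
+no revision 0 is tried.
+
+To fix this, one has to track if none of the user space supported
+revisions were accepted by the kernel. Therefore add respective logic to
+xtables_find_{target,match}().
+
+Note that this does not lead to duplicated warnings for unsupported
+extensions that have a revision 0 because xtables_compatible_revision()
+returns true for them to allow for extension's help output.
+
+For the record, these ip6tables extensions are affected: set/SET,
+socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
+for both families.
+
+Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
+---
+libxtables/xtables.c | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 96fd783a066cf..7abc63bcfd83e 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+struct xtables_match *ptr;
+const char *icmp6 = "icmp6";
+bool found = false;
++ bool seen = false;
+
+if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+xtables_error(PARAMETER_PROBLEM,
+@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ptr = *dptr;
+*dptr = (*dptr)->next;
++ seen = true;
+if (!found &&
+xtables_fully_register_pending_match(ptr, prev)) {
+found = true;
+@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+dptr = &((*dptr)->next);
+}
+
++ if (seen && !found)
++ fprintf(stderr,
++ "Warning: Extension %s is not supported, missing kernel module?\n",
++ name);
++
+for (ptr = xtables_matches; ptr; ptr = ptr->next) {
+if (extension_cmp(name, ptr->name, ptr->family)) {
+struct xtables_match *clone;
+@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+struct xtables_target **dptr;
+struct xtables_target *ptr;
+bool found = false;
++ bool seen = false;
+
+/* Standard target? */
+if (strcmp(name, "") == 0
+@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ptr = *dptr;
+*dptr = (*dptr)->next;
++ seen = true;
+if (!found &&
+xtables_fully_register_pending_target(ptr, prev)) {
+found = true;
+@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+dptr = &((*dptr)->next);
+}
+
++ if (seen && !found)
++ fprintf(stderr,
++ "Warning: Extension %s is not supported, missing kernel module?\n",
++ name);
++
+for (ptr = xtables_targets; ptr; ptr = ptr->next) {
+if (extension_cmp(name, ptr->name, ptr->family)) {
+struct xtables_target *clone;
+--
+2.34.1
+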
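Review bot: The warning block added after the pending-list loop in xtables_find_match (`if (seen && !found) fprintf(stderr, "Warning: Extension %s is not supported, missing kernel module?\n", name);`) is repeated byte-for-byte in xtables_find_target; a small `static void warn_unsupported_extension(const char *name)` helper called from both sites would keep the two messages from drifting apart on the next edit. The new `seen` flag is also undocumented at its declaration, and its relationship to `found` is not obvious from the hunk alone; a one-line comment such as `/* name matched a pending extension, even if no revision was accepted */` next to `bool seen = false;` would spell out the distinction the commit message draws. Both functions start and end outside the hunks shown.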
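--- /dev/null
+++ b/PLACEHOLDER_PATH_patch_07
@@ -0,0 +1,36 @@
+
+From f24d2449693558d3fbf2a8313a7eb65ecf25f6af Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 2 Aug 2022 14:52:30 +0200
+Subject: [PATCH] nft: fix ebtables among match when mac+ip addresses are used
+
+When matching mac and ip addresses, the ip address needs to be placed
+into then 2nd 32bit register, the switch to dynamic register allocation
+instead re-uses reg1, this partially clobbers the mac address, so
+set lookup comes up empty even though it should find a match.
+
+Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
+Reported-by: Yi Chen <yiche@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 2ba74d421cd622757df7a93720afc3b5b4b3b4e0)
+---
+iptables/nft.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index ec79f2bc5e98b..ee003511ab7f3 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+nftnl_rule_add_expr(r, e);
+
+if (ip) {
+- e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
+- sizeof(struct in_addr), ®);
++ e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
++ sizeof(struct in_addr), NFT_REG32_02);
+if (!e)
+return -ENOMEM;
+nftnl_rule_add_expr(r, e);
+--
+2.38.0
+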
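Review bot: The new `__gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst], sizeof(struct in_addr), NFT_REG32_02)` call pins the IP payload to a fixed register while the rest of this function, per the commit message, went through dynamic allocation, and nothing at the call site says why this one payload must bypass the allocator; without a comment the next cleanup is likely to "fix" it back to `gen_payload()` and reintroduce the clobbered-mac bug. A comment such as `/* among key is mac followed by ip: the ip must sit in the 32bit register right after the mac, so do not ask the allocator */` on the line above the call would record the invariant. It is also worth confirming that the register the allocator hands out for the preceding mac payload is always the one directly below `NFT_REG32_02`, since the fix assumes that layout rather than deriving it; __add_nft_among starts before and ends after the hunk.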
@ -0,0 +1,958 @@
@@ -0,0 +1,958 @@
|
||||
From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001 |
||||
From: Florian Westphal <fw@strlen.de> |
||||
Date: Thu, 22 Sep 2022 13:33:50 +0200 |
||||
Subject: [PATCH] nft: un-break among match with concatenation |
||||
|
||||
The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags") |
||||
breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but |
||||
doesn't set the CONCAT flag. |
||||
|
||||
Update uapi header and also set CONCAT. |
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f) |
||||
--- |
||||
include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++- |
||||
iptables/nft.c | 2 +- |
||||
2 files changed, 476 insertions(+), 9 deletions(-) |
||||
|
||||
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h |
||||
index 66dceee0ae307..e94d1fa554cb2 100644 |
||||
--- a/include/linux/netfilter/nf_tables.h |
||||
+++ b/include/linux/netfilter/nf_tables.h |
||||
@@ -8,6 +8,7 @@ |
||||
#define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN |
||||
#define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN |
||||
#define NFT_USERDATA_MAXLEN 256 |
||||
+#define NFT_OSF_MAXGENRELEN 16 |
||||
|
||||
/** |
||||
* enum nft_registers - nf_tables registers |
||||
@@ -47,6 +48,7 @@ enum nft_registers { |
||||
|
||||
#define NFT_REG_SIZE 16 |
||||
#define NFT_REG32_SIZE 4 |
||||
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) |
||||
|
||||
/** |
||||
* enum nft_verdicts - nf_tables internal verdicts |
||||
@@ -131,7 +133,7 @@ enum nf_tables_msg_types { |
||||
* @NFTA_LIST_ELEM: list element (NLA_NESTED) |
||||
*/ |
||||
enum nft_list_attributes { |
||||
- NFTA_LIST_UNPEC, |
||||
+ NFTA_LIST_UNSPEC, |
||||
NFTA_LIST_ELEM, |
||||
__NFTA_LIST_MAX |
||||
}; |
||||
@@ -143,12 +145,14 @@ enum nft_list_attributes { |
||||
* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32) |
||||
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32) |
||||
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING) |
||||
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED) |
||||
*/ |
||||
enum nft_hook_attributes { |
||||
NFTA_HOOK_UNSPEC, |
||||
NFTA_HOOK_HOOKNUM, |
||||
NFTA_HOOK_PRIORITY, |
||||
NFTA_HOOK_DEV, |
||||
+ NFTA_HOOK_DEVS, |
||||
__NFTA_HOOK_MAX |
||||
}; |
||||
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1) |
||||
@@ -160,7 +164,10 @@ enum nft_hook_attributes { |
||||
*/ |
||||
enum nft_table_flags { |
||||
NFT_TABLE_F_DORMANT = 0x1, |
||||
+ NFT_TABLE_F_OWNER = 0x2, |
||||
}; |
||||
+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \ |
||||
+ NFT_TABLE_F_OWNER) |
||||
|
||||
/** |
||||
* enum nft_table_attributes - nf_tables table netlink attributes |
||||
@@ -168,6 +175,8 @@ enum nft_table_flags { |
||||
* @NFTA_TABLE_NAME: name of the table (NLA_STRING) |
||||
* @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) |
||||
* @NFTA_TABLE_USE: number of chains in this table (NLA_U32) |
||||
+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY) |
||||
+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32) |
||||
*/ |
||||
enum nft_table_attributes { |
||||
NFTA_TABLE_UNSPEC, |
||||
@@ -176,10 +185,21 @@ enum nft_table_attributes { |
||||
NFTA_TABLE_USE, |
||||
NFTA_TABLE_HANDLE, |
||||
NFTA_TABLE_PAD, |
||||
+ NFTA_TABLE_USERDATA, |
||||
+ NFTA_TABLE_OWNER, |
||||
__NFTA_TABLE_MAX |
||||
}; |
||||
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1) |
||||
|
||||
+enum nft_chain_flags { |
||||
+ NFT_CHAIN_BASE = (1 << 0), |
||||
+ NFT_CHAIN_HW_OFFLOAD = (1 << 1), |
||||
+ NFT_CHAIN_BINDING = (1 << 2), |
||||
+}; |
||||
+#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \ |
||||
+ NFT_CHAIN_HW_OFFLOAD | \ |
||||
+ NFT_CHAIN_BINDING) |
||||
+ |
||||
/** |
||||
* enum nft_chain_attributes - nf_tables chain netlink attributes |
||||
* |
||||
@@ -191,6 +211,9 @@ enum nft_table_attributes { |
||||
* @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) |
||||
* @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) |
||||
* @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) |
||||
+ * @NFTA_CHAIN_FLAGS: chain flags |
||||
+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32) |
||||
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY) |
||||
*/ |
||||
enum nft_chain_attributes { |
||||
NFTA_CHAIN_UNSPEC, |
||||
@@ -203,6 +226,9 @@ enum nft_chain_attributes { |
||||
NFTA_CHAIN_TYPE, |
||||
NFTA_CHAIN_COUNTERS, |
||||
NFTA_CHAIN_PAD, |
||||
+ NFTA_CHAIN_FLAGS, |
||||
+ NFTA_CHAIN_ID, |
||||
+ NFTA_CHAIN_USERDATA, |
||||
__NFTA_CHAIN_MAX |
||||
}; |
||||
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) |
||||
@@ -218,6 +244,7 @@ enum nft_chain_attributes { |
||||
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) |
||||
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) |
||||
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32) |
||||
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32) |
||||
*/ |
||||
enum nft_rule_attributes { |
||||
NFTA_RULE_UNSPEC, |
||||
@@ -230,6 +257,8 @@ enum nft_rule_attributes { |
||||
NFTA_RULE_USERDATA, |
||||
NFTA_RULE_PAD, |
||||
NFTA_RULE_ID, |
||||
+ NFTA_RULE_POSITION_ID, |
||||
+ NFTA_RULE_CHAIN_ID, |
||||
__NFTA_RULE_MAX |
||||
}; |
||||
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) |
||||
@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes { |
||||
* @NFT_SET_INTERVAL: set contains intervals |
||||
* @NFT_SET_MAP: set is used as a dictionary |
||||
* @NFT_SET_TIMEOUT: set uses timeouts |
||||
- * @NFT_SET_EVAL: set contains expressions for evaluation |
||||
+ * @NFT_SET_EVAL: set can be updated from the evaluation path |
||||
* @NFT_SET_OBJECT: set contains stateful objects |
||||
+ * @NFT_SET_CONCAT: set contains a concatenation |
||||
+ * @NFT_SET_EXPR: set contains expressions |
||||
*/ |
||||
enum nft_set_flags { |
||||
NFT_SET_ANONYMOUS = 0x1, |
||||
@@ -277,6 +308,8 @@ enum nft_set_flags { |
||||
NFT_SET_TIMEOUT = 0x10, |
||||
NFT_SET_EVAL = 0x20, |
||||
NFT_SET_OBJECT = 0x40, |
||||
+ NFT_SET_CONCAT = 0x80, |
||||
+ NFT_SET_EXPR = 0x100, |
||||
}; |
||||
|
||||
/** |
||||
@@ -294,14 +327,28 @@ enum nft_set_policies { |
||||
* enum nft_set_desc_attributes - set element description |
||||
* |
||||
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) |
||||
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED) |
||||
*/ |
||||
enum nft_set_desc_attributes { |
||||
NFTA_SET_DESC_UNSPEC, |
||||
NFTA_SET_DESC_SIZE, |
||||
+ NFTA_SET_DESC_CONCAT, |
||||
__NFTA_SET_DESC_MAX |
||||
}; |
||||
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_set_field_attributes - attributes of concatenated fields |
||||
+ * |
||||
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) |
||||
+ */ |
||||
+enum nft_set_field_attributes { |
||||
+ NFTA_SET_FIELD_UNSPEC, |
||||
+ NFTA_SET_FIELD_LEN, |
||||
+ __NFTA_SET_FIELD_MAX |
||||
+}; |
||||
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_set_attributes - nf_tables set netlink attributes |
||||
* |
||||
@@ -320,6 +367,8 @@ enum nft_set_desc_attributes { |
||||
* @NFTA_SET_USERDATA: user data (NLA_BINARY) |
||||
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*) |
||||
* @NFTA_SET_HANDLE: set handle (NLA_U64) |
||||
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes) |
||||
+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) |
||||
*/ |
||||
enum nft_set_attributes { |
||||
NFTA_SET_UNSPEC, |
||||
@@ -339,6 +388,8 @@ enum nft_set_attributes { |
||||
NFTA_SET_PAD, |
||||
NFTA_SET_OBJ_TYPE, |
||||
NFTA_SET_HANDLE, |
||||
+ NFTA_SET_EXPR, |
||||
+ NFTA_SET_EXPRESSIONS, |
||||
__NFTA_SET_MAX |
||||
}; |
||||
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1) |
||||
@@ -347,9 +398,11 @@ enum nft_set_attributes { |
||||
* enum nft_set_elem_flags - nf_tables set element flags |
||||
* |
||||
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval |
||||
+ * @NFT_SET_ELEM_CATCHALL: special catch-all element |
||||
*/ |
||||
enum nft_set_elem_flags { |
||||
NFT_SET_ELEM_INTERVAL_END = 0x1, |
||||
+ NFT_SET_ELEM_CATCHALL = 0x2, |
||||
}; |
||||
|
||||
/** |
||||
@@ -363,6 +416,8 @@ enum nft_set_elem_flags { |
||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) |
||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) |
||||
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING) |
||||
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data) |
||||
+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) |
||||
*/ |
||||
enum nft_set_elem_attributes { |
||||
NFTA_SET_ELEM_UNSPEC, |
||||
@@ -375,6 +430,8 @@ enum nft_set_elem_attributes { |
||||
NFTA_SET_ELEM_EXPR, |
||||
NFTA_SET_ELEM_PAD, |
||||
NFTA_SET_ELEM_OBJREF, |
||||
+ NFTA_SET_ELEM_KEY_END, |
||||
+ NFTA_SET_ELEM_EXPRESSIONS, |
||||
__NFTA_SET_ELEM_MAX |
||||
}; |
||||
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) |
||||
@@ -440,11 +497,13 @@ enum nft_data_attributes { |
||||
* |
||||
* @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts) |
||||
* @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING) |
||||
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32) |
||||
*/ |
||||
enum nft_verdict_attributes { |
||||
NFTA_VERDICT_UNSPEC, |
||||
NFTA_VERDICT_CODE, |
||||
NFTA_VERDICT_CHAIN, |
||||
+ NFTA_VERDICT_CHAIN_ID, |
||||
__NFTA_VERDICT_MAX |
||||
}; |
||||
#define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1) |
||||
@@ -477,6 +536,20 @@ enum nft_immediate_attributes { |
||||
}; |
||||
#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_bitwise_ops - nf_tables bitwise operations |
||||
+ * |
||||
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and |
||||
+ * XOR boolean operations |
||||
+ * @NFT_BITWISE_LSHIFT: left-shift operation |
||||
+ * @NFT_BITWISE_RSHIFT: right-shift operation |
||||
+ */ |
||||
+enum nft_bitwise_ops { |
||||
+ NFT_BITWISE_BOOL, |
||||
+ NFT_BITWISE_LSHIFT, |
||||
+ NFT_BITWISE_RSHIFT, |
||||
+}; |
||||
+ |
||||
/** |
||||
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes |
||||
* |
||||
@@ -485,16 +558,20 @@ enum nft_immediate_attributes { |
||||
* @NFTA_BITWISE_LEN: length of operands (NLA_U32) |
||||
* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes) |
||||
* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes) |
||||
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops) |
||||
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations |
||||
+ * (NLA_NESTED: nft_data_attributes) |
||||
* |
||||
- * The bitwise expression performs the following operation: |
||||
+ * The bitwise expression supports boolean and shift operations. It implements |
||||
+ * the boolean operations by performing the following operation: |
||||
* |
||||
* dreg = (sreg & mask) ^ xor |
||||
* |
||||
- * which allow to express all bitwise operations: |
||||
+ * with these mask and xor values: |
||||
* |
||||
* mask xor |
||||
* NOT: 1 1 |
||||
- * OR: 0 x |
||||
+ * OR: ~x x |
||||
* XOR: 1 x |
||||
* AND: x 0 |
||||
*/ |
||||
@@ -505,6 +582,8 @@ enum nft_bitwise_attributes { |
||||
NFTA_BITWISE_LEN, |
||||
NFTA_BITWISE_MASK, |
||||
NFTA_BITWISE_XOR, |
||||
+ NFTA_BITWISE_OP, |
||||
+ NFTA_BITWISE_DATA, |
||||
__NFTA_BITWISE_MAX |
||||
}; |
||||
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) |
||||
@@ -631,10 +710,12 @@ enum nft_lookup_attributes { |
||||
enum nft_dynset_ops { |
||||
NFT_DYNSET_OP_ADD, |
||||
NFT_DYNSET_OP_UPDATE, |
||||
+ NFT_DYNSET_OP_DELETE, |
||||
}; |
||||
|
||||
enum nft_dynset_flags { |
||||
NFT_DYNSET_F_INV = (1 << 0), |
||||
+ NFT_DYNSET_F_EXPR = (1 << 1), |
||||
}; |
||||
|
||||
/** |
||||
@@ -648,6 +729,7 @@ enum nft_dynset_flags { |
||||
* @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) |
||||
* @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) |
||||
* @NFTA_DYNSET_FLAGS: flags (NLA_U32) |
||||
+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) |
||||
*/ |
||||
enum nft_dynset_attributes { |
||||
NFTA_DYNSET_UNSPEC, |
||||
@@ -660,6 +742,7 @@ enum nft_dynset_attributes { |
||||
NFTA_DYNSET_EXPR, |
||||
NFTA_DYNSET_PAD, |
||||
NFTA_DYNSET_FLAGS, |
||||
+ NFTA_DYNSET_EXPRESSIONS, |
||||
__NFTA_DYNSET_MAX, |
||||
}; |
||||
#define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) |
||||
@@ -682,10 +765,12 @@ enum nft_payload_bases { |
||||
* |
||||
* @NFT_PAYLOAD_CSUM_NONE: no checksumming |
||||
* @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791) |
||||
+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309) |
||||
*/ |
||||
enum nft_payload_csum_types { |
||||
NFT_PAYLOAD_CSUM_NONE, |
||||
NFT_PAYLOAD_CSUM_INET, |
||||
+ NFT_PAYLOAD_CSUM_SCTP, |
||||
}; |
||||
|
||||
enum nft_payload_csum_flags { |
||||
@@ -727,10 +812,14 @@ enum nft_exthdr_flags { |
||||
* |
||||
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers |
||||
* @NFT_EXTHDR_OP_TCP: match against tcp options |
||||
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options |
||||
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks |
||||
*/ |
||||
enum nft_exthdr_op { |
||||
NFT_EXTHDR_OP_IPV6, |
||||
NFT_EXTHDR_OP_TCPOPT, |
||||
+ NFT_EXTHDR_OP_IPV4, |
||||
+ NFT_EXTHDR_OP_SCTP, |
||||
__NFT_EXTHDR_OP_MAX |
||||
}; |
||||
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) |
||||
@@ -788,6 +877,15 @@ enum nft_exthdr_attributes { |
||||
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) |
||||
* @NFT_META_PRANDOM: a 32bit pseudo-random number |
||||
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) |
||||
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) |
||||
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) |
||||
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid |
||||
+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto |
||||
+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds) |
||||
+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday) |
||||
+ * @NFT_META_TIME_HOUR: hour of day (in seconds) |
||||
+ * @NFT_META_SDIF: slave device interface index |
||||
+ * @NFT_META_SDIFNAME: slave device interface name |
||||
*/ |
||||
enum nft_meta_keys { |
||||
NFT_META_LEN, |
||||
@@ -816,6 +914,15 @@ enum nft_meta_keys { |
||||
NFT_META_CGROUP, |
||||
NFT_META_PRANDOM, |
||||
NFT_META_SECPATH, |
||||
+ NFT_META_IIFKIND, |
||||
+ NFT_META_OIFKIND, |
||||
+ NFT_META_BRI_IIFPVID, |
||||
+ NFT_META_BRI_IIFVPROTO, |
||||
+ NFT_META_TIME_NS, |
||||
+ NFT_META_TIME_DAY, |
||||
+ NFT_META_TIME_HOUR, |
||||
+ NFT_META_SDIF, |
||||
+ NFT_META_SDIFNAME, |
||||
}; |
||||
|
||||
/** |
||||
@@ -825,13 +932,17 @@ enum nft_meta_keys { |
||||
* @NFT_RT_NEXTHOP4: routing nexthop for IPv4 |
||||
* @NFT_RT_NEXTHOP6: routing nexthop for IPv6 |
||||
* @NFT_RT_TCPMSS: fetch current path tcp mss |
||||
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL |
||||
*/ |
||||
enum nft_rt_keys { |
||||
NFT_RT_CLASSID, |
||||
NFT_RT_NEXTHOP4, |
||||
NFT_RT_NEXTHOP6, |
||||
NFT_RT_TCPMSS, |
||||
+ NFT_RT_XFRM, |
||||
+ __NFT_RT_MAX |
||||
}; |
||||
+#define NFT_RT_MAX (__NFT_RT_MAX - 1) |
||||
|
||||
/** |
||||
* enum nft_hash_types - nf_tables hash expression types |
||||
@@ -854,6 +965,8 @@ enum nft_hash_types { |
||||
* @NFTA_HASH_SEED: seed value (NLA_U32) |
||||
* @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32) |
||||
* @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types) |
||||
+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING) |
||||
+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32) |
||||
*/ |
||||
enum nft_hash_attributes { |
||||
NFTA_HASH_UNSPEC, |
||||
@@ -864,6 +977,8 @@ enum nft_hash_attributes { |
||||
NFTA_HASH_SEED, |
||||
NFTA_HASH_OFFSET, |
||||
NFTA_HASH_TYPE, |
||||
+ NFTA_HASH_SET_NAME, /* deprecated */ |
||||
+ NFTA_HASH_SET_ID, /* deprecated */ |
||||
__NFTA_HASH_MAX, |
||||
}; |
||||
#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) |
||||
@@ -898,6 +1013,39 @@ enum nft_rt_attributes { |
||||
}; |
||||
#define NFTA_RT_MAX (__NFTA_RT_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes |
||||
+ * |
||||
+ * @NFTA_SOCKET_KEY: socket key to match |
||||
+ * @NFTA_SOCKET_DREG: destination register |
||||
+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2) |
||||
+ */ |
||||
+enum nft_socket_attributes { |
||||
+ NFTA_SOCKET_UNSPEC, |
||||
+ NFTA_SOCKET_KEY, |
||||
+ NFTA_SOCKET_DREG, |
||||
+ NFTA_SOCKET_LEVEL, |
||||
+ __NFTA_SOCKET_MAX |
||||
+}; |
||||
+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) |
||||
+ |
||||
+/* |
||||
+ * enum nft_socket_keys - nf_tables socket expression keys |
||||
+ * |
||||
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option |
||||
+ * @NFT_SOCKET_MARK: Value of the socket mark |
||||
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0) |
||||
+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2 |
||||
+ */ |
||||
+enum nft_socket_keys { |
||||
+ NFT_SOCKET_TRANSPARENT, |
||||
+ NFT_SOCKET_MARK, |
||||
+ NFT_SOCKET_WILDCARD, |
||||
+ NFT_SOCKET_CGROUPV2, |
||||
+ __NFT_SOCKET_MAX |
||||
+}; |
||||
+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_ct_keys - nf_tables ct expression keys |
||||
* |
||||
@@ -909,8 +1057,8 @@ enum nft_rt_attributes { |
||||
* @NFT_CT_EXPIRATION: relative conntrack expiration time in ms |
||||
* @NFT_CT_HELPER: connection tracking helper assigned to conntrack |
||||
* @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol |
||||
- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address) |
||||
- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address) |
||||
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated) |
||||
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated) |
||||
* @NFT_CT_PROTOCOL: conntrack layer 4 protocol |
||||
* @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source |
||||
* @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination |
||||
@@ -920,6 +1068,11 @@ enum nft_rt_attributes { |
||||
* @NFT_CT_AVGPKT: conntrack average bytes per packet |
||||
* @NFT_CT_ZONE: conntrack zone |
||||
* @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack |
||||
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address) |
||||
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) |
||||
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) |
||||
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) |
||||
+ * @NFT_CT_ID: conntrack id |
||||
*/ |
||||
enum nft_ct_keys { |
||||
NFT_CT_STATE, |
||||
@@ -941,7 +1094,14 @@ enum nft_ct_keys { |
||||
NFT_CT_AVGPKT, |
||||
NFT_CT_ZONE, |
||||
NFT_CT_EVENTMASK, |
||||
+ NFT_CT_SRC_IP, |
||||
+ NFT_CT_DST_IP, |
||||
+ NFT_CT_SRC_IP6, |
||||
+ NFT_CT_DST_IP6, |
||||
+ NFT_CT_ID, |
||||
+ __NFT_CT_MAX |
||||
}; |
||||
+#define NFT_CT_MAX (__NFT_CT_MAX - 1) |
||||
|
||||
/** |
||||
* enum nft_ct_attributes - nf_tables ct expression netlink attributes |
||||
@@ -1002,6 +1162,24 @@ enum nft_limit_attributes { |
||||
}; |
||||
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) |
||||
|
||||
+enum nft_connlimit_flags { |
||||
+ NFT_CONNLIMIT_F_INV = (1 << 0), |
||||
+}; |
||||
+ |
||||
+/** |
||||
+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes |
||||
+ * |
||||
+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32) |
||||
+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags) |
||||
+ */ |
||||
+enum nft_connlimit_attributes { |
||||
+ NFTA_CONNLIMIT_UNSPEC, |
||||
+ NFTA_CONNLIMIT_COUNT, |
||||
+ NFTA_CONNLIMIT_FLAGS, |
||||
+ __NFTA_CONNLIMIT_MAX |
||||
+}; |
||||
+#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_counter_attributes - nf_tables counter expression netlink attributes |
||||
* |
||||
@@ -1017,6 +1195,21 @@ enum nft_counter_attributes { |
||||
}; |
||||
#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_last_attributes - nf_tables last expression netlink attributes |
||||
+ * |
||||
+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32) |
||||
+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64) |
||||
+ */ |
||||
+enum nft_last_attributes { |
||||
+ NFTA_LAST_UNSPEC, |
||||
+ NFTA_LAST_SET, |
||||
+ NFTA_LAST_MSECS, |
||||
+ NFTA_LAST_PAD, |
||||
+ __NFTA_LAST_MAX |
||||
+}; |
||||
+#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_log_attributes - nf_tables log expression netlink attributes |
||||
* |
||||
@@ -1039,6 +1232,33 @@ enum nft_log_attributes { |
||||
}; |
||||
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_log_level - nf_tables log levels |
||||
+ * |
||||
+ * @NFT_LOGLEVEL_EMERG: system is unusable |
||||
+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately |
||||
+ * @NFT_LOGLEVEL_CRIT: critical conditions |
||||
+ * @NFT_LOGLEVEL_ERR: error conditions |
||||
+ * @NFT_LOGLEVEL_WARNING: warning conditions |
||||
+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition |
||||
+ * @NFT_LOGLEVEL_INFO: informational |
||||
+ * @NFT_LOGLEVEL_DEBUG: debug-level messages |
||||
+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging |
||||
+ */ |
||||
+enum nft_log_level { |
||||
+ NFT_LOGLEVEL_EMERG, |
||||
+ NFT_LOGLEVEL_ALERT, |
||||
+ NFT_LOGLEVEL_CRIT, |
||||
+ NFT_LOGLEVEL_ERR, |
||||
+ NFT_LOGLEVEL_WARNING, |
||||
+ NFT_LOGLEVEL_NOTICE, |
||||
+ NFT_LOGLEVEL_INFO, |
||||
+ NFT_LOGLEVEL_DEBUG, |
||||
+ NFT_LOGLEVEL_AUDIT, |
||||
+ __NFT_LOGLEVEL_MAX |
||||
+}; |
||||
+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_queue_attributes - nf_tables queue expression netlink attributes |
||||
* |
||||
@@ -1083,6 +1303,21 @@ enum nft_quota_attributes { |
||||
}; |
||||
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes |
||||
+ * |
||||
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING) |
||||
+ */ |
||||
+enum nft_secmark_attributes { |
||||
+ NFTA_SECMARK_UNSPEC, |
||||
+ NFTA_SECMARK_CTX, |
||||
+ __NFTA_SECMARK_MAX, |
||||
+}; |
||||
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) |
||||
+ |
||||
+/* Max security context length */ |
||||
+#define NFT_SECMARK_CTX_MAXLEN 256 |
||||
+ |
||||
/** |
||||
* enum nft_reject_types - nf_tables reject expression reject types |
||||
* |
||||
@@ -1164,6 +1399,22 @@ enum nft_nat_attributes { |
||||
}; |
||||
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes |
||||
+ * |
||||
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers) |
||||
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers) |
||||
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers) |
||||
+ */ |
||||
+enum nft_tproxy_attributes { |
||||
+ NFTA_TPROXY_UNSPEC, |
||||
+ NFTA_TPROXY_FAMILY, |
||||
+ NFTA_TPROXY_REG_ADDR, |
||||
+ NFTA_TPROXY_REG_PORT, |
||||
+ __NFTA_TPROXY_MAX |
||||
+}; |
||||
+#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_masq_attributes - nf_tables masquerade expression attributes |
||||
* |
||||
@@ -1214,10 +1465,14 @@ enum nft_dup_attributes { |
||||
* enum nft_fwd_attributes - nf_tables fwd expression netlink attributes |
||||
* |
||||
* @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register) |
||||
+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register) |
||||
+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto) |
||||
*/ |
||||
enum nft_fwd_attributes { |
||||
NFTA_FWD_UNSPEC, |
||||
NFTA_FWD_SREG_DEV, |
||||
+ NFTA_FWD_SREG_ADDR, |
||||
+ NFTA_FWD_NFPROTO, |
||||
__NFTA_FWD_MAX |
||||
}; |
||||
#define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1) |
||||
@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes { |
||||
}; |
||||
#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) |
||||
|
||||
+enum nft_ct_timeout_timeout_attributes { |
||||
+ NFTA_CT_TIMEOUT_UNSPEC, |
||||
+ NFTA_CT_TIMEOUT_L3PROTO, |
||||
+ NFTA_CT_TIMEOUT_L4PROTO, |
||||
+ NFTA_CT_TIMEOUT_DATA, |
||||
+ __NFTA_CT_TIMEOUT_MAX, |
||||
+}; |
||||
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) |
||||
+ |
||||
+enum nft_ct_expectation_attributes { |
||||
+ NFTA_CT_EXPECT_UNSPEC, |
||||
+ NFTA_CT_EXPECT_L3PROTO, |
||||
+ NFTA_CT_EXPECT_L4PROTO, |
||||
+ NFTA_CT_EXPECT_DPORT, |
||||
+ NFTA_CT_EXPECT_TIMEOUT, |
||||
+ NFTA_CT_EXPECT_SIZE, |
||||
+ __NFTA_CT_EXPECT_MAX, |
||||
+}; |
||||
+#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1) |
||||
+ |
||||
#define NFT_OBJECT_UNSPEC 0 |
||||
#define NFT_OBJECT_COUNTER 1 |
||||
#define NFT_OBJECT_QUOTA 2 |
||||
#define NFT_OBJECT_CT_HELPER 3 |
||||
#define NFT_OBJECT_LIMIT 4 |
||||
-#define __NFT_OBJECT_MAX 5 |
||||
+#define NFT_OBJECT_CONNLIMIT 5 |
||||
+#define NFT_OBJECT_TUNNEL 6 |
||||
+#define NFT_OBJECT_CT_TIMEOUT 7 |
||||
+#define NFT_OBJECT_SECMARK 8 |
||||
+#define NFT_OBJECT_CT_EXPECT 9 |
||||
+#define NFT_OBJECT_SYNPROXY 10 |
||||
+#define __NFT_OBJECT_MAX 11 |
||||
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) |
||||
|
||||
/** |
||||
@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes { |
||||
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED) |
||||
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32) |
||||
* @NFTA_OBJ_HANDLE: object handle (NLA_U64) |
||||
+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY) |
||||
*/ |
||||
enum nft_object_attributes { |
||||
NFTA_OBJ_UNSPEC, |
||||
@@ -1329,10 +1611,24 @@ enum nft_object_attributes { |
||||
NFTA_OBJ_USE, |
||||
NFTA_OBJ_HANDLE, |
||||
NFTA_OBJ_PAD, |
||||
+ NFTA_OBJ_USERDATA, |
||||
__NFTA_OBJ_MAX |
||||
}; |
||||
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_flowtable_flags - nf_tables flowtable flags |
||||
+ * |
||||
+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled |
||||
+ * @NFT_FLOWTABLE_COUNTER: enable flow counters |
||||
+ */ |
||||
+enum nft_flowtable_flags { |
||||
+ NFT_FLOWTABLE_HW_OFFLOAD = 0x1, |
||||
+ NFT_FLOWTABLE_COUNTER = 0x2, |
||||
+ NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD | |
||||
+ NFT_FLOWTABLE_COUNTER) |
||||
+}; |
||||
+ |
||||
/** |
||||
* enum nft_flowtable_attributes - nf_tables flow table netlink attributes |
||||
* |
||||
@@ -1341,6 +1637,7 @@ enum nft_object_attributes { |
||||
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) |
||||
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) |
||||
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) |
||||
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) |
||||
*/ |
||||
enum nft_flowtable_attributes { |
||||
NFTA_FLOWTABLE_UNSPEC, |
||||
@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes { |
||||
NFTA_FLOWTABLE_USE, |
||||
NFTA_FLOWTABLE_HANDLE, |
||||
NFTA_FLOWTABLE_PAD, |
||||
+ NFTA_FLOWTABLE_FLAGS, |
||||
__NFTA_FLOWTABLE_MAX |
||||
}; |
||||
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1) |
||||
@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes { |
||||
}; |
||||
#define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) |
||||
|
||||
+/** |
||||
+ * enum nft_osf_attributes - nftables osf expression netlink attributes |
||||
+ * |
||||
+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) |
||||
+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) |
||||
+ * @NFTA_OSF_FLAGS: flags (NLA_U32) |
||||
+ */ |
||||
+enum nft_osf_attributes { |
||||
+ NFTA_OSF_UNSPEC, |
||||
+ NFTA_OSF_DREG, |
||||
+ NFTA_OSF_TTL, |
||||
+ NFTA_OSF_FLAGS, |
||||
+ __NFTA_OSF_MAX, |
||||
+}; |
||||
+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) |
||||
+ |
||||
+enum nft_osf_flags { |
||||
+ NFT_OSF_F_VERSION = (1 << 0), |
||||
+}; |
||||
+ |
||||
+/** |
||||
+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes |
||||
+ * |
||||
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) |
||||
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) |
||||
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) |
||||
+ */ |
||||
+enum nft_synproxy_attributes { |
||||
+ NFTA_SYNPROXY_UNSPEC, |
||||
+ NFTA_SYNPROXY_MSS, |
||||
+ NFTA_SYNPROXY_WSCALE, |
||||
+ NFTA_SYNPROXY_FLAGS, |
||||
+ __NFTA_SYNPROXY_MAX, |
||||
+}; |
||||
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) |
||||
+ |
||||
/** |
||||
* enum nft_device_attributes - nf_tables device netlink attributes |
||||
* |
||||
@@ -1382,6 +1716,35 @@ enum nft_devices_attributes { |
||||
}; |
||||
#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) |
||||
|
||||
+/* |
||||
+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes |
||||
+ * |
||||
+ * @NFTA_XFRM_DREG: destination register (NLA_U32) |
||||
+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32) |
||||
+ * @NFTA_XFRM_DIR: direction (NLA_U8) |
||||
+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32) |
||||
+ */ |
||||
+enum nft_xfrm_attributes { |
||||
+ NFTA_XFRM_UNSPEC, |
||||
+ NFTA_XFRM_DREG, |
||||
+ NFTA_XFRM_KEY, |
||||
+ NFTA_XFRM_DIR, |
||||
+ NFTA_XFRM_SPNUM, |
||||
+ __NFTA_XFRM_MAX |
||||
+}; |
||||
+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1) |
||||
+ |
||||
+enum nft_xfrm_keys { |
||||
+ NFT_XFRM_KEY_UNSPEC, |
||||
+ NFT_XFRM_KEY_DADDR_IP4, |
||||
+ NFT_XFRM_KEY_DADDR_IP6, |
||||
+ NFT_XFRM_KEY_SADDR_IP4, |
||||
+ NFT_XFRM_KEY_SADDR_IP6, |
||||
+ NFT_XFRM_KEY_REQID, |
||||
+ NFT_XFRM_KEY_SPI, |
||||
+ __NFT_XFRM_KEY_MAX, |
||||
+}; |
||||
+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1) |
||||
|
||||
/** |
||||
* enum nft_trace_attributes - nf_tables trace netlink attributes |
||||
@@ -1442,6 +1805,8 @@ enum nft_trace_types { |
||||
* @NFTA_NG_MODULUS: maximum counter value (NLA_U32) |
||||
* @NFTA_NG_TYPE: operation type (NLA_U32) |
||||
* @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32) |
||||
+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING) |
||||
+ * @NFTA_NG_SET_ID: id of the map (NLA_U32) |
||||
*/ |
||||
enum nft_ng_attributes { |
||||
NFTA_NG_UNSPEC, |
||||
@@ -1449,6 +1814,8 @@ enum nft_ng_attributes { |
||||
NFTA_NG_MODULUS, |
||||
NFTA_NG_TYPE, |
||||
NFTA_NG_OFFSET, |
||||
+ NFTA_NG_SET_NAME, /* deprecated */ |
||||
+ NFTA_NG_SET_ID, /* deprecated */ |
||||
__NFTA_NG_MAX |
||||
}; |
||||
#define NFTA_NG_MAX (__NFTA_NG_MAX - 1) |
||||
@@ -1460,4 +1827,104 @@ enum nft_ng_types { |
||||
}; |
||||
#define NFT_NG_MAX (__NFT_NG_MAX - 1) |
||||
|
||||
+enum nft_tunnel_key_ip_attributes { |
||||
+ NFTA_TUNNEL_KEY_IP_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_IP_SRC, |
||||
+ NFTA_TUNNEL_KEY_IP_DST, |
||||
+ __NFTA_TUNNEL_KEY_IP_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_ip6_attributes { |
||||
+ NFTA_TUNNEL_KEY_IP6_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_IP6_SRC, |
||||
+ NFTA_TUNNEL_KEY_IP6_DST, |
||||
+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL, |
||||
+ __NFTA_TUNNEL_KEY_IP6_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_opts_attributes { |
||||
+ NFTA_TUNNEL_KEY_OPTS_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_OPTS_VXLAN, |
||||
+ NFTA_TUNNEL_KEY_OPTS_ERSPAN, |
||||
+ NFTA_TUNNEL_KEY_OPTS_GENEVE, |
||||
+ __NFTA_TUNNEL_KEY_OPTS_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_opts_vxlan_attributes { |
||||
+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_VXLAN_GBP, |
||||
+ __NFTA_TUNNEL_KEY_VXLAN_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_opts_erspan_attributes { |
||||
+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_ERSPAN_VERSION, |
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX, |
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID, |
||||
+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR, |
||||
+ __NFTA_TUNNEL_KEY_ERSPAN_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_opts_geneve_attributes { |
||||
+ NFTA_TUNNEL_KEY_GENEVE_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_GENEVE_CLASS, |
||||
+ NFTA_TUNNEL_KEY_GENEVE_TYPE, |
||||
+ NFTA_TUNNEL_KEY_GENEVE_DATA, |
||||
+ __NFTA_TUNNEL_KEY_GENEVE_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_flags { |
||||
+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0), |
||||
+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1), |
||||
+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2), |
||||
+}; |
||||
+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \ |
||||
+ NFT_TUNNEL_F_DONT_FRAGMENT | \ |
||||
+ NFT_TUNNEL_F_SEQ_NUMBER) |
||||
+ |
||||
+enum nft_tunnel_key_attributes { |
||||
+ NFTA_TUNNEL_KEY_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY_ID, |
||||
+ NFTA_TUNNEL_KEY_IP, |
||||
+ NFTA_TUNNEL_KEY_IP6, |
||||
+ NFTA_TUNNEL_KEY_FLAGS, |
||||
+ NFTA_TUNNEL_KEY_TOS, |
||||
+ NFTA_TUNNEL_KEY_TTL, |
||||
+ NFTA_TUNNEL_KEY_SPORT, |
||||
+ NFTA_TUNNEL_KEY_DPORT, |
||||
+ NFTA_TUNNEL_KEY_OPTS, |
||||
+ __NFTA_TUNNEL_KEY_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_keys { |
||||
+ NFT_TUNNEL_PATH, |
||||
+ NFT_TUNNEL_ID, |
||||
+ __NFT_TUNNEL_MAX |
||||
+}; |
||||
+#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_mode { |
||||
+ NFT_TUNNEL_MODE_NONE, |
||||
+ NFT_TUNNEL_MODE_RX, |
||||
+ NFT_TUNNEL_MODE_TX, |
||||
+ __NFT_TUNNEL_MODE_MAX |
||||
+}; |
||||
+#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1) |
||||
+ |
||||
+enum nft_tunnel_attributes { |
||||
+ NFTA_TUNNEL_UNSPEC, |
||||
+ NFTA_TUNNEL_KEY, |
||||
+ NFTA_TUNNEL_DREG, |
||||
+ NFTA_TUNNEL_MODE, |
||||
+ __NFTA_TUNNEL_MAX |
||||
+}; |
||||
+#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1) |
||||
+ |
||||
#endif /* _LINUX_NF_TABLES_H */ |
||||
diff --git a/iptables/nft.c b/iptables/nft.c |
||||
index ee003511ab7f3..4807090cc4306 100644 |
||||
--- a/iptables/nft.c |
||||
+++ b/iptables/nft.c |
||||
@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table, |
||||
type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR; |
||||
len += sizeof(struct in_addr) + NETLINK_ALIGN - 1; |
||||
len &= ~(NETLINK_ALIGN - 1); |
||||
- flags = NFT_SET_INTERVAL; |
||||
+ flags = NFT_SET_INTERVAL | NFT_SET_CONCAT; |
||||
} |
||||
|
||||
s = add_anon_set(h, table, flags, type, len, cnt); |
||||
-- |
||||
2.38.0 |
||||
|
@ -0,0 +1,73 @@
@@ -0,0 +1,73 @@
|
||||
#!/bin/sh |
||||
|
||||
ARPTABLES_CONFIG=/etc/sysconfig/arptables |
||||
|
||||
# compat for removed initscripts dependency |
||||
|
||||
success() { |
||||
echo "[ OK ]" |
||||
return 0 |
||||
} |
||||
|
||||
failure() { |
||||
echo "[FAILED]" |
||||
return 1 |
||||
} |
||||
|
||||
start() { |
||||
if [ ! -x /usr/sbin/arptables ]; then |
||||
exit 4 |
||||
fi |
||||
|
||||
# don't do squat if we don't have the config file |
||||
if [ -f $ARPTABLES_CONFIG ]; then |
||||
printf "Applying arptables firewall rules: " |
||||
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \ |
||||
success || \ |
||||
failure |
||||
touch /var/lock/subsys/arptables |
||||
else |
||||
failure |
||||
echo "Configuration file /etc/sysconfig/arptables missing" |
||||
exit 6 |
||||
fi |
||||
} |
||||
|
||||
stop() { |
||||
printf "Removing user defined chains: " |
||||
arptables -X && success || failure |
||||
printf "Flushing all chains: " |
||||
arptables -F && success || failure |
||||
printf "Resetting built-in chains to the default ACCEPT policy: " |
||||
arptables -P INPUT ACCEPT && \ |
||||
arptables -P OUTPUT ACCEPT && \ |
||||
success || \ |
||||
failure |
||||
rm -f /var/lock/subsys/arptables |
||||
} |
||||
|
||||
case "$1" in |
||||
start) |
||||
start |
||||
;; |
||||
|
||||
stop) |
||||
stop |
||||
;; |
||||
|
||||
restart|reload) |
||||
# "restart" is really just "start" as this isn't a daemon, |
||||
# and "start" clears any pre-defined rules anyway. |
||||
# This is really only here to make those who expect it happy |
||||
start |
||||
;; |
||||
|
||||
condrestart|try-restart|force-reload) |
||||
[ -e /var/lock/subsys/arptables ] && start |
||||
;; |
||||
|
||||
*) |
||||
exit 2 |
||||
esac |
||||
|
||||
exit 0 |
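Review bot: `start()` exits 0 even when `/usr/sbin/arptables-restore` fails: the `&& success || failure` chain only prints `[FAILED]`, `touch /var/lock/subsys/arptables` still runs, and the script falls through to the final `exit 0`, so the oneshot unit reports success with no ARP rules loaded. Make the failure visible to systemd by replacing the three-line chain with `/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && success || { failure; exit 1; }`; with the `exit 1` in the failure branch the following `touch` then only runs when the ruleset actually loaded. `stop()` follows the same pattern, although there removing the lock file unconditionally is arguably the intended behaviour.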
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
[Unit] |
||||
Description=Automates a packet filtering firewall with arptables |
||||
After=network.target |
||||
|
||||
[Service] |
||||
Type=oneshot |
||||
ExecStart=/usr/libexec/arptables-helper start |
||||
ExecStop=/usr/libexec/arptables-helper stop |
||||
RemainAfterExit=yes |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
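Review bot: `After=network.target` orders the firewall after the network is already up, so interfaces can pass ARP traffic before the helper has applied the ruleset. Firewall units conventionally order themselves before network setup instead: replace that line with `Before=network-pre.target` and `Wants=network-pre.target`, which pulls in the passive target and runs `ExecStart` before interfaces are configured. Since this is `Type=oneshot` with `RemainAfterExit=yes`, the unit's status is only meaningful if the helper exits non-zero on a failed restore, which is worth confirming in the helper script.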
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
# Save current firewall rules on stop. |
||||
# Value: yes|no, default: no |
||||
# Saves all firewall rules if firewall gets stopped |
||||
# (e.g. on system shutdown). |
||||
EBTABLES_SAVE_ON_STOP="no" |
||||
|
||||
# Save (and restore) rule counters. |
||||
# Value: yes|no, default: no |
||||
# Save rule counters when saving a kernel table to a file. If the |
||||
# rule counters were saved, they will be restored when restoring the table. |
||||
EBTABLES_SAVE_COUNTER="no" |
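--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (ebtables helper script)
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+echo "[ OK ]"
+return 0
+}
+
+failure() {
+echo "[FAILED]"
+return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+local ret=0
+for table in $EBTABLES_TABLES; do
+ebtables -t $table --init-table || ret=1
+done
+return $ret
+}
+
+sanitize_dump() {
+local drop=false
+
+export EBTABLES_TABLES
+
+cat $1 | while read line; do
+case $line in
+\**)
+drop=false
+local table="${line#\*}"
+local found=false
+for t in $EBTABLES_TABLES; do
+if [[ $t == "$table" ]]; then
+found=true
+break
+fi
+done
+$found || drop=true
+;;
+esac
+$drop || echo "$line"
+done
+}
+
+start() {
+if [ -f $EBTABLES_DATA ]; then
+echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+sanitize_dump $EBTABLES_DATA | ebtables-restore
+else
+echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+initialize
+fi
+local ret=$?
+touch $VAR_SUBSYS_EBTABLES
+return $ret
+}
+
+save() {
+echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+export EBTABLES_SAVE_COUNTER
+ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+start)
+[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+start && success || failure
+RETVAL=$?
+;;
+stop)
+[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+echo -n $"ebtables: stopping firewall: "
+initialize && success || failure
+RETVAL=$?
+rm -f $VAR_SUBSYS_EBTABLES
+;;
+save)
+save
+;;
+*)
+echo "usage: ${0##*/} {start|stop|save}" >&2
+RETVAL=2
+;;
+esac
+
+exit $RETVAL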
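Review bot: `save()` writes the ruleset with a plain `ebtables-save >$EBTABLES_DATA` redirection, so the existing file is truncated before `ebtables-save` runs, a failing save leaves an empty ruleset behind for the next `start`, and the file's mode is whatever the umask yields rather than the `600` the iptables script in this same commit enforces with its mktemp/chmod/mv sequence. Writing to a temporary file and renaming only on success keeps the previous ruleset intact on failure and gives the data file a fixed mode. `start()` also touches `$VAR_SUBSYS_EBTABLES` regardless of whether the restore succeeded, and the `start)` case exits early when that lock exists, so a failed load silently turns the next `start` into a no-op; moving the `touch` under a success check would avoid that. `sanitize_dump` reads with a bare `while read line`; `while IFS= read -r line` would keep backslashes and leading whitespace intact, though whether ebtables-save output ever contains either is not shown on the page.
```shell
save() {
    echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
    export EBTABLES_SAVE_COUNTER
    local tmp
    tmp=$(mktemp -q "$EBTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp" \
        && ebtables-save >"$tmp" \
        && mv -f "$tmp" "$EBTABLES_DATA" \
        && success || { rm -f "$tmp"; failure; }
}
```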
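--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (systemd unit running ebtables-helper)
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target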
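--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (iptables sysconfig file)
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000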
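Review bot: The `IPTABLES_STATUS_VERBOSE` block documents `# Value: yes|no, default: yes` while the shipped value is `"no"`, which is also the default the init script in this same commit sets; the comment should read `# Value: yes|no, default: no`. The `IPTABLES_MODULES` comment points helper-module options at `/etc/modprobe.conf`, whereas the init script also consults `/etc/modprobe.d/*`; if that directory is the intended location, the comment should mention it.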
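--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (expected test failure list)
@@ -0,0 +1,35 @@
+extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
+extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
+extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
+extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
+extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
+extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
+extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
+extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
+extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
+extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
+extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
+extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
+extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
+extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
+extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
+extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
+extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
+extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
+extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
+extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
+extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
+extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
+extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
+extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
+extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
+extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
+extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
+extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
+extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
+extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
+extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")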
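--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (iptables init script)
@@ -0,0 +1,450 @@
+#!/bin/bash
+#
+# iptables Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# compat for removed initscripts dependency
+
+success() {
+echo -n "[ OK ]"
+return 0
+}
+
+warning() {
+echo -n "[WARNING]"
+return 1
+}
+
+failure() {
+echo -n "[FAILED]"
+return 1
+}
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+exit 4
+fi
+
+if [ ! -x /sbin/$IPTABLES ]; then
+echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+exit 5
+fi
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+is_iptables_nft() {
+iptables --version | grep -q '(nf_tables)'
+}
+
+netfilter_active() {
+is_iptables_nft && return 0
+[ -e "$PROC_IPTABLES_NAMES" ]
+}
+
+netfilter_tables() {
+netfilter_active || return 1
+is_iptables_nft && {
+# explicitly omit security table from this list as
+# it should be reserved for SELinux use
+echo "raw mangle filter nat"
+return 0
+}
+cat "$PROC_IPTABLES_NAMES" 2>/dev/null
+}
+
+# Get active tables
+NF_TABLES=$(netfilter_tables)
+
+
+flush_n_delete() {
+# Flush firewall rules and delete chains.
+netfilter_active || return 0
+
+# Check if firewall is configured (has tables)
+[ -z "$NF_TABLES" ] && return 1
+
+echo -n $"${IPTABLES}: Flushing firewall rules: "
+ret=0
+# For all tables
+for i in $NF_TABLES; do
+# Flush firewall rules.
+$IPTABLES -t $i -F;
+let ret+=$?;
+
+# Delete firewall chains.
+$IPTABLES -t $i -X;
+let ret+=$?;
+
+# Set counter to zero.
+$IPTABLES -t $i -Z;
+let ret+=$?;
+done
+
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+set_policy() {
+# Set policy for configured tables.
+policy=$1
+
+# Check if iptable module is loaded
+netfilter_active || return 0
+
+# Check if firewall is configured (has tables)
+tables=$(netfilter_tables)
+[ -z "$tables" ] && return 1
+
+echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+ret=0
+for i in $tables; do
+echo -n "$i "
+case "$i" in
+raw)
+$IPTABLES -t raw -P PREROUTING $policy \
+&& $IPTABLES -t raw -P OUTPUT $policy \
+|| let ret+=1
+;;
+filter)
+$IPTABLES -t filter -P INPUT $policy \
+&& $IPTABLES -t filter -P OUTPUT $policy \
+&& $IPTABLES -t filter -P FORWARD $policy \
+|| let ret+=1
+;;
+nat)
+$IPTABLES -t nat -P PREROUTING $policy \
+&& $IPTABLES -t nat -P POSTROUTING $policy \
+&& $IPTABLES -t nat -P OUTPUT $policy \
+|| let ret+=1
+;;
+mangle)
+$IPTABLES -t mangle -P PREROUTING $policy \
+&& $IPTABLES -t mangle -P POSTROUTING $policy \
+&& $IPTABLES -t mangle -P INPUT $policy \
+&& $IPTABLES -t mangle -P OUTPUT $policy \
+&& $IPTABLES -t mangle -P FORWARD $policy \
+|| let ret+=1
+;;
+*)
+let ret+=1
+;;
+esac
+done
+
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+load_sysctl() {
+# load matched sysctl values
+if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+echo -n $"Loading sysctl settings: "
+ret=0
+for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+return $ret
+}
+
+start() {
+# Do not start if there is no config file.
+if [ ! -f "$IPTABLES_DATA" ]; then
+echo -n $"${IPTABLES}: No config file."; warning; echo
+return 6
+fi
+
+# check if ipv6 module load is deactivated
+if [ "${_IPV}" = "ipv6" ] \
+&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+echo $"${IPTABLES}: ${_IPV} is disabled."
+return 150
+fi
+
+echo -n $"${IPTABLES}: Applying firewall rules: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+fi
+fi
+
+$IPTABLES-restore $OPT $IPTABLES_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo;
+if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo; return 1
+fi
+else
+return 1
+fi
+fi
+
+# Load additional modules (helpers)
+if [ -n "$IPTABLES_MODULES" ]; then
+echo -n $"${IPTABLES}: Loading additional modules: "
+ret=0
+for mod in $IPTABLES_MODULES; do
+echo -n "$mod "
+modprobe $mod > /dev/null 2>&1
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+
+# Load sysctl settings
+load_sysctl
+
+touch $VAR_SUBSYS_IPTABLES
+return $ret
+}
+
+stop() {
+# Do not stop if iptables module is not loaded.
+netfilter_active || return 0
+
+# Set default chain policy to ACCEPT, in order to not break shutdown
+# on systems where the default policy is DROP and root device is
+# network-based (i.e.: iSCSI, NFS)
+set_policy ACCEPT
+# And then, flush the rules and delete chains
+flush_n_delete
+
+rm -f $VAR_SUBSYS_IPTABLES
+return $ret
+}
+
+save() {
+# Check if iptable module is loaded
+if ! netfilter_active; then
+echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+return 0
+fi
+
+# Check if firewall is configured (has tables)
+if [ -z "$NF_TABLES" ]; then
+echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+return 6
+fi
+
+echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ret=0
+TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+&& chmod 600 "$TMP_FILE" \
+&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+|| ret=1
+if [ $ret -eq 0 ]; then
+if [ -e $IPTABLES_DATA ]; then
+cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+&& chmod 600 $IPTABLES_DATA.save \
+&& restorecon $IPTABLES_DATA.save \
+|| ret=1
+fi
+if [ $ret -eq 0 ]; then
+mv -f $TMP_FILE $IPTABLES_DATA \
+&& chmod 600 $IPTABLES_DATA \
+&& restorecon $IPTABLES_DATA \
+|| ret=1
+fi
+fi
+rm -f $TMP_FILE
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+status() {
+if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+echo $"${IPTABLES}: Firewall is not running."
+return 3
+fi
+
+# Do not print status if lockfile is missing and iptables modules are not
+# loaded.
+# Check if iptable modules are loaded
+if ! netfilter_active; then
+echo $"${IPTABLES}: Firewall modules are not loaded."
+return 3
+fi
+
+# Check if firewall is configured (has tables)
+if [ -z "$NF_TABLES" ]; then
+echo $"${IPTABLES}: Firewall is not configured. "
+return 3
+fi
+
+NUM=
+[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+VERBOSE=
+[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+COUNT=
+[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+for table in $NF_TABLES; do
+echo $"Table: $table"
+$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+done
+
+return 0
+}
+
+reload() {
+# Do not reload if there is no config file.
+if [ ! -f "$IPTABLES_DATA" ]; then
+echo -n $"${IPTABLES}: No config file."; warning; echo
+return 6
+fi
+
+# check if ipv6 module load is deactivated
+if [ "${_IPV}" = "ipv6" ] \
+&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+echo $"${IPTABLES}: ${_IPV} is disabled."
+return 150
+fi
+
+echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+fi
+fi
+
+$IPTABLES-restore $OPT $IPTABLES_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo; echo "Firewall rules are not changed."; return 1
+fi
+
+# Load additional modules (helpers)
+if [ -n "$IPTABLES_MODULES" ]; then
+echo -n $"${IPTABLES}: Loading additional modules: "
+ret=0
+for mod in $IPTABLES_MODULES; do
+echo -n "$mod "
+modprobe $mod > /dev/null 2>&1
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+
+# Load sysctl settings
+load_sysctl
+
+return $ret
+}
+
+restart() {
+[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+stop
+start
+}
+
+
+case "$1" in
+start)
+[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+start
+RETVAL=$?
+;;
+stop)
+[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+stop
+RETVAL=$?
+;;
+restart|force-reload)
+restart
+RETVAL=$?
+;;
+reload)
+[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+RETVAL=$?
+;;
+condrestart|try-restart)
+[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+restart
+RETVAL=$?
+;;
+status)
+status
+RETVAL=$?
+;;
+panic)
+set_policy DROP
+RETVAL=$?
+;;
+save)
+save
+RETVAL=$?
+;;
+*)
+echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+RETVAL=2
+;;
+esac
+
+exit $RETVAL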
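Review bot: `stop()` reports a stale status: its closing `return $ret` hands back whatever global `ret` the helpers happened to leave, and `flush_n_delete` takes its `return 1` exit on the no-tables path without assigning `ret`, so the `RETVAL=$?` in the `stop)` case does not reflect the flush result; capture it explicitly with `flush_n_delete; ret=$?` before the `rm -f`. `start()` has the same shape: `ret` is assigned only inside the optional `IPTABLES_MODULES` block and inside `load_sysctl`'s `if`, so on a plain `start` with both lists empty the final `return $ret` is a bare `return` that happens to report the status of `touch`; an explicit `ret=0` after the restore succeeds makes the intent visible. The ipv6-disabled check, the `OPT` assembly and the module-loading loop are duplicated verbatim between `start()` and `reload()`, which invites drift; one helper for each would keep the two paths aligned. `is_iptables_nft` probes the bare `iptables` binary rather than `$IPTABLES`, which is harmless while `IPTABLES=iptables` is hard-coded but would query the wrong backend if the script is ever instantiated for ip6tables as the `IPV` derivation suggests.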
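--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (systemd unit for iptables.init)
@@ -0,0 +1,17 @@
+[Unit]
+Description=IPv4 firewall with iptables
+AssertPathExists=/etc/sysconfig/iptables
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+
+[Install]
+WantedBy=multi-user.target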
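--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (ip6tables sample ruleset)
@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT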
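Review bot: The sample uses the legacy `-m state --state` match in three rules; `-m conntrack --ctstate` is the spelling newer iptables-save output generally prints and the one readers are more likely to recognise, e.g. `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. The same `-m state` lines appear in the iptables sample further down this page. The header comment also still directs users to system-config-firewall, which the page gives no sign is still shipped alongside these files; if it is not, the comment should point at whatever tool is.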
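--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (iptables sample ruleset)
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT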