├── .gitignore ├── Android.bp ├── COMMIT_NOTES ├── COPYING ├── INSTALL ├── METADATA ├── MODULE_LICENSE_GPL ├── Makefile.am ├── OWNERS ├── TEST_MAPPING ├── autogen.sh ├── config.h ├── configure.ac ├── etc └── ethertypes ├── extensions ├── .gitignore ├── Android.bp ├── GNUmakefile.in ├── dscp_helper.c ├── filter_init ├── gen_init ├── generic.txlate ├── iptables.t ├── libarpt_CLASSIFY.t ├── libarpt_MARK.t ├── libarpt_mangle.c ├── libarpt_mangle.t ├── libarpt_mangle.txlate ├── libarpt_standard.t ├── libebt_802_3.c ├── libebt_802_3.t ├── libebt_among.c ├── libebt_among.t ├── libebt_arp.c ├── libebt_arp.t ├── libebt_arpreply.c ├── libebt_arpreply.t ├── libebt_dnat.c ├── libebt_dnat.t ├── libebt_dnat.txlate ├── libebt_ip.c ├── libebt_ip.t ├── libebt_ip.txlate ├── libebt_ip6.c ├── libebt_ip6.t ├── libebt_ip6.txlate ├── libebt_limit.txlate ├── libebt_log.c ├── libebt_log.t ├── libebt_log.txlate ├── libebt_mark.c ├── libebt_mark.t ├── libebt_mark.txlate ├── libebt_mark_m.c ├── libebt_mark_m.t ├── libebt_mark_m.txlate ├── libebt_nflog.c ├── libebt_nflog.t ├── libebt_nflog.txlate ├── libebt_pkttype.c ├── libebt_pkttype.t ├── libebt_pkttype.txlate ├── libebt_redirect.c ├── libebt_redirect.t ├── libebt_redirect.txlate ├── libebt_snat.c ├── libebt_snat.t ├── libebt_snat.txlate ├── libebt_standard.t ├── libebt_stp.c ├── libebt_stp.t ├── libebt_vlan.c ├── libebt_vlan.t ├── libebt_vlan.txlate ├── libip6t_DNAT.t ├── libip6t_DNPT.c ├── libip6t_DNPT.man ├── libip6t_DNPT.t ├── libip6t_HL.c ├── libip6t_HL.man ├── libip6t_HL.t ├── libip6t_LOG.t ├── libip6t_LOG.txlate ├── libip6t_MASQUERADE.t ├── libip6t_MASQUERADE.txlate ├── libip6t_NETMAP.c ├── libip6t_NETMAP.t ├── libip6t_REJECT.c ├── libip6t_REJECT.man ├── libip6t_REJECT.t ├── libip6t_REJECT.txlate ├── libip6t_SNAT.t ├── libip6t_SNAT.txlate ├── libip6t_SNPT.c ├── libip6t_SNPT.man ├── libip6t_SNPT.t ├── libip6t_TEE.t ├── libip6t_TPROXY.t ├── libip6t_ah.c ├── libip6t_ah.man ├── libip6t_ah.t ├── libip6t_ah.txlate ├── libip6t_connlimit.t 
├── libip6t_conntrack.t ├── libip6t_dst.c ├── libip6t_dst.man ├── libip6t_dst.t ├── libip6t_eui64.c ├── libip6t_eui64.man ├── libip6t_eui64.t ├── libip6t_frag.c ├── libip6t_frag.man ├── libip6t_frag.t ├── libip6t_frag.txlate ├── libip6t_hbh.c ├── libip6t_hbh.man ├── libip6t_hbh.t ├── libip6t_hbh.txlate ├── libip6t_hl.c ├── libip6t_hl.man ├── libip6t_hl.t ├── libip6t_hl.txlate ├── libip6t_icmp6.c ├── libip6t_icmp6.man ├── libip6t_icmp6.t ├── libip6t_icmp6.txlate ├── libip6t_iprange.t ├── libip6t_ipv6header.c ├── libip6t_ipv6header.man ├── libip6t_ipv6header.t ├── libip6t_ipvs.t ├── libip6t_mh.c ├── libip6t_mh.man ├── libip6t_mh.t ├── libip6t_mh.txlate ├── libip6t_policy.t ├── libip6t_recent.t ├── libip6t_rt.c ├── libip6t_rt.man ├── libip6t_rt.t ├── libip6t_rt.txlate ├── libip6t_srh.c ├── libip6t_srh.t ├── libip6t_standard.t ├── libipt_CLUSTERIP.c ├── libipt_CLUSTERIP.man ├── libipt_DNAT.t ├── libipt_ECN.c ├── libipt_ECN.man ├── libipt_ECN.t ├── libipt_LOG.t ├── libipt_LOG.txlate ├── libipt_MASQUERADE.t ├── libipt_MASQUERADE.txlate ├── libipt_NETMAP.c ├── libipt_NETMAP.t ├── libipt_REJECT.c ├── libipt_REJECT.man ├── libipt_REJECT.t ├── libipt_REJECT.txlate ├── libipt_SNAT.t ├── libipt_SNAT.txlate ├── libipt_TEE.t ├── libipt_TPROXY.t ├── libipt_TTL.c ├── libipt_TTL.man ├── libipt_TTL.t ├── libipt_ULOG.c ├── libipt_ULOG.man ├── libipt_ah.c ├── libipt_ah.man ├── libipt_ah.t ├── libipt_ah.txlate ├── libipt_connlimit.t ├── libipt_conntrack.t ├── libipt_icmp.c ├── libipt_icmp.man ├── libipt_icmp.t ├── libipt_icmp.txlate ├── libipt_iprange.t ├── libipt_ipvs.t ├── libipt_osf.t ├── libipt_policy.t ├── libipt_realm.c ├── libipt_realm.man ├── libipt_realm.t ├── libipt_realm.txlate ├── libipt_recent.t ├── libipt_standard.t ├── libipt_ttl.c ├── libipt_ttl.man ├── libipt_ttl.t ├── libipt_ttl.txlate ├── libxt_AUDIT.c ├── libxt_AUDIT.man ├── libxt_AUDIT.t ├── libxt_AUDIT.txlate ├── libxt_CHECKSUM.c ├── libxt_CHECKSUM.man ├── libxt_CHECKSUM.t ├── libxt_CLASSIFY.c ├── 
libxt_CLASSIFY.man ├── libxt_CLASSIFY.t ├── libxt_CLASSIFY.txlate ├── libxt_CONNMARK.c ├── libxt_CONNMARK.man ├── libxt_CONNMARK.t ├── libxt_CONNMARK.txlate ├── libxt_CONNSECMARK.c ├── libxt_CONNSECMARK.man ├── libxt_CONNSECMARK.t ├── libxt_CT.c ├── libxt_CT.man ├── libxt_CT.t ├── libxt_DNAT.man ├── libxt_DNAT.txlate ├── libxt_DSCP.c ├── libxt_DSCP.man ├── libxt_DSCP.t ├── libxt_DSCP.txlate ├── libxt_HMARK.c ├── libxt_HMARK.man ├── libxt_HMARK.t ├── libxt_IDLETIMER.c ├── libxt_IDLETIMER.man ├── libxt_IDLETIMER.t ├── libxt_LED.c ├── libxt_LED.man ├── libxt_LED.t ├── libxt_LOG.c ├── libxt_LOG.man ├── libxt_MARK.c ├── libxt_MARK.man ├── libxt_MARK.t ├── libxt_MARK.txlate ├── libxt_MASQUERADE.man ├── libxt_NAT.c ├── libxt_NETMAP.man ├── libxt_NFLOG.c ├── libxt_NFLOG.man ├── libxt_NFLOG.t ├── libxt_NFLOG.txlate ├── libxt_NFQUEUE.c ├── libxt_NFQUEUE.man ├── libxt_NFQUEUE.t ├── libxt_NFQUEUE.txlate ├── libxt_NOTRACK.man ├── libxt_NOTRACK.t ├── libxt_NOTRACK.txlate ├── libxt_RATEEST.c ├── libxt_RATEEST.man ├── libxt_RATEEST.t ├── libxt_REDIRECT.man ├── libxt_REDIRECT.t ├── libxt_REDIRECT.txlate ├── libxt_SECMARK.c ├── libxt_SECMARK.man ├── libxt_SECMARK.t ├── libxt_SET.c ├── libxt_SET.man ├── libxt_SET.t ├── libxt_SNAT.man ├── libxt_SYNPROXY.c ├── libxt_SYNPROXY.man ├── libxt_SYNPROXY.t ├── libxt_SYNPROXY.txlate ├── libxt_TCPMSS.c ├── libxt_TCPMSS.man ├── libxt_TCPMSS.t ├── libxt_TCPMSS.txlate ├── libxt_TCPOPTSTRIP.c ├── libxt_TCPOPTSTRIP.man ├── libxt_TCPOPTSTRIP.t ├── libxt_TEE.c ├── libxt_TEE.man ├── libxt_TEE.t ├── libxt_TEE.txlate ├── libxt_TOS.c ├── libxt_TOS.man ├── libxt_TOS.t ├── libxt_TOS.txlate ├── libxt_TPROXY.c ├── libxt_TPROXY.man ├── libxt_TPROXY.txlate ├── libxt_TRACE.c ├── libxt_TRACE.man ├── libxt_TRACE.t ├── libxt_TRACE.txlate ├── libxt_addrtype.c ├── libxt_addrtype.man ├── libxt_addrtype.t ├── libxt_addrtype.txlate ├── libxt_bpf.c ├── libxt_bpf.man ├── libxt_bpf.t ├── libxt_cgroup.c ├── libxt_cgroup.man ├── libxt_cgroup.t ├── libxt_cgroup.txlate ├── 
libxt_cluster.c ├── libxt_cluster.man ├── libxt_cluster.t ├── libxt_cluster.txlate ├── libxt_comment.c ├── libxt_comment.man ├── libxt_comment.t ├── libxt_comment.txlate ├── libxt_connbytes.c ├── libxt_connbytes.man ├── libxt_connbytes.t ├── libxt_connbytes.txlate ├── libxt_connlabel.c ├── libxt_connlabel.man ├── libxt_connlabel.t ├── libxt_connlabel.txlate ├── libxt_connlimit.c ├── libxt_connlimit.man ├── libxt_connlimit.t ├── libxt_connlimit.txlate ├── libxt_connmark.c ├── libxt_connmark.man ├── libxt_connmark.t ├── libxt_connmark.txlate ├── libxt_conntrack.c ├── libxt_conntrack.man ├── libxt_conntrack.t ├── libxt_conntrack.txlate ├── libxt_cpu.c ├── libxt_cpu.man ├── libxt_cpu.t ├── libxt_cpu.txlate ├── libxt_dccp.c ├── libxt_dccp.man ├── libxt_dccp.t ├── libxt_dccp.txlate ├── libxt_devgroup.c ├── libxt_devgroup.man ├── libxt_devgroup.txlate ├── libxt_dscp.c ├── libxt_dscp.man ├── libxt_dscp.t ├── libxt_dscp.txlate ├── libxt_ecn.c ├── libxt_ecn.man ├── libxt_ecn.t ├── libxt_ecn.txlate ├── libxt_esp.c ├── libxt_esp.man ├── libxt_esp.t ├── libxt_esp.txlate ├── libxt_hashlimit.c ├── libxt_hashlimit.man ├── libxt_hashlimit.t ├── libxt_hashlimit.txlate ├── libxt_helper.c ├── libxt_helper.man ├── libxt_helper.t ├── libxt_helper.txlate ├── libxt_icmp.h ├── libxt_ipcomp.c ├── libxt_ipcomp.c.man ├── libxt_ipcomp.t ├── libxt_ipcomp.txlate ├── libxt_iprange.c ├── libxt_iprange.man ├── libxt_iprange.t ├── libxt_iprange.txlate ├── libxt_ipvs.c ├── libxt_ipvs.man ├── libxt_ipvs.t ├── libxt_length.c ├── libxt_length.man ├── libxt_length.t ├── libxt_length.txlate ├── libxt_limit.c ├── libxt_limit.man ├── libxt_limit.t ├── libxt_limit.txlate ├── libxt_mac.c ├── libxt_mac.man ├── libxt_mac.t ├── libxt_mac.txlate ├── libxt_mark.c ├── libxt_mark.man ├── libxt_mark.t ├── libxt_mark.txlate ├── libxt_multiport.c ├── libxt_multiport.man ├── libxt_multiport.t ├── libxt_multiport.txlate ├── libxt_nfacct.c ├── libxt_nfacct.man ├── libxt_nfacct.t ├── libxt_osf.c ├── libxt_osf.man ├── 
libxt_owner.c ├── libxt_owner.man ├── libxt_owner.t ├── libxt_owner.txlate ├── libxt_physdev.c ├── libxt_physdev.man ├── libxt_physdev.t ├── libxt_pkttype.c ├── libxt_pkttype.man ├── libxt_pkttype.t ├── libxt_pkttype.txlate ├── libxt_policy.c ├── libxt_policy.man ├── libxt_policy.t ├── libxt_policy.txlate ├── libxt_quota.c ├── libxt_quota.man ├── libxt_quota.t ├── libxt_quota.txlate ├── libxt_quota2.c ├── libxt_quota2.man ├── libxt_rateest.c ├── libxt_rateest.man ├── libxt_rateest.t ├── libxt_recent.c ├── libxt_recent.man ├── libxt_recent.t ├── libxt_rpfilter.c ├── libxt_rpfilter.man ├── libxt_rpfilter.t ├── libxt_rpfilter.txlate ├── libxt_sctp.c ├── libxt_sctp.man ├── libxt_sctp.t ├── libxt_sctp.txlate ├── libxt_set.c ├── libxt_set.h ├── libxt_set.man ├── libxt_set.t ├── libxt_socket.c ├── libxt_socket.man ├── libxt_socket.t ├── libxt_socket.txlate ├── libxt_standard.c ├── libxt_standard.t ├── libxt_state.man ├── libxt_state.t ├── libxt_statistic.c ├── libxt_statistic.man ├── libxt_statistic.t ├── libxt_statistic.txlate ├── libxt_string.c ├── libxt_string.man ├── libxt_string.t ├── libxt_tcp.c ├── libxt_tcp.man ├── libxt_tcp.t ├── libxt_tcp.txlate ├── libxt_tcpmss.c ├── libxt_tcpmss.man ├── libxt_tcpmss.t ├── libxt_tcpmss.txlate ├── libxt_time.c ├── libxt_time.man ├── libxt_time.t ├── libxt_time.txlate ├── libxt_tos.c ├── libxt_tos.man ├── libxt_tos.t ├── libxt_u32.c ├── libxt_u32.man ├── libxt_u32.t ├── libxt_udp.c ├── libxt_udp.man ├── libxt_udp.t ├── libxt_udp.txlate └── tos_values.c ├── include ├── Makefile.am ├── ip6tables.h ├── iptables.h ├── iptables │ └── internal.h ├── libipq │ └── libipq.h ├── libiptc │ ├── ipt_kernel_headers.h │ ├── libip6tc.h │ ├── libiptc.h │ ├── libxtc.h │ └── xtcshared.h ├── linux │ ├── const.h │ ├── filter.h │ ├── kernel.h │ ├── netfilter.h │ ├── netfilter │ │ ├── ipset │ │ │ └── ip_set.h │ │ ├── nf_conntrack_common.h │ │ ├── nf_conntrack_tuple_common.h │ │ ├── nf_log.h │ │ ├── nf_nat.h │ │ ├── nf_tables.h │ │ ├── 
nf_tables_compat.h │ │ ├── nfnetlink.h │ │ ├── x_tables.h │ │ ├── xt_AUDIT.h │ │ ├── xt_CHECKSUM.h │ │ ├── xt_CLASSIFY.h │ │ ├── xt_CONNMARK.h │ │ ├── xt_CONNSECMARK.h │ │ ├── xt_CT.h │ │ ├── xt_DSCP.h │ │ ├── xt_HMARK.h │ │ ├── xt_IDLETIMER.h │ │ ├── xt_LED.h │ │ ├── xt_LOG.h │ │ ├── xt_MARK.h │ │ ├── xt_NFLOG.h │ │ ├── xt_NFQUEUE.h │ │ ├── xt_RATEEST.h │ │ ├── xt_SECMARK.h │ │ ├── xt_SYNPROXY.h │ │ ├── xt_TCPMSS.h │ │ ├── xt_TCPOPTSTRIP.h │ │ ├── xt_TEE.h │ │ ├── xt_TPROXY.h │ │ ├── xt_addrtype.h │ │ ├── xt_bpf.h │ │ ├── xt_cgroup.h │ │ ├── xt_cluster.h │ │ ├── xt_comment.h │ │ ├── xt_connbytes.h │ │ ├── xt_connlabel.h │ │ ├── xt_connlimit.h │ │ ├── xt_connmark.h │ │ ├── xt_conntrack.h │ │ ├── xt_cpu.h │ │ ├── xt_dccp.h │ │ ├── xt_devgroup.h │ │ ├── xt_dscp.h │ │ ├── xt_ecn.h │ │ ├── xt_esp.h │ │ ├── xt_hashlimit.h │ │ ├── xt_helper.h │ │ ├── xt_ipcomp.h │ │ ├── xt_iprange.h │ │ ├── xt_ipvs.h │ │ ├── xt_length.h │ │ ├── xt_limit.h │ │ ├── xt_mac.h │ │ ├── xt_mark.h │ │ ├── xt_multiport.h │ │ ├── xt_nfacct.h │ │ ├── xt_osf.h │ │ ├── xt_owner.h │ │ ├── xt_physdev.h │ │ ├── xt_pkttype.h │ │ ├── xt_policy.h │ │ ├── xt_quota.h │ │ ├── xt_quota2.h │ │ ├── xt_rateest.h │ │ ├── xt_realm.h │ │ ├── xt_recent.h │ │ ├── xt_rpfilter.h │ │ ├── xt_sctp.h │ │ ├── xt_set.h │ │ ├── xt_socket.h │ │ ├── xt_state.h │ │ ├── xt_statistic.h │ │ ├── xt_string.h │ │ ├── xt_tcpmss.h │ │ ├── xt_tcpudp.h │ │ ├── xt_time.h │ │ └── xt_u32.h │ ├── netfilter_arp.h │ ├── netfilter_arp │ │ ├── arp_tables.h │ │ └── arpt_mangle.h │ ├── netfilter_bridge.h │ ├── netfilter_bridge │ │ ├── ebt_802_3.h │ │ ├── ebt_ip.h │ │ ├── ebt_mark_m.h │ │ └── ebt_mark_t.h │ ├── netfilter_ipv4.h │ ├── netfilter_ipv4 │ │ ├── ip_queue.h │ │ ├── ip_tables.h │ │ ├── ipt_CLUSTERIP.h │ │ ├── ipt_ECN.h │ │ ├── ipt_REJECT.h │ │ ├── ipt_TTL.h │ │ ├── ipt_ULOG.h │ │ ├── ipt_addrtype.h │ │ ├── ipt_ah.h │ │ ├── ipt_realm.h │ │ └── ipt_ttl.h │ ├── netfilter_ipv6.h │ ├── netfilter_ipv6 │ │ ├── ip6_tables.h │ │ ├── ip6t_HL.h │ │ ├── 
ip6t_NPT.h │ │ ├── ip6t_REJECT.h │ │ ├── ip6t_ah.h │ │ ├── ip6t_frag.h │ │ ├── ip6t_hl.h │ │ ├── ip6t_ipv6header.h │ │ ├── ip6t_mh.h │ │ ├── ip6t_opts.h │ │ ├── ip6t_rt.h │ │ └── ip6t_srh.h │ ├── sysinfo.h │ └── types.h ├── xtables-version.h ├── xtables-version.h.in ├── xtables.h └── xtables_internal.h ├── iptables-test.py ├── iptables ├── .gitignore ├── Android.bp ├── Makefile.am ├── NOTICE ├── arptables-nft-restore.8 ├── arptables-nft-save.8 ├── arptables-nft.8 ├── ebtables-nft.8 ├── ip6tables-multi.h ├── ip6tables-standalone.c ├── ip6tables.c ├── iptables-apply ├── iptables-apply.8.in ├── iptables-extensions.8.tmpl.in ├── iptables-multi.h ├── iptables-restore.8.in ├── iptables-restore.c ├── iptables-save.8.in ├── iptables-save.c ├── iptables-standalone.c ├── iptables-xml.1.in ├── iptables-xml.c ├── iptables.8.in ├── iptables.c ├── iptables.xslt ├── nft-arp.c ├── nft-bridge.c ├── nft-bridge.h ├── nft-cache.c ├── nft-cache.h ├── nft-chain.c ├── nft-chain.h ├── nft-cmd.c ├── nft-cmd.h ├── nft-ipv4.c ├── nft-ipv6.c ├── nft-ruleparse-arp.c ├── nft-ruleparse-bridge.c ├── nft-ruleparse-ipv4.c ├── nft-ruleparse-ipv6.c ├── nft-ruleparse.c ├── nft-ruleparse.h ├── nft-shared.c ├── nft-shared.h ├── nft.c ├── nft.h ├── tests │ └── shell │ │ ├── README │ │ ├── run-tests.sh │ │ └── testcases │ │ ├── arptables │ │ ├── 0001-arptables-save-restore_0 │ │ ├── 0002-arptables-restore-defaults_0 │ │ └── 0003-arptables-verbose-output_0 │ │ ├── chain │ │ ├── 0001duplicate_1 │ │ ├── 0002newchain_0 │ │ ├── 0003rename_0 │ │ ├── 0004extra-base_0 │ │ ├── 0005base-delete_0 │ │ ├── 0006rename-segfault_0 │ │ ├── 0007counters_0 │ │ └── 0008rename-segfault2_0 │ │ ├── ebtables │ │ ├── 0001-ebtables-basic_0 │ │ ├── 0002-ebtables-save-restore_0 │ │ ├── 0003-ebtables-restore-defaults_0 │ │ ├── 0004-save-counters_0 │ │ ├── 0005-ifnamechecks_0 │ │ ├── 0006-flush_0 │ │ ├── 0007-chain-policies_0 │ │ ├── 0008-ebtables-among_0 │ │ ├── 0009-broute-bug_0 │ │ ├── 0010-change-counters_0 │ │ ├── 0011-rulenum_0 
│ │ └── 0012-restore-delete-among_0 │ │ ├── firewalld-restore │ │ ├── 0001-firewalld_0 │ │ ├── 0002-firewalld-restart_0 │ │ └── dumps │ │ │ └── ipt-save-completed.txt │ │ ├── ip6tables │ │ ├── 0002-verbose-output_0 │ │ ├── 0003-list-rules_0 │ │ ├── 0004-address-masks_0 │ │ └── 0005-rule-check_0 │ │ ├── ipt-restore │ │ ├── 0001load-specific-table_0 │ │ ├── 0002-parameters_0 │ │ ├── 0003-restore-ordering_0 │ │ ├── 0004-restore-race_0 │ │ ├── 0005-ipt-6_0 │ │ ├── 0006-ip6t-4_0 │ │ ├── 0007-flush-noflush_0 │ │ ├── 0008-restore-counters_0 │ │ ├── 0009-table-name-comment_0 │ │ ├── 0010-noflush-new-chain_0 │ │ ├── 0011-noflush-empty-line_0 │ │ ├── 0012-dash-F_0 │ │ ├── 0013-test-mode_0 │ │ ├── 0014-verbose-restore_0 │ │ ├── 0016-concurrent-restores_0 │ │ ├── 0017-pointless-compat-checks_0 │ │ └── dumps │ │ │ ├── ip6tables.dump │ │ │ └── iptables.dump │ │ ├── ipt-save │ │ ├── 0001load-dumps_0 │ │ ├── 0002load-fedora27-firewalld_0 │ │ ├── 0003save-restore_0 │ │ ├── 0005iptables_0 │ │ ├── 0006iptables-xml_0 │ │ ├── 0007-overhead_0 │ │ └── dumps │ │ │ ├── fedora27-ip6tables │ │ │ ├── fedora27-iptables │ │ │ ├── fedora27-iptables.xml │ │ │ ├── ipt-save-filter.txt │ │ │ ├── policy-drop.txt │ │ │ └── wireless.txt │ │ ├── iptables │ │ ├── 0001-chain-refs_0 │ │ ├── 0002-verbose-output_0 │ │ ├── 0003-list-rules_0 │ │ ├── 0004-return-codes_0 │ │ ├── 0005-delete-rules_0 │ │ ├── 0005-rule-replace_0 │ │ ├── 0006-46-args_0 │ │ ├── 0007-zero-counters_0 │ │ ├── 0008-unprivileged_0 │ │ ├── 0009-unknown-arg_0 │ │ ├── 0010-wait_0 │ │ └── 0011-rulenum_0 │ │ └── nft-only │ │ ├── 0001compat_0 │ │ ├── 0002invflags_0 │ │ ├── 0003delete-with-comment_0 │ │ ├── 0006-policy-override_0 │ │ ├── 0007-mid-restore-flush_0 │ │ ├── 0008-basechain-policy_0 │ │ ├── 0009-needless-bitwise_0 │ │ ├── 0010-iptables-nft-save.txt │ │ ├── 0010-native-delinearize_0 │ │ ├── 0010-nft-native.txt │ │ ├── 0011-zero-needs-compat_0 │ │ ├── 0012-xtables-monitor_0 │ │ ├── 0013-zero-non-existent_0 │ │ └── 
0020-compare-interfaces_0 ├── xshared.c ├── xshared.h ├── xtables-arp.c ├── xtables-eb-standalone.c ├── xtables-eb-translate.c ├── xtables-eb.c ├── xtables-legacy-multi.c ├── xtables-legacy.8 ├── xtables-monitor.8.in ├── xtables-monitor.c ├── xtables-multi.h ├── xtables-nft-multi.c ├── xtables-nft.8 ├── xtables-restore.c ├── xtables-save.c ├── xtables-standalone.c ├── xtables-translate.8 ├── xtables-translate.c ├── xtables.c ├── xtables.lock └── xtables.pc.in ├── libipq ├── .gitignore ├── Makefile.am ├── ipq_create_handle.3 ├── ipq_destroy_handle.3 ├── ipq_errstr.3 ├── ipq_get_msgerr.3 ├── ipq_get_packet.3 ├── ipq_message_type.3 ├── ipq_perror.3 ├── ipq_read.3 ├── ipq_set_mode.3 ├── ipq_set_verdict.3 ├── libipq.3 ├── libipq.c └── libipq.pc.in ├── libiptc ├── .gitignore ├── Android.bp ├── Makefile.am ├── libip4tc.c ├── libip4tc.pc.in ├── libip6tc.c ├── libip6tc.pc.in ├── libiptc.c ├── libiptc.pc.in └── linux_list.h ├── libxtables ├── Android.bp ├── Makefile.am ├── getethertype.c ├── xtables.c └── xtoptions.c ├── m4 └── .gitignore ├── utils ├── .gitignore ├── Makefile.am ├── nfbpf_compile.8.in ├── nfbpf_compile.c ├── nfnl_osf.8.in ├── nfnl_osf.c ├── nfsynproxy.c └── pf.os └── xlate-test.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.a 2 | *.gcda 3 | *.gcno 4 | *.gcno.gcov.json.gz 5 | *.gcov 6 | *.la 7 | *.lo 8 | *.so 9 | *.o 10 | .deps/ 11 | .dirstamp 12 | .libs/ 13 | Makefile 14 | Makefile.in 15 | 16 | # pre-generated for Android: /include/xtables-version.h 17 | 18 | /aclocal.m4 19 | /autom4te.cache/ 20 | /build-aux/ 21 | /config.* 22 | /configure 23 | /configure~ 24 | /libtool 25 | /stamp-h1 26 | /iptables/iptables-apply.8 27 | 28 | /iptables/xtables-multi 29 | /iptables/xtables-compat-multi 30 | 31 | # vim/nano swap file 32 | *.swp 33 | 34 | /tags 35 | 36 | # make check results 37 | /test-suite.log 38 | /iptables-test.py.log 39 | /iptables-test.py.trs 40 | /xlate-test.py.log 41 | /xlate-test.py.trs 42 | 
iptables/tests/shell/run-tests.sh.log 43 | iptables/tests/shell/run-tests.sh.trs 44 | -------------------------------------------------------------------------------- /METADATA: -------------------------------------------------------------------------------- 1 | name: "iptables" 2 | description: 3 | "Linux netfilter subsystem iptables cli utility." 4 | 5 | third_party { 6 | url { 7 | type: HOMEPAGE 8 | value: "https://netfilter.org/projects/iptables/index.html" 9 | } 10 | url { 11 | type: GIT 12 | value: "git://git.netfilter.org/iptables" 13 | } 14 | version: "v1.8.11" 15 | last_upgrade_date { year: 2025 month: 3 day: 4 } 16 | license_type: RESTRICTED 17 | } 18 | -------------------------------------------------------------------------------- /MODULE_LICENSE_GPL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aosp-mirror/platform_external_iptables/672d4a9452846646a3017d255fae319e12d92295/MODULE_LICENSE_GPL -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | set noparent 2 | file:platform/packages/modules/Connectivity:main:/OWNERS_core_networking 3 | include platform/system/core:/janitors/OWNERS #{LAST_RESORT_SUGGESTION} 4 | -------------------------------------------------------------------------------- /TEST_MAPPING: -------------------------------------------------------------------------------- 1 | { 2 | "presubmit": [ 3 | { "name": "netd_integration_test" }, 4 | { "name": "netd_unit_test" }, 5 | { "name": "netdutils_test" }, 6 | { "name": "resolv_integration_test" }, 7 | { "name": "resolv_unit_test" } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | autoreconf -fi; 4 | rm -Rf autom4te*.cache; 5 | 
-------------------------------------------------------------------------------- /extensions/.gitignore: -------------------------------------------------------------------------------- 1 | .*.d 2 | .*.dd 3 | *.oo 4 | 5 | /GNUmakefile 6 | /initext.c 7 | /initext?.c 8 | /matches.man 9 | /targets.man 10 | -------------------------------------------------------------------------------- /extensions/filter_init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This is for working around Android.mk's incapability to handle $* in CFLAGS, 3 | # even with SECONDEXPNASION. 4 | # LOCAL_CFLAGS:=-D_INIT=$*_init 5 | f=${1##*/} 6 | f=${f%%.*} 7 | sed "s/\([ ]*\)\(_init\)\(([ ]*void\)/\1${f}_init\3/" $1 8 | -------------------------------------------------------------------------------- /extensions/gen_init: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # 3 | # Generate init_extensions* functions to call all the _init functions from 4 | # filter_init 5 | # 6 | # Usage: gen_init filename... 7 | # 8 | # Example output: 9 | # 10 | # void libxt_tcp_init(void); 11 | # void libxt_udp_init(void); 12 | # void init_extensions(void); 13 | # void init_extensions(void) { 14 | # libxt_tcp_init(); 15 | # libxt_udp_init(); 16 | # } 17 | 18 | EXT=$1 19 | shift 20 | 21 | for i in "$@"; do 22 | f=${i##*/} 23 | f=${f%%.*} 24 | echo "void ${f}_init(void);" 25 | done 26 | 27 | echo "void init_extensions${EXT}(void);" 28 | echo "void init_extensions${EXT}(void) {" 29 | 30 | for i in "$@"; do 31 | f=${i##*/} 32 | f=${f%%.*} 33 | echo " ${f}_init();" 34 | done 35 | 36 | echo "}" 37 | -------------------------------------------------------------------------------- /extensions/iptables.t: -------------------------------------------------------------------------------- 1 | :FORWARD 2 | -i alongifacename0;=;OK 3 | -i thisinterfaceistoolong0;;FAIL 4 | -i eth+ -o alongifacename+;=;OK 5 | ! 
-i eth0;=;OK 6 | ! -o eth+;=;OK 7 | -i + -j ACCEPT;-j ACCEPT;OK 8 | ! -i +;=;OK 9 | -c "";;FAIL 10 | -c ,3;;FAIL 11 | -c 3,;;FAIL 12 | -c ,;;FAIL 13 | -c 2,3 -j ACCEPT;-j ACCEPT;OK 14 | -------------------------------------------------------------------------------- /extensions/libarpt_CLASSIFY.t: -------------------------------------------------------------------------------- 1 | :OUTPUT 2 | -o lo --destination-mac 11:22:33:44:55:66;-o lo --dst-mac 11:22:33:44:55:66;OK 3 | --dst-mac Broadcast ;--dst-mac ff:ff:ff:ff:ff:ff;OK 4 | ! -o eth+ -d 1.2.3.4/24 -j CLASSIFY --set-class 0:0;-j CLASSIFY ! -o eth+ -d 1.2.3.0/24 --set-class 0:0;OK 5 | -------------------------------------------------------------------------------- /extensions/libarpt_MARK.t: -------------------------------------------------------------------------------- 1 | :INPUT,OUTPUT 2 | -j MARK -d 0.0.0.0/8 --set-mark 1;=;OK 3 | -s ! 0.0.0.0 -j MARK --and-mark 0x17;-j MARK ! -s 0.0.0.0 --and-mark 17;OK 4 | -j MARK -s 0.0.0.0 --or-mark 17;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libarpt_mangle.t: -------------------------------------------------------------------------------- 1 | :OUTPUT 2 | -j mangle -s 1.2.3.4 --mangle-ip-s 1.2.3.5;=;OK 3 | -j mangle -d 1.2.3.4 --mangle-ip-d 1.2.3.5;=;OK 4 | -j mangle -d 1.2.3.4 --mangle-mac-d 00:01:02:03:04:05;=;OK 5 | -d 1.2.3.4 --h-length 5 -j mangle --mangle-mac-s 00:01:02:03:04:05;=;FAIL 6 | -j mangle --mangle-ip-s 1.2.3.4 --mangle-target DROP;=;OK 7 | -j mangle --mangle-ip-s 1.2.3.4 --mangle-target ACCEPT;-j mangle --mangle-ip-s 1.2.3.4;OK 8 | -j mangle --mangle-ip-s 1.2.3.4 --mangle-target CONTINUE;=;OK 9 | -j mangle --mangle-ip-s 1.2.3.4 --mangle-target FOO;=;FAIL 10 | -------------------------------------------------------------------------------- /extensions/libarpt_mangle.txlate: -------------------------------------------------------------------------------- 1 | arptables-translate -A OUTPUT -d 
10.21.22.129 -j mangle --mangle-ip-s 10.21.22.161 2 | nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 arp daddr ip 10.21.22.129 counter arp saddr ip set 10.21.22.161 accept' 3 | arptables-translate -A OUTPUT -d 10.2.22.129/24 -j mangle --mangle-ip-d 10.2.22.1 --mangle-target CONTINUE 4 | nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 arp daddr ip 10.2.22.0/24 counter arp daddr ip set 10.2.22.1' 5 | arptables-translate -A OUTPUT -d 10.2.22.129/24 -j mangle --mangle-ip-d 10.2.22.1 --mangle-mac-d a:b:c:d:e:f 6 | nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 arp daddr ip 10.2.22.0/24 counter arp daddr ip set 10.2.22.1 arp daddr ether set 0a:0b:0c:0d:0e:0f accept' 7 | -------------------------------------------------------------------------------- /extensions/libebt_802_3.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | ! --802_3-sap 0x0a -j CONTINUE;=;FAIL 3 | --802_3-type 0x000a -j RETURN;=;FAIL 4 | -p Length --802_3-sap 0x0a -j CONTINUE;=;OK 5 | -p Length ! --802_3-sap 0x0a -j CONTINUE;=;OK 6 | -p Length --802_3-type 0x000a -j RETURN;=;OK 7 | -p Length ! --802_3-type 0x000a -j RETURN;=;OK 8 | -------------------------------------------------------------------------------- /extensions/libebt_arpreply.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *nat 3 | -j arpreply;=;FAIL 4 | -p ARP -i foo -j arpreply;-p ARP -i foo -j arpreply --arpreply-mac 00:00:00:00:00:00;OK 5 | -p ARP -i foo -j arpreply --arpreply-mac de:ad:00:be:ee:ff --arpreply-target ACCEPT;=;OK 6 | -p ARP -i foo -j arpreply --arpreply-mac de:ad:00:be:ee:ff;=;OK 7 | -p ARP -j arpreply ! --arpreply-mac de:ad:00:be:ee:ff;;FAIL 8 | -p ARP -j arpreply --arpreply-mac de:ad:00:be:ee:ff ! 
--arpreply-target ACCEPT;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libebt_dnat.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *nat 3 | -i someport -j dnat --to-dst de:ad:0:be:ee:ff;-i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT;OK 4 | -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT;=;OK 5 | -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libebt_dnat.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff 2 | nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' 3 | 4 | ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT 5 | nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' 6 | 7 | ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE 8 | nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff continue' 9 | -------------------------------------------------------------------------------- /extensions/libebt_limit.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT --limit 3/m --limit-burst 3 2 | nft 'add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter' 3 | 4 | ebtables-translate -A INPUT --limit 10/s --limit-burst 5 5 | nft 'add rule bridge filter INPUT limit rate 10/second burst 5 packets counter' 6 | 7 | ebtables-translate -A INPUT --limit 10/s --limit-burst 0 8 | nft 'add rule bridge filter INPUT limit rate 10/second counter' 9 | 
-------------------------------------------------------------------------------- /extensions/libebt_log.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | --log;--log-level notice;OK 3 | --log-level crit;=;OK 4 | --log-level 1;--log-level alert;OK 5 | --log-level emerg --log-ip --log-arp --log-ip6;=;OK 6 | --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo;--log-level crit --log-prefix "foo" --log-ip --log-arp --log-ip6 -j CONTINUE;OK 7 | -------------------------------------------------------------------------------- /extensions/libebt_log.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT --log 2 | nft 'add rule bridge filter INPUT log level notice flags ether counter' 3 | 4 | ebtables-translate -A INPUT --log-level 1 5 | nft 'add rule bridge filter INPUT log level alert flags ether counter' 6 | 7 | ebtables-translate -A INPUT --log-level crit 8 | nft 'add rule bridge filter INPUT log level crit flags ether counter' 9 | 10 | ebtables-translate -A INPUT --log-level emerg --log-ip --log-arp --log-ip6 11 | nft 'add rule bridge filter INPUT log level emerg flags ether counter' 12 | 13 | ebtables-translate -A INPUT --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo 14 | nft 'add rule bridge filter INPUT log prefix "foo" level crit flags ether counter' 15 | 16 | -------------------------------------------------------------------------------- /extensions/libebt_mark.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j mark --mark-set 1;-j mark --mark-set 0x1 --mark-target ACCEPT;OK 3 | -j mark --mark-or 0xa --mark-target CONTINUE;=;OK 4 | -j mark --mark-and 0x1 --mark-target RETURN;=;OK 5 | -j mark --mark-xor 0x1 --mark-target CONTINUE;=;OK 6 | -------------------------------------------------------------------------------- 
/extensions/libebt_mark.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT -j mark --mark-set 42 2 | nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept' 3 | 4 | ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN 5 | nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return' 6 | 7 | ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT 8 | nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept' 9 | 10 | ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP 11 | nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop' 12 | -------------------------------------------------------------------------------- /extensions/libebt_mark_m.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | --mark 42;--mark 0x2a;OK 3 | ! --mark 42;! --mark 0x2a;OK 4 | --mark 42/0xff;--mark 0x2a/0xff;OK 5 | ! --mark 0x1/0xff;=;OK 6 | --mark /0x2;=;OK 7 | -------------------------------------------------------------------------------- /extensions/libebt_mark_m.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT --mark 42 2 | nft 'add rule bridge filter INPUT meta mark 0x2a counter' 3 | 4 | ebtables-translate -A INPUT ! --mark 42 5 | nft 'add rule bridge filter INPUT meta mark != 0x2a counter' 6 | 7 | ebtables-translate -A INPUT --mark ! 42 8 | nft 'add rule bridge filter INPUT meta mark != 0x2a counter' 9 | 10 | ebtables-translate -A INPUT ! 
--mark 0x1/0xff 11 | nft 'add rule bridge filter INPUT meta mark and 0xff != 0x1 counter' 12 | 13 | ebtables-translate -A INPUT --mark /0x02 14 | nft 'add rule bridge filter INPUT meta mark and 0x2 != 0 counter' 15 | -------------------------------------------------------------------------------- /extensions/libebt_nflog.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | --nflog;--nflog-group 1;OK 3 | --nflog-group 42;=;OK 4 | --nflog-range 42;--nflog-group 1 --nflog-range 42 -j CONTINUE;OK 5 | --nflog-threshold 100 --nflog-prefix foo;--nflog-prefix "foo" --nflog-group 1 --nflog-threshold 100 -j CONTINUE;OK 6 | -------------------------------------------------------------------------------- /extensions/libebt_nflog.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT --nflog 2 | nft 'add rule bridge filter INPUT log group 1 counter' 3 | 4 | ebtables-translate -A INPUT --nflog-group 42 5 | nft 'add rule bridge filter INPUT log group 42 counter' 6 | 7 | ebtables-translate -A INPUT --nflog-range 42 8 | nft 'add rule bridge filter INPUT log group 1 snaplen 42 counter' 9 | 10 | ebtables-translate -A INPUT --nflog-threshold 100 --nflog-prefix foo 11 | nft 'add rule bridge filter INPUT log prefix "foo" group 1 queue-threshold 100 counter' 12 | -------------------------------------------------------------------------------- /extensions/libebt_pkttype.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | --pkttype-type ! host;! --pkttype-type host -j CONTINUE;OK 3 | --pkttype-type host;=;OK 4 | ! --pkttype-type host;=;OK 5 | --pkttype-type broadcast;=;OK 6 | ! --pkttype-type broadcast;=;OK 7 | --pkttype-type multicast;=;OK 8 | ! --pkttype-type multicast;=;OK 9 | --pkttype-type otherhost;=;OK 10 | ! --pkttype-type otherhost;=;OK 11 | --pkttype-type outgoing;=;OK 12 | ! 
--pkttype-type outgoing;=;OK 13 | --pkttype-type loopback;=;OK 14 | ! --pkttype-type loopback;=;OK 15 | -------------------------------------------------------------------------------- /extensions/libebt_pkttype.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT --pkttype-type host 2 | nft 'add rule bridge filter INPUT meta pkttype host counter' 3 | 4 | ebtables-translate -A INPUT ! --pkttype-type broadcast 5 | nft 'add rule bridge filter INPUT meta pkttype != broadcast counter' 6 | 7 | ebtables-translate -A INPUT --pkttype-type ! multicast 8 | nft 'add rule bridge filter INPUT meta pkttype != multicast counter' 9 | 10 | ebtables-translate -A INPUT --pkttype-type otherhost 11 | nft 'add rule bridge filter INPUT meta pkttype other counter' 12 | 13 | ebtables-translate -A INPUT --pkttype-type outgoing 14 | nft 'add rule bridge filter INPUT meta pkttype 4 counter' 15 | 16 | ebtables-translate -A INPUT --pkttype-type loopback 17 | nft 'add rule bridge filter INPUT meta pkttype 5 counter' 18 | 19 | ebtables-translate -A INPUT --pkttype-type fastroute 20 | nft 'add rule bridge filter INPUT meta pkttype 6 counter' 21 | -------------------------------------------------------------------------------- /extensions/libebt_redirect.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *nat 3 | -j redirect ;=;OK 4 | -j redirect --redirect-target RETURN;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libebt_redirect.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect 2 | nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept' 3 | 4 | ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN 5 | nft 'add rule 
bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return' 6 | 7 | ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE 8 | nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host' 9 | -------------------------------------------------------------------------------- /extensions/libebt_snat.t: -------------------------------------------------------------------------------- 1 | :POSTROUTING 2 | *nat 3 | -o someport -j snat --to-source a:b:c:d:e:f;-o someport -j snat --to-src 0a:0b:0c:0d:0e:0f --snat-target ACCEPT;OK 4 | -o someport+ -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE;=;OK 5 | -j snat;;FAIL 6 | -j snat --to-src de:ad:00:be:ee:ff;-j snat --to-src de:ad:00:be:ee:ff --snat-target ACCEPT;OK 7 | -------------------------------------------------------------------------------- /extensions/libebt_snat.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff 2 | nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept' 3 | 4 | ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE 5 | nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue' 6 | -------------------------------------------------------------------------------- /extensions/libebt_vlan.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -p 802_1Q --vlan-id 42;=;OK 3 | -p 802_1Q ! --vlan-id 42;=;OK 4 | -p 802_1Q --vlan-prio 1;=;OK 5 | -p 802_1Q ! --vlan-prio 1;=;OK 6 | -p 802_1Q --vlan-encap ip;-p 802_1Q --vlan-encap 0800 -j CONTINUE;OK 7 | -p 802_1Q --vlan-encap 0800;=;OK 8 | -p 802_1Q ! 
--vlan-encap 0800;=;OK 9 | -p 802_1Q --vlan-encap IPv6 --vlan-id ! 1;-p 802_1Q ! --vlan-id 1 --vlan-encap 86DD -j CONTINUE;OK 10 | -p 802_1Q ! --vlan-id 1 --vlan-encap 86DD;=;OK 11 | --vlan-encap ip;=;FAIL 12 | --vlan-id 2;=;FAIL 13 | --vlan-prio 1;=;FAIL 14 | -------------------------------------------------------------------------------- /extensions/libebt_vlan.txlate: -------------------------------------------------------------------------------- 1 | ebtables-translate -A INPUT -p 802_1Q --vlan-id 42 2 | nft 'add rule bridge filter INPUT vlan id 42 counter' 3 | 4 | ebtables-translate -A INPUT -p 802_1Q ! --vlan-prio 1 5 | nft 'add rule bridge filter INPUT vlan pcp != 1 counter' 6 | 7 | ebtables-translate -A INPUT -p 802_1Q --vlan-encap ip 8 | nft 'add rule bridge filter INPUT vlan type 0x0800 counter' 9 | 10 | ebtables-translate -A INPUT -p 802_1Q --vlan-encap ipv6 ! --vlan-id 1 11 | nft 'add rule bridge filter INPUT vlan id != 1 vlan type 0x86dd counter' 12 | -------------------------------------------------------------------------------- /extensions/libip6t_DNPT.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *mangle 3 | -j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK 4 | -j DNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL 5 | -j DNPT --src-pfx dead::/64;;FAIL 6 | -j DNPT --dst-pfx dead::/64;;FAIL 7 | -j DNPT;;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libip6t_HL.man: -------------------------------------------------------------------------------- 1 | This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field 2 | is similar to what is known as TTL value in IPv4. Setting or incrementing the 3 | Hop Limit field can potentially be very dangerous, so it should be avoided at 4 | any cost. This target is only valid in 5 | .B mangle 6 | table. 
7 | .PP 8 | .B Don't ever set or increment the value on packets that leave your local network! 9 | .TP 10 | \fB\-\-hl\-set\fP \fIvalue\fP 11 | Set the Hop Limit to `value'. 12 | .TP 13 | \fB\-\-hl\-dec\fP \fIvalue\fP 14 | Decrement the Hop Limit `value' times. 15 | .TP 16 | \fB\-\-hl\-inc\fP \fIvalue\fP 17 | Increment the Hop Limit `value' times. 18 | -------------------------------------------------------------------------------- /extensions/libip6t_HL.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j HL --hl-set 42;=;OK 4 | -j HL --hl-inc 1;=;OK 5 | -j HL --hl-dec 1;=;OK 6 | -j HL --hl-set 256;;FAIL 7 | -j HL --hl-inc 0;;FAIL 8 | -j HL --hl-dec 0;;FAIL 9 | -j HL --hl-dec 1 --hl-inc 1;;FAIL 10 | -j HL --hl-set --hl-inc 1;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libip6t_LOG.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j LOG;-j LOG;OK 3 | -j LOG --log-prefix "test: ";=;OK 4 | -j LOG --log-prefix "test: " --log-level 1;=;OK 5 | # iptables displays the log-level output using the number; not the string 6 | -j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK 7 | -j LOG --log-prefix "test: " --log-tcp-sequence;=;OK 8 | -j LOG --log-prefix "test: " --log-tcp-options;=;OK 9 | -j LOG --log-prefix "test: " --log-ip-options;=;OK 10 | -j LOG --log-prefix "test: " --log-uid;=;OK 11 | -j LOG --log-prefix "test: " --log-level bad;;FAIL 12 | -j LOG --log-prefix;;FAIL 13 | -------------------------------------------------------------------------------- /extensions/libip6t_LOG.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -I INPUT -j LOG 2 | nft 'insert rule ip filter INPUT counter log' 3 | 4 | ip6tables-translate -A FORWARD -p tcp -j LOG 
--log-level debug 5 | nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log level debug' 6 | 7 | ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log" 8 | nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log prefix "Checking log"' 9 | -------------------------------------------------------------------------------- /extensions/libip6t_MASQUERADE.t: -------------------------------------------------------------------------------- 1 | :POSTROUTING 2 | *nat 3 | -j MASQUERADE;=;OK 4 | -j MASQUERADE --random;=;OK 5 | -j MASQUERADE --random-fully;=;OK 6 | -p tcp -j MASQUERADE --to-ports 1024;=;OK 7 | -p udp -j MASQUERADE --to-ports 1024-65535;=;OK 8 | -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL 9 | -p udp -j MASQUERADE --to-ports -1;;FAIL 10 | -------------------------------------------------------------------------------- /extensions/libip6t_NETMAP.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,OUTPUT,POSTROUTING 2 | *nat 3 | -j NETMAP --to dead::/64;=;OK 4 | -j NETMAP --to dead::beef;-j NETMAP --to dead::beef/128;OK 5 | -------------------------------------------------------------------------------- /extensions/libip6t_REJECT.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j REJECT;-j REJECT --reject-with icmp6-port-unreachable;OK 3 | # manpage for IPv6 variant of REJECT does not show up for some reason? 
4 | -j REJECT --reject-with icmp6-no-route;=;OK 5 | -j REJECT --reject-with icmp6-adm-prohibited;=;OK 6 | -j REJECT --reject-with icmp6-addr-unreachable;=;OK 7 | -j REJECT --reject-with icmp6-port-unreachable;=;OK 8 | -j REJECT --reject-with icmp6-policy-fail;=;OK 9 | -j REJECT --reject-with icmp6-reject-route;=;OK 10 | -p tcp -j REJECT --reject-with tcp-reset;=;OK 11 | -j REJECT --reject-with tcp-reset;;FAIL 12 | -------------------------------------------------------------------------------- /extensions/libip6t_REJECT.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT 2 | nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject' 3 | 4 | ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route 5 | nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route' 6 | 7 | ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset 8 | nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset' 9 | -------------------------------------------------------------------------------- /extensions/libip6t_SNAT.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80 2 | nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:80' 3 | 4 | ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20 5 | nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:1-20' 6 | 7 | ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random 8 | nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:123 random' 9 | 10 | ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to 
[fec0::1234]:123 --random-fully --persistent 11 | nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:123 fully-random,persistent' 12 | -------------------------------------------------------------------------------- /extensions/libip6t_SNPT.t: -------------------------------------------------------------------------------- 1 | :INPUT,POSTROUTING 2 | *mangle 3 | -j SNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK 4 | -j SNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL 5 | -j SNPT --src-pfx dead::/64;;FAIL 6 | -j SNPT --dst-pfx dead::/64;;FAIL 7 | -j SNPT;;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libip6t_TEE.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j TEE --gateway 2001:db8::1;=;OK 3 | -j TEE ! --gateway 2001:db8::1;;FAIL 4 | -------------------------------------------------------------------------------- /extensions/libip6t_TPROXY.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *mangle 3 | -j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;;FAIL 4 | -p udp -j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;=;OK 5 | -p tcp -m tcp --dport 2342 -j TPROXY --on-port 12345 --on-ip 2001:db8::1 --tproxy-mark 0x23/0xff;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libip6t_ah.man: -------------------------------------------------------------------------------- 1 | This module matches the parameters in Authentication header of IPsec packets. 2 | .TP 3 | [\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] 4 | Matches SPI. 5 | .TP 6 | [\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP 7 | Total length of this header in octets. 8 | .TP 9 | \fB\-\-ahres\fP 10 | Matches if the reserved field is filled with zero. 
11 | -------------------------------------------------------------------------------- /extensions/libip6t_ah.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ah --ahspi 0;=;OK 3 | -m ah --ahspi 4294967295;=;OK 4 | -m ah --ahspi 0:4294967295;-m ah;OK 5 | -m ah ! --ahspi 0;=;OK 6 | # ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1 7 | # -m ah --ahres;=;OK 8 | # ERROR: line 7 (cannot find: ip6tables -I INPUT -m ah --ahlen 32 9 | # -m ah --ahlen 32;=;OK 10 | -m ah --ahspi -1;;FAIL 11 | -m ah --ahspi 4294967296;;FAIL 12 | -m ah --ahspi invalid;;FAIL 13 | -m ah --ahspi 0:invalid;;FAIL 14 | -m ah --ahspi;;FAIL 15 | -m ah;=;OK 16 | -m ah --ahspi :;-m ah;OK 17 | -m ah ! --ahspi :;-m ah ! --ahspi 0:4294967295;OK 18 | -m ah --ahspi :3;-m ah --ahspi 0:3;OK 19 | -m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK 20 | -m ah --ahspi 3:3;-m ah --ahspi 3;OK 21 | -m ah --ahspi 4:3;;FAIL 22 | -------------------------------------------------------------------------------- /extensions/libip6t_conntrack.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m conntrack --ctorigsrc 2001:db8::1;=;OK 3 | -m conntrack --ctorigdst 2001:db8::1;=;OK 4 | -m conntrack --ctreplsrc 2001:db8::1;=;OK 5 | -m conntrack --ctrepldst 2001:db8::1;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libip6t_dst.man: -------------------------------------------------------------------------------- 1 | This module matches the parameters in the Destination Options header. 2 | .TP 3 | [\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP 4 | Total length of this header in octets. 5 | .TP 6 | \fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] 7 | Numeric type of the option and the length of the option data in octets. 
8 | -------------------------------------------------------------------------------- /extensions/libip6t_dst.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m dst --dst-len 0;=;OK 3 | -m dst --dst-opts 149:92,12:12,123:12;=;OK 4 | -m dst ! --dst-len 42;=;OK 5 | -m dst --dst-len 42 --dst-opts 149:92,12:12,123:12;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libip6t_eui64.c: -------------------------------------------------------------------------------- 1 | /* Shared library add-on to ip6tables to add EUI64 address checking support. */ 2 | #include 3 | 4 | static struct xtables_match eui64_mt6_reg = { 5 | .name = "eui64", 6 | .version = XTABLES_VERSION, 7 | .family = NFPROTO_IPV6, 8 | .size = XT_ALIGN(sizeof(int)), 9 | .userspacesize = XT_ALIGN(sizeof(int)), 10 | }; 11 | 12 | void _init(void) 13 | { 14 | xtables_register_match(&eui64_mt6_reg); 15 | } 16 | -------------------------------------------------------------------------------- /extensions/libip6t_eui64.man: -------------------------------------------------------------------------------- 1 | This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. 2 | It compares the EUI-64 derived from the source MAC address in the Ethernet frame 3 | with the lower 64 bits of the IPv6 source address. The "Universal/Local" 4 | bit is not compared. This module doesn't match other link-layer frames, and 5 | is only valid in the 6 | .BR PREROUTING , 7 | .BR INPUT 8 | and 9 | .BR FORWARD 10 | chains. 
11 | -------------------------------------------------------------------------------- /extensions/libip6t_eui64.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *raw 3 | -m eui64;=;OK 4 | :INPUT,FORWARD 5 | *filter 6 | -m eui64;=;OK 7 | :OUTPUT 8 | -m eui64;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libip6t_frag.man: -------------------------------------------------------------------------------- 1 | This module matches the parameters in Fragment header. 2 | .TP 3 | [\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP] 4 | Matches the given Identification or range of it. 5 | .TP 6 | [\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP 7 | This option cannot be used with kernel version 2.6.10 or later. The length of 8 | Fragment header is static and this option doesn't make sense. 9 | .TP 10 | \fB\-\-fragres\fP 11 | Matches if the reserved fields are filled with zero. 12 | .TP 13 | \fB\-\-fragfirst\fP 14 | Matches on the first fragment. 15 | .TP 16 | \fB\-\-fragmore\fP 17 | Matches if there are more fragments. 18 | .TP 19 | \fB\-\-fraglast\fP 20 | Matches if this is the last fragment. 21 | -------------------------------------------------------------------------------- /extensions/libip6t_frag.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m frag --fragid :;-m frag;OK 3 | -m frag ! --fragid :;-m frag ! --fragid 0:4294967295;OK 4 | -m frag --fragid :42;-m frag --fragid 0:42;OK 5 | -m frag --fragid 42:;-m frag --fragid 42:4294967295;OK 6 | -m frag --fragid 1:42;=;OK 7 | -m frag --fragid 3:3;-m frag --fragid 3;OK 8 | -m frag --fragid 4:3;;FAIL 9 | -m frag --fraglen 42;=;OK 10 | -m frag --fragres;=;OK 11 | -m frag --fragfirst;=;OK 12 | -m frag --fragmore;=;OK 13 | -m frag --fraglast;=;OK 14 | -m frag ! --fragid 1 ! 
--fraglen 42 --fragres --fragfirst;=;OK 15 | -m frag --fragfirst --fragmore;=;OK 16 | -m frag --fragfirst --fraglast;=;OK 17 | -m frag --fraglast --fragmore;;FAIL 18 | -d ff02::fb/128 -p udp -m udp --dport 5353 -m frag --fragmore;=;OK 19 | -d fe80::/64 -p udp --dport 546 -m frag --fraglast;-d fe80::/64 -p udp -m udp --dport 546 -m frag --fraglast;OK 20 | -------------------------------------------------------------------------------- /extensions/libip6t_hbh.man: -------------------------------------------------------------------------------- 1 | This module matches the parameters in the Hop-by-Hop Options header. 2 | .TP 3 | [\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP 4 | Total length of this header in octets. 5 | .TP 6 | \fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...] 7 | Numeric type of the option and the length of the option data in octets. 8 | -------------------------------------------------------------------------------- /extensions/libip6t_hbh.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m hbh;=;OK 3 | -m hbh --hbh-len 42;=;OK 4 | -m hbh ! --hbh-len 42;=;OK 5 | -m hbh --hbh-len 42 --hbh-opts 1:2,23:42,4:6,8:10,42,23,4:5;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libip6t_hbh.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22 2 | nft 'add rule ip6 filter INPUT hbh hdrlength 22 counter' 3 | 4 | ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22 5 | nft 'add rule ip6 filter INPUT hbh hdrlength != 22 counter' 6 | -------------------------------------------------------------------------------- /extensions/libip6t_hl.man: -------------------------------------------------------------------------------- 1 | This module matches the Hop Limit field in the IPv6 header. 
2 | .TP 3 | [\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP 4 | Matches if Hop Limit equals \fIvalue\fP. 5 | .TP 6 | \fB\-\-hl\-lt\fP \fIvalue\fP 7 | Matches if Hop Limit is less than \fIvalue\fP. 8 | .TP 9 | \fB\-\-hl\-gt\fP \fIvalue\fP 10 | Matches if Hop Limit is greater than \fIvalue\fP. 11 | -------------------------------------------------------------------------------- /extensions/libip6t_hl.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m hl;;FAIL 3 | -m hl --hl-eq 42;=;OK 4 | -m hl ! --hl-eq 42;=;OK 5 | -m hl --hl-lt 42;=;OK 6 | -m hl --hl-gt 42;=;OK 7 | -m hl --hl-gt 42 --hl-eq 42;;FAIL 8 | -m hl --hl-gt;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libip6t_hl.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -t nat -A postrouting -m hl --hl-gt 3 2 | nft 'add rule ip6 nat postrouting ip6 hoplimit gt 3 counter' 3 | 4 | ip6tables-translate -t nat -A postrouting -m hl ! --hl-eq 3 5 | nft 'add rule ip6 nat postrouting ip6 hoplimit != 3 counter' 6 | -------------------------------------------------------------------------------- /extensions/libip6t_icmp6.man: -------------------------------------------------------------------------------- 1 | This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is 2 | specified. 
It provides the following option: 3 | .TP 4 | [\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP 5 | This allows specification of the ICMPv6 type, which can be a numeric 6 | ICMPv6 7 | .IR type , 8 | .IR type 9 | and 10 | .IR code , 11 | or one of the ICMPv6 type names shown by the command 12 | .nf 13 | ip6tables \-p ipv6\-icmp \-h 14 | .fi 15 | -------------------------------------------------------------------------------- /extensions/libip6t_icmp6.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m icmpv6;;FAIL 3 | -p ipv6-icmp -m icmp6 --icmpv6-type 1/0;=;OK 4 | -p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK 5 | # cannot use option twice: 6 | -p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL 7 | -p ipv6-icmp -m icmp6 --icmpv6-type mld-listener-query;-p ipv6-icmp -m icmp6 --icmpv6-type 130;OK 8 | -p ipv6-icmp -m icmp6 --icmpv6-type mld-listener-report;-p ipv6-icmp -m icmp6 --icmpv6-type 131;OK 9 | -p ipv6-icmp -m icmp6 --icmpv6-type mld-listener-done;-p ipv6-icmp -m icmp6 --icmpv6-type 132;OK 10 | -p ipv6-icmp -m icmp6 --icmpv6-type mld-listener-reduction;-p ipv6-icmp -m icmp6 --icmpv6-type 132;OK 11 | -------------------------------------------------------------------------------- /extensions/libip6t_icmp6.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type 1 -j LOG 2 | nft 'add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log' 3 | 4 | ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type neighbour-advertisement -j LOG 5 | nft 'add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log' 6 | 7 | ip6tables-translate -t filter -A INPUT -m icmp6 ! 
--icmpv6-type packet-too-big -j LOG 8 | nft 'add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log' 9 | -------------------------------------------------------------------------------- /extensions/libip6t_iprange.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m iprange --src-range 2001:db8::1-2001:db8::10;=;OK 3 | -m iprange ! --src-range 2001:db8::1-2001:db8::10;=;OK 4 | -m iprange --dst-range 2001:db8::1-2001:db8::10;=;OK 5 | -m iprange ! --dst-range 2001:db8::1-2001:db8::10;=;OK 6 | # it shows -A INPUT -m iprange --src-range 2001:db8::1-2001:db8::1, should we support this? 7 | # ERROR: should fail: ip6tables -A INPUT -m iprange --src-range 2001:db8::1 8 | # -m iprange --src-range 2001:db8::1;;FAIL 9 | # ERROR: should fail: ip6tables -A INPUT -m iprange --dst-range 2001:db8::1 10 | #-m iprange --dst-range 2001:db8::1;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libip6t_ipv6header.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ipv6header --header hop-by-hop;=;OK 3 | -m ipv6header --header hop-by-hop --soft;=;OK 4 | -m ipv6header --header ipv6-nonxt;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libip6t_ipvs.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ipvs --vaddr 2001:db8::1;=;OK 3 | -m ipvs ! --vaddr 2001:db8::/64;=;OK 4 | -m ipvs --vproto 6 --vaddr 2001:db8::/64 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libip6t_mh.man: -------------------------------------------------------------------------------- 1 | This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is 2 | specified. 
It provides the following option: 3 | .TP 4 | [\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP] 5 | This allows specification of the Mobility Header(MH) type, which can be 6 | a numeric MH 7 | .IR type , 8 | .IR type 9 | or one of the MH type names shown by the command 10 | .nf 11 | ip6tables \-p mh \-h 12 | .fi 13 | -------------------------------------------------------------------------------- /extensions/libip6t_mh.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m mh;;FAIL 3 | -p mobility-header -m mh;=;OK 4 | -p mobility-header -m mh --mh-type 1;=;OK 5 | -p mobility-header -m mh ! --mh-type 4;=;OK 6 | -p mobility-header -m mh --mh-type 4:123;=;OK 7 | -p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK 8 | -p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh ! --mh-type 0:255;OK 9 | -p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK 10 | -p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK 11 | -p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK 12 | -p mobility-header -m mh --mh-type 4:3;;FAIL 13 | -------------------------------------------------------------------------------- /extensions/libip6t_mh.txlate: -------------------------------------------------------------------------------- 1 | ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT 2 | nft 'add rule ip6 filter INPUT mh type 1 counter accept' 3 | 4 | ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT 5 | nft 'add rule ip6 filter INPUT mh type 1-3 counter accept' 6 | 7 | ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT 8 | nft 'add rule ip6 filter INPUT exthdr mh exists counter accept' 9 | 10 | ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT 11 | nft 'add rule ip6 filter INPUT exthdr mh exists counter accept' 12 | 13 | ip6tables-translate -A INPUT -p mh ! 
--mh-type 0:255 -j ACCEPT 14 | nft 'add rule ip6 filter INPUT mh type != 0-255 counter accept' 15 | -------------------------------------------------------------------------------- /extensions/libip6t_policy.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 2001:db8::/32 --tunnel-src 2001:db8::/32 --next --reqid 2;=;OK 3 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 2001:db8::/32;;FAIL 4 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 2001:db8::/32 --tunnel-src 2001:db8::/32 --next --reqid 2;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libip6t_rt.man: -------------------------------------------------------------------------------- 1 | Match on IPv6 routing header 2 | .TP 3 | [\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP 4 | Match the type (numeric). 5 | .TP 6 | [\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP] 7 | Match the `segments left' field (range). 8 | .TP 9 | [\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP 10 | Match the length of this header. 11 | .TP 12 | \fB\-\-rt\-0\-res\fP 13 | Match the reserved field, too (type=0) 14 | .TP 15 | \fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...] 16 | Match type=0 addresses (list). 17 | .TP 18 | \fB\-\-rt\-0\-not\-strict\fP 19 | List of type=0 addresses is not a strict list. 20 | -------------------------------------------------------------------------------- /extensions/libip6t_rt.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK 3 | -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK 4 | -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! 
--rt-len 42;=;OK 5 | -m rt;=;OK 6 | -m rt --rt-segsleft :;-m rt;OK 7 | -m rt ! --rt-segsleft :;-m rt ! --rt-segsleft 0:4294967295;OK 8 | -m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK 9 | -m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK 10 | -m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK 11 | -m rt --rt-segsleft 4:3;;FAIL 12 | -------------------------------------------------------------------------------- /extensions/libip6t_standard.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -s ::/128;=;OK 3 | ! -d ::;! -d ::/128;OK 4 | ! -s ::;! -s ::/128;OK 5 | -s ::/64;=;OK 6 | :INPUT 7 | -i + -d c0::fe;-d c0::fe/128;OK 8 | -i + -p tcp;-p tcp;OK 9 | -------------------------------------------------------------------------------- /extensions/libipt_ECN.man: -------------------------------------------------------------------------------- 1 | This target selectively works around known ECN blackholes. 2 | It can only be used in the mangle table. 3 | .TP 4 | \fB\-\-ecn\-tcp\-remove\fP 5 | Remove all ECN bits from the TCP header. Of course, it can only be used 6 | in conjunction with 7 | \fB\-p tcp\fP. 
8 | -------------------------------------------------------------------------------- /extensions/libipt_ECN.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j ECN;;FAIL 4 | -p tcp -j ECN;;FAIL 5 | -p tcp -j ECN --ecn-tcp-remove;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libipt_LOG.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j LOG;-j LOG;OK 3 | -j LOG --log-prefix "test: ";=;OK 4 | -j LOG --log-prefix "test: " --log-level 1;=;OK 5 | # iptables displays the log-level output using the number; not the string 6 | -j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK 7 | -j LOG --log-prefix "test: " --log-tcp-sequence;=;OK 8 | -j LOG --log-prefix "test: " --log-tcp-options;=;OK 9 | -j LOG --log-prefix "test: " --log-ip-options;=;OK 10 | -j LOG --log-prefix "test: " --log-uid;=;OK 11 | -j LOG --log-prefix "test: " --log-level bad;;FAIL 12 | -j LOG --log-prefix;;FAIL 13 | -------------------------------------------------------------------------------- /extensions/libipt_LOG.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A FORWARD -p tcp -j LOG --log-level error 2 | nft 'add rule ip filter FORWARD ip protocol tcp counter log level err' 3 | 4 | iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix" 5 | nft 'add rule ip filter FORWARD ip protocol tcp counter log prefix "Random prefix"' 6 | -------------------------------------------------------------------------------- /extensions/libipt_MASQUERADE.t: -------------------------------------------------------------------------------- 1 | :POSTROUTING 2 | *nat 3 | -j MASQUERADE;=;OK 4 | -j MASQUERADE --random;=;OK 5 | -j MASQUERADE --random-fully;=;OK 6 | -p tcp -j MASQUERADE --to-ports 
1024;=;OK 7 | -p udp -j MASQUERADE --to-ports 1024-65535;=;OK 8 | -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL 9 | -p udp -j MASQUERADE --to-ports -1;;FAIL 10 | -------------------------------------------------------------------------------- /extensions/libipt_NETMAP.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,OUTPUT,POSTROUTING 2 | *nat 3 | -j NETMAP --to 1.2.3.0/24;=;OK 4 | -j NETMAP --to 1.2.3.4;-j NETMAP --to 1.2.3.4/32;OK 5 | -------------------------------------------------------------------------------- /extensions/libipt_REJECT.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j REJECT;-j REJECT --reject-with icmp-port-unreachable;OK 3 | -j REJECT --reject-with icmp-net-unreachable;=;OK 4 | -j REJECT --reject-with icmp-host-unreachable;=;OK 5 | -j REJECT --reject-with icmp-port-unreachable;=;OK 6 | -j REJECT --reject-with icmp-proto-unreachable;=;OK 7 | -j REJECT --reject-with icmp-net-prohibited;=;OK 8 | -j REJECT --reject-with icmp-host-prohibited;=;OK 9 | -j REJECT --reject-with icmp-admin-prohibited;=;OK 10 | -------------------------------------------------------------------------------- /extensions/libipt_REJECT.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT 2 | nft 'add rule ip filter FORWARD tcp dport 22 counter reject' 3 | 4 | iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable 5 | nft 'add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable' 6 | 7 | iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset 8 | nft 'add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset' 9 | -------------------------------------------------------------------------------- /extensions/libipt_SNAT.t: 
-------------------------------------------------------------------------------- 1 | :POSTROUTING 2 | *nat 3 | -j SNAT --to-source 1.1.1.1;=;OK 4 | -j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK 5 | -j SNAT --to-source 1.1.1.1:1025-65535;;FAIL 6 | -j SNAT --to-source 1.1.1.1 --to-source 2.2.2.2;;FAIL 7 | -j SNAT --to-source 1.1.1.1 --random;=;OK 8 | -j SNAT --to-source 1.1.1.1 --random-fully;=;OK 9 | -j SNAT --to-source 1.1.1.1 --persistent;=;OK 10 | -j SNAT --to-source 1.1.1.1 --random --persistent;=;OK 11 | -j SNAT --to-source 1.1.1.1 --random --random-fully;=;OK 12 | -j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK 13 | -p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK 14 | -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK 15 | -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL 16 | -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL 17 | -j SNAT;;FAIL 18 | -------------------------------------------------------------------------------- /extensions/libipt_SNAT.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 2 | nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4' 3 | 4 | iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 5 | nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4-1.2.3.6' 6 | 7 | iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 8 | nft 'add rule ip nat postrouting oifname "eth0" ip protocol tcp counter snat to 1.2.3.4:1-1023' 9 | 10 | iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random 11 | nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random' 12 | 13 | iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent 14 | nft 'add rule ip nat postrouting oifname "eth0" 
counter snat to 1.2.3.4 random,persistent' 15 | -------------------------------------------------------------------------------- /extensions/libipt_TEE.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j TEE --gateway 1.1.1.1;=;OK 3 | -j TEE ! --gateway 1.1.1.1;;FAIL 4 | -------------------------------------------------------------------------------- /extensions/libipt_TPROXY.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *mangle 3 | -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;;FAIL 4 | -p udp -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;=;OK 5 | -p tcp -m tcp --dport 2342 -j TPROXY --on-port 12345 --on-ip 10.0.0.1 --tproxy-mark 0x23/0xff;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libipt_TTL.man: -------------------------------------------------------------------------------- 1 | This is used to modify the IPv4 TTL header field. The TTL field determines 2 | how many hops (routers) a packet can traverse until its time to live is 3 | exceeded. 4 | .PP 5 | Setting or incrementing the TTL field can potentially be very dangerous, 6 | because a packet whose TTL is raised may circulate indefinitely in a routing loop, so it should be avoided at any cost. This target is only valid in 7 | .B mangle 8 | table. 9 | .PP 10 | .B Don't ever set or increment the value on packets that leave your local network! 11 | .TP 12 | \fB\-\-ttl\-set\fP \fIvalue\fP 13 | Set the TTL value to `value'. 14 | .TP 15 | \fB\-\-ttl\-dec\fP \fIvalue\fP 16 | Decrement the TTL value `value' times. 17 | .TP 18 | \fB\-\-ttl\-inc\fP \fIvalue\fP 19 | Increment the TTL value `value' times. 
20 | -------------------------------------------------------------------------------- /extensions/libipt_TTL.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j TTL --ttl-set 42;=;OK 4 | -j TTL --ttl-inc 1;=;OK 5 | -j TTL --ttl-dec 1;=;OK 6 | -j TTL --ttl-set 256;;FAIL 7 | -j TTL --ttl-inc 0;;FAIL 8 | -j TTL --ttl-dec 0;;FAIL 9 | -j TTL --ttl-dec 1 --ttl-inc 1;;FAIL 10 | -j TTL --ttl-set --ttl-inc 1;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libipt_ah.man: -------------------------------------------------------------------------------- 1 | This module matches the SPIs in Authentication header of IPsec packets. 2 | .TP 3 | [\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] 4 | -------------------------------------------------------------------------------- /extensions/libipt_ah.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -p ah -m ah --ahspi 0;=;OK 3 | -p ah -m ah --ahspi 4294967295;=;OK 4 | -p ah -m ah --ahspi 0:4294967295;-p ah -m ah;OK 5 | -p ah -m ah ! --ahspi 0;=;OK 6 | -p ah -m ah --ahspi -1;;FAIL 7 | -p ah -m ah --ahspi 4294967296;;FAIL 8 | -p ah -m ah --ahspi invalid;;FAIL 9 | -p ah -m ah --ahspi 0:invalid;;FAIL 10 | -m ah --ahspi 0;;FAIL 11 | -m ah --ahspi;;FAIL 12 | -m ah;;FAIL 13 | -p ah -m ah;=;OK 14 | -p ah -m ah --ahspi :;-p ah -m ah;OK 15 | -p ah -m ah ! --ahspi :;-p ah -m ah ! 
--ahspi 0:4294967295;OK 16 | -p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK 17 | -p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK 18 | -p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK 19 | -p ah -m ah --ahspi 4:3;;FAIL 20 | -------------------------------------------------------------------------------- /extensions/libipt_ah.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -p 51 -m ah --ahspi 500 -j DROP 2 | nft 'add rule ip filter INPUT ah spi 500 counter drop' 3 | 4 | iptables-translate -A INPUT -p 51 -m ah --ahspi 500:600 -j DROP 5 | nft 'add rule ip filter INPUT ah spi 500-600 counter drop' 6 | 7 | iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP 8 | nft 'add rule ip filter INPUT ah spi != 50 counter drop' 9 | 10 | iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP 11 | nft 'add rule ip filter INPUT meta l4proto ah counter drop' 12 | 13 | iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP 14 | nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop' 15 | -------------------------------------------------------------------------------- /extensions/libipt_conntrack.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m conntrack --ctorigsrc 1.1.1.1;=;OK 3 | -m conntrack --ctorigdst 1.1.1.1;=;OK 4 | -m conntrack --ctreplsrc 1.1.1.1;=;OK 5 | -m conntrack --ctrepldst 1.1.1.1;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libipt_icmp.man: -------------------------------------------------------------------------------- 1 | This extension can be used if `\-\-protocol icmp' is specified. 
It 2 | provides the following option: 3 | .TP 4 | [\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP} 5 | This allows specification of the ICMP type, which can be a numeric 6 | ICMP type, type/code pair, or one of the ICMP type names shown by the command 7 | .nf 8 | iptables \-p icmp \-h 9 | .fi 10 | -------------------------------------------------------------------------------- /extensions/libipt_icmp.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -p icmp -m icmp --icmp-type any;=;OK 3 | # XXX: output uses the number, better use the name? 4 | -p icmp -m icmp --icmp-type echo-reply;-p icmp -m icmp --icmp-type 0;OK 5 | -p icmp -m icmp --icmp-type destination-unreachable;-p icmp -m icmp --icmp-type 3;OK 6 | # it does not accept name/name, should we accept this? 7 | # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable 8 | # -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable;=;OK 9 | -m icmp;;FAIL 10 | # we accept "iptables -I INPUT -p tcp -m tcp", why not this below? 11 | # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp 12 | # -p icmp -m icmp;=;OK 13 | -p icmp -m icmp --icmp-type 255/255;=;OK 14 | -p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK 15 | -------------------------------------------------------------------------------- /extensions/libipt_icmp.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j ACCEPT 2 | nft 'add rule ip filter INPUT icmp type echo-reply counter accept' 3 | 4 | iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j ACCEPT 5 | nft 'add rule ip filter INPUT icmp type destination-unreachable counter accept' 6 | 7 | iptables-translate -t filter -A INPUT -m icmp ! 
--icmp-type 3 -j ACCEPT 8 | nft 'add rule ip filter INPUT icmp type != destination-unreachable counter accept' 9 | 10 | iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT 11 | nft 'add rule ip filter INPUT ip protocol icmp counter accept' 12 | -------------------------------------------------------------------------------- /extensions/libipt_iprange.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m iprange --src-range 1.1.1.1-1.1.1.10;=;OK 3 | -m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK 4 | -m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK 5 | -m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK 6 | # it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this? 7 | # ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1 8 | # -m iprange --src-range 1.1.1.1;;FAIL 9 | # ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1 10 | #-m iprange --dst-range 1.1.1.1;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libipt_ipvs.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ipvs --vaddr 1.2.3.4;=;OK 3 | -m ipvs ! --vaddr 1.2.3.4/255.255.255.0;-m ipvs ! 
--vaddr 1.2.3.4/24;OK 4 | -m ipvs --vproto 6 --vaddr 1.2.3.4/16 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libipt_osf.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m osf --genre linux --ttl 0 --log 0;;FAIL 3 | -p tcp -m osf --genre linux --ttl 0 --log 0;=;OK 4 | -p tcp -m osf --genre linux --ttl 3 --log 0;;FAIL 5 | -------------------------------------------------------------------------------- /extensions/libipt_policy.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK 3 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL 4 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libipt_realm.man: -------------------------------------------------------------------------------- 1 | This matches the routing realm. Routing realms are used in complex routing 2 | setups involving dynamic routing protocols like BGP. 3 | .TP 4 | [\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP] 5 | Matches a given realm number (and optionally mask). If not a number, value 6 | can be a named realm from /etc/iproute2/rt_realms (mask can not be used in 7 | that case). 8 | Both value and mask are four byte unsigned integers and may be specified in 9 | decimal, hex (by prefixing with "0x") or octal (if a leading zero is given). 
10 | -------------------------------------------------------------------------------- /extensions/libipt_realm.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m realm --realm 0x1/0x2a;=;OK 3 | -m realm --realm 0x2a;=;OK 4 | -m realm;;FAIL 5 | -------------------------------------------------------------------------------- /extensions/libipt_realm.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A PREROUTING -m realm --realm 4 2 | nft 'add rule ip filter PREROUTING rtclassid 0x4 counter' 3 | 4 | iptables-translate -A PREROUTING -m realm --realm 5/5 5 | nft 'add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter' 6 | 7 | iptables-translate -A PREROUTING -m realm ! --realm 50 8 | nft 'add rule ip filter PREROUTING rtclassid != 0x32 counter' 9 | 10 | iptables-translate -A INPUT -m realm --realm 1/0xf 11 | nft 'add rule ip filter INPUT rtclassid and 0xf == 0x1 counter' 12 | -------------------------------------------------------------------------------- /extensions/libipt_ttl.man: -------------------------------------------------------------------------------- 1 | This module matches the time to live field in the IP header. 2 | .TP 3 | [\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP 4 | Matches the given TTL value. 5 | .TP 6 | \fB\-\-ttl\-gt\fP \fIttl\fP 7 | Matches if TTL is greater than the given TTL value. 8 | .TP 9 | \fB\-\-ttl\-lt\fP \fIttl\fP 10 | Matches if TTL is less than the given TTL value. 11 | -------------------------------------------------------------------------------- /extensions/libipt_ttl.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ttl --ttl-eq 0;=;OK 3 | -m ttl --ttl-eq 255;=;OK 4 | -m ttl ! --ttl-eq 0;=;OK 5 | -m ttl ! 
--ttl-eq 255;=;OK 6 | -m ttl --ttl-gt 0;=;OK 7 | # not possible to have anything greater than 255, TTL is 8-bit long 8 | # ERROR: should fail: iptables -A INPUT -m ttl --ttl-gt 255 9 | ## -m ttl --ttl-gt 255;;FAIL 10 | # not possible to have anything below 0 11 | # ERROR: should fail: iptables -A INPUT -m ttl --ttl-lt 0 12 | ## -m ttl --ttl-lt 0;;FAIL 13 | -m ttl --ttl-eq 256;;FAIL 14 | -m ttl --ttl-eq -1;;FAIL 15 | -m ttl;;FAIL 16 | -------------------------------------------------------------------------------- /extensions/libipt_ttl.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m ttl --ttl-eq 3 -j ACCEPT 2 | nft 'add rule ip filter INPUT ip ttl 3 counter accept' 3 | 4 | iptables-translate -A INPUT -m ttl --ttl-gt 5 -j ACCEPT 5 | nft 'add rule ip filter INPUT ip ttl gt 5 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_AUDIT.man: -------------------------------------------------------------------------------- 1 | This target creates audit records for packets hitting the target. 2 | It can be used to record accepted, dropped, and rejected packets. See 3 | auditd(8) for additional details. 4 | .TP 5 | \fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} 6 | Set type of audit record. Starting with linux-4.12, this option has no effect 7 | on generated audit messages anymore. It is still accepted by iptables for 8 | compatibility reasons, but ignored. 
9 | .PP 10 | Example: 11 | .IP 12 | iptables \-N AUDIT_DROP 13 | .IP 14 | iptables \-A AUDIT_DROP \-j AUDIT 15 | .IP 16 | iptables \-A AUDIT_DROP \-j DROP 17 | -------------------------------------------------------------------------------- /extensions/libxt_AUDIT.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j AUDIT --type accept;=;OK 3 | -j AUDIT --type drop;=;OK 4 | -j AUDIT --type reject;=;OK 5 | -j AUDIT;;FAIL 6 | -j AUDIT --type wrong;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_AUDIT.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -j AUDIT --type accept 2 | nft 'add rule ip filter INPUT counter log level audit' 3 | 4 | iptables-translate -t filter -A INPUT -j AUDIT --type drop 5 | nft 'add rule ip filter INPUT counter log level audit' 6 | 7 | iptables-translate -t filter -A INPUT -j AUDIT --type reject 8 | nft 'add rule ip filter INPUT counter log level audit' 9 | -------------------------------------------------------------------------------- /extensions/libxt_CHECKSUM.man: -------------------------------------------------------------------------------- 1 | This target selectively works around broken/old applications. 2 | It can only be used in the mangle table. 3 | .TP 4 | \fB\-\-checksum\-fill\fP 5 | Compute and fill in the checksum in a packet that lacks a checksum. 6 | This is particularly useful if you need to work around old applications, 7 | such as DHCP clients, that do not work well with checksum offloads 8 | but you do not want to disable checksum offload on your device. 
9 | -------------------------------------------------------------------------------- /extensions/libxt_CHECKSUM.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,POSTROUTING 2 | *mangle 3 | -j CHECKSUM --checksum-fill;=;OK 4 | -j CHECKSUM;;FAIL 5 | -------------------------------------------------------------------------------- /extensions/libxt_CLASSIFY.man: -------------------------------------------------------------------------------- 1 | This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). 2 | .TP 3 | \fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP 4 | Set the major and minor class value. The values are always interpreted as 5 | hexadecimal even if no 0x prefix is given. 6 | -------------------------------------------------------------------------------- /extensions/libxt_CLASSIFY.t: -------------------------------------------------------------------------------- 1 | :FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j CLASSIFY --set-class 0000:ffff;=;OK 4 | # maximum handle accepted by tc is 0xffff 5 | # ERROR : should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 0000:ffffffff 6 | # -j CLASSIFY --set-class 0000:ffffffff;;FAIL 7 | # ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1 8 | # -j CLASSIFY --set-class 1:-1;;FAIL 9 | -j CLASSIFY;;FAIL 10 | -------------------------------------------------------------------------------- /extensions/libxt_CLASSIFY.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0 2 | nft 'add rule ip filter OUTPUT counter meta priority set none' 3 | 4 | iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff 5 | nft 'add rule ip filter OUTPUT counter meta priority set root' 6 | 7 | iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234 8 | nft 'add rule ip filter OUTPUT 
counter meta priority set 1:234' 9 | -------------------------------------------------------------------------------- /extensions/libxt_CONNMARK.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j CONNMARK --restore-mark;-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff;OK 4 | -j CONNMARK --save-mark;-j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff;OK 5 | -j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;=;OK 6 | -j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;=;OK 7 | -j CONNMARK;;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libxt_CONNSECMARK.man: -------------------------------------------------------------------------------- 1 | This module copies security markings from packets to connections 2 | (if unlabeled), and from connections back to packets (also only 3 | if unlabeled). Typically used in conjunction with SECMARK, it is 4 | valid in the 5 | .B security 6 | table (for backwards compatibility with older kernels, it is also 7 | valid in the 8 | .B mangle 9 | table). 10 | .TP 11 | \fB\-\-save\fP 12 | If the packet has a security marking, copy it to the connection 13 | if the connection is not marked. 14 | .TP 15 | \fB\-\-restore\fP 16 | If the packet does not have a security marking, and the connection 17 | does, copy the security marking from the connection to the packet. 
18 | 19 | -------------------------------------------------------------------------------- /extensions/libxt_CONNSECMARK.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j CONNSECMARK --restore;=;OK 4 | -j CONNSECMARK --save;=;OK 5 | -j CONNSECMARK;;FAIL 6 | -------------------------------------------------------------------------------- /extensions/libxt_CT.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,OUTPUT 2 | *raw 3 | -j CT --notrack;=;OK 4 | -j CT --ctevents new,related,destroy,reply,assured,protoinfo,helper,mark;=;OK 5 | -j CT --expevents new;=;OK 6 | # ERROR: cannot find: iptables -I PREROUTING -t raw -j CT --zone 0 7 | # -j CT --zone 0;=;OK 8 | -j CT --zone 65535;=;OK 9 | -j CT --zone 65536;;FAIL 10 | -j CT --zone -1;;FAIL 11 | # ERROR: should fail: iptables -A PREROUTING -t raw -j CT 12 | # -j CT;;FAIL 13 | @nfct timeout add test inet tcp ESTABLISHED 100 14 | # cannot load: iptables -A PREROUTING -t raw -j CT --timeout test 15 | # -j CT --timeout test;=;OK 16 | @nfct timeout del test 17 | @nfct helper add rpc inet tcp 18 | # cannot load: iptables -A PREROUTING -t raw -j CT --helper rpc 19 | # -j CT --helper rpc;=;OK 20 | @nfct helper del rpc 21 | -------------------------------------------------------------------------------- /extensions/libxt_DSCP.man: -------------------------------------------------------------------------------- 1 | This target alters the value of the DSCP bits within the TOS 2 | header of the IPv4 packet. As this manipulates a packet, it can only 3 | be used in the mangle table. 4 | .TP 5 | \fB\-\-set\-dscp\fP \fIvalue\fP 6 | Set the DSCP field to a numerical value (can be decimal or hex) 7 | .TP 8 | \fB\-\-set\-dscp\-class\fP \fIclass\fP 9 | Set the DSCP field to a DiffServ class. 
10 | -------------------------------------------------------------------------------- /extensions/libxt_DSCP.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j DSCP --set-dscp 0x00;=;OK 4 | -j DSCP --set-dscp 0x3f;=;OK 5 | -j DSCP --set-dscp -1;;FAIL 6 | -j DSCP --set-dscp 0x40;;FAIL 7 | -j DSCP --set-dscp 0x3f --set-dscp-class CS0;;FAIL 8 | -j DSCP --set-dscp-class CS0;-j DSCP --set-dscp 0x00;OK 9 | -j DSCP --set-dscp-class BE;-j DSCP --set-dscp 0x00;OK 10 | -j DSCP --set-dscp-class EF;-j DSCP --set-dscp 0x2e;OK 11 | -j DSCP;;FAIL 12 | -------------------------------------------------------------------------------- /extensions/libxt_DSCP.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -j DSCP --set-dscp 1 2 | nft 'add rule ip filter OUTPUT counter ip dscp set 0x01' 3 | 4 | ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6 5 | nft 'add rule ip6 filter OUTPUT counter ip6 dscp set 0x06' 6 | -------------------------------------------------------------------------------- /extensions/libxt_IDLETIMER.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j IDLETIMER --timeout;;FAIL 3 | -j IDLETIMER --timeout 42;;FAIL 4 | -j IDLETIMER --timeout 42 --label foo;=;OK 5 | -j IDLETIMER --timeout 42 --label bar --alarm;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libxt_LED.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j LED;;FAIL 3 | -j LED --led-trigger-id "foo";=;OK 4 | -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libxt_MARK.t: 
-------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j MARK --set-xmark 0xfeedcafe/0xfeedcafe;=;OK 3 | -j MARK --set-xmark 0x0;-j MARK --set-xmark 0x0/0xffffffff;OK 4 | -j MARK --set-xmark 4294967295;-j MARK --set-xmark 0xffffffff/0xffffffff;OK 5 | -j MARK --set-xmark 4294967296;;FAIL 6 | -j MARK --set-xmark -1;;FAIL 7 | -j MARK;;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libxt_NETMAP.man: -------------------------------------------------------------------------------- 1 | This target allows you to statically map a whole network of addresses onto 2 | another network of addresses. It can only be used from rules in the 3 | .B nat 4 | table. 5 | .TP 6 | \fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP] 7 | Network address to map to. The resulting address will be constructed in the 8 | following way: All 'one' bits in the mask are filled in from the new `address'. 9 | All bits that are zero in the mask are filled in from the original address. 10 | .TP 11 | IPv6 support available since Linux kernels >= 3.7. 
12 | -------------------------------------------------------------------------------- /extensions/libxt_NFLOG.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0" 2 | nft 'add rule ip filter FORWARD counter log prefix "Prefix 1.0" group 32' 3 | 4 | iptables-translate -A OUTPUT -j NFLOG --nflog-group 30 5 | nft 'add rule ip filter OUTPUT counter log group 30' 6 | 7 | iptables-translate -I INPUT -j NFLOG --nflog-threshold 2 8 | nft 'insert rule ip filter INPUT counter log queue-threshold 2 group 0' 9 | 10 | iptables-translate -I INPUT -j NFLOG --nflog-size 256 11 | nft 'insert rule ip filter INPUT counter log snaplen 256 group 0' 12 | 13 | iptables-translate -I INPUT -j NFLOG --nflog-threshold 25 14 | nft 'insert rule ip filter INPUT counter log queue-threshold 25 group 0' 15 | -------------------------------------------------------------------------------- /extensions/libxt_NFQUEUE.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30 2 | nft 'add rule ip nat PREROUTING tcp dport 80 counter queue num 30' 3 | 4 | iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80 5 | nft 'add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass' 6 | 7 | iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout 8 | nft 'add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout' 9 | -------------------------------------------------------------------------------- /extensions/libxt_NOTRACK.man: -------------------------------------------------------------------------------- 1 | This extension disables connection tracking for all packets matching that rule. 2 | It is equivalent with \-j CT \-\-notrack. 
Like CT, NOTRACK can only be used in 3 | the \fBraw\fP table. 4 | -------------------------------------------------------------------------------- /extensions/libxt_NOTRACK.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,OUTPUT 2 | *raw 3 | -j NOTRACK;=;OK 4 | -------------------------------------------------------------------------------- /extensions/libxt_NOTRACK.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A PREROUTING -t raw -j NOTRACK 2 | nft 'add rule ip raw PREROUTING counter notrack' 3 | -------------------------------------------------------------------------------- /extensions/libxt_RATEEST.man: -------------------------------------------------------------------------------- 1 | The RATEEST target collects statistics, performs rate estimation calculation 2 | and saves the results for later evaluation using the \fBrateest\fP match. 3 | .TP 4 | \fB\-\-rateest\-name\fP \fIname\fP 5 | Count matched packets into the pool referred to by \fIname\fP, which can be 6 | chosen freely. 7 | .TP 8 | \fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP} 9 | Rate measurement interval, in seconds, milliseconds or microseconds. 10 | .TP 11 | \fB\-\-rateest\-ewmalog\fP \fIvalue\fP 12 | Rate measurement averaging time constant. 
13 | -------------------------------------------------------------------------------- /extensions/libxt_RATEEST.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms;=;OK 3 | -------------------------------------------------------------------------------- /extensions/libxt_REDIRECT.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,OUTPUT 2 | *nat 3 | -p tcp -j REDIRECT --to-ports 42;=;OK 4 | -p tcp -j REDIRECT --to-ports 0;=;OK 5 | -p tcp -j REDIRECT --to-ports 65535;=;OK 6 | -p tcp -j REDIRECT --to-ports 65536;;FAIL 7 | -p udp -j REDIRECT --to-ports 0-0;-p udp -j REDIRECT --to-ports 0;OK 8 | -p udp -j REDIRECT --to-ports 512-512;-p udp -j REDIRECT --to-ports 512;OK 9 | -p udp -j REDIRECT --to-ports 42-1234;=;OK 10 | -p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK 11 | -p tcp -j REDIRECT --to-ports 42-1234/567;;FAIL 12 | -p tcp -j REDIRECT --to-ports ssh;-p tcp -j REDIRECT --to-ports 22;OK 13 | -p tcp -j REDIRECT --to-ports ftp-data;-p tcp -j REDIRECT --to-ports 20;OK 14 | -p tcp -j REDIRECT --to-ports ftp-ssh;;FAIL 15 | -p tcp -j REDIRECT --to-ports 10-ssh;;FAIL 16 | -j REDIRECT --to-ports 42;;FAIL 17 | -j REDIRECT --random;=;OK 18 | -------------------------------------------------------------------------------- /extensions/libxt_SECMARK.man: -------------------------------------------------------------------------------- 1 | This is used to set the security mark value associated with the 2 | packet for use by security subsystems such as SELinux. It is 3 | valid in the 4 | .B security 5 | table (for backwards compatibility with older kernels, it is also 6 | valid in the 7 | .B mangle 8 | table). The mark is 32 bits wide. 
9 | .TP 10 | \fB\-\-selctx\fP \fIsecurity_context\fP 11 | -------------------------------------------------------------------------------- /extensions/libxt_SECMARK.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | *security 3 | -j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK 4 | -j SECMARK;;FAIL 5 | -------------------------------------------------------------------------------- /extensions/libxt_SET.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | # fails: foo does not exist 3 | -j SET --add-set foo src,dst;;FAIL 4 | -------------------------------------------------------------------------------- /extensions/libxt_SYNPROXY.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 9;;FAIL 3 | -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460;=;OK 4 | -------------------------------------------------------------------------------- /extensions/libxt_SYNPROXY.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t mangle -A INPUT -i iifname -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 2 | nft 'add rule ip mangle INPUT iifname "iifname" tcp dport 80 ct state invalid,untracked counter synproxy sack-perm timestamp wscale 7 mss 1460' 3 | -------------------------------------------------------------------------------- /extensions/libxt_TCPMSS.t: -------------------------------------------------------------------------------- 1 | :FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j TCPMSS;;FAIL 4 | -p tcp -j TCPMSS --set-mss 42;=;FAIL;LEGACY 5 | -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 42;=;OK 6 | -p tcp -m 
tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu;=;OK 7 | -------------------------------------------------------------------------------- /extensions/libxt_TCPMSS.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2 | nft 'add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu' 3 | 4 | iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90 5 | nft 'add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90' 6 | -------------------------------------------------------------------------------- /extensions/libxt_TCPOPTSTRIP.man: -------------------------------------------------------------------------------- 1 | This target will strip TCP options off a TCP packet. (It will actually replace 2 | them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters. 3 | .TP 4 | \fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...] 5 | Strip the given option(s). The options may be specified by TCP option number or 6 | by symbolic name. The list of recognized options can be obtained by calling 7 | iptables with \fB\-j TCPOPTSTRIP \-h\fP. 
8 | -------------------------------------------------------------------------------- /extensions/libxt_TCPOPTSTRIP.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j TCPOPTSTRIP;;FAIL 4 | -p tcp -j TCPOPTSTRIP;=;OK 5 | -p tcp -j TCPOPTSTRIP --strip-options 2,3,4,5,6,7;=;OK 6 | -p tcp -j TCPOPTSTRIP --strip-options 0;;FAIL 7 | -p tcp -j TCPOPTSTRIP --strip-options 1;;FAIL 8 | -p tcp -j TCPOPTSTRIP --strip-options 1,2;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libxt_TEE.man: -------------------------------------------------------------------------------- 1 | The \fBTEE\fP target will clone a packet and redirect this clone to another 2 | machine on the \fBlocal\fP network segment. In other words, the nexthop 3 | must be the target, or you will have to configure the nexthop to forward it 4 | further if so desired. 5 | .TP 6 | \fB\-\-gateway\fP \fIipaddr\fP 7 | Send the cloned packet to the host reachable at the given IP address. 8 | Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. 
9 | .PP 10 | To forward all incoming traffic on eth0 to an Network Layer logging box: 11 | .PP 12 | \-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1 13 | -------------------------------------------------------------------------------- /extensions/libxt_TEE.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -j TEE;;FAIL 3 | -------------------------------------------------------------------------------- /extensions/libxt_TEE.txlate: -------------------------------------------------------------------------------- 1 | # iptables-translate -t mangle -A PREROUTING -j TEE --gateway 192.168.0.2 --oif eth0 2 | # nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0 3 | # 4 | # iptables-translate -t mangle -A PREROUTING -j TEE --gateway 192.168.0.2 5 | # nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2 6 | 7 | ip6tables-translate -t mangle -A PREROUTING -j TEE --gateway ab12:00a1:1112:acba:: 8 | nft 'add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba::' 9 | 10 | ip6tables-translate -t mangle -A PREROUTING -j TEE --gateway ab12:00a1:1112:acba:: --oif eth0 11 | nft 'add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba:: device eth0' 12 | -------------------------------------------------------------------------------- /extensions/libxt_TOS.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -j TOS --set-tos 0x1f;-j TOS --set-tos 0x1f/0xff;OK 4 | -j TOS --set-tos 0x1f/0x1f;=;OK 5 | # maximum TOS is 0x1f (5 bits) 6 | # ERROR: should fail: iptables -A PREROUTING -t mangle -j TOS --set-tos 0xff 7 | # -j TOS --set-tos 0xff;;FAIL 8 | -j TOS --set-tos Minimize-Delay;-j TOS --set-tos 0x10/0x3f;OK 9 | -j TOS --set-tos Maximize-Throughput;-j TOS --set-tos 0x08/0x3f;OK 10 | -j TOS --set-tos Maximize-Reliability;-j TOS --set-tos 0x04/0x3f;OK 11 | -j TOS 
--set-tos Minimize-Cost;-j TOS --set-tos 0x02/0x3f;OK 12 | -j TOS --set-tos Normal-Service;-j TOS --set-tos 0x00/0x3f;OK 13 | -j TOS --and-tos 0x12;-j TOS --set-tos 0x00/0xed;OK 14 | -j TOS --or-tos 0x12;-j TOS --set-tos 0x12/0x12;OK 15 | -j TOS --xor-tos 0x12;-j TOS --set-tos 0x12/0x00;OK 16 | -j TOS;;FAIL 17 | -------------------------------------------------------------------------------- /extensions/libxt_TRACE.c: -------------------------------------------------------------------------------- 1 | /* Shared library add-on to iptables to add TRACE target support. */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | static int trace_xlate(struct xt_xlate *xl, 11 | const struct xt_xlate_tg_params *params) 12 | { 13 | xt_xlate_add(xl, "nftrace set 1"); 14 | return 1; 15 | } 16 | 17 | static struct xtables_target trace_target = { 18 | .family = NFPROTO_UNSPEC, 19 | .name = "TRACE", 20 | .version = XTABLES_VERSION, 21 | .size = XT_ALIGN(0), 22 | .userspacesize = XT_ALIGN(0), 23 | .xlate = trace_xlate, 24 | }; 25 | 26 | void _init(void) 27 | { 28 | xtables_register_target(&trace_target); 29 | } 30 | -------------------------------------------------------------------------------- /extensions/libxt_TRACE.man: -------------------------------------------------------------------------------- 1 | This target marks packets so that the kernel will log every rule which match 2 | the packets as those traverse the tables, chains, rules. It can only be used in 3 | the 4 | .BR raw 5 | table. 6 | .PP 7 | With iptables-legacy, a logging backend, such as ip(6)t_LOG or nfnetlink_log, 8 | must be loaded for this to be visible. 9 | The packets are logged with the string prefix: 10 | "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for 11 | plain rule, "return" for implicit rule at the end of a user defined chain 12 | and "policy" for the policy of the built in chains. 
13 | .PP 14 | With iptables-nft, the target is translated into nftables' 15 | .B "meta nftrace" 16 | expression. Hence the kernel sends trace events via netlink to userspace where 17 | they may be displayed using 18 | .B "xtables\-monitor \-\-trace" 19 | command. For details, refer to 20 | .BR xtables\-monitor (8). 21 | -------------------------------------------------------------------------------- /extensions/libxt_TRACE.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,OUTPUT 2 | *raw 3 | -j TRACE;=;OK 4 | -------------------------------------------------------------------------------- /extensions/libxt_TRACE.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t raw -A PREROUTING -j TRACE 2 | nft 'add rule ip raw PREROUTING counter nftrace set 1' 3 | -------------------------------------------------------------------------------- /extensions/libxt_addrtype.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m addrtype;;FAIL 3 | -m addrtype --src-type wrong;;FAIL 4 | -m addrtype --src-type UNSPEC;=;OK 5 | -m addrtype --dst-type UNSPEC;=;OK 6 | -m addrtype --src-type LOCAL --dst-type LOCAL;=;OK 7 | -m addrtype --dst-type UNSPEC;=;OK 8 | -m addrtype --limit-iface-in;;FAIL 9 | -m addrtype --limit-iface-out;;FAIL 10 | -m addrtype --limit-iface-in --limit-iface-out;;FAIL 11 | -m addrtype --src-type LOCAL --limit-iface-in --limit-iface-out;;FAIL 12 | :INPUT 13 | -m addrtype --src-type LOCAL --limit-iface-in;=;OK 14 | -m addrtype --dst-type LOCAL --limit-iface-in;=;OK 15 | :OUTPUT 16 | -m addrtype --src-type LOCAL --limit-iface-out;=;OK 17 | -m addrtype --dst-type LOCAL --limit-iface-out;=;OK 18 | -------------------------------------------------------------------------------- /extensions/libxt_addrtype.txlate: -------------------------------------------------------------------------------- 1 | 
iptables-translate -A INPUT -m addrtype --src-type LOCAL 2 | nft 'add rule ip filter INPUT fib saddr type local counter' 3 | 4 | iptables-translate -A INPUT -m addrtype --dst-type LOCAL 5 | nft 'add rule ip filter INPUT fib daddr type local counter' 6 | 7 | iptables-translate -A INPUT -m addrtype ! --dst-type ANYCAST,LOCAL 8 | nft 'add rule ip filter INPUT fib daddr type != { local, anycast } counter' 9 | 10 | iptables-translate -A INPUT -m addrtype --limit-iface-in --dst-type ANYCAST,LOCAL 11 | nft 'add rule ip filter INPUT fib daddr . iif type { local, anycast } counter' 12 | -------------------------------------------------------------------------------- /extensions/libxt_bpf.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m bpf --bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";=;OK 3 | -------------------------------------------------------------------------------- /extensions/libxt_cgroup.t: -------------------------------------------------------------------------------- 1 | :INPUT,OUTPUT,POSTROUTING 2 | *mangle 3 | -m cgroup --cgroup 1;=;OK 4 | -m cgroup ! --cgroup 1;=;OK 5 | -m cgroup --path "/";=;OK 6 | -m cgroup ! --path "/";=;OK 7 | -m cgroup --cgroup 1 --path "/";;FAIL 8 | -m cgroup ;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libxt_cgroup.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT 2 | nft 'add rule ip filter INPUT meta cgroup 0 counter accept' 3 | 4 | iptables-translate -t filter -A INPUT -m cgroup ! 
--cgroup 0 -j ACCEPT 5 | nft 'add rule ip filter INPUT meta cgroup != 0 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_cluster.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,POSTROUTING 2 | *mangle 3 | -m cluster;;FAIL 4 | -m cluster --cluster-total-nodes 3;;FAIL 5 | -m cluster --cluster-total-nodes 2 --cluster-local-node 2;;FAIL 6 | -m cluster --cluster-total-nodes 2 --cluster-local-node 3 --cluster-hash-seed;;FAIL 7 | # 8 | # outputs --cluster-local-nodemask instead of --cluster-local-node 9 | # 10 | -m cluster --cluster-total-nodes 2 --cluster-local-node 2 --cluster-hash-seed 0xfeedcafe;-m cluster --cluster-local-nodemask 0x00000002 --cluster-total-nodes 2 --cluster-hash-seed 0xfeedcafe;OK 11 | -------------------------------------------------------------------------------- /extensions/libxt_comment.man: -------------------------------------------------------------------------------- 1 | Allows you to add comments (up to 256 characters) to any rule. 
2 | .TP 3 | \fB\-\-comment\fP \fIcomment\fP 4 | .TP 5 | Example: 6 | iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" 7 | -------------------------------------------------------------------------------- /extensions/libxt_comment.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block" 2 | nft 'add rule ip filter INPUT ip saddr 192.168.0.0 counter comment "A privatized IP block"' 3 | 4 | iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar" 5 | nft 'add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment "foobar"' 6 | 7 | iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment 8 | nft 'add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter drop comment "singlecomment"' 9 | -------------------------------------------------------------------------------- /extensions/libxt_connbytes.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -m connbytes --connbytes 200 --connbytes-dir original --connbytes-mode packets 2 | nft 'add rule ip filter OUTPUT ct original packets ge 200 counter' 3 | 4 | iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 --connbytes-dir reply --connbytes-mode packets 5 | nft 'add rule ip filter OUTPUT ct reply packets lt 200 counter' 6 | 7 | iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 --connbytes-dir both --connbytes-mode bytes 8 | nft 'add rule ip filter OUTPUT ct bytes 200-600 counter' 9 | 10 | iptables-translate -A OUTPUT -m connbytes ! 
--connbytes 200:600 --connbytes-dir both --connbytes-mode bytes 11 | nft 'add rule ip filter OUTPUT ct bytes != 200-600 counter' 12 | 13 | iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 --connbytes-dir both --connbytes-mode avgpkt 14 | nft 'add rule ip filter OUTPUT ct avgpkt 200 counter' 15 | -------------------------------------------------------------------------------- /extensions/libxt_connlabel.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m connlabel --label "40";=;OK 3 | -m connlabel ! --label "40";=;OK 4 | -m connlabel --label "41" --set;=;OK 5 | -m connlabel ! --label "41" --set;=;OK 6 | -m connlabel --label "2048";;FAIL 7 | -m connlabel --label "foobar_not_there";;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libxt_connlabel.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m connlabel --label 40 2 | nft 'add rule ip filter INPUT ct label 40 counter' 3 | 4 | iptables-translate -A INPUT -m connlabel ! 
--label 40 --set 5 | nft 'add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter' 6 | -------------------------------------------------------------------------------- /extensions/libxt_connlimit.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m connlimit --connlimit-upto -1;;FAIL 3 | -m connlimit --connlimit-above -1;;FAIL 4 | -m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL 5 | -m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL 6 | -m connlimit;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_connmark.man: -------------------------------------------------------------------------------- 1 | This module matches the netfilter mark field associated with a connection 2 | (which can be set using the \fBCONNMARK\fP target below). 3 | .TP 4 | [\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] 5 | Matches packets in connections with the given mark value (if a mask is 6 | specified, this is logically ANDed with the mark before the comparison). 
7 | -------------------------------------------------------------------------------- /extensions/libxt_connmark.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,FORWARD,OUTPUT,POSTROUTING 2 | *mangle 3 | -m connmark --mark 0xffffffff;=;OK 4 | -m connmark --mark 0xffffffff/0xffffffff;-m connmark --mark 0xffffffff;OK 5 | -m connmark --mark 0xffffffff/0x0;=;OK 6 | -m connmark --mark 0/0xffffffff;-m connmark --mark 0x0;OK 7 | -m connmark --mark -1;;FAIL 8 | -m connmark --mark 0xfffffffff;;FAIL 9 | -m connmark;;FAIL 10 | -------------------------------------------------------------------------------- /extensions/libxt_connmark.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT 2 | nft 'add rule ip filter INPUT ct mark 0x2 counter accept' 3 | 4 | iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT 5 | nft 'add rule ip filter INPUT ct mark != 0x2 counter accept' 6 | 7 | iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT 8 | nft 'add rule ip filter INPUT ct mark and 0xa == 0xa counter accept' 9 | 10 | iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT 11 | nft 'add rule ip filter INPUT ct mark and 0xa != 0xa counter accept' 12 | 13 | iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40 14 | nft 'add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter' 15 | -------------------------------------------------------------------------------- /extensions/libxt_cpu.man: -------------------------------------------------------------------------------- 1 | .TP 2 | [\fB!\fP] \fB\-\-cpu\fP \fInumber\fP 3 | Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS\-1 4 | Can be used in combination with RPS (Remote Packet Steering) or 5 | multiqueue NICs to spread network traffic on different queues. 
6 | .PP 7 | Example: 8 | .PP 9 | iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 10 | \-j REDIRECT \-\-to\-ports 8080 11 | .PP 12 | iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 13 | \-j REDIRECT \-\-to\-ports 8081 14 | .PP 15 | Available since Linux 2.6.36. 16 | -------------------------------------------------------------------------------- /extensions/libxt_cpu.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m cpu --cpu 0;=;OK 3 | -m cpu ! --cpu 0;=;OK 4 | -m cpu --cpu 4294967295;=;OK 5 | -m cpu --cpu 4294967296;;FAIL 6 | -m cpu;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_cpu.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT 2 | nft 'add rule ip filter INPUT tcp dport 80 cpu 0 counter accept' 3 | 4 | iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT 5 | nft 'add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_dccp.man: -------------------------------------------------------------------------------- 1 | .TP 2 | [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] 3 | .TP 4 | [\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] 5 | .TP 6 | [\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP 7 | Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated 8 | list of packet types. Packet types are: 9 | .BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" . 10 | .TP 11 | [\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP 12 | Match if DCCP option set. 
13 | -------------------------------------------------------------------------------- /extensions/libxt_devgroup.man: -------------------------------------------------------------------------------- 1 | Match device group of a packet's incoming/outgoing interface. 2 | .TP 3 | [\fB!\fP] \fB\-\-src\-group\fP \fIname\fP 4 | Match device group of incoming device 5 | .TP 6 | [\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP 7 | Match device group of outgoing device 8 | -------------------------------------------------------------------------------- /extensions/libxt_dscp.man: -------------------------------------------------------------------------------- 1 | This module matches the 6 bit DSCP field within the TOS field in the 2 | IP header. DSCP has superseded TOS within the IETF. 3 | .TP 4 | [\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP 5 | Match against a numeric (decimal or hex) value in the range 0\(en63. 6 | .TP 7 | [\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP 8 | Match the DiffServ class. This value may be any of the 9 | BE, EF, AFxx or CSx classes. It will then be converted 10 | into its according numeric value. 
11 | -------------------------------------------------------------------------------- /extensions/libxt_dscp.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m dscp --dscp 0x00;=;OK 3 | -m dscp --dscp 0x3f;=;OK 4 | -m dscp --dscp -1;;FAIL 5 | -m dscp --dscp 0x40;;FAIL 6 | -m dscp --dscp 0x3f --dscp-class CS0;;FAIL 7 | -m dscp --dscp-class CS0;-m dscp --dscp 0x00;OK 8 | -m dscp --dscp-class BE;-m dscp --dscp 0x00;OK 9 | -m dscp --dscp-class EF;-m dscp --dscp 0x2e;OK 10 | -m dscp;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libxt_dscp.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT 2 | nft 'add rule ip filter INPUT ip dscp 0x32 counter accept' 3 | 4 | ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT 5 | nft 'add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_ecn.man: -------------------------------------------------------------------------------- 1 | This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168 2 | .TP 3 | [\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP 4 | This matches if the TCP ECN CWR (Congestion Window Received) bit is set. 5 | .TP 6 | [\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP 7 | This matches if the TCP ECN ECE (ECN Echo) bit is set. 8 | .TP 9 | [\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP 10 | This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify 11 | a number between `0' and `3'. 
12 | -------------------------------------------------------------------------------- /extensions/libxt_ecn.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ecn --ecn-tcp-cwr;;FAIL 3 | -p tcp -m ecn --ecn-tcp-cwr;=;OK 4 | -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 2;=;OK 5 | -p tcp -m ecn ! --ecn-tcp-ece ! --ecn-tcp-cwr ! --ecn-ip-ect 2;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libxt_esp.man: -------------------------------------------------------------------------------- 1 | This module matches the SPIs in ESP header of IPsec packets. 2 | .TP 3 | [\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] 4 | -------------------------------------------------------------------------------- /extensions/libxt_esp.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -p esp -m esp --espspi 0;=;OK 3 | -p esp -m esp --espspi :32;-p esp -m esp --espspi 0:32;OK 4 | -p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK 5 | -p esp -m esp ! --espspi 0:4294967294;=;OK 6 | -p esp -m esp --espspi -1;;FAIL 7 | -p esp -m esp --espspi :;-p esp -m esp;OK 8 | -p esp -m esp ! --espspi :;-p esp -m esp ! 
--espspi 0:4294967295;OK 9 | -p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK 10 | -p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK 11 | -p esp -m esp --espspi 3:4;=;OK 12 | -p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK 13 | -p esp -m esp --espspi 4:3;;FAIL 14 | -p esp -m esp;=;OK 15 | -m esp;;FAIL 16 | -------------------------------------------------------------------------------- /extensions/libxt_hashlimit.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip --hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW -j DROP 2 | nft 'add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second burst 1 mbytes } ct state new counter drop' 3 | 4 | iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP 5 | nft 'add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets } ct state new counter drop' 6 | -------------------------------------------------------------------------------- /extensions/libxt_helper.man: -------------------------------------------------------------------------------- 1 | This module matches packets related to a specific conntrack helper. 2 | .TP 3 | [\fB!\fP] \fB\-\-helper\fP \fIstring\fP 4 | Matches packets related to the specified conntrack helper. 5 | .RS 6 | .PP 7 | string can be "ftp" for packets related to an FTP session on default port. 8 | For other ports, append \-\-portnr to the value, ie. "ftp\-2121". 9 | .PP 10 | Same rules apply for other conntrack helpers. 
11 | .RE 12 | -------------------------------------------------------------------------------- /extensions/libxt_helper.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m helper --helper ftp;=;OK 3 | # should be OK? 4 | # ERROR: should fail: iptables -A INPUT -m helper --helper wrong 5 | # -m helper --helper wrong;;FAIL 6 | -m helper;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_helper.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A FORWARD -m helper --helper sip 2 | nft 'add rule ip filter FORWARD ct helper "sip" counter' 3 | 4 | iptables-translate -A FORWARD -m helper ! --helper ftp 5 | nft 'add rule ip filter FORWARD ct helper != "ftp" counter' 6 | -------------------------------------------------------------------------------- /extensions/libxt_ipcomp.c.man: -------------------------------------------------------------------------------- 1 | This module matches the parameters in IPcomp header of IPsec packets. 2 | .TP 3 | [\fB!\fP] \fB\-\-ipcompspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] 4 | Matches IPcomp header CPI value. 5 | -------------------------------------------------------------------------------- /extensions/libxt_ipcomp.t: -------------------------------------------------------------------------------- 1 | :INPUT,OUTPUT 2 | -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK 3 | -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK 4 | -p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK 5 | -p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp ! 
--ipcompspi 0:4294967295;OK 6 | -p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK 7 | -p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK 8 | -p ipcomp -m ipcomp --ipcompspi 3:4;=;OK 9 | -p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK 10 | -p ipcomp -m ipcomp --ipcompspi 4:3;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libxt_ipcomp.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT 2 | nft 'add rule ip filter INPUT comp cpi 18 counter accept' 3 | 4 | iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT 5 | nft 'add rule ip filter INPUT comp cpi != 18 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_iprange.man: -------------------------------------------------------------------------------- 1 | This matches on a given arbitrary range of IP addresses. 2 | .TP 3 | [\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] 4 | Match source IP in the specified range. 5 | .TP 6 | [\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] 7 | Match destination IP in the specified range. 8 | -------------------------------------------------------------------------------- /extensions/libxt_iprange.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m iprange;;FAIL 3 | -------------------------------------------------------------------------------- /extensions/libxt_ipvs.man: -------------------------------------------------------------------------------- 1 | Match IPVS connection properties. 
2 | .TP 3 | [\fB!\fP] \fB\-\-ipvs\fP 4 | packet belongs to an IPVS connection 5 | .TP 6 | Any of the following options implies \-\-ipvs (even negated) 7 | .TP 8 | [\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP 9 | VIP protocol to match; by number or name, e.g. "tcp" 10 | .TP 11 | [\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] 12 | VIP address to match 13 | .TP 14 | [\fB!\fP] \fB\-\-vport\fP \fIport\fP 15 | VIP port to match; by number or name, e.g. "http" 16 | .TP 17 | \fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} 18 | flow direction of packet 19 | .TP 20 | [\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} 21 | IPVS forwarding method used 22 | .TP 23 | [\fB!\fP] \fB\-\-vportctl\fP \fIport\fP 24 | VIP port of the controlling connection to match, e.g. 21 for FTP 25 | -------------------------------------------------------------------------------- /extensions/libxt_ipvs.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m ipvs --ipvs;=;OK 3 | -m ipvs ! --ipvs;=;OK 4 | -m ipvs --vproto tcp;-m ipvs --vproto 6;OK 5 | -m ipvs ! --vproto TCP;-m ipvs ! --vproto 6;OK 6 | -m ipvs --vproto 23;=;OK 7 | -m ipvs --vport http;-m ipvs --vport 80;OK 8 | -m ipvs ! --vport ssh;-m ipvs ! --vport 22;OK 9 | -m ipvs --vport 22;=;OK 10 | -m ipvs ! --vport 443;=;OK 11 | -m ipvs --vdir ORIGINAL;=;OK 12 | -m ipvs --vdir REPLY;=;OK 13 | -m ipvs --vmethod GATE;=;OK 14 | -m ipvs ! --vmethod IPIP;=;OK 15 | -m ipvs --vmethod MASQ;=;OK 16 | -m ipvs --vportctl 21;=;OK 17 | -m ipvs ! --vportctl 21;=;OK 18 | -------------------------------------------------------------------------------- /extensions/libxt_length.man: -------------------------------------------------------------------------------- 1 | This module matches the length of the layer-3 payload (e.g. layer-4 packet) 2 | of a packet against a specific value 3 | or range of values. 
4 | .TP 5 | [\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] 6 | -------------------------------------------------------------------------------- /extensions/libxt_length.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m length --length 1;=;OK 3 | -m length --length :2;-m length --length 0:2;OK 4 | -m length --length 0:3;=;OK 5 | -m length --length 4:;-m length --length 4:65535;OK 6 | -m length --length :;-m length --length 0:65535;OK 7 | -m length --length 0:65535;=;OK 8 | -m length ! --length 0:65535;=;OK 9 | -m length --length 0:65536;;FAIL 10 | -m length --length -1:65535;;FAIL 11 | -m length --length 4:4;-m length --length 4;OK 12 | -m length --length 4:3;;FAIL 13 | -m length;;FAIL 14 | -------------------------------------------------------------------------------- /extensions/libxt_length.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP 2 | nft 'add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop' 3 | 4 | iptables-translate -A INPUT -p udp -m length --length :400 5 | nft 'add rule ip filter INPUT ip protocol udp meta length 0-400 counter' 6 | 7 | iptables-translate -A INPUT -p udp -m length --length 40 8 | nft 'add rule ip filter INPUT ip protocol udp meta length 40 counter' 9 | 10 | iptables-translate -A INPUT -p udp -m length ! --length 40 11 | nft 'add rule ip filter INPUT ip protocol udp meta length != 40 counter' 12 | -------------------------------------------------------------------------------- /extensions/libxt_limit.man: -------------------------------------------------------------------------------- 1 | This module matches at a limited rate using a token bucket filter. 2 | A rule using this extension will match until this limit is reached. 
3 | It can be used in combination with the 4 | .B LOG 5 | target to give limited logging, for example. 6 | .PP 7 | xt_limit has no negation support \(em you will have to use \-m hashlimit ! 8 | \-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. 9 | .TP 10 | \fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] 11 | Maximum average matching rate: specified as a number, with an optional 12 | `/second', `/minute', `/hour', or `/day' suffix; the default is 13 | 3/hour. 14 | .TP 15 | \fB\-\-limit\-burst\fP \fInumber\fP 16 | Maximum initial number of packets to match: this number gets 17 | recharged by one every time the limit specified above is not reached, 18 | up to this number; the default is 5. 19 | -------------------------------------------------------------------------------- /extensions/libxt_limit.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m limit --limit 1/sec;=;OK 3 | -m limit --limit 1/min;=;OK 4 | -m limit --limit 1000/hour;=;OK 5 | -m limit --limit 1000/day;=;OK 6 | -m limit --limit 1/sec --limit-burst 1;=;OK 7 | -------------------------------------------------------------------------------- /extensions/libxt_limit.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3 2 | nft 'add rule ip filter INPUT limit rate 3/minute burst 3 packets counter' 3 | 4 | iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5 5 | nft 'add rule ip filter INPUT limit rate 10/second burst 5 packets counter' 6 | 7 | iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0 8 | nft 'add rule ip filter INPUT limit rate 10/second counter' 9 | -------------------------------------------------------------------------------- /extensions/libxt_mac.man: -------------------------------------------------------------------------------- 1 | .TP 2 | 
[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP 3 | Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. 4 | Note that this only makes sense for packets coming from an Ethernet device 5 | and entering the 6 | .BR PREROUTING , 7 | .B FORWARD 8 | or 9 | .B INPUT 10 | chains. 11 | -------------------------------------------------------------------------------- /extensions/libxt_mac.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m mac --mac-source 42:01:02:03:04:05;=;OK 3 | -m mac --mac-source 42:01:02:03:04;=;FAIL 4 | -m mac --mac-source 42:01:02:03:04:05:06;=;FAIL 5 | -m mac;;FAIL 6 | -------------------------------------------------------------------------------- /extensions/libxt_mac.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP 2 | nft 'add rule ip filter INPUT ether saddr 0a:12:3e:4f:b2:c6 counter drop' 3 | 4 | iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT 5 | nft 'add rule ip filter INPUT tcp dport 80 ether saddr 0a:12:3e:4f:b2:c6 counter accept' 6 | -------------------------------------------------------------------------------- /extensions/libxt_mark.man: -------------------------------------------------------------------------------- 1 | This module matches the netfilter mark field associated with a packet 2 | (which can be set using the 3 | .B MARK 4 | target below). 5 | .TP 6 | [\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] 7 | Matches packets with the given unsigned mark value (if a \fImask\fP is 8 | specified, this is logically ANDed with the \fImask\fP before the 9 | comparison). 
10 | -------------------------------------------------------------------------------- /extensions/libxt_mark.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m mark --mark 0xfeedcafe/0xfeedcafe;=;OK 3 | -m mark --mark 0x0;=;OK 4 | -m mark --mark 4294967295;-m mark --mark 0xffffffff;OK 5 | -m mark --mark 4294967296;;FAIL 6 | -m mark --mark -1;;FAIL 7 | -m mark;;FAIL 8 | -m mark --mark 0x0/0xff0;=;OK 9 | -------------------------------------------------------------------------------- /extensions/libxt_mark.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa 2 | nft 'insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter' 3 | 4 | iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1 5 | nft 'insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter' 6 | -------------------------------------------------------------------------------- /extensions/libxt_multiport.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT 2 | nft 'add rule ip filter INPUT ip protocol tcp tcp dport { 80, 81 } counter accept' 3 | 4 | iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT 5 | nft 'add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept' 6 | 7 | iptables-translate -t filter -A INPUT -p tcp -m multiport ! --dports 80:88 -j ACCEPT 8 | nft 'add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept' 9 | 10 | iptables-translate -t filter -A INPUT -p tcp -m multiport --sports 50 -j ACCEPT 11 | nft 'add rule ip filter INPUT ip protocol tcp tcp sport 50 counter accept' 12 | 13 | iptables-translate -t filter -I INPUT -p tcp -m multiport --ports 10 14 | nft 'insert rule ip filter INPUT ip protocol tcp tcp sport . 
tcp dport { 0-65535 . 10, 10 . 0-65535 } counter' 15 | -------------------------------------------------------------------------------- /extensions/libxt_nfacct.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | @nfacct add test 3 | # 4 | # extra space in iptables-save output, fix it 5 | # 6 | # ERROR: cannot load: iptables -A INPUT -m nfacct --nfacct-name test 7 | #-m nfacct --nfacct-name test;=;OK 8 | -m nfacct --nfacct-name wrong;;FAIL 9 | -m nfacct;;FAIL 10 | @nfacct del test 11 | -------------------------------------------------------------------------------- /extensions/libxt_owner.t: -------------------------------------------------------------------------------- 1 | :OUTPUT,POSTROUTING 2 | *mangle 3 | -m owner --uid-owner root;-m owner --uid-owner 0;OK 4 | -m owner --uid-owner 0-10;=;OK 5 | -m owner --gid-owner root;-m owner --gid-owner 0;OK 6 | -m owner --gid-owner 0-10;=;OK 7 | -m owner --uid-owner root --gid-owner root;-m owner --uid-owner 0 --gid-owner 0;OK 8 | -m owner --uid-owner 0-10 --gid-owner 0-10;=;OK 9 | -m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK 10 | -m owner --socket-exists;=;OK 11 | -m owner --gid-owner 0-10 --suppl-groups;=;OK 12 | -m owner --suppl-groups --gid-owner 0-10;;FAIL 13 | -m owner --gid-owner 0-10 ! 
--suppl-groups;;FAIL 14 | -m owner --suppl-groups;;FAIL 15 | :INPUT 16 | -m owner --uid-owner root;;FAIL 17 | -------------------------------------------------------------------------------- /extensions/libxt_owner.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT 2 | nft 'add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept' 3 | 4 | iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT 5 | nft 'add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept' 6 | 7 | iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner 1000 -j ACCEPT 8 | nft 'add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept' 9 | -------------------------------------------------------------------------------- /extensions/libxt_physdev.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m physdev --physdev-in lo;=;OK 3 | -m physdev --physdev-is-in --physdev-in lo;=;OK 4 | :OUTPUT,FORWARD 5 | # xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. 6 | # ERROR: should fail: iptables -A FORWARD -m physdev --physdev-out lo 7 | #-m physdev --physdev-out lo;;FAIL 8 | # ERROR: cannot load: iptables -A OUTPUT -m physdev --physdev-is-out --physdev-out lo 9 | #-m physdev --physdev-is-out --physdev-out lo;=;OK 10 | :FORWARD 11 | -m physdev --physdev-in lo --physdev-is-bridged;=;OK 12 | :POSTROUTING 13 | *mangle 14 | -m physdev --physdev-out lo --physdev-is-bridged;=;OK 15 | -------------------------------------------------------------------------------- /extensions/libxt_pkttype.man: -------------------------------------------------------------------------------- 1 | This module matches the link-layer packet type. 
2 | .TP 3 | [\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP} 4 | -------------------------------------------------------------------------------- /extensions/libxt_pkttype.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m pkttype --pkt-type unicast;=;OK 3 | -m pkttype --pkt-type broadcast;=;OK 4 | -m pkttype --pkt-type multicast;=;OK 5 | -m pkttype --pkt-type wrong;;FAIL 6 | -m pkttype;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_pkttype.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m pkttype --pkt-type broadcast -j DROP 2 | nft 'add rule ip filter INPUT pkttype broadcast counter drop' 3 | 4 | iptables-translate -A INPUT -m pkttype ! --pkt-type unicast -j DROP 5 | nft 'add rule ip filter INPUT pkttype != unicast counter drop' 6 | 7 | iptables-translate -A INPUT -m pkttype --pkt-type multicast -j ACCEPT 8 | nft 'add rule ip filter INPUT pkttype multicast counter accept' 9 | -------------------------------------------------------------------------------- /extensions/libxt_policy.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD 2 | -m policy --dir in --pol ipsec;=;OK 3 | -m policy --dir in --pol ipsec --proto ipcomp;=;OK 4 | -m policy --dir in --pol ipsec --strict;;FAIL 5 | -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp;=;OK 6 | -------------------------------------------------------------------------------- /extensions/libxt_policy.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m policy --pol ipsec --dir in 2 | nft 'add rule ip filter INPUT meta secpath exists counter' 3 | 4 | iptables-translate -A INPUT -m policy --pol none --dir in 5 | nft 'add rule ip filter INPUT meta secpath 
missing counter' 6 | -------------------------------------------------------------------------------- /extensions/libxt_quota.man: -------------------------------------------------------------------------------- 1 | Implements network quotas by decrementing a byte counter with each 2 | packet. The condition matches until the byte counter reaches zero. Behavior 3 | is reversed with negation (i.e. the condition does not match until the 4 | byte counter reaches zero). 5 | .TP 6 | [\fB!\fP] \fB\-\-quota\fP \fIbytes\fP 7 | The quota in bytes. 8 | -------------------------------------------------------------------------------- /extensions/libxt_quota.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m quota --quota 0;=;OK 3 | -m quota ! --quota 0;=;OK 4 | -m quota --quota 18446744073709551615;=;OK 5 | -m quota ! --quota 18446744073709551615;=;OK 6 | -m quota --quota 18446744073709551616;;FAIL 7 | -m quota;;FAIL 8 | -------------------------------------------------------------------------------- /extensions/libxt_quota.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -m quota --quota 111 2 | nft 'add rule ip filter OUTPUT quota 111 bytes counter' 3 | 4 | iptables-translate -A OUTPUT -m quota ! 
--quota 111 5 | nft 'add rule ip filter OUTPUT quota over 111 bytes counter' 6 | -------------------------------------------------------------------------------- /extensions/libxt_recent.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m recent --set --rttl;;FAIL 3 | -------------------------------------------------------------------------------- /extensions/libxt_rpfilter.t: -------------------------------------------------------------------------------- 1 | :PREROUTING 2 | *mangle 3 | -m rpfilter;=;OK 4 | -m rpfilter --loose --validmark --accept-local --invert;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libxt_rpfilter.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -t mangle -A PREROUTING -m rpfilter 2 | nft 'add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter' 3 | 4 | iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark --loose 5 | nft 'add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter' 6 | 7 | ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark --invert 8 | nft 'add rule ip6 mangle PREROUTING fib saddr . mark . 
iif oif 0 counter' 9 | -------------------------------------------------------------------------------- /extensions/libxt_set.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m set --match-set foo;;FAIL 3 | # fails: foo does not exist 4 | -m set --match-set foo src,dst;;FAIL 5 | -------------------------------------------------------------------------------- /extensions/libxt_socket.t: -------------------------------------------------------------------------------- 1 | :PREROUTING,INPUT 2 | *mangle 3 | -m socket;=;OK 4 | -m socket --transparent --nowildcard;=;OK 5 | -m socket --transparent --nowildcard --restore-skmark;=;OK 6 | -m socket --transparent --restore-skmark;=;OK 7 | -m socket --nowildcard --restore-skmark;=;OK 8 | -m socket --restore-skmark;=;OK 9 | -------------------------------------------------------------------------------- /extensions/libxt_standard.c: -------------------------------------------------------------------------------- 1 | /* Shared library add-on to iptables for standard target support. */ 2 | #include 3 | #include 4 | 5 | static void standard_help(void) 6 | { 7 | printf( 8 | "standard match options:\n" 9 | "(If target is DROP, ACCEPT, RETURN or nothing)\n"); 10 | } 11 | 12 | static struct xtables_target standard_target = { 13 | .family = NFPROTO_UNSPEC, 14 | .name = "standard", 15 | .version = XTABLES_VERSION, 16 | .size = XT_ALIGN(sizeof(int)), 17 | .userspacesize = XT_ALIGN(sizeof(int)), 18 | .help = standard_help, 19 | }; 20 | 21 | void _init(void) 22 | { 23 | xtables_register_target(&standard_target); 24 | } 25 | -------------------------------------------------------------------------------- /extensions/libxt_standard.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -p tcp -j ACCEPT;=;OK 3 | ! -p udp -j ACCEPT;=;OK 4 | -j DROP;=;OK 5 | -j ACCEPT;=;OK 6 | -j RETURN;=;OK 7 | ! 
-p 0 -j ACCEPT;=;FAIL 8 | :FORWARD 9 | -i + -p tcp;-p tcp;OK 10 | -------------------------------------------------------------------------------- /extensions/libxt_state.man: -------------------------------------------------------------------------------- 1 | The "state" extension is a subset of the "conntrack" module. 2 | "state" allows access to the connection tracking state for this packet. 3 | .TP 4 | [\fB!\fP] \fB\-\-state\fP \fIstate\fP 5 | Where state is a comma-separated list of the connection states to match. Only a 6 | subset of the states understood by "conntrack" is recognized: \fBINVALID\fP, 7 | \fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their 8 | description, see the "conntrack" heading in this manpage. 9 | -------------------------------------------------------------------------------- /extensions/libxt_state.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m state --state INVALID;=;OK 3 | -m state --state NEW,RELATED;=;OK 4 | -m state --state UNTRACKED;=;OK 5 | -m state wrong;;FAIL 6 | -m state;;FAIL 7 | -------------------------------------------------------------------------------- /extensions/libxt_statistic.man: -------------------------------------------------------------------------------- 1 | This module matches packets based on some statistic condition. 2 | It supports two distinct modes settable with the 3 | \fB\-\-mode\fP 4 | option. 5 | .PP 6 | Supported options: 7 | .TP 8 | \fB\-\-mode\fP \fImode\fP 9 | Set the matching mode of the rule; the supported modes are 10 | .B random 11 | and 12 | .B nth. 13 | .TP 14 | [\fB!\fP] \fB\-\-probability\fP \fIp\fP 15 | Set the probability for a packet to be randomly matched. It only works with the 16 | \fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported 17 | granularity is in 1/2147483648th increments. 18 | .TP 19 | [\fB!\fP] \fB\-\-every\fP \fIn\fP 20 | Match one packet every nth packet. 
It works only with the 21 | .B nth 22 | mode (see also the 23 | \fB\-\-packet\fP 24 | option). 25 | .TP 26 | \fB\-\-packet\fP \fIp\fP 27 | Set the initial counter value (0 <= p <= n\-1, default 0) for the 28 | .B nth 29 | mode. 30 | -------------------------------------------------------------------------------- /extensions/libxt_statistic.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m statistic;;FAIL 3 | -m statistic --mode random ! --probability 0.50000000000;=;OK 4 | -m statistic --mode random ! --probability 1.1;;FAIL 5 | -m statistic --probability 1;;FAIL 6 | -m statistic --mode nth ! --every 5 --packet 2;=;OK 7 | -m statistic --mode nth ! --every 5;;FAIL 8 | -m statistic --mode nth ! --every 5 --packet 5;;FAIL 9 | -------------------------------------------------------------------------------- /extensions/libxt_statistic.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A OUTPUT -m statistic --mode nth --every 10 --packet 1 2 | nft 'add rule ip filter OUTPUT numgen inc mod 10 1 counter' 3 | 4 | iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 --packet 5 5 | nft 'add rule ip filter OUTPUT numgen inc mod 10 != 5 counter' 6 | 7 | iptables-translate -A OUTPUT -m statistic --mode random --probability 0.1 8 | nft 'add rule ip filter OUTPUT meta random & 2147483647 < 214748365 counter' 9 | -------------------------------------------------------------------------------- /extensions/libxt_string.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m string --algo bm --string "test";-m string --string "test" --algo bm;OK 3 | -m string --string "test" --algo kmp;=;OK 4 | -m string ! 
--string "test" --algo kmp;=;OK 5 | -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK 6 | -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL 7 | -m string --hex-string "|0a0a0a0a|" --algo bm;=;OK 8 | -m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK 9 | -m string --algo wrong;;FAIL 10 | -m string --algo bm;;FAIL 11 | -m string;;FAIL 12 | -------------------------------------------------------------------------------- /extensions/libxt_tcpmss.man: -------------------------------------------------------------------------------- 1 | This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. 2 | .TP 3 | [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] 4 | Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP. 
5 | -------------------------------------------------------------------------------- /extensions/libxt_tcpmss.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m tcpmss --mss 42;;FAIL 3 | -p tcp -m tcpmss --mss 42;=;OK 4 | -p tcp -m tcpmss --mss :;-p tcp -m tcpmss --mss 0:65535;OK 5 | -p tcp -m tcpmss --mss :42;-p tcp -m tcpmss --mss 0:42;OK 6 | -p tcp -m tcpmss --mss 42:;-p tcp -m tcpmss --mss 42:65535;OK 7 | -p tcp -m tcpmss --mss 42:42;-p tcp -m tcpmss --mss 42;OK 8 | -p tcp -m tcpmss --mss 42:12345;=;OK 9 | -p tcp -m tcpmss --mss 42:65536;;FAIL 10 | -p tcp -m tcpmss --mss 65535:1000;;FAIL 11 | -------------------------------------------------------------------------------- /extensions/libxt_tcpmss.txlate: -------------------------------------------------------------------------------- 1 | iptables-translate -A INPUT -m tcpmss --mss 42 2 | nft 'add rule ip filter INPUT tcp option maxseg size 42 counter' 3 | 4 | iptables-translate -A INPUT -m tcpmss ! --mss 42 5 | nft 'add rule ip filter INPUT tcp option maxseg size != 42 counter' 6 | 7 | iptables-translate -A INPUT -m tcpmss --mss 42:1024 8 | nft 'add rule ip filter INPUT tcp option maxseg size 42-1024 counter' 9 | 10 | iptables-translate -A INPUT -m tcpmss ! 
--mss 1461:65535 11 | nft 'add rule ip filter INPUT tcp option maxseg size != 1461-65535 counter' 12 | -------------------------------------------------------------------------------- /extensions/libxt_time.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz;=;OK 3 | -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05;=;OK 4 | -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00;=;OK 5 | -------------------------------------------------------------------------------- /extensions/libxt_tos.man: -------------------------------------------------------------------------------- 1 | This module matches the 8-bit Type of Service field in the IPv4 header (i.e. 2 | including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6 3 | header. 4 | .TP 5 | [\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] 6 | Matches packets with the given TOS mark value. If a mask is specified, it is 7 | logically ANDed with the TOS mark before the comparison. 8 | .TP 9 | [\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP 10 | You can specify a symbolic name when using the tos match for IPv4. The list of 11 | recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP. 12 | Note that this implies a mask of 0x3F, i.e. all but the ECN bits. 
13 | -------------------------------------------------------------------------------- /extensions/libxt_tos.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m tos --tos Minimize-Delay;-m tos --tos 0x10/0x3f;OK 3 | -m tos --tos Maximize-Throughput;-m tos --tos 0x08/0x3f;OK 4 | -m tos --tos Maximize-Reliability;-m tos --tos 0x04/0x3f;OK 5 | -m tos --tos Minimize-Cost;-m tos --tos 0x02/0x3f;OK 6 | -m tos --tos Normal-Service;-m tos --tos 0x00/0x3f;OK 7 | -m tos --tos 0xff;-m tos --tos 0xff/0xff;OK 8 | -m tos ! --tos 0xff;-m tos ! --tos 0xff/0xff;OK 9 | -m tos --tos 0x00;-m tos --tos 0x00/0xff;OK 10 | -m tos --tos 0x0f;-m tos --tos 0x0f/0xff;OK 11 | -m tos --tos 0x0f/0x0f;=;OK 12 | -m tos --tos wrong;;FAIL 13 | -m tos;;FAIL 14 | -------------------------------------------------------------------------------- /extensions/libxt_u32.t: -------------------------------------------------------------------------------- 1 | :INPUT,FORWARD,OUTPUT 2 | -m u32 --u32 "0x0=0x0&&0x0=0x1";=;OK 3 | -------------------------------------------------------------------------------- /extensions/libxt_udp.man: -------------------------------------------------------------------------------- 1 | These extensions can be used if `\-\-protocol udp' is specified. It 2 | provides the following options: 3 | .TP 4 | [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] 5 | Source port or port range specification. 6 | See the description of the 7 | \fB\-\-source\-port\fP 8 | option of the TCP extension for details. 9 | .TP 10 | [\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] 11 | Destination port or port range specification. 12 | See the description of the 13 | \fB\-\-destination\-port\fP 14 | option of the TCP extension for details. 
15 | -------------------------------------------------------------------------------- /include/Makefile.am: -------------------------------------------------------------------------------- 1 | # -*- Makefile -*- 2 | 3 | include_HEADERS = xtables.h 4 | nodist_include_HEADERS = xtables-version.h 5 | 6 | if ENABLE_LIBIPQ 7 | include_HEADERS += libipq/libipq.h 8 | endif 9 | 10 | nobase_include_HEADERS = \ 11 | libiptc/ipt_kernel_headers.h libiptc/libiptc.h \ 12 | libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h 13 | 14 | EXTRA_DIST = iptables linux iptables.h ip6tables.h xtables_internal.h 15 | 16 | uninstall-hook: 17 | dir=${includedir}/libiptc; { \ 18 | test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; \ 19 | } || rmdir -p --ignore-fail-on-non-empty "$$dir" 20 | -------------------------------------------------------------------------------- /include/ip6tables.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6TABLES_USER_H 2 | #define _IP6TABLES_USER_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | /* Your shared library should call one of these. 
*/ 10 | extern int do_command6(int argc, char *argv[], char **table, 11 | struct xtc_handle **handle, bool restore); 12 | 13 | extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle); 14 | extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); 15 | extern int delete_chain6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); 16 | void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h, const char *chain, int counters); 17 | 18 | extern struct xtables_globals ip6tables_globals; 19 | 20 | #endif /*_IP6TABLES_USER_H*/ 21 | -------------------------------------------------------------------------------- /include/iptables/internal.h: -------------------------------------------------------------------------------- 1 | #ifndef IPTABLES_INTERNAL_H 2 | #define IPTABLES_INTERNAL_H 1 3 | 4 | /** 5 | * Program's own name and version. 6 | */ 7 | extern const char *program_name, *program_version; 8 | 9 | extern int line; 10 | 11 | #endif /* IPTABLES_INTERNAL_H */ 12 | -------------------------------------------------------------------------------- /include/libiptc/ipt_kernel_headers.h: -------------------------------------------------------------------------------- 1 | /* This is the userspace/kernel interface for Generic IP Chains, 2 | required for libc6. */ 3 | #ifndef _FWCHAINS_KERNEL_HEADERS_H 4 | #define _FWCHAINS_KERNEL_HEADERS_H 5 | 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #endif 16 | -------------------------------------------------------------------------------- /include/libiptc/libxtc.h: -------------------------------------------------------------------------------- 1 | #ifndef _LIBXTC_H 2 | #define _LIBXTC_H 3 | /* Library which manipulates filtering rules. 
*/ 4 | 5 | #include 6 | #include 7 | 8 | #ifdef __cplusplus 9 | extern "C" { 10 | #endif 11 | 12 | #ifndef XT_MIN_ALIGN 13 | /* xt_entry has pointers and uint64_t's in it, so if you align to 14 | it, you'll also align to any crazy matches and targets someone 15 | might write */ 16 | #define XT_MIN_ALIGN (__alignof__(struct xt_entry)) 17 | #endif 18 | 19 | #ifndef XT_ALIGN 20 | #define XT_ALIGN(s) (((s) + ((XT_MIN_ALIGN)-1)) & ~((XT_MIN_ALIGN)-1)) 21 | #endif 22 | 23 | #define XTC_LABEL_ACCEPT "ACCEPT" 24 | #define XTC_LABEL_DROP "DROP" 25 | #define XTC_LABEL_QUEUE "QUEUE" 26 | #define XTC_LABEL_RETURN "RETURN" 27 | 28 | 29 | #ifdef __cplusplus 30 | } 31 | #endif 32 | 33 | #endif /* _LIBXTC_H */ 34 | -------------------------------------------------------------------------------- /include/linux/kernel.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 | #ifndef _LINUX_KERNEL_H 3 | #define _LINUX_KERNEL_H 4 | 5 | #include 6 | #include 7 | 8 | #endif /* _LINUX_KERNEL_H */ 9 | -------------------------------------------------------------------------------- /include/linux/netfilter/nf_conntrack_tuple_common.h: -------------------------------------------------------------------------------- 1 | #ifndef _NF_CONNTRACK_TUPLE_COMMON_H 2 | #define _NF_CONNTRACK_TUPLE_COMMON_H 3 | 4 | enum ip_conntrack_dir { 5 | IP_CT_DIR_ORIGINAL, 6 | IP_CT_DIR_REPLY, 7 | IP_CT_DIR_MAX 8 | }; 9 | 10 | /* The protocol-specific manipulable parts of the tuple: always in 11 | * network order 12 | */ 13 | union nf_conntrack_man_proto { 14 | /* Add other protocols here. 
*/
/* Generic 16-bit view that overlays every per-protocol member below. */
__be16 all;

struct {
__be16 port;
} tcp;
struct {
__be16 port;
} udp;
struct {
__be16 id;
} icmp;
struct {
__be16 port;
} dccp;
struct {
__be16 port;
} sctp;
struct {
__be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
} gre;
};

/* Maps a ctinfo value to a direction; IP_CT_IS_REPLY is defined elsewhere. */
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)

#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/nf_log.h: --------------------------------------------------------------------------------
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NETFILTER_NF_LOG_H
#define _NETFILTER_NF_LOG_H

/* Flags selecting what nf_log emits for a packet. */
#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define NF_LOG_TCPOPT 0x02 /* Log TCP options */
#define NF_LOG_IPOPT 0x04 /* Log IP options */
#define NF_LOG_UID 0x08 /* Log UID owning local socket */
#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
/* 0x2f = every flag above except the retired NF_LOG_NFLOG bit (0x10). */
#define NF_LOG_MASK 0x2f

/* Maximum length of the user-supplied log prefix. */
#define NF_LOG_PREFIXLEN 128

#endif /* _NETFILTER_NF_LOG_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/nf_tables_compat.h: --------------------------------------------------------------------------------
#ifndef _NFT_COMPAT_NFNETLINK_H_
#define _NFT_COMPAT_NFNETLINK_H_

/* Netlink message/attribute layout for the nft_compat subsystem, which lets
 * nf_tables load x_tables match/target modules. */
#define NFT_COMPAT_NAME_MAX 32

enum {
NFNL_MSG_COMPAT_GET,
NFNL_MSG_COMPAT_MAX
};

/* Attributes of an NFNL_MSG_COMPAT_GET request: extension name, revision, type. */
enum {
NFTA_COMPAT_UNSPEC = 0,
NFTA_COMPAT_NAME,
NFTA_COMPAT_REV,
NFTA_COMPAT_TYPE,
__NFTA_COMPAT_MAX,
};
#define NFTA_COMPAT_MAX (__NFTA_COMPAT_MAX - 1)

#endif
--------------------------------------------------------------------------------
/include/linux/netfilter/xt_AUDIT.h: --------------------------------------------------------------------------------
/*
 * Header file for iptables xt_AUDIT target
 *
 * (C) 2010-2011 Thomas Graf
 * (C) 2010-2011 Red Hat, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#ifndef _XT_AUDIT_TARGET_H
#define _XT_AUDIT_TARGET_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Kind of audit record the target emits; __XT_AUDIT_TYPE_MAX is a sentinel. */
enum {
XT_AUDIT_TYPE_ACCEPT = 0,
XT_AUDIT_TYPE_DROP,
XT_AUDIT_TYPE_REJECT,
__XT_AUDIT_TYPE_MAX,
};

#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)

/* Target info passed from userspace; only the record type is configurable. */
struct xt_audit_info {
__u8 type; /* XT_AUDIT_TYPE_* */
};

#endif /* _XT_AUDIT_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_CHECKSUM.h: --------------------------------------------------------------------------------
/* Header file for iptables ipt_CHECKSUM target
 *
 * (C) 2002 by Harald Welte
 * (C) 2010 Red Hat Inc
 * Author: Michael S.
Tsirkin
 *
 * This software is distributed under GNU GPL v2, 1991
 */
#ifndef _XT_CHECKSUM_TARGET_H
#define _XT_CHECKSUM_TARGET_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Only one operation bit is defined; the field is still a bitset. */
#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */

struct xt_CHECKSUM_info {
__u8 operation; /* bitset of operations */
};

#endif /* _XT_CHECKSUM_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_CLASSIFY.h: --------------------------------------------------------------------------------
#ifndef _XT_CLASSIFY_H
#define _XT_CLASSIFY_H

#include

/* Target info: the qdisc class priority to stamp onto the packet. */
struct xt_classify_target_info {
__u32 priority;
};

#endif /*_XT_CLASSIFY_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_CONNMARK.h: --------------------------------------------------------------------------------
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _XT_CONNMARK_H_target
#define _XT_CONNMARK_H_target

/* Compatibility shim: everything lives in the included xt_connmark.h. */
#include

#endif /*_XT_CONNMARK_H_target*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_CONNSECMARK.h: --------------------------------------------------------------------------------
#ifndef _XT_CONNSECMARK_H_target
#define _XT_CONNSECMARK_H_target

#include

/* Direction of the secmark copy: packet->conntrack (SAVE) or back (RESTORE).
 * Numbering starts at 1, so a zeroed struct is not a valid mode. */
enum {
CONNSECMARK_SAVE = 1,
CONNSECMARK_RESTORE,
};

struct xt_connsecmark_target_info {
__u8 mode;
};

#endif /*_XT_CONNSECMARK_H_target */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_CT.h: --------------------------------------------------------------------------------
#ifndef _XT_CT_H
#define _XT_CT_H

#include

/* Flag bits for xt_ct_target_info.flags. */
enum {
XT_CT_NOTRACK = 1 << 0,
XT_CT_NOTRACK_ALIAS = 1 << 1,
XT_CT_ZONE_DIR_ORIG = 1 << 2,
XT_CT_ZONE_DIR_REPL = 1 << 3,
XT_CT_ZONE_MARK = 1 << 4,
};

/* Revision 0 of the CT target info. */
struct xt_ct_target_info {
__u16 flags;
__u16 zone;
__u32 ct_events;
__u32 exp_events;
/* Fixed-size helper name; NOTE(review): confirm the kernel requires a NUL
 * terminator within the 16 bytes. */
char helper[16];

/* Used internally by the kernel */
/* Kernel-owned pointer slot; aligned(8) keeps the layout identical on
 * 32- and 64-bit ABIs. */
struct nf_conn *ct __attribute__((aligned(8)));
};

/* Revision 1 adds a conntrack timeout policy name. */
struct xt_ct_target_info_v1 {
__u16 flags;
__u16 zone;
__u32 ct_events;
__u32 exp_events;
char helper[16];
char timeout[32];

/* Used internally by the kernel */
struct nf_conn *ct __attribute__((aligned(8)));
};

#endif /* _XT_CT_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_DSCP.h: --------------------------------------------------------------------------------
/* x_tables module for setting the IPv4/IPv6 DSCP field
 *
 * (C) 2002 Harald Welte
 * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh
 * This software is distributed under GNU GPL v2, 1991
 *
 * See RFC2474 for a description of the DSCP field within the IP Header.
 *
 * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
 */
#ifndef _XT_DSCP_TARGET_H
#define _XT_DSCP_TARGET_H
/* ('#include' targets in this chunk were lost during extraction.) */
#include
#include

/* target info */
/* New DSCP value to write. */
struct xt_DSCP_info {
__u8 dscp;
};

/* TOS target: new = (old & ~tos_mask) ^ tos_value is the usual contract —
 * NOTE(review): the exact update rule lives in the kernel module, confirm. */
struct xt_tos_target_info {
__u8 tos_value;
__u8 tos_mask;
};

#endif /* _XT_DSCP_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_LED.h: --------------------------------------------------------------------------------
#ifndef _XT_LED_H
#define _XT_LED_H

#include

struct xt_led_info {
char id[27]; /* Unique ID for this trigger in the LED class */
__u8 always_blink; /* Blink even if the LED is already on */
__u32 delay; /* Delay until LED is switched off after trigger */

/* Kernel data used in the module */
/* aligned(8) keeps the struct size the same on 32- and 64-bit ABIs. */
void *internal_data __attribute__((aligned(8)));
};

#endif /* _XT_LED_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_LOG.h: --------------------------------------------------------------------------------
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _XT_LOG_H
#define _XT_LOG_H

/* make sure not to change this without changing nf_log.h:NF_LOG_* (!)
*/
/* These values mirror the NF_LOG_* bits one-for-one. */
#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define XT_LOG_TCPOPT 0x02 /* Log TCP options */
#define XT_LOG_IPOPT 0x04 /* Log IP options */
#define XT_LOG_UID 0x08 /* Log UID owning local socket */
#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */
/* 0x2f = all bits above except XT_LOG_NFLOG (0x10). */
#define XT_LOG_MASK 0x2f

struct xt_log_info {
unsigned char level;
unsigned char logflags;
/* Fixed 30-byte prefix; NOTE(review): confirm the kernel forces a NUL
 * terminator before printing it. */
char prefix[30];
};

#endif /* _XT_LOG_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_MARK.h: --------------------------------------------------------------------------------
#ifndef _XT_MARK_H_target
#define _XT_MARK_H_target

/* Compatibility shim: the definitions live in the included xt_mark.h. */
#include

#endif /*_XT_MARK_H_target */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_NFLOG.h: --------------------------------------------------------------------------------
#ifndef _XT_NFLOG_TARGET
#define _XT_NFLOG_TARGET

#include

#define XT_NFLOG_DEFAULT_GROUP 0x1
#define XT_NFLOG_DEFAULT_THRESHOLD 0

#define XT_NFLOG_MASK 0x1

/* This flag indicates that 'len' field in xt_nflog_info is set*/
#define XT_NFLOG_F_COPY_LEN 0x1

struct xt_nflog_info {
/* 'len' will be used iff you set XT_NFLOG_F_COPY_LEN in flags */
__u32 len;
__u16 group;
__u16 threshold;
__u16 flags;
/* Explicit padding so the layout is the same on all ABIs. */
__u16 pad;
char prefix[64];
};

#endif /* _XT_NFLOG_TARGET */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_NFQUEUE.h: --------------------------------------------------------------------------------
/* iptables module for using NFQUEUE mechanism
 *
 * (C) 2005 Harald Welte
 *
 * This software is distributed under GNU GPL v2, 1991
 *
 */

#ifndef _XT_NFQ_TARGET_H
#define _XT_NFQ_TARGET_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* target info */
/* Revision 0: a single queue number. */
struct xt_NFQ_info {
__u16 queuenum;
};

/* Revision 1: queue balancing over queues_total consecutive queues. */
struct xt_NFQ_info_v1 {
__u16 queuenum;
__u16 queues_total;
};

/* Revision 2: 'bypass' lets packets through when no listener is bound. */
struct xt_NFQ_info_v2 {
__u16 queuenum;
__u16 queues_total;
__u16 bypass;
};

/* Revision 3: the v2 'bypass' field becomes a flags word. */
struct xt_NFQ_info_v3 {
__u16 queuenum;
__u16 queues_total;
__u16 flags;
#define NFQ_FLAG_BYPASS 0x01 /* for compatibility with v2 */
#define NFQ_FLAG_CPU_FANOUT 0x02 /* use current CPU (no hashing) */
#define NFQ_FLAG_MASK 0x03
};

#endif /* _XT_NFQ_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_RATEEST.h: --------------------------------------------------------------------------------
#ifndef _XT_RATEEST_TARGET_H
#define _XT_RATEEST_TARGET_H

#include

struct xt_rateest_target_info {
/* IFNAMSIZ comes from an interface header that is not visible here. */
char name[IFNAMSIZ];
__s8 interval;
__u8 ewma_log;

/* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};

#endif /* _XT_RATEEST_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_SECMARK.h: --------------------------------------------------------------------------------
#ifndef _XT_SECMARK_H_target
#define _XT_SECMARK_H_target

#include

/*
 * This is intended for use by various security subsystems (but not
 * at the same time).
 *
 * 'mode' refers to the specific security subsystem which the
 * packets are being marked for.
 */
#define SECMARK_MODE_SEL 0x01 /* SELinux */
#define SECMARK_SECCTX_MAX 256

/* Revision 0: secid sits between mode and the context string. */
struct xt_secmark_target_info {
__u8 mode;
__u32 secid;
char secctx[SECMARK_SECCTX_MAX];
};

/* Revision 1: same members as v0 but secid moved after secctx, so the two
 * revisions are NOT layout-compatible. */
struct xt_secmark_target_info_v1 {
__u8 mode;
char secctx[SECMARK_SECCTX_MAX];
__u32 secid;
};

#endif /*_XT_SECMARK_H_target */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_SYNPROXY.h: --------------------------------------------------------------------------------
#ifndef _XT_SYNPROXY_H
#define _XT_SYNPROXY_H

/* TCP options the proxy will advertise/accept, for xt_synproxy_info.options. */
#define XT_SYNPROXY_OPT_MSS 0x01
#define XT_SYNPROXY_OPT_WSCALE 0x02
#define XT_SYNPROXY_OPT_SACK_PERM 0x04
#define XT_SYNPROXY_OPT_TIMESTAMP 0x08
#define XT_SYNPROXY_OPT_ECN 0x10

/* This header has no '#include' at all; __u8/__u16 must come from the
 * including translation unit. */
struct xt_synproxy_info {
__u8 options;
__u8 wscale;
__u16 mss;
};

#endif /* _XT_SYNPROXY_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_TCPMSS.h: --------------------------------------------------------------------------------
#ifndef _XT_TCPMSS_H
#define _XT_TCPMSS_H

#include

struct xt_tcpmss_info {
__u16 mss;
};

/* Sentinel mss value meaning "clamp to path MTU" rather than a fixed size. */
#define XT_TCPMSS_CLAMP_PMTU 0xffff

#endif /* _XT_TCPMSS_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_TCPOPTSTRIP.h: --------------------------------------------------------------------------------
#ifndef _XT_TCPOPTSTRIP_H
#define _XT_TCPOPTSTRIP_H

#include

/* Bitmap helpers over strip_bmap (8 x 32 bits = 256 option kinds).
 * NOTE(review): 'idx' is parenthesised in '(idx) >> 5' but not in 'idx & 31',
 * so callers should pass a plain identifier or literal, not an expression
 * with lower precedence than '&'. */
#define tcpoptstrip_set_bit(bmap, idx) \
(bmap[(idx) >> 5] |= 1U << (idx & 31))
#define tcpoptstrip_test_bit(bmap, idx) \
(((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)

struct xt_tcpoptstrip_target_info {
__u32 strip_bmap[8];
};

#endif /* _XT_TCPOPTSTRIP_H */

-------------------------------------------------------------------------------- /include/linux/netfilter/xt_TEE.h: --------------------------------------------------------------------------------
#ifndef _XT_TEE_TARGET_H
#define _XT_TEE_TARGET_H

/* No '#include' here: union nf_inet_addr must already be visible. */
struct xt_tee_tginfo {
union nf_inet_addr gw;
char oif[16];

/* used internally by the kernel */
struct xt_tee_priv *priv __attribute__((aligned(8)));
};

#endif /* _XT_TEE_TARGET_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_TPROXY.h: --------------------------------------------------------------------------------
#ifndef _XT_TPROXY_H
#define _XT_TPROXY_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* TPROXY target is capable of marking the packet to perform
 * redirection. We can get rid of that whenever we get support for
 * mutliple targets in the same rule. */
/* Revision 0: IPv4-only local address. */
struct xt_tproxy_target_info {
__u32 mark_mask;
__u32 mark_value;
__be32 laddr;
__be16 lport;
};

/* Revision 1: address-family-agnostic local address. */
struct xt_tproxy_target_info_v1 {
__u32 mark_mask;
__u32 mark_value;
union nf_inet_addr laddr;
__be16 lport;
};

#endif /* _XT_TPROXY_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_cluster.h: --------------------------------------------------------------------------------
#ifndef _XT_CLUSTER_MATCH_H
#define _XT_CLUSTER_MATCH_H

#include

enum xt_cluster_flags {
XT_CLUSTER_F_INV = (1 << 0)
};

/* node_mask is a bitmask over up to XT_CLUSTER_NODES_MAX (32) nodes, which
 * matches the width of the __u32 field. */
struct xt_cluster_match_info {
__u32 total_nodes;
__u32 node_mask;
__u32 hash_seed;
__u32 flags;
};

#define XT_CLUSTER_NODES_MAX 32

#endif /* _XT_CLUSTER_MATCH_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_comment.h:
--------------------------------------------------------------------------------
#ifndef _XT_COMMENT_H
#define _XT_COMMENT_H

#define XT_MAX_COMMENT_LEN 256

/* Free-form rule comment, fixed 256 bytes; NOTE(review): confirm the
 * kernel/userspace treat it as NUL-terminated when printing. */
struct xt_comment_info {
char comment[XT_MAX_COMMENT_LEN];
};

/* Trailing comment says XT_COMMENT_H but the guard is _XT_COMMENT_H (cosmetic). */
#endif /* XT_COMMENT_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_connbytes.h: --------------------------------------------------------------------------------
#ifndef _XT_CONNBYTES_H
#define _XT_CONNBYTES_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

enum xt_connbytes_what {
XT_CONNBYTES_PKTS,
XT_CONNBYTES_BYTES,
XT_CONNBYTES_AVGPKT,
};

enum xt_connbytes_direction {
XT_CONNBYTES_DIR_ORIGINAL,
XT_CONNBYTES_DIR_REPLY,
XT_CONNBYTES_DIR_BOTH,
};

struct xt_connbytes_info {
struct {
__aligned_u64 from; /* count to be matched */
__aligned_u64 to; /* count to be matched */
} count;
/* The two field comments below still use the pre-rename ipt_* enum names;
 * the enums are xt_connbytes_what / xt_connbytes_direction above. */
__u8 what; /* ipt_connbytes_what */
__u8 direction; /* ipt_connbytes_direction */
};
#endif
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_connlabel.h: --------------------------------------------------------------------------------
/* NOTE(review): this header has no include guard; including it twice in one
 * translation unit redefines the enum and struct below. */
#include

#define XT_CONNLABEL_MAXBIT 127
enum xt_connlabel_mtopts {
XT_CONNLABEL_OP_INVERT = 1 << 0,
XT_CONNLABEL_OP_SET = 1 << 1,
};

struct xt_connlabel_mtinfo {
__u16 bit;
__u16 options;
};
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_connlimit.h: --------------------------------------------------------------------------------
#ifndef _XT_CONNLIMIT_H
#define _XT_CONNLIMIT_H

#include

/* Opaque kernel-side state; only a pointer to it appears in the ABI. */
struct xt_connlimit_data;

enum {
XT_CONNLIMIT_INVERT = 1 << 0,
XT_CONNLIMIT_DADDR = 1 << 1,
};

struct xt_connlimit_info {
union {
/* The generic address mask overlays the v4/v6-specific views. */
union nf_inet_addr mask;
union {
__be32 v4_mask;
__be32 v6_mask[4];
};
};
unsigned int limit;
/* Same storage reinterpreted per revision: 'inverse' (rev 0) vs 'flags' (rev 1). */
union {
/* revision 0 */
unsigned int inverse;

/* revision 1 */
__u32 flags;
};

/* Used internally by the kernel */
struct xt_connlimit_data *data __attribute__((aligned(8)));
};

#endif /* _XT_CONNLIMIT_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_connmark.h: --------------------------------------------------------------------------------
/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
/* Copyright (C) 2002,2004 MARA Systems AB
 * by Henrik Nordstrom
 */

#ifndef _XT_CONNMARK_H
#define _XT_CONNMARK_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Target mode: set the ctmark, copy packet mark into it, or copy it back. */
enum {
XT_CONNMARK_SET = 0,
XT_CONNMARK_SAVE,
XT_CONNMARK_RESTORE
};

/* Shift direction for xt_connmark_tginfo2.shift_dir. */
enum {
D_SHIFT_LEFT = 0,
D_SHIFT_RIGHT,
};

struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
};

/* Revision 2 adds a shift applied during the copy. */
struct xt_connmark_tginfo2 {
__u32 ctmark, ctmask, nfmask;
__u8 shift_dir, shift_bits, mode;
};

/* Match info: (ctmark & mask) compared against mark, optionally inverted. */
struct xt_connmark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
};

#endif /*_XT_CONNMARK_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_cpu.h: --------------------------------------------------------------------------------
#ifndef _XT_CPU_H
#define _XT_CPU_H

#include

struct xt_cpu_info {
__u32 cpu;
__u32 invert;
};

#endif /*_XT_CPU_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_dccp.h: --------------------------------------------------------------------------------
#ifndef _XT_DCCP_H_
#define _XT_DCCP_H_

#include

#define
XT_DCCP_SRC_PORTS 0x01
#define XT_DCCP_DEST_PORTS 0x02
#define XT_DCCP_TYPE 0x04
#define XT_DCCP_OPTION 0x08

/* 0x0f = all four flag bits above. */
#define XT_DCCP_VALID_FLAGS 0x0f

struct xt_dccp_info {
__u16 dpts[2]; /* Min, Max */
__u16 spts[2]; /* Min, Max */

__u16 flags;
__u16 invflags;

/* Bitmask over DCCP packet types; 'option' is a single option number. */
__u16 typemask;
__u8 option;
};

#endif /* _XT_DCCP_H_ */

-------------------------------------------------------------------------------- /include/linux/netfilter/xt_devgroup.h: --------------------------------------------------------------------------------
#ifndef _XT_DEVGROUP_H
#define _XT_DEVGROUP_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

enum xt_devgroup_flags {
XT_DEVGROUP_MATCH_SRC = 0x1,
XT_DEVGROUP_INVERT_SRC = 0x2,
XT_DEVGROUP_MATCH_DST = 0x4,
XT_DEVGROUP_INVERT_DST = 0x8,
};

/* Match on the device group of the in/out interface, masked per side. */
struct xt_devgroup_info {
__u32 flags;
__u32 src_group;
__u32 src_mask;
__u32 dst_group;
__u32 dst_mask;
};

#endif /* _XT_DEVGROUP_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_dscp.h: --------------------------------------------------------------------------------
/* x_tables module for matching the IPv4/IPv6 DSCP field
 *
 * (C) 2002 Harald Welte
 * This software is distributed under GNU GPL v2, 1991
 *
 * See RFC2474 for a description of the DSCP field within the IP Header.
 *
 * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
 */
#ifndef _XT_DSCP_H
#define _XT_DSCP_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* The DSCP occupies the top six bits of the TOS byte; the low two are ECN. */
#define XT_DSCP_MASK 0xfc /* 11111100 */
#define XT_DSCP_SHIFT 2
#define XT_DSCP_MAX 0x3f /* 00111111 */

/* match info */
struct xt_dscp_info {
__u8 dscp;
__u8 invert;
};

struct xt_tos_match_info {
__u8 tos_mask;
__u8 tos_value;
__u8 invert;
};

#endif /* _XT_DSCP_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_ecn.h: --------------------------------------------------------------------------------
/* iptables module for matching the ECN header in IPv4 and TCP header
 *
 * (C) 2002 Harald Welte
 *
 * This software is distributed under GNU GPL v2, 1991
 */
#ifndef _XT_ECN_H
#define _XT_ECN_H

#include
#include

/* The two low TOS bits, i.e. the complement of the DSCP mask. */
#define XT_ECN_IP_MASK (~XT_DSCP_MASK)

#define XT_ECN_OP_MATCH_IP 0x01
#define XT_ECN_OP_MATCH_ECE 0x10
#define XT_ECN_OP_MATCH_CWR 0x20

/* 0xce is the 8-bit complement of (0x01 | 0x10 | 0x20), i.e. the bits that
 * are NOT valid operations — useful for rejecting unknown flags. */
#define XT_ECN_OP_MATCH_MASK 0xce

/* match info */
struct xt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
union {
struct {
__u8 ect;
} tcp;
} proto;
};

#endif /* _XT_ECN_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_esp.h: --------------------------------------------------------------------------------
#ifndef _XT_ESP_H
#define _XT_ESP_H

#include

/* Match on the ESP SPI range spis[0]..spis[1]. */
struct xt_esp {
__u32 spis[2]; /* Security Parameter Index */
__u8 invflags; /* Inverse flags */
};

/* Values for "invflags" field in struct xt_esp. */
#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
#define XT_ESP_INV_MASK 0x01 /* All possible flags.
*/

#endif /*_XT_ESP_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_helper.h: --------------------------------------------------------------------------------
#ifndef _XT_HELPER_H
#define _XT_HELPER_H

/* Match by conntrack helper name. Uses plain 'int' rather than a fixed-width
 * kernel type, and has no '#include' of its own. */
struct xt_helper_info {
int invert;
char name[30];
};
#endif /* _XT_HELPER_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_ipcomp.h: --------------------------------------------------------------------------------
#ifndef _XT_IPCOMP_H
#define _XT_IPCOMP_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Same shape as xt_esp plus a check of the IPComp reserved field. */
struct xt_ipcomp {
__u32 spis[2]; /* Security Parameter Index */
__u8 invflags; /* Inverse flags */
__u8 hdrres; /* Test of the Reserved Filed */
};

/* Values for "invflags" field in struct xt_ipcomp. */
#define XT_IPCOMP_INV_SPI 0x01 /* Invert the sense of spi. */
#define XT_IPCOMP_INV_MASK 0x01 /* All possible flags.
*/

#endif /*_XT_IPCOMP_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_iprange.h: --------------------------------------------------------------------------------
#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
#define _LINUX_NETFILTER_XT_IPRANGE_H 1

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Flag bits; note the gap between bit 1 and bit 4 is intentional (the *_INV
 * bits sit at 4 and 5). */
enum {
IPRANGE_SRC = 1 << 0, /* match source IP address */
IPRANGE_DST = 1 << 1, /* match destination IP address */
IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
IPRANGE_DST_INV = 1 << 5, /* -"- */
};

/* Inclusive address ranges; union nf_inet_addr covers v4 and v6. */
struct xt_iprange_mtinfo {
union nf_inet_addr src_min, src_max;
union nf_inet_addr dst_min, dst_max;
__u8 flags;
};

#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_ipvs.h: --------------------------------------------------------------------------------
#ifndef _XT_IPVS_H
#define _XT_IPVS_H

#include

/* XT_IPVS_MASK = 0x7f covers bits 0..6; ONCE_MASK drops the implied bit 0. */
enum {
XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
XT_IPVS_PROTO = 1 << 1,
XT_IPVS_VADDR = 1 << 2,
XT_IPVS_VPORT = 1 << 3,
XT_IPVS_DIR = 1 << 4,
XT_IPVS_METHOD = 1 << 5,
XT_IPVS_VPORTCTL = 1 << 6,
XT_IPVS_MASK = (1 << 7) - 1,
XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
};

/* 'bitmask' selects which fields are compared; 'invert' negates them. */
struct xt_ipvs_mtinfo {
union nf_inet_addr vaddr, vmask;
__be16 vport;
__u8 l4proto;
__u8 fwd_method;
__be16 vportctl;

__u8 invert;
__u8 bitmask;
};

#endif /* _XT_IPVS_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_length.h: --------------------------------------------------------------------------------
#ifndef _XT_LENGTH_H
#define _XT_LENGTH_H

#include

/* Match on total packet length in [min, max]. */
struct xt_length_info {
__u16 min, max;
__u8 invert;
};

#endif /*_XT_LENGTH_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_limit.h: --------------------------------------------------------------------------------
#ifndef _XT_RATE_H
#define _XT_RATE_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* timings are in milliseconds. */
#define XT_LIMIT_SCALE 10000

struct xt_limit_priv;

/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
struct xt_rateinfo {
__u32 avg; /* Average secs between packets * scale */
__u32 burst; /* Period multiplier for upper limit. */

/* Used internally by the kernel */
/* 'prev' is an unsigned long and 'master' an unaligned pointer, so this
 * struct's size differs between 32- and 64-bit ABIs (no aligned(8) here,
 * unlike the newer headers). */
unsigned long prev; /* moved to xt_limit_priv */
__u32 credit; /* moved to xt_limit_priv */
__u32 credit_cap, cost;

struct xt_limit_priv *master;
};
#endif /*_XT_RATE_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_mac.h: --------------------------------------------------------------------------------
#ifndef _XT_MAC_H
#define _XT_MAC_H

/* ETH_ALEN is not defined in this header; it must already be in scope. */
struct xt_mac_info {
unsigned char srcaddr[ETH_ALEN];
int invert;
};
#endif /*_XT_MAC_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_mark.h: --------------------------------------------------------------------------------
#ifndef _XT_MARK_H
#define _XT_MARK_H

#include

/* MARK target (rev 2): mark/mask pair. */
struct xt_mark_tginfo2 {
__u32 mark, mask;
};

/* mark match (rev 1): (skb mark & mask) == mark, optionally inverted. */
struct xt_mark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
};

#endif /*_XT_MARK_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_multiport.h: --------------------------------------------------------------------------------
#ifndef _XT_MULTIPORT_H
#define _XT_MULTIPORT_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

enum xt_multiport_flags {
XT_MULTIPORT_SOURCE,
XT_MULTIPORT_DESTINATION,
XT_MULTIPORT_EITHER
};

#define XT_MULTI_PORTS 15

/* Must fit inside union xt_matchinfo: 16 bytes */
/* The "16 bytes" note above is stale: 1 + 1 + 15*2 = 32 bytes of fields. */
struct xt_multiport {
__u8 flags; /* Type of comparison */
__u8 count; /* Number of ports */
__u16 ports[XT_MULTI_PORTS]; /* Ports */
};

/* Revision 1 adds per-port flags (port ranges) and an invert flag. */
struct xt_multiport_v1 {
__u8 flags; /* Type of comparison */
__u8 count; /* Number of ports */
__u16 ports[XT_MULTI_PORTS]; /* Ports */
__u8 pflags[XT_MULTI_PORTS]; /* Port flags */
__u8 invert; /* Invert flag */
};

#endif /*_XT_MULTIPORT_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_nfacct.h: --------------------------------------------------------------------------------
#ifndef _XT_NFACCT_MATCH_H
#define _XT_NFACCT_MATCH_H

#include

#ifndef NFACCT_NAME_MAX
#define NFACCT_NAME_MAX 32
#endif

struct nf_acct;

/* Revision 0: the pointer is not aligned(8), so the layout differs between
 * 32- and 64-bit ABIs; v1 below fixes that. */
struct xt_nfacct_match_info {
char name[NFACCT_NAME_MAX];
struct nf_acct *nfacct;
};

struct xt_nfacct_match_info_v1 {
char name[NFACCT_NAME_MAX];
struct nf_acct *nfacct __attribute__((aligned(8)));
};

#endif /* _XT_NFACCT_MATCH_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_owner.h: --------------------------------------------------------------------------------
#ifndef _XT_OWNER_MATCH_H
#define _XT_OWNER_MATCH_H

#include

/* Which criteria are active in 'match' (and negatable via 'invert'). */
enum {
XT_OWNER_UID = 1 << 0,
XT_OWNER_GID = 1 << 1,
XT_OWNER_SOCKET = 1 << 2,
XT_OWNER_SUPPL_GROUPS = 1 << 3,
};

/* Inclusive uid/gid ranges of the local socket owner. */
struct xt_owner_match_info {
__u32 uid_min, uid_max;
__u32 gid_min, gid_max;
__u8 match, invert;
};

#endif /* _XT_OWNER_MATCH_H */

-------------------------------------------------------------------------------- /include/linux/netfilter/xt_physdev.h: --------------------------------------------------------------------------------
#ifndef _XT_PHYSDEV_H
#define _XT_PHYSDEV_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include


#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
#define XT_PHYSDEV_OP_BRIDGED 0x04
#define XT_PHYSDEV_OP_ISIN 0x08
#define XT_PHYSDEV_OP_ISOUT 0x10
/* (0x20 - 1) = 0x1f, exactly the five op bits above. */
#define XT_PHYSDEV_OP_MASK (0x20 - 1)

/* Bridge port match; the *_mask arrays are per-byte masks over the names. */
struct xt_physdev_info {
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
__u8 invert;
__u8 bitmask;
};

#endif /*_XT_PHYSDEV_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_pkttype.h: --------------------------------------------------------------------------------
#ifndef _XT_PKTTYPE_H
#define _XT_PKTTYPE_H

/* Uses plain 'int' fields and has no '#include' of its own. */
struct xt_pkttype_info {
int pkttype;
int invert;
};
#endif /*_XT_PKTTYPE_H*/
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_quota.h: --------------------------------------------------------------------------------
#ifndef _XT_QUOTA_H
#define _XT_QUOTA_H

#include

enum xt_quota_flags {
XT_QUOTA_INVERT = 0x1,
};
#define XT_QUOTA_MASK 0x1

struct xt_quota_priv;

struct xt_quota_info {
__u32 flags;
/* Explicit padding so 'quota' starts at an 8-byte offset on every ABI. */
__u32 pad;
__aligned_u64 quota;

/* Used internally by the kernel */
/* Not aligned(8): the struct size still differs between 32- and 64-bit. */
struct xt_quota_priv *master;
};

#endif /* _XT_QUOTA_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_quota2.h: --------------------------------------------------------------------------------
/* NOTE(review): this header reuses the include guard _XT_QUOTA_H from
 * xt_quota.h above and redefines enum xt_quota_flags / XT_QUOTA_INVERT /
 * XT_QUOTA_MASK, so whichever of the two is included first silently wins. */
#ifndef _XT_QUOTA_H
#define _XT_QUOTA_H

enum xt_quota_flags {
XT_QUOTA_INVERT = 1 << 0,
XT_QUOTA_GROW = 1 << 1,
XT_QUOTA_PACKET = 1 << 2,
XT_QUOTA_NO_CHANGE = 1 << 3,
/* Here XT_QUOTA_MASK is an enumerator, whereas xt_quota.h makes it a macro. */
XT_QUOTA_MASK = 0x0F,
};

struct xt_quota_counter;

/* quota2 match info. Uses u_int8_t / aligned_u64 rather than the __u8 /
 * __aligned_u64 spellings used by the other headers here, and has no
 * '#include' to supply them. */
struct xt_quota_mtinfo2 {
char name[15];
u_int8_t flags;

/* Comparison-invariant */
aligned_u64 quota;

/* Used internally by the kernel */
struct xt_quota_counter *master __attribute__((aligned(8)));
};

#endif /* _XT_QUOTA_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_realm.h: --------------------------------------------------------------------------------
#ifndef _XT_REALM_H
#define _XT_REALM_H

/* ('#include' targets in this chunk were lost during extraction.) */
#include

/* Routing realm match: (realm & mask) == id, optionally inverted. */
struct xt_realm_info {
__u32 id;
__u32 mask;
__u8 invert;
};

#endif /* _XT_REALM_H */
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_rpfilter.h: --------------------------------------------------------------------------------
#ifndef _XT_RPATH_H
#define _XT_RPATH_H

#include

/* Reverse-path filter options; flags fit in the __u8 below. */
enum {
XT_RPFILTER_LOOSE = 1 << 0,
XT_RPFILTER_VALID_MARK = 1 << 1,
XT_RPFILTER_ACCEPT_LOCAL = 1 << 2,
XT_RPFILTER_INVERT = 1 << 3,
};

struct xt_rpfilter_info {
__u8 flags;
};

#endif
-------------------------------------------------------------------------------- /include/linux/netfilter/xt_socket.h: --------------------------------------------------------------------------------
#ifndef _XT_SOCKET_H
#define _XT_SOCKET_H

#include

enum {
XT_SOCKET_TRANSPARENT = 1 << 0,
XT_SOCKET_NOWILDCARD = 1 << 1,
XT_SOCKET_RESTORESKMARK = 1 << 2,
};

/* All revisions share one __u8 flags field; each XT_SOCKET_FLAGS_Vn lists
 * the bits that revision accepts. */
struct xt_socket_mtinfo1 {
__u8 flags;
};
#define XT_SOCKET_FLAGS_V1 XT_SOCKET_TRANSPARENT

struct xt_socket_mtinfo2 {
__u8 flags;
};
#define XT_SOCKET_FLAGS_V2
(XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD) 21 | 22 | struct xt_socket_mtinfo3 { 23 | __u8 flags; 24 | }; 25 | #define XT_SOCKET_FLAGS_V3 (XT_SOCKET_TRANSPARENT \ 26 | | XT_SOCKET_NOWILDCARD \ 27 | | XT_SOCKET_RESTORESKMARK) /* revision 3 accepts all three flags; each revision's mask grows by one bit */ 28 | 29 | #endif /* _XT_SOCKET_H */ 30 | -------------------------------------------------------------------------------- /include/linux/netfilter/xt_state.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_STATE_H 2 | #define _XT_STATE_H 3 | 4 | #define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) /* % binds tighter than +, so this is bit ((ctinfo % IP_CT_IS_REPLY) + 1); IP_CT_IS_REPLY and IP_CT_NUMBER are not defined here and this header has no #include, the includer must provide them */ 5 | #define XT_STATE_INVALID (1 << 0) 6 | 7 | #define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) 8 | 9 | struct xt_state_info { 10 | unsigned int statemask; /* OR of XT_STATE_BIT()/XT_STATE_INVALID/XT_STATE_UNTRACKED; plain unsigned int rather than a fixed-width type */ 11 | }; 12 | #endif /*_XT_STATE_H*/ 13 | -------------------------------------------------------------------------------- /include/linux/netfilter/xt_statistic.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_STATISTIC_H 2 | #define _XT_STATISTIC_H 3 | 4 | #include 5 | 6 | enum xt_statistic_mode { 7 | XT_STATISTIC_MODE_RANDOM, 8 | XT_STATISTIC_MODE_NTH, 9 | __XT_STATISTIC_MODE_MAX 10 | }; 11 | #define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1) /* highest valid mode */ 12 | 13 | enum xt_statistic_flags { 14 | XT_STATISTIC_INVERT = 0x1, 15 | }; 16 | #define XT_STATISTIC_MASK 0x1 17 | 18 | struct xt_statistic_priv; 19 | 20 | struct xt_statistic_info { 21 | __u16 mode; /* enum xt_statistic_mode; NOTE(review): bound against XT_STATISTIC_MODE_MAX before selecting a union member */ 22 | __u16 flags; /* enum xt_statistic_flags, masked by XT_STATISTIC_MASK */ 23 | union { 24 | struct { 25 | __u32 probability; /* random mode -- presumed from the member name */ 26 | } random; 27 | struct { 28 | __u32 every; /* nth mode parameters -- presumed from the member name */ 29 | __u32 packet; 30 | __u32 count; /* unused */ 31 | } nth; 32 | } u; 33 | struct xt_statistic_priv *master __attribute__((aligned(8))); /* kernel-private; user space should pass it zeroed */ 34 | }; 35 | 36 | #endif /* _XT_STATISTIC_H */ 37 | -------------------------------------------------------------------------------- /include/linux/netfilter/xt_string.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_STRING_H 2 | #define 
_XT_STRING_H 3 | 4 | #include 5 | 6 | #define XT_STRING_MAX_PATTERN_SIZE 128 7 | #define XT_STRING_MAX_ALGO_NAME_SIZE 16 8 | 9 | enum { 10 | XT_STRING_FLAG_INVERT = 0x01, 11 | XT_STRING_FLAG_IGNORECASE = 0x02 12 | }; 13 | 14 | struct xt_string_info { 15 | __u16 from_offset; /* search window in the packet; NOTE(review): from_offset <= to_offset is not something the layout enforces, the consumer must check */ 16 | __u16 to_offset; 17 | char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; /* search-algorithm name; NOTE(review): must be NUL-terminated within 16 bytes before it is used as a string */ 18 | char pattern[XT_STRING_MAX_PATTERN_SIZE]; 19 | __u8 patlen; /* bytes of pattern[] in use; NOTE(review): untrusted when it comes from user space -- must be validated as <= XT_STRING_MAX_PATTERN_SIZE, the struct itself cannot enforce that */ 20 | union { 21 | struct { 22 | __u8 invert; /* revision 0: bare invert byte */ 23 | } v0; 24 | 25 | struct { 26 | __u8 flags; /* revision 1: XT_STRING_FLAG_* bits (INVERT and IGNORECASE) */ 27 | } v1; 28 | } u; 29 | 30 | /* Used internally by the kernel */ 31 | struct ts_config __attribute__((aligned(8))) *config; /* kernel-private; user space should pass it zeroed */ 32 | }; 33 | 34 | #endif /*_XT_STRING_H*/ 35 | -------------------------------------------------------------------------------- /include/linux/netfilter/xt_tcpmss.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_TCPMSS_MATCH_H 2 | #define _XT_TCPMSS_MATCH_H 3 | 4 | #include 5 | 6 | struct xt_tcpmss_match_info { 7 | __u16 mss_min, mss_max; /* MSS range, presumably inclusive -- confirm against the match code */ 8 | __u8 invert; 9 | }; 10 | 11 | #endif /*_XT_TCPMSS_MATCH_H*/ 12 | -------------------------------------------------------------------------------- /include/linux/netfilter/xt_time.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_TIME_H 2 | #define _XT_TIME_H 1 3 | 4 | #include 5 | 6 | struct xt_time_info { 7 | __u32 date_start; 8 | __u32 date_stop; 9 | __u32 daytime_start; /* seconds since midnight, XT_TIME_MIN_DAYTIME..XT_TIME_MAX_DAYTIME (see the enum below) */ 10 | __u32 daytime_stop; 11 | __u32 monthdays_match; /* bit n set = day n matches; bit 0 is unused, see XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE */ 12 | __u8 weekdays_match; /* bits 1..7; bit 0 is unused, see XT_TIME_ALL_WEEKDAYS = 0xFE */ 13 | __u8 flags; /* XT_TIME_LOCAL_TZ / XT_TIME_CONTIGUOUS */ 14 | }; 15 | 16 | enum { 17 | /* Match against local time (instead of UTC) */ 18 | XT_TIME_LOCAL_TZ = 1 << 0, 19 | XT_TIME_CONTIGUOUS = 1 << 1, 20 | 21 | /* Shortcuts */ 22 | XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE, 23 | XT_TIME_ALL_WEEKDAYS = 0xFE, 24 | XT_TIME_MIN_DAYTIME = 0, 25 | XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1, /* last second of the day */ 26 | }; 27 | 28 | #endif /* _XT_TIME_H */ 29 | -------------------------------------------------------------------------------- 
/include/linux/netfilter/xt_u32.h: -------------------------------------------------------------------------------- 1 | #ifndef _XT_U32_H 2 | #define _XT_U32_H 1 3 | 4 | #include 5 | 6 | enum xt_u32_ops { 7 | XT_U32_AND, 8 | XT_U32_LEFTSH, 9 | XT_U32_RIGHTSH, 10 | XT_U32_AT, 11 | }; 12 | 13 | struct xt_u32_location_element { 14 | __u32 number; 15 | __u8 nextop; /* enum xt_u32_ops applied after this element -- presumed from the name; reject values beyond XT_U32_AT */ 16 | }; 17 | 18 | struct xt_u32_value_element { 19 | __u32 min; 20 | __u32 max; 21 | }; 22 | 23 | /* 24 | * Any way to allow for an arbitrary number of elements? 25 | * For now, I settle with a limit of 10 each. 26 | */ 27 | #define XT_U32_MAXSIZE 10 /* the arrays below are sized XT_U32_MAXSIZE+1, i.e. 11 entries */ 28 | 29 | struct xt_u32_test { 30 | struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; 31 | struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; 32 | __u8 nnums; /* entries of location[] in use; NOTE(review): nnums, nvalues and ntests are user-supplied counts and must each be validated as <= XT_U32_MAXSIZE+1 before indexing -- the layout cannot enforce that */ 33 | __u8 nvalues; /* entries of value[] in use */ 34 | }; 35 | 36 | struct xt_u32 { 37 | struct xt_u32_test tests[XT_U32_MAXSIZE+1]; 38 | __u8 ntests; /* entries of tests[] in use, same bound caveat as nnums */ 39 | __u8 invert; 40 | }; 41 | 42 | #endif /* _XT_U32_H */ 43 | -------------------------------------------------------------------------------- /include/linux/netfilter_arp.h: -------------------------------------------------------------------------------- 1 | #ifndef __LINUX_ARP_NETFILTER_H 2 | #define __LINUX_ARP_NETFILTER_H 3 | 4 | /* ARP-specific defines for netfilter. 5 | * (C)2002 Rusty Russell IBM -- This code is GPL. 6 | */ 7 | 8 | #include 9 | 10 | /* There is no PF_ARP. 
*/ 11 | #define NF_ARP 0 12 | 13 | /* ARP Hooks */ 14 | #define NF_ARP_IN 0 15 | #define NF_ARP_OUT 1 16 | #define NF_ARP_FORWARD 2 17 | #define NF_ARP_NUMHOOKS 3 /* one past the last hook index above */ 18 | 19 | #endif /* __LINUX_ARP_NETFILTER_H */ 20 | -------------------------------------------------------------------------------- /include/linux/netfilter_arp/arpt_mangle.h: -------------------------------------------------------------------------------- 1 | #ifndef _ARPT_MANGLE_H 2 | #define _ARPT_MANGLE_H 3 | #include 4 | 5 | #define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr) /* IPv4 only: the unions below hold a struct in_addr */ 6 | struct arpt_mangle 7 | { 8 | char src_devaddr[ARPT_DEV_ADDR_LEN_MAX]; /* ARPT_DEV_ADDR_LEN_MAX is not defined in this header; it must come from the include on line 3 (target not shown in this listing) */ 9 | char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX]; 10 | union { 11 | struct in_addr src_ip; 12 | } u_s; 13 | union { 14 | struct in_addr tgt_ip; 15 | } u_t; 16 | __u8 flags; /* ARPT_MANGLE_* bits selecting which of the four fields to rewrite -- presumed from the names */ 17 | int target; /* verdict; NOTE(review): plain int, the consumer should accept only the verdicts it knows */ 18 | }; 19 | 20 | #define ARPT_MANGLE_SDEV 0x01 21 | #define ARPT_MANGLE_TDEV 0x02 22 | #define ARPT_MANGLE_SIP 0x04 23 | #define ARPT_MANGLE_TIP 0x08 24 | #define ARPT_MANGLE_MASK 0x0f /* all valid flag bits */ 25 | 26 | #endif /* _ARPT_MANGLE_H */ 27 | -------------------------------------------------------------------------------- /include/linux/netfilter_bridge/ebt_mark_m.h: -------------------------------------------------------------------------------- 1 | #ifndef __LINUX_BRIDGE_EBT_MARK_M_H 2 | #define __LINUX_BRIDGE_EBT_MARK_M_H 3 | 4 | #include 5 | 6 | #define EBT_MARK_AND 0x01 7 | #define EBT_MARK_OR 0x02 8 | #define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR) 9 | struct ebt_mark_m_info { 10 | unsigned long mark, mask; /* NOTE(review): unsigned long is 4 bytes on 32-bit and 8 bytes on 64-bit ABIs, so this struct's size and layout differ between the two -- relevant for any compat handling */ 11 | __u8 invert; 12 | __u8 bitmask; /* EBT_MARK_AND or EBT_MARK_OR, masked by EBT_MARK_MASK */ 13 | }; 14 | #define EBT_MARK_MATCH "mark_m" 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /include/linux/netfilter_bridge/ebt_mark_t.h: -------------------------------------------------------------------------------- 1 | #ifndef __LINUX_BRIDGE_EBT_MARK_T_H 2 | #define __LINUX_BRIDGE_EBT_MARK_T_H 3 | 4 | /* The target member is reused for adding new actions, the 5 | * value of 
the real target is -1 to -NUM_STANDARD_TARGETS. 6 | * For backward compatibility, the 4 lsb (2 would be enough, 7 | * but let's play it safe) are kept to designate this target. 8 | * The remaining bits designate the action. By making the set 9 | * action 0xfffffff0, the result will look ok for older 10 | * versions. [September 2006] */ 11 | #define MARK_SET_VALUE (0xfffffff0) 12 | #define MARK_OR_VALUE (0xffffffe0) 13 | #define MARK_AND_VALUE (0xffffffd0) 14 | #define MARK_XOR_VALUE (0xffffffc0) /* the action lives above the low nibble, so target & 0xf still reads as a standard target (see the comment above) */ 15 | 16 | struct ebt_mark_t_info { 17 | unsigned long mark; /* same 32/64-bit size caveat as ebt_mark_m_info.mark */ 18 | /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */ 19 | int target; /* low 4 bits: verdict; upper bits: one of the MARK_*_VALUE actions */ 20 | }; 21 | #define EBT_MARK_TARGET "mark" 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_CLUSTERIP.h: -------------------------------------------------------------------------------- 1 | #ifndef _IPT_CLUSTERIP_H_target 2 | #define _IPT_CLUSTERIP_H_target 3 | 4 | #include 5 | 6 | enum clusterip_hashmode { 7 | CLUSTERIP_HASHMODE_SIP = 0, 8 | CLUSTERIP_HASHMODE_SIP_SPT, 9 | CLUSTERIP_HASHMODE_SIP_SPT_DPT, 10 | }; 11 | 12 | #define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT /* highest valid hash_mode */ 13 | 14 | #define CLUSTERIP_MAX_NODES 16 15 | 16 | #define CLUSTERIP_FLAG_NEW 0x00000001 17 | 18 | struct clusterip_config; 19 | 20 | struct ipt_clusterip_tgt_info { 21 | 22 | __u32 flags; /* CLUSTERIP_FLAG_* */ 23 | 24 | /* only relevant for new ones */ 25 | __u8 clustermac[6]; 26 | __u16 num_total_nodes; 27 | __u16 num_local_nodes; /* entries of local_nodes[] in use; NOTE(review): user-supplied, must be validated as <= CLUSTERIP_MAX_NODES before indexing */ 28 | __u16 local_nodes[CLUSTERIP_MAX_NODES]; 29 | __u32 hash_mode; /* enum clusterip_hashmode; bound with CLUSTERIP_HASHMODE_MAX */ 30 | __u32 hash_initval; 31 | 32 | /* Used internally by the kernel */ 33 | struct clusterip_config *config; /* kernel-private pointer; user space should pass it zeroed and the kernel must not trust its value */ 34 | }; 35 | 36 | #endif /*_IPT_CLUSTERIP_H_target*/ 37 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_REJECT.h: -------------------------------------------------------------------------------- 1 | #ifndef _IPT_REJECT_H 2 | 
#define _IPT_REJECT_H 3 | 4 | enum ipt_reject_with { 5 | IPT_ICMP_NET_UNREACHABLE, 6 | IPT_ICMP_HOST_UNREACHABLE, 7 | IPT_ICMP_PROT_UNREACHABLE, 8 | IPT_ICMP_PORT_UNREACHABLE, 9 | IPT_ICMP_ECHOREPLY, 10 | IPT_ICMP_NET_PROHIBITED, 11 | IPT_ICMP_HOST_PROHIBITED, 12 | IPT_TCP_RESET, 13 | IPT_ICMP_ADMIN_PROHIBITED /* appended after IPT_TCP_RESET, which keeps the earlier numeric values stable */ 14 | }; 15 | 16 | struct ipt_reject_info { 17 | enum ipt_reject_with with; /* reject type; NOTE(review): enum-typed field, so its width is whatever the compiler picks for the enum -- the IPv6 counterpart (ip6t_reject_info) uses a fixed __u32 */ 18 | }; 19 | 20 | #endif /*_IPT_REJECT_H*/ 21 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_TTL.h: -------------------------------------------------------------------------------- 1 | /* TTL modification module for IP tables 2 | * (C) 2000 by Harald Welte */ 3 | 4 | #ifndef _IPT_TTL_H /* NOTE(review): the same guard is used by ipt_ttl.h (the match header); including both in one translation unit silently drops the second */ 5 | #define _IPT_TTL_H 6 | 7 | #include 8 | 9 | enum { 10 | IPT_TTL_SET = 0, 11 | IPT_TTL_INC, 12 | IPT_TTL_DEC 13 | }; 14 | 15 | #define IPT_TTL_MAXMODE IPT_TTL_DEC /* highest valid mode */ 16 | 17 | struct ipt_TTL_info { 18 | __u8 mode; /* IPT_TTL_SET/INC/DEC; reject values above IPT_TTL_MAXMODE */ 19 | __u8 ttl; /* value to set, or amount to add/subtract -- presumed from the mode names */ 20 | }; 21 | 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_addrtype.h: -------------------------------------------------------------------------------- 1 | #ifndef _IPT_ADDRTYPE_H 2 | #define _IPT_ADDRTYPE_H 3 | 4 | #include 5 | 6 | enum { 7 | IPT_ADDRTYPE_INVERT_SOURCE = 0x0001, 8 | IPT_ADDRTYPE_INVERT_DEST = 0x0002, 9 | IPT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004, 10 | IPT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008, 11 | }; 12 | 13 | struct ipt_addrtype_info_v1 { 14 | __u16 source; /* source-type mask */ 15 | __u16 dest; /* dest-type mask */ 16 | __u32 flags; /* IPT_ADDRTYPE_* bits; revision 1 folds the two invert fields of revision 0 (below) into this bitmask */ 17 | }; 18 | 19 | /* revision 0 */ 20 | struct ipt_addrtype_info { 21 | __u16 source; /* source-type mask */ 22 | __u16 dest; /* dest-type mask */ 23 | __u32 invert_source; 24 | __u32 invert_dest; 25 | }; 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_ah.h: 
-------------------------------------------------------------------------------- 1 | #ifndef _IPT_AH_H 2 | #define _IPT_AH_H 3 | 4 | #include 5 | 6 | struct ipt_ah { 7 | __u32 spis[2]; /* Security Parameter Index, presumably a min/max range like the other two-element arrays in these headers */ 8 | __u8 invflags; /* Inverse flags */ 9 | }; 10 | 11 | 12 | 13 | /* Values for "invflags" field in struct ipt_ah. */ 14 | #define IPT_AH_INV_SPI 0x01 /* Invert the sense of spi. */ 15 | #define IPT_AH_INV_MASK 0x01 /* All possible flags. */ 16 | 17 | #endif /*_IPT_AH_H*/ 18 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_realm.h: -------------------------------------------------------------------------------- 1 | #ifndef _IPT_REALM_H 2 | #define _IPT_REALM_H 3 | 4 | #include 5 | #define ipt_realm_info xt_realm_info /* compatibility alias for the xt_realm_info struct */ 6 | 7 | #endif /* _IPT_REALM_H */ 8 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv4/ipt_ttl.h: -------------------------------------------------------------------------------- 1 | /* IP tables module for matching the value of the TTL 2 | * (C) 2000 by Harald Welte */ 3 | 4 | #ifndef _IPT_TTL_H /* NOTE(review): same guard as ipt_TTL.h (the target header); the two cannot be included together */ 5 | #define _IPT_TTL_H 6 | 7 | #include 8 | 9 | enum { 10 | IPT_TTL_EQ = 0, /* equals */ 11 | IPT_TTL_NE, /* not equals */ 12 | IPT_TTL_LT, /* less than */ 13 | IPT_TTL_GT, /* greater than */ 14 | }; 15 | 16 | 17 | struct ipt_ttl_info { 18 | __u8 mode; /* IPT_TTL_EQ..IPT_TTL_GT; unlike ipt_TTL.h there is no MAXMODE macro, so consumers must bound it themselves */ 19 | __u8 ttl; 20 | }; 21 | 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_HL.h: -------------------------------------------------------------------------------- 1 | /* Hop Limit modification module for ip6tables 2 | * Maciej Soltysiak 3 | * Based on HW's TTL module */ 4 | 5 | #ifndef _IP6T_HL_H /* NOTE(review): same guard as ip6t_hl.h (the match header); the two cannot be included together */ 6 | #define _IP6T_HL_H 7 | 8 | #include 9 | 10 | enum { 11 | IP6T_HL_SET = 0, 12 | IP6T_HL_INC, 13 | IP6T_HL_DEC 14 | }; 15 | 16 | #define IP6T_HL_MAXMODE IP6T_HL_DEC /* highest valid mode */ 17 | 18 | struct 
ip6t_HL_info { 19 | __u8 mode; /* IP6T_HL_SET/INC/DEC; reject values above IP6T_HL_MAXMODE */ 20 | __u8 hop_limit; 21 | }; 22 | 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_NPT.h: -------------------------------------------------------------------------------- 1 | #ifndef __NETFILTER_IP6T_NPT 2 | #define __NETFILTER_IP6T_NPT 3 | 4 | #include 5 | #include 6 | 7 | struct ip6t_npt_tginfo { 8 | union nf_inet_addr src_pfx; 9 | union nf_inet_addr dst_pfx; 10 | __u8 src_pfx_len; /* NOTE(review): prefix lengths are user-supplied; the consumer must reject values above 128 */ 11 | __u8 dst_pfx_len; 12 | /* Used internally by the kernel */ 13 | __sum16 adjustment; /* kernel-private; user space should pass it zeroed -- presumed from the comment above */ 14 | }; 15 | 16 | #endif /* __NETFILTER_IP6T_NPT */ 17 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_REJECT.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6T_REJECT_H 2 | #define _IP6T_REJECT_H 3 | 4 | #include 5 | 6 | enum ip6t_reject_with { 7 | IP6T_ICMP6_NO_ROUTE, 8 | IP6T_ICMP6_ADM_PROHIBITED, 9 | IP6T_ICMP6_NOT_NEIGHBOUR, 10 | IP6T_ICMP6_ADDR_UNREACH, 11 | IP6T_ICMP6_PORT_UNREACH, 12 | IP6T_ICMP6_ECHOREPLY, 13 | IP6T_TCP_RESET, 14 | IP6T_ICMP6_POLICY_FAIL, 15 | IP6T_ICMP6_REJECT_ROUTE 16 | }; 17 | 18 | struct ip6t_reject_info { 19 | __u32 with; /* reject type (enum ip6t_reject_with); fixed-width, unlike ipt_reject_info which stores the enum directly; NOTE(review): bound it against the last enumerator before use */ 20 | }; 21 | 22 | #endif /*_IP6T_REJECT_H*/ 23 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_ah.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6T_AH_H 2 | #define _IP6T_AH_H 3 | 4 | #include 5 | 6 | struct ip6t_ah { 7 | __u32 spis[2]; /* Security Parameter Index (range) */ 8 | __u32 hdrlen; /* Header Length */ 9 | __u8 hdrres; /* Test of the Reserved Field */ 10 | __u8 invflags; /* Inverse flags */ 11 | }; 12 | 13 | #define IP6T_AH_SPI 0x01 14 | #define IP6T_AH_LEN 0x02 15 | #define IP6T_AH_RES 0x04 16 | 17 | /* Values for "invflags" field in struct ip6t_ah. 
*/ 18 | #define IP6T_AH_INV_SPI 0x01 /* Invert the sense of spi. */ 19 | #define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */ 20 | #define IP6T_AH_INV_MASK 0x03 /* All possible flags (SPI | LEN; there is no inverse flag for IP6T_AH_RES). */ 21 | 22 | #endif /*_IP6T_AH_H*/ 23 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_frag.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6T_FRAG_H 2 | #define _IP6T_FRAG_H 3 | 4 | #include 5 | 6 | struct ip6t_frag { 7 | __u32 ids[2]; /* id range, presumably; the original comment here ("Security Parameter Index") appears to be copied from ip6t_ah.h */ 8 | __u32 hdrlen; /* Header Length */ 9 | __u8 flags; /* IP6T_FRAG_* selector bits below -- presumed */ 10 | __u8 invflags; /* Inverse flags */ 11 | }; 12 | 13 | #define IP6T_FRAG_IDS 0x01 14 | #define IP6T_FRAG_LEN 0x02 15 | #define IP6T_FRAG_RES 0x04 16 | #define IP6T_FRAG_FST 0x08 17 | #define IP6T_FRAG_MF 0x10 18 | #define IP6T_FRAG_NMF 0x20 19 | 20 | /* Values for "invflags" field in struct ip6t_frag. */ 21 | #define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */ 22 | #define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */ 23 | #define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. 
*/ 24 | 25 | #endif /*_IP6T_FRAG_H*/ 26 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_hl.h: -------------------------------------------------------------------------------- 1 | /* ip6tables module for matching the Hop Limit value 2 | * Maciej Soltysiak 3 | * Based on HW's ttl module */ 4 | 5 | #ifndef _IP6T_HL_H /* NOTE(review): same guard as ip6t_HL.h (the target header); the two cannot be included in one translation unit */ 6 | #define _IP6T_HL_H 7 | 8 | #include 9 | 10 | enum { 11 | IP6T_HL_EQ = 0, /* equals */ 12 | IP6T_HL_NE, /* not equals */ 13 | IP6T_HL_LT, /* less than */ 14 | IP6T_HL_GT, /* greater than */ 15 | }; 16 | 17 | 18 | struct ip6t_hl_info { 19 | __u8 mode; /* IP6T_HL_EQ..IP6T_HL_GT; no MAXMODE macro here, consumers must bound it themselves */ 20 | __u8 hop_limit; 21 | }; 22 | 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_ipv6header.h: -------------------------------------------------------------------------------- 1 | /* ipv6header match - matches IPv6 packets based 2 | on whether they contain certain headers */ 3 | 4 | /* Original idea: Brad Chapman 5 | * Rewritten by: Andras Kis-Szabo */ 6 | 7 | 8 | #ifndef __IPV6HEADER_H 9 | #define __IPV6HEADER_H 10 | 11 | #include 12 | 13 | struct ip6t_ipv6header_info { 14 | __u8 matchflags; /* MASK_* bits below; NOTE(review): these macro names carry no IP6T_ prefix and collide easily with other headers */ 15 | __u8 invflags; 16 | __u8 modeflag; 17 | }; 18 | 19 | #define MASK_HOPOPTS 128 /* one bit per extension header; the eight values together fill the whole __u8 */ 20 | #define MASK_DSTOPTS 64 21 | #define MASK_ROUTING 32 22 | #define MASK_FRAGMENT 16 23 | #define MASK_AH 8 24 | #define MASK_ESP 4 25 | #define MASK_NONE 2 26 | #define MASK_PROTO 1 27 | 28 | #endif /* __IPV6HEADER_H */ 29 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_mh.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6T_MH_H 2 | #define _IP6T_MH_H 3 | 4 | #include 5 | 6 | /* MH matching stuff */ 7 | struct ip6t_mh { 8 | __u8 types[2]; /* MH type range */ 9 | __u8 invflags; /* Inverse flags */ 10 | }; 11 | 12 | /* Values for "invflags" field in struct 
ip6t_mh. */ 13 | #define IP6T_MH_INV_TYPE 0x01 /* Invert the sense of type. */ 14 | #define IP6T_MH_INV_MASK 0x01 /* All possible flags. */ 15 | 16 | #endif /*_IP6T_MH_H*/ 17 | -------------------------------------------------------------------------------- /include/linux/netfilter_ipv6/ip6t_opts.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6T_OPTS_H 2 | #define _IP6T_OPTS_H 3 | 4 | #include 5 | 6 | #define IP6T_OPTS_OPTSNR 16 /* capacity of opts[] */ 7 | 8 | struct ip6t_opts { 9 | __u32 hdrlen; /* Header Length */ 10 | __u8 flags; /* IP6T_OPTS_* selector bits below -- presumed */ 11 | __u8 invflags; /* Inverse flags */ 12 | __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */ 13 | __u8 optsnr; /* number of opts[] entries in use; NOTE(review): user-supplied, must be validated as <= IP6T_OPTS_OPTSNR before indexing */ 14 | }; 15 | 16 | #define IP6T_OPTS_LEN 0x01 17 | #define IP6T_OPTS_OPTS 0x02 18 | #define IP6T_OPTS_NSTRICT 0x04 19 | 20 | /* Values for "invflags" field in struct ip6t_opts. */ 21 | #define IP6T_OPTS_INV_LEN 0x01 /* Invert the sense of length. */ 22 | #define IP6T_OPTS_INV_MASK 0x01 /* All possible flags. */ 23 | 24 | #endif /*_IP6T_OPTS_H*/ 25 | -------------------------------------------------------------------------------- /include/xtables-version.h: -------------------------------------------------------------------------------- 1 | #define XTABLES_VERSION "libxtables.so.12" 2 | #define XTABLES_VERSION_CODE 12 /* apparently generated from xtables-version.h.in (next file); edit the template rather than this file */ 3 | -------------------------------------------------------------------------------- /include/xtables-version.h.in: -------------------------------------------------------------------------------- 1 | #define XTABLES_VERSION "libxtables.so.@libxtables_vmajor@" 2 | #define XTABLES_VERSION_CODE @libxtables_vmajor@ 3 | -------------------------------------------------------------------------------- /include/xtables_internal.h: -------------------------------------------------------------------------------- 1 | #ifndef XTABLES_INTERNAL_H 2 | #define XTABLES_INTERNAL_H 1 /* NOTE(review): the prototype below uses bool and uintmax_t but this header includes nothing; the includer must have stdbool.h/stdint.h in scope first */ 3 | 4 | extern bool xtables_strtoul_base(const char *, char **, uintmax_t *, 5 | uintmax_t, uintmax_t, 
unsigned int); /* parameters are unnamed; the trailing uintmax_t pair and unsigned int are presumably min, max and base -- confirm against the definition */ 6 | 7 | #endif /* XTABLES_INTERNAL_H */ 8 | -------------------------------------------------------------------------------- /iptables/.gitignore: -------------------------------------------------------------------------------- 1 | /arptables-translate.8 2 | /ebtables-translate.8 3 | /ip6tables 4 | /ip6tables.8 5 | /ip6tables-apply.8 6 | /ip6tables-save 7 | /ip6tables-save.8 8 | /ip6tables-restore 9 | /ip6tables-restore.8 10 | /ip6tables-static 11 | /ip6tables-translate.8 12 | /ip6tables-restore-translate.8 13 | /iptables 14 | /iptables.8 15 | /iptables-extensions.8 16 | /iptables-extensions.8.tmpl 17 | /iptables-save 18 | /iptables-save.8 19 | /iptables-restore 20 | /iptables-restore.8 21 | /iptables-static 22 | /iptables-translate.8 23 | /iptables-restore-translate.8 24 | /iptables-xml 25 | /iptables-xml.1 26 | /xtables-multi 27 | /xtables-legacy-multi 28 | /xtables-nft-multi 29 | /xtables-monitor.8 30 | 31 | /xtables.pc 32 | -------------------------------------------------------------------------------- /iptables/NOTICE: -------------------------------------------------------------------------------- 1 | ../NOTICE -------------------------------------------------------------------------------- /iptables/ip6tables-multi.h: -------------------------------------------------------------------------------- 1 | #ifndef _IP6TABLES_MULTI_H 2 | #define _IP6TABLES_MULTI_H 1 3 | 4 | extern int ip6tables_main(int, char **); /* argc/argv-style entry points, presumably dispatched by the multi-call binary on its invoked name */ 5 | extern int ip6tables_save_main(int, char **); 6 | extern int ip6tables_restore_main(int, char **); 7 | 8 | #endif /* _IP6TABLES_MULTI_H */ 9 | -------------------------------------------------------------------------------- /iptables/iptables-multi.h: -------------------------------------------------------------------------------- 1 | #ifndef _IPTABLES_MULTI_H 2 | #define _IPTABLES_MULTI_H 1 3 | 4 | extern int iptables_main(int, char **); /* IPv4 counterparts of the ip6tables-multi.h entry points */ 5 | extern int iptables_save_main(int, char **); 6 | extern int iptables_restore_main(int, char 
**); 7 | 8 | #endif /* _IPTABLES_MULTI_H */ 9 | -------------------------------------------------------------------------------- /iptables/nft-chain.h: -------------------------------------------------------------------------------- 1 | #ifndef _NFT_CHAIN_H_ 2 | #define _NFT_CHAIN_H_ 3 | 4 | #include 5 | #include 6 | 7 | struct nft_handle; 8 | 9 | struct nft_chain { 10 | struct list_head head; 11 | struct hlist_node hnode; 12 | struct nft_chain **base_slot; 13 | struct nftnl_chain *nftnl; 14 | bool fake; 15 | }; 16 | 17 | #define CHAIN_NAME_HSIZE 512 18 | 19 | struct nft_chain_list { 20 | struct list_head list; 21 | struct hlist_head names[CHAIN_NAME_HSIZE]; 22 | }; 23 | 24 | struct nft_chain *nft_chain_alloc(struct nftnl_chain *nftnl, bool fake); 25 | void nft_chain_free(struct nft_chain *c); 26 | 27 | struct nft_chain_list *nft_chain_list_alloc(void); 28 | void nft_chain_list_free(struct nft_chain_list *list); 29 | void nft_chain_list_del(struct nft_chain *c); 30 | 31 | #endif /* _NFT_CHAIN_H_ */ 32 | -------------------------------------------------------------------------------- /iptables/tests/shell/README: -------------------------------------------------------------------------------- 1 | To run the test suite (as root): 2 | $ cd iptables/tests/shell 3 | # ./run-tests.sh 4 | 5 | Test files are executable files with the pattern <name>_<N>, where N is the 6 | expected return code of the executable. Since they are located with `find', 7 | test-files can be spread across any sub-directories. 8 | 9 | You can turn on a verbose execution by calling: 10 | # ./run-tests.sh -v 11 | 12 | And to run the test suite for particular test files: 13 | # ./run-tests.sh 14 | 15 | Also, test-files will receive the environment variable $XT_MULTI which contains 16 | the path to the old iptables (xtables-legacy-multi) or new iptables (xtables-nft-multi) 17 | binary being tested. 
18 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e # any failing command, including the final diff, fails the test 4 | 5 | # there is no legacy backend to test 6 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 7 | 8 | # arptables-restore reuses preloaded targets and matches, make sure defaults 9 | # apply to consecutive rules using the same target/match as a previous one 10 | 11 | DUMP='*filter 12 | :OUTPUT ACCEPT 13 | -A OUTPUT -j mangle --mangle-ip-s 10.0.0.1 14 | -A OUTPUT -j mangle --mangle-ip-d 10.0.0.2' 15 | 16 | # note how mangle-ip-s is unset in second rule 17 | 18 | EXPECT='*filter 19 | :INPUT ACCEPT 20 | :OUTPUT ACCEPT 21 | -A OUTPUT -j mangle --mangle-ip-s 10.0.0.1 22 | -A OUTPUT -j mangle --mangle-ip-d 10.0.0.2' 23 | 24 | $XT_MULTI arptables -F # start from an empty ruleset so the diff only sees what restore loaded 25 | $XT_MULTI arptables-restore <<<$DUMP 26 | diff -u <(echo -e "$EXPECT") <($XT_MULTI arptables-save | grep -v '^#') # EXPECT carries an INPUT chain that DUMP lacks, so restore is expected to create it; the second rule must come back without the leaked --mangle-ip-s 27 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/chain/0001duplicate_1: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x # trace commands; the _1 suffix means the harness expects exit status 1 (see the README) 4 | 5 | $XT_MULTI iptables -t filter -N c1 || exit 0 # if the first creation fails there is nothing to test: exit 0 != expected 1, so the harness flags it 6 | $XT_MULTI iptables -t filter -N c1 || exit 1 # the duplicate must be refused; that refusal is the expected status 1 7 | 8 | $XT_MULTI ip6tables -t filter -N c1 || exit 0 9 | $XT_MULTI ip6tables -t filter -N c1 || exit 1 10 | 11 | echo "E: Duplicate chains" >&2 12 | exit 0 # reached only when a duplicate -N succeeded; 0 != the expected 1, so the harness reports a failure 13 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/chain/0002newchain_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e # every -N below must succeed 4 | 5 | $XT_MULTI iptables -N c1 6 | $XT_MULTI ip6tables -N c1 7 | 8 | $XT_MULTI iptables -N c2 9 | $XT_MULTI ip6tables -N c2 10 | 
-------------------------------------------------------------------------------- /iptables/tests/shell/testcases/chain/0004extra-base_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | case $XT_MULTI in 4 | *xtables-nft-multi) 5 | ;; 6 | *) 7 | echo skip $XT_MULTI 8 | exit 0 9 | ;; 10 | esac 11 | 12 | set -e 13 | 14 | nft -f - < for providing it. # NOTE(review): the heredoc body and the boundary to the next test file are missing from this listing; the lines that follow belong to a different (ip6tables nat) test 9 | 10 | RULE='-p tcp --dport 81 -j DNAT --to-destination [::1]:81' 11 | 12 | $XT_MULTI ip6tables -t nat -N testchain || exit 1 13 | $XT_MULTI ip6tables -t nat -A testchain $RULE || exit 1 # $RULE is intentionally unquoted so it splits into separate arguments 14 | $XT_MULTI ip6tables -t nat -C testchain $RULE || exit 1 # the exact rule must be found by -C 15 | 16 | $XT_MULTI ip6tables -t nat -C testchain ${RULE//81/82} 2>/dev/null && exit 1 # a -C with both ports changed must NOT match; a match here means the comparison ignored the port 17 | exit 0 18 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | RET=0 4 | tmpfile="" 5 | 6 | set -x 7 | 8 | clean_tempfile() 9 | { 10 | if [ -n "${tmpfile}" ]; then 11 | rm -f "${tmpfile}" 12 | fi 13 | } 14 | 15 | trap clean_tempfile EXIT 16 | 17 | tmpfile=$(mktemp) || exit 1 # NOTE(review): created and removed by the trap, but nothing in this script writes to it 18 | 19 | do_simple() 20 | { 21 | iptables="${1}" 22 | table="${2}" 23 | dumpfile="$(dirname "${0}")/dumps/${iptables}.dump" 24 | 25 | "$XT_MULTI" "${iptables}-restore" --table="${table}" "${dumpfile}"; rv=$? # status captured explicitly: this script has no set -e 
26 | 27 | if [ "${rv}" -ne 0 ]; then 28 | RET=1 # remember the failure but keep going so every table/family is exercised 29 | fi 30 | } 31 | 32 | do_simple "iptables" "filter" 33 | do_simple "iptables" "mangle" 34 | do_simple "iptables" "raw" 35 | do_simple "iptables" "nat" 36 | do_simple "ip6tables" "filter" 37 | do_simple "ip6tables" "mangle" 38 | do_simple "ip6tables" "raw" 39 | do_simple "ip6tables" "nat" 40 | 41 | exit "${RET}" # non-zero if any single-table restore failed 42 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/ipt-restore/0002-parameters_0: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | # make sure wait options are accepted 6 | 7 | clean_tempfile() 8 | { 9 | if [ -n "${tmpfile}" ]; then 10 | rm -f "${tmpfile}" 11 | fi 12 | } 13 | 14 | trap clean_tempfile EXIT 15 | 16 | tmpfile=$(mktemp) || exit 1 # NOTE(review): $tmpfile is expanded unquoted below; fine for mktemp's default names, but quote it if TMPDIR could contain whitespace 17 | 18 | $XT_MULTI iptables-save -f $tmpfile 19 | $XT_MULTI iptables-restore $tmpfile 20 | $XT_MULTI iptables-restore -w 5 $tmpfile # the point of the test: the wait option must be accepted, not rejected as unknown 21 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Make sure iptables-restore simply ignores 4 | # rules starting with -6 5 | 6 | set -e 7 | 8 | # show rules, drop uninteresting policy settings 9 | ipt_show() { 10 | $XT_MULTI iptables -S | grep -v '^-P' 11 | } 12 | 13 | # issue reproducer for iptables-restore 14 | 15 | $XT_MULTI iptables-restore <' so standard rule parsing routines may be used. This means 5 | # that it has to detect and reject rules which already contain a table option. # NOTE(review): the heredoc for the -6 reproducer and the start of the following test are missing from this listing 
6 | 7 | families="ip ip6" 8 | [[ $(basename $XT_MULTI) == xtables-nft-multi ]] && families+=" eb" # ebtables is exercised only with the nft backend, consistent with the other nft-only tests 9 | 10 | for fam in $families; do 11 | $XT_MULTI ${fam}tables-restore < $tmpfile1< $tmpfile2 27 | # NOTE(review): the heredoc fed to restore and the start of the ipt-save test that defines tmpfile1/tmpfile2 are missing from this listing 28 | diff -u $tmpfile1 $tmpfile2 29 | 30 | rm -f $tmpfile1 $tmpfile2 # NOTE(review): the diff status is not checked here; if the harness relies on the exit status, rm's success masks a failed diff 31 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dump=$(dirname $0)/dumps/fedora27-iptables 4 | diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) # -Z ignores trailing whitespace; NOTE(review): no set -e, so only the status of the last diff below decides the result 5 | diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump) 6 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt: -------------------------------------------------------------------------------- 1 | # Generated by xtables-save v1.6.2 on Tue Jun 26 22:28:41 2018 2 | *filter 3 | :INPUT DROP [0:0] 4 | :FORWARD DROP [0:0] 5 | :OUTPUT DROP [0:0] 6 | -A OUTPUT -j ACCEPT 7 | COMMIT 8 | # Completed on Tue Jun 26 22:28:41 2018 9 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/iptables/0001-chain-refs_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # make sure rules are not counted in references of iptables output 4 | 5 | set -e 6 | 7 | $XT_MULTI iptables -N foo 8 | $XT_MULTI iptables -L | grep 'Chain foo (0 references)' # grep is the last command of the pipeline, so with set -e a missing match fails the test 9 | 10 | $XT_MULTI iptables -A foo -j ACCEPT 11 | $XT_MULTI iptables -L | grep 'Chain foo (0 references)' # a rule inside foo must not count as a reference 12 | 13 | $XT_MULTI iptables -A FORWARD -j foo 14 | $XT_MULTI iptables -L | grep 'Chain foo (1 references)' # a jump from another chain is what counts 15 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/iptables/0005-delete-rules_0: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # test for crash when comparing rules with standard target 4 | 5 | $XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j DROP 6 | $XT_MULTI iptables -D FORWARD -i eth23 -o eth42 -j REJECT 7 | [[ $? -eq 1 ]] || exit 1 # -D with a different target must fail with status 1 (no matching rule) rather than crash or delete the DROP rule 8 | 9 | # test incorrect deletion of rules with deviating payload 10 | # in non-standard target 11 | 12 | $XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j MARK --set-mark 23 13 | $XT_MULTI iptables -D FORWARD -i eth23 -o eth42 -j MARK --set-mark 42 14 | [[ $? -eq 1 ]] || exit 1 # same target, different target payload: must still not match 15 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/iptables/0009-unknown-arg_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rc=0 4 | 5 | check() { 6 | local cmd="$1" 7 | local msg="$2" 8 | 9 | $XT_MULTI $cmd 2>&1 | grep -q "$msg" || { # $cmd is intentionally unquoted so it splits into the command and its arguments 10 | echo "cmd: $XT_MULTI $1" 11 | echo "exp: $msg" 12 | echo "res: $($XT_MULTI $cmd 2>&1)" 13 | rc=1 # record the mismatch but keep checking the remaining commands 14 | } 15 | } 16 | 17 | cmds="iptables ip6tables" 18 | [[ $XT_MULTI == *xtables-nft-multi ]] && { 19 | cmds+=" ebtables" 20 | cmds+=" iptables-translate" 21 | cmds+=" ip6tables-translate" 22 | cmds+=" ebtables-translate" 23 | } 24 | 25 | for cmd in $cmds; do 26 | check "${cmd} --foo" 'unknown option "--foo"' 27 | check "${cmd} -A" 'option "-A" requires an argument' 28 | check "${cmd} -aL" 'unknown option "-a"' # the unknown short option inside a cluster must be named in the message 29 | done 30 | 31 | exit $rc 32 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0001compat_0: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # test case for bug fixed in 4 | # commit 873c5d5d293991ee3c06aed2b1dfc5764872582f (HEAD -> master) 5 | # xtables: avoid bogus 'is incompatible' warning 6 | 7 | case "$XT_MULTI" in 8 | *xtables-nft-multi) 9 | ;; 10 | *) 11 | echo skip $XT_MULTI 12 
| exit 0 13 | ;; 14 | esac 15 | 16 | nft -v >/dev/null || exit 0 17 | nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1 18 | nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1 19 | 20 | $XT_MULTI iptables -L -t filter || exit 1 21 | $XT_MULTI ip6tables -L -t filter || exit 1 22 | exit 0 23 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0002invflags_0: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 6 | 7 | $XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT 8 | $XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT 9 | $XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT 10 | 11 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 6 | 7 | comment1="foo bar" 8 | comment2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 9 | 10 | for ipt in iptables ip6tables; do 11 | for comment in "$comment1" "$comment2"; do 12 | $XT_MULTI $ipt -A INPUT -m comment --comment "$comment" -j ACCEPT 13 | $XT_MULTI $ipt -D INPUT -m comment --comment "$comment" -j ACCEPT 14 | done 15 | done 16 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0006-policy-override_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == 
*xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | 5 | # make sure none of the commands invoking nft_xt_builtin_init() override 6 | # non-default chain policies via needless chain add. 7 | 8 | RC=0 9 | 10 | do_test() { 11 | $XT_MULTI $@ 12 | $XT_MULTI iptables -S | grep -q -- '-P FORWARD DROP' && return 13 | 14 | echo "command '$@' kills chain policies" 15 | $XT_MULTI iptables -P FORWARD DROP 16 | RC=1 17 | } 18 | 19 | $XT_MULTI iptables -P FORWARD DROP 20 | 21 | do_test iptables -A OUTPUT -j ACCEPT 22 | do_test iptables -F 23 | do_test iptables -N foo 24 | do_test iptables -E foo foo2 25 | do_test iptables -I OUTPUT -j ACCEPT 26 | do_test iptables -nL 27 | do_test iptables -S 28 | 29 | exit $RC 30 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0007-mid-restore-flush_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | nft -v >/dev/null || { echo "skip $XT_MULTI (no nft)"; exit 0; } 5 | 6 | coproc $XT_MULTI iptables-restore --noflush 7 | 8 | cat >&"${COPROC[1]}" <&"${COPROC[1]}" 21 | # close the pipe to make iptables-restore exit if it didn't error out yet 22 | eval "exec ${COPROC[1]}>&-" 23 | wait $COPROC_PID 24 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | nft -v >/dev/null || exit 0 5 | 6 | set -e 7 | 8 | unshare -n bash -c "nft -f $(dirname $0)/0010-nft-native.txt; 9 | diff -u -Z $(dirname $0)/0010-iptables-nft-save.txt <($XT_MULTI iptables-save | grep -v '^#')" 10 | -------------------------------------------------------------------------------- 
/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | 5 | set -e 6 | 7 | rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080" 8 | for cmd in iptables ip6tables; do 9 | $XT_MULTI $cmd -t mangle -A PREROUTING $rule 10 | $XT_MULTI $cmd -t mangle -Z 11 | $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}" 12 | done 13 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0013-zero-non-existent_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | nft --version >/dev/null 2>&1 || { echo "skip nft"; exit 0; } 5 | 6 | set -e 7 | 8 | nft flush ruleset 9 | $XT_MULTI iptables -Z INPUT 10 | 11 | EXP="Zeroing chain \`INPUT'" 12 | diff -u <(echo "$EXP") <($XT_MULTI iptables -v -Z INPUT) 13 | 14 | EXP="Zeroing chain \`INPUT' 15 | Zeroing chain \`FORWARD' 16 | Zeroing chain \`OUTPUT'" 17 | diff -u <(echo "$EXP") <($XT_MULTI iptables -v -Z) 18 | -------------------------------------------------------------------------------- /iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } 4 | 5 | $XT_MULTI iptables -N test 6 | $XT_MULTI iptables -A test -i lo \! -o lo -j REJECT 7 | $XT_MULTI iptables -C test -i abcdefgh \! 
-o abcdefgh -j REJECT 2>/dev/null && exit 1 8 | 9 | exit 0 10 | -------------------------------------------------------------------------------- /iptables/xtables.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aosp-mirror/platform_external_iptables/672d4a9452846646a3017d255fae319e12d92295/iptables/xtables.lock -------------------------------------------------------------------------------- /iptables/xtables.pc.in: -------------------------------------------------------------------------------- 1 | 2 | prefix=@prefix@ 3 | exec_prefix=@exec_prefix@ 4 | libdir=@libdir@ 5 | xtlibdir=@xtlibdir@ 6 | includedir=@includedir@ 7 | 8 | Name: xtables 9 | Description: Shared Xtables code for extensions and iproute2 10 | Version: @PACKAGE_VERSION@ 11 | Cflags: -I${includedir} 12 | Libs: -L${libdir} -lxtables 13 | Libs.private: -ldl 14 | -------------------------------------------------------------------------------- /libipq/.gitignore: -------------------------------------------------------------------------------- 1 | /libipq.pc 2 | -------------------------------------------------------------------------------- /libipq/Makefile.am: -------------------------------------------------------------------------------- 1 | # -*- Makefile -*- 2 | 3 | AM_CFLAGS = ${regular_CFLAGS} 4 | AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include 5 | AM_LDFLAGS = ${regular_LDFLAGS} 6 | 7 | libipq_la_SOURCES = libipq.c 8 | lib_LTLIBRARIES = libipq.la 9 | dist_man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ 10 | ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \ 11 | ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \ 12 | libipq.3 13 | 14 | pkgconfig_DATA = libipq.pc 15 | -------------------------------------------------------------------------------- /libipq/ipq_destroy_handle.3: -------------------------------------------------------------------------------- 1 | 
.so man3/ipq_create_handle.3

--------------------------------------------------------------------------------
/libipq/ipq_get_msgerr.3:
--------------------------------------------------------------------------------
.so man3/ipq_message_type.3

--------------------------------------------------------------------------------
/libipq/ipq_get_packet.3:
--------------------------------------------------------------------------------
.so man3/ipq_message_type.3

--------------------------------------------------------------------------------
/libipq/ipq_perror.3:
--------------------------------------------------------------------------------
.so man3/ipq_errstr.3

--------------------------------------------------------------------------------
/libipq/libipq.pc.in:
--------------------------------------------------------------------------------

prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@

Name: libipq
Description: Interface to the (old) ip_queue mechanism
Version: @PACKAGE_VERSION@
Libs: -L${libdir} -lipq
Cflags: -I${includedir}

--------------------------------------------------------------------------------
/libiptc/.gitignore:
--------------------------------------------------------------------------------
/*.pc

--------------------------------------------------------------------------------
/libiptc/Android.bp:
--------------------------------------------------------------------------------
package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "external_iptables_license"
    // to get the below license kinds:
    // SPDX-license-identifier-GPL
    default_applicable_licenses: ["external_iptables_license"],
}

// Settings shared by the two static libraries below.
cc_defaults {
    name: "libiptc_defaults",
    defaults: ["iptables_defaults"],

    cflags: ["-Wno-pointer-sign"],
}

cc_library_static {
    name: "libip4tc",
    defaults: ["libiptc_defaults"],

    srcs: ["libip4tc.c"],
}

cc_library_static {
    name: "libip6tc",
    defaults: ["libiptc_defaults"],

    // libip6tc.c silences one more warning than libip4tc.c.
    cflags: ["-Wno-unused-function"],

    srcs: ["libip6tc.c"],
}

--------------------------------------------------------------------------------
/libiptc/Makefile.am:
--------------------------------------------------------------------------------
# -*- Makefile -*-

AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
AM_LDFLAGS = ${regular_LDFLAGS}

pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc

# Both libraries carry the same libtool version triple (current:revision:age).
lib_LTLIBRARIES = libip4tc.la libip6tc.la
libip4tc_la_SOURCES = libip4tc.c
libip4tc_la_LDFLAGS = -version-info 2:0:0
libip6tc_la_SOURCES = libip6tc.c
libip6tc_la_LDFLAGS = -version-info 2:0:0

# Shipped in the tarball but not listed as compilation units of their own.
EXTRA_DIST = libiptc.c linux_list.h

--------------------------------------------------------------------------------
/libiptc/libip4tc.pc.in:
--------------------------------------------------------------------------------
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@

Name: libip4tc
Description: iptables IPv4 ruleset ADT and kernel interface
Version: @PACKAGE_VERSION@
Libs: -L${libdir} -lip4tc
Cflags: -I${includedir}

--------------------------------------------------------------------------------
/libiptc/libip6tc.pc.in:
--------------------------------------------------------------------------------
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@

Name: libip6tc
Description: iptables IPv6 ruleset ADT and kernel interface
Version: @PACKAGE_VERSION@
Libs: -L${libdir} -lip6tc
Cflags: -I${includedir}

--------------------------------------------------------------------------------
/libiptc/libiptc.pc.in:
--------------------------------------------------------------------------------

prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@

Name: libiptc
Description: iptables v4/v6 ruleset ADT and kernel interface
Version: @PACKAGE_VERSION@
Requires: libip4tc libip6tc

--------------------------------------------------------------------------------
/libxtables/Makefile.am:
--------------------------------------------------------------------------------
# -*- Makefile -*-

AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
AM_LDFLAGS = ${regular_LDFLAGS}

lib_LTLIBRARIES = libxtables.la
libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
# libtool current:revision:age; current and age are substituted variables
# (presumably set by configure).
libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
# Starts empty; the conditionals below append to it.
libxtables_la_LIBADD =
if ENABLE_STATIC
# With --enable-static, shipped extensions are linked into the main executable,
# so we need all the LIBADDs here too
libxtables_la_LIBADD += -lm ${libnetfilter_conntrack_LIBS}
endif
if ENABLE_SHARED
libxtables_la_CFLAGS = ${AM_CFLAGS}
# Only the shared build links libdl.
libxtables_la_LIBADD += -ldl
else
# Static-only build: no -ldl, and the library is compiled with NO_SHARED_LIBS=1.
libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
endif

--------------------------------------------------------------------------------
/m4/.gitignore:
--------------------------------------------------------------------------------
/libtool.m4
/lt*.m4

--------------------------------------------------------------------------------
/utils/.gitignore:
--------------------------------------------------------------------------------
/nfnl_osf
/nfnl_osf.8
/nfbpf_compile
/nfbpf_compile.8
/nfsynproxy

--------------------------------------------------------------------------------