From f67f6ae5f022b6d87feb0067edaeb6f388fdf2c3 Mon Sep 17 00:00:00 2001
From: Sven Auhagen
Date: Tue, 25 Jun 2019 09:44:51 +0200
Subject: [PATCH] NFTables fixes and scripts
This commit fixes the list detection and uses the inet chain for ipv4. The scripts got reworked as well and a display script was added.
---
 miniupnpd/netfilter_nft/nftnlrdr.c | 2 +-
 miniupnpd/netfilter_nft/nftnlrdr_misc.c | 6 ++--
 .../netfilter_nft/scripts/nft_delete_chain.sh | 8 ++---
 .../netfilter_nft/scripts/nft_display.sh | 8 +++++
 miniupnpd/netfilter_nft/scripts/nft_flush.sh | 8 ++---
 miniupnpd/netfilter_nft/scripts/nft_init.sh | 32 +++++++++----------
 .../netfilter_nft/scripts/nft_removeall.sh | 7 ++--
 7 files changed, 39 insertions(+), 32 deletions(-)
 create mode 100644 miniupnpd/netfilter_nft/scripts/nft_display.sh
diff --git a/miniupnpd/netfilter_nft/nftnlrdr.c b/miniupnpd/netfilter_nft/nftnlrdr.c
index 93c0d88..ff879e3 100644
--- a/miniupnpd/netfilter_nft/nftnlrdr.c
+++ b/miniupnpd/netfilter_nft/nftnlrdr.c
@@ -132,7 +132,7 @@ add_redirect_rule2(const char * ifname,
 	d_printf(("add redirect rule2(%s, %s, %u, %s, %u, %d, %s)!\n", ifname, rhost, eport, iaddr, iport, proto, desc));
-	r = rule_set_dnat(NFPROTO_IPV4, ifname, proto,
+	r = rule_set_dnat(NFPROTO_INET, ifname, proto,
 	                  0, eport, inet_addr(iaddr), iport, desc, NULL);
diff --git a/miniupnpd/netfilter_nft/nftnlrdr_misc.c b/miniupnpd/netfilter_nft/nftnlrdr_misc.c
index a138a42..6358b49 100644
--- a/miniupnpd/netfilter_nft/nftnlrdr_misc.c
+++ b/miniupnpd/netfilter_nft/nftnlrdr_misc.c
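Review bot: The DNAT rule is now requested with NFPROTO_INET while the nat table the scripts create and list (`nft list table nat` in nft_init.sh, `nft list chain ip nat MINIUPNPD` in nft_display.sh) lives in the ip family; unless rule_set_dnat maps the family back to the table's family, the NEWRULE request can be refused or land in a table the display script never shows, so the C code and the scripts should agree on one family. The peer/SNAT path is not in this diff and presumably still passes NFPROTO_IPV4 — worth checking it is changed consistently. On the same line `inet_addr(iaddr)` returns INADDR_NONE for an unparsable address, which is indistinguishable from 255.255.255.255, so a malformed internal address still produces a rule; `inet_pton(AF_INET, iaddr, &addr)` with its return value checked would reject it before anything is installed. add_redirect_rule2 starts and ends outside the hunk.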
@@ -604,15 +604,15 @@ table_cb(const struct nlmsghdr *nlh, void *data)
 		if (r->type == RULE_NONE) {
 			free(r);
-		} else if (strcmp(r->chain, miniupnpd_nat_postrouting_chain) == 0) {
+		} else if (r->type == RULE_NAT && r->nat_type == NFT_NAT_SNAT) {
 			r->index = index_peer;
 			LIST_INSERT_HEAD(&head_peer, r, entry);
 			index_peer++;
-		} else if (strcmp(r->chain, miniupnpd_nat_chain) == 0) {
+		} else if (r->type == RULE_NAT && r->nat_type == NFT_NAT_DNAT) {
 			r->index = index_redirect;
 			LIST_INSERT_HEAD(&head_redirect, r, entry);
 			index_redirect++;
-		} else {
+		} else if (r->type == RULE_FILTER) {
 			r->index = index_filter;
 			LIST_INSERT_HEAD(&head_filter, r, entry);
 			index_filter++;
diff --git a/miniupnpd/netfilter_nft/scripts/nft_delete_chain.sh b/miniupnpd/netfilter_nft/scripts/nft_delete_chain.sh
index d0e049f..e441786 100755
--- a/miniupnpd/netfilter_nft/scripts/nft_delete_chain.sh
+++ b/miniupnpd/netfilter_nft/scripts/nft_delete_chain.sh
@@ -1,5 +1,5 @@
-#! /sbin/nft -f
+#!/bin/sh
-delete chain nat MINIUPNPD
-delete chain nat MINIUPNPD-POSTROUTING
-delete chain filter MINIUPNPD
+nft delete chain nat MINIUPNPD
+nft delete chain nat MINIUPNPD-POSTROUTING
+nft delete chain filter MINIUPNPD
diff --git a/miniupnpd/netfilter_nft/scripts/nft_display.sh b/miniupnpd/netfilter_nft/scripts/nft_display.sh
new file mode 100644
index 0000000..c1a7928
--- /dev/null
+++ b/miniupnpd/netfilter_nft/scripts/nft_display.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Prerouting
+nft list chain ip nat MINIUPNPD
+# Postrouting
+nft list chain ip nat MINIUPNPD-POSTROUTING
+# Filter
+nft list chain inet filter MINIUPNPD
diff --git a/miniupnpd/netfilter_nft/scripts/nft_flush.sh b/miniupnpd/netfilter_nft/scripts/nft_flush.sh
index 5898d68..ad93539 100755
--- a/miniupnpd/netfilter_nft/scripts/nft_flush.sh
+++ b/miniupnpd/netfilter_nft/scripts/nft_flush.sh
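Review bot: Turning the final `else` into `else if (r->type == RULE_FILTER)` leaves a rule that matches no branch — RULE_NAT with a nat_type other than SNAT/DNAT, or any other type value — neither linked into a list nor freed, so each such rule leaks one allocation per table dump; add a trailing `} else { free(r); }` (optionally with a debug log) so every allocated r has exactly one owner. Classifying by nat_type instead of chain name also means any SNAT/DNAT rule in the dumped table is now attributed to miniupnpd unless the dump request is already restricted to the MINIUPNPD chains; if it is not, the daemon could list or remove rules it does not own, which the old strcmp on the chain name prevented. table_cb starts and ends outside the hunk.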
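Review bot: `nft delete chain filter MINIUPNPD` addresses the ip family by default, but nft_init.sh creates that chain as `inet filter MINIUPNPD` and nft_flush.sh flushes `inet filter MINIUPNPD`, so this delete fails with a missing-table error and the filter chain is left behind; the line should read `nft delete chain inet filter MINIUPNPD`. The two nat deletes should likewise spell out `ip nat`, as nft_flush.sh and nft_display.sh do, rather than relying on the default family.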
@@ -1,5 +1,5 @@
-#! /sbin/nft -f
+#!/bin/sh
-flush chain ip nat MINIUPNPD
-flush chain ip nat MINIUPNPD-POSTROUTING
-flush chain inet filter MINIUPNPD
+nft flush chain ip nat MINIUPNPD
+nft flush chain ip nat MINIUPNPD-POSTROUTING
+nft flush chain inet filter MINIUPNPD
diff --git a/miniupnpd/netfilter_nft/scripts/nft_init.sh b/miniupnpd/netfilter_nft/scripts/nft_init.sh
index 93e2f5d..938f5d7 100755
--- a/miniupnpd/netfilter_nft/scripts/nft_init.sh
+++ b/miniupnpd/netfilter_nft/scripts/nft_init.sh
@@ -1,11 +1,11 @@
-#! /bin/sh
+#!/bin/sh
 nft list table nat > /dev/null
 nft_nat_exists=$?
-nft list table filter > /dev/null
+nft list table inet filter > /dev/null
 nft_filter_exists=$?
-nft list table mangle > /dev/null
-nft_mangle_exists=$?
+#nft list table inet mangle > /dev/null
+#nft_mangle_exists=$?
 if [ $nft_nat_exists -eq "1" ]; then
 	echo "create nat"
@@ -15,19 +15,19 @@ if [ $nft_filter_exists -eq "1" ]; then
 	echo "create filter"
 	nft "add table inet filter"
 fi
-if [ $nft_mangle_exists -eq "1" ]; then
-	echo "create mangle"
-	nft "add table mangle"
-fi
+#if [ $nft_mangle_exists -eq "1" ]; then
+#	echo "create mangle"
+#	nft "add table mangle"
+#fi
 nft list chain nat MINIUPNPD > /dev/null
 nft_nat_miniupnpd_exists=$?
 nft list chain nat MINIUPNPD-POSTROUTING > /dev/null
 nft_nat_miniupnpd_pcp_peer_exists=$?
-nft list chain filter MINIUPNPD > /dev/null
+nft list chain inet filter MINIUPNPD > /dev/null
 nft_filter_miniupnpd_exists=$?
-nft list chain mangle MINIUPNPD > /dev/null
-nft_mangle_miniupnpd_exists=$?
+#nft list chain inet mangle MINIUPNPD > /dev/null
+#nft_mangle_miniupnpd_exists=$?
 if [ $nft_nat_miniupnpd_exists -eq "1" ]; then
 	echo "create chain in nat"
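Review bot: The mangle table and chain handling is commented out rather than removed, here and again in the second and third hunks of nft_init.sh; dead code in an init script should be deleted (history keeps it) so a reader does not have to work out whether it is deliberately disabled or half-migrated. The existence probes also print nft's "No such file or directory" text on every fresh install because only stdout is redirected — `nft list table inet filter > /dev/null 2>&1` keeps the exit-code test that the script relies on and silences the failure it treats as the normal create path.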
@@ -39,9 +39,9 @@ if [ $nft_nat_miniupnpd_pcp_peer_exists -eq "1" ]; then
 fi
 if [ $nft_filter_miniupnpd_exists -eq "1" ]; then
 	echo "create chain in filter "
-	nft "add chain filter MINIUPNPD"
-fi
-if [ $nft_mangle_miniupnpd_exists -eq "1" ]; then
-	echo "create chain in mangle"
-	nft "add chain mangle MINIUPNPD"
+	nft "add chain inet filter MINIUPNPD"
 fi
+#if [ $nft_mangle_miniupnpd_exists -eq "1" ]; then
+#	echo "create chain in mangle"
+#	nft "add chain inet mangle MINIUPNPD"
+#fi
diff --git a/miniupnpd/netfilter_nft/scripts/nft_removeall.sh b/miniupnpd/netfilter_nft/scripts/nft_removeall.sh
index e6fd75c..84ad594 100755
--- a/miniupnpd/netfilter_nft/scripts/nft_removeall.sh
+++ b/miniupnpd/netfilter_nft/scripts/nft_removeall.sh
@@ -1,5 +1,4 @@
-#! /sbin/nft -f
+#!/bin/sh
-delete rule nat MINIUPNPD
-delete rule nat MINIUPNPD-POSTROUTING
-delete rule filter MINIUPNPD
+# Remove all rules in nft not just miniupnpd
+nft flush ruleset
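Review bot: `nft flush ruleset` deletes every table, chain and rule on the host, not only the MINIUPNPD chains, so running this script removes whatever firewall policy the administrator had in place — base chains with drop policies included — and leaves the machine without packet filtering until that policy is rebuilt; the comment acknowledges this, but a helper shipped as miniupnpd's "remove all" should not have that blast radius. The scoped removal already exists in nft_flush.sh: this script should run `nft flush chain ip nat MINIUPNPD`, `nft flush chain ip nat MINIUPNPD-POSTROUTING` and `nft flush chain inet filter MINIUPNPD` (or call nft_delete_chain.sh to drop the chains), and a ruleset-wide flush, if it is kept at all, belongs behind an explicit opt-in argument with a clear warning in the usage text.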