sys/linux: improve netfilter descriptions

Put the underflow entry at the end.
Entries must end on an unconditional, non-goto entry,
otherwise fallthrough from the last entry is invalid.

Add arp tables support.

Split unspec matches/targets to unspec and inet.

Reset ipv6 and arp tables in executor.

Fix number of counters in tables.

Plus a bunch of assorted fixes for matches/targets.

executor/common_linux.h

@@ -959,6 +959,13 @@ static int do_sandbox_namespace(int executor_pid, bool enable_tun)
 // however it's too slow (1-1.5 seconds per namespace, not parallelizable).
 
 // Linux headers do not compile for C++, so we have to define the structs manualy.
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+	uint64 pcnt, bcnt;
+};
+
 struct ipt_getinfo {
 	char name[32];
 	unsigned int valid_hooks;
@@ -971,11 +978,7 @@ struct ipt_getinfo {
 struct ipt_get_entries {
 	char name[32];
 	unsigned int size;
-	void* entrytable[1024 / sizeof(void*)];
-};
-
-struct xt_counters {
-	uint64 pcnt, bcnt;
+	void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
 };
 
 struct ipt_replace {
@@ -987,15 +990,13 @@ struct ipt_replace {
 	unsigned int underflow[5];
 	unsigned int num_counters;
 	struct xt_counters* counters;
-	char entrytable[1024];
+	char entrytable[XT_TABLE_SIZE];
 };
 
 struct ipt_table_desc {
 	const char* name;
 	struct ipt_getinfo info;
-	struct ipt_get_entries entries;
 	struct ipt_replace replace;
-	struct xt_counters counters[10];
 };
 
 static struct ipt_table_desc ipv4_tables[] = {
@@ -1006,27 +1007,76 @@ static struct ipt_table_desc ipv4_tables[] = {
     {.name = "security"},
 };
 
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "mangle"},
+    {.name = "raw"},
+    {.name = "security"},
+};
+
 #define IPT_BASE_CTL 64
 #define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
 #define IPT_SO_GET_INFO (IPT_BASE_CTL)
 #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
 
-static void checkpoint_net_namespace(void)
-{
-	socklen_t optlen;
-	unsigned i;
-	int fd;
+struct arpt_getinfo {
+	char name[32];
+	unsigned int valid_hooks;
+	unsigned int hook_entry[3];
+	unsigned int underflow[3];
+	unsigned int num_entries;
+	unsigned int size;
+};
 
-	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+struct arpt_get_entries {
+	char name[32];
+	unsigned int size;
+	void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+	char name[32];
+	unsigned int valid_hooks;
+	unsigned int num_entries;
+	unsigned int size;
+	unsigned int hook_entry[3];
+	unsigned int underflow[3];
+	unsigned int num_counters;
+	struct xt_counters* counters;
+	char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+	const char* name;
+	struct arpt_getinfo info;
+	struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
+{
+	struct ipt_get_entries entries;
+	socklen_t optlen;
+	int fd, i;
+
+	fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
 	if (fd == -1)
-		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
-	for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
-		struct ipt_table_desc* table = &ipv4_tables[i];
+		fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+	for (i = 0; i < num_tables; i++) {
+		struct ipt_table_desc* table = &tables[i];
 		strcpy(table->info.name, table->name);
-		strcpy(table->entries.name, table->name);
 		strcpy(table->replace.name, table->name);
 		optlen = sizeof(table->info);
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &table->info, &optlen)) {
+		if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
 			switch (errno) {
 			case EPERM:
 			case ENOENT:
@@ -1035,63 +1085,169 @@ static void checkpoint_net_namespace(void)
 			}
 			fail("getsockopt(IPT_SO_GET_INFO)");
 		}
-		if (table->info.size > sizeof(table->entries.entrytable))
+		debug("checkpoint iptable %s/%d: entries=%d hooks=%x size=%d\n",
+		      table->name, family, table->info.num_entries, table->info.valid_hooks,
+		      table->info.size);
+		if (table->info.size > sizeof(table->replace.entrytable))
 			fail("table size is too large: %u", table->info.size);
-		if (table->info.num_entries > sizeof(table->counters) / sizeof(table->counters[0]))
+		if (table->info.num_entries > XT_MAX_ENTRIES)
 			fail("too many counters: %u", table->info.num_entries);
-		table->entries.size = table->info.size;
-		optlen = sizeof(table->entries) - sizeof(table->entries.entrytable) + table->info.size;
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &table->entries, &optlen))
+		memset(&entries, 0, sizeof(entries));
+		strcpy(entries.name, table->name);
+		entries.size = table->info.size;
+		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+		if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
 			fail("getsockopt(IPT_SO_GET_ENTRIES)");
 		table->replace.valid_hooks = table->info.valid_hooks;
 		table->replace.num_entries = table->info.num_entries;
-		table->replace.counters = table->counters;
 		table->replace.size = table->info.size;
 		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
 		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
-		memcpy(table->replace.entrytable, table->entries.entrytable, table->info.size);
+		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
 	}
 	close(fd);
 }
 
-static void reset_net_namespace(void)
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
 {
+	struct xt_counters counters[XT_MAX_ENTRIES];
 	struct ipt_get_entries entries;
 	struct ipt_getinfo info;
 	socklen_t optlen;
-	unsigned i;
-	int fd;
+	int fd, i;
 
-	memset(&info, 0, sizeof(info));
-	memset(&entries, 0, sizeof(entries));
-	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
 	if (fd == -1)
-		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
-	for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
-		struct ipt_table_desc* table = &ipv4_tables[i];
+		fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+	for (i = 0; i < num_tables; i++) {
+		struct ipt_table_desc* table = &tables[i];
 		if (table->info.valid_hooks == 0)
 			continue;
+		memset(&info, 0, sizeof(info));
 		strcpy(info.name, table->name);
 		optlen = sizeof(info);
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen))
+		if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
 			fail("getsockopt(IPT_SO_GET_INFO)");
 		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+			memset(&entries, 0, sizeof(entries));
 			strcpy(entries.name, table->name);
 			entries.size = table->info.size;
 			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
-			if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &entries, &optlen))
+			if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
 				fail("getsockopt(IPT_SO_GET_ENTRIES)");
-			if (memcmp(&table->entries, &entries, optlen) == 0)
+			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
 				continue;
 		}
 		debug("resetting iptable %s\n", table->name);
 		table->replace.num_counters = info.num_entries;
+		table->replace.counters = counters;
 		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
-		if (setsockopt(fd, SOL_IP, IPT_SO_SET_REPLACE, &table->replace, optlen))
+		if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
 			fail("setsockopt(IPT_SO_SET_REPLACE)");
 	}
 	close(fd);
 }
+
+static void checkpoint_arptables(void)
+{
+	struct arpt_get_entries entries;
+	socklen_t optlen;
+	unsigned i;
+	int fd;
+
+	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (fd == -1)
+		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+	for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+		struct arpt_table_desc* table = &arpt_tables[i];
+		strcpy(table->info.name, table->name);
+		strcpy(table->replace.name, table->name);
+		optlen = sizeof(table->info);
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+			switch (errno) {
+			case EPERM:
+			case ENOENT:
+			case ENOPROTOOPT:
+				continue;
+			}
+			fail("getsockopt(ARPT_SO_GET_INFO)");
+		}
+		debug("checkpoint arptable %s: entries=%d hooks=%x size=%d\n",
+		      table->name, table->info.num_entries, table->info.valid_hooks, table->info.size);
+		if (table->info.size > sizeof(table->replace.entrytable))
+			fail("table size is too large: %u", table->info.size);
+		if (table->info.num_entries > XT_MAX_ENTRIES)
+			fail("too many counters: %u", table->info.num_entries);
+		memset(&entries, 0, sizeof(entries));
+		strcpy(entries.name, table->name);
+		entries.size = table->info.size;
+		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+			fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+		table->replace.valid_hooks = table->info.valid_hooks;
+		table->replace.num_entries = table->info.num_entries;
+		table->replace.size = table->info.size;
+		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
+		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
+		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+	}
+	close(fd);
+}
+
+static void reset_arptables()
+{
+	struct xt_counters counters[XT_MAX_ENTRIES];
+	struct arpt_get_entries entries;
+	struct arpt_getinfo info;
+	socklen_t optlen;
+	unsigned i;
+	int fd;
+
+	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (fd == -1)
+		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+	for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+		struct arpt_table_desc* table = &arpt_tables[i];
+		if (table->info.valid_hooks == 0)
+			continue;
+		memset(&info, 0, sizeof(info));
+		strcpy(info.name, table->name);
+		optlen = sizeof(info);
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+			fail("getsockopt(ARPT_SO_GET_INFO)");
+		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+			memset(&entries, 0, sizeof(entries));
+			strcpy(entries.name, table->name);
+			entries.size = table->info.size;
+			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+			if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+				fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
+				continue;
+		}
+		debug("resetting arptable %s\n", table->name);
+		table->replace.num_counters = info.num_entries;
+		table->replace.counters = counters;
+		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
+		if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+			fail("setsockopt(ARPT_SO_SET_REPLACE)");
+	}
+	close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+	checkpoint_arptables();
+	checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
+	checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+	reset_arptables();
+	reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
+	reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
+}
 #endif
 
 #if defined(SYZ_EXECUTOR) || (defined(SYZ_REPEAT) && defined(SYZ_WAIT_REPEAT) && defined(SYZ_USE_TMP_DIR))

executor/syscalls_linux.h

@@ -2,8 +2,8 @@
 
 #if defined(__i386__) || 0
 #define GOARCH "386"
-#define SYZ_REVISION "47ec3cf48f6c1c8a279acf0ac6752173b5a2d6c1"
-unsigned syscall_count = 1581;
+#define SYZ_REVISION "67eb9eadac89980dc20b01fc8861359a1bb38c63"
+unsigned syscall_count = 1582;
 call_t syscalls[] = {
     {"accept4", 364},
     {"accept4$alg", 364},
@@ -1199,6 +1199,7 @@ call_t syscalls[] = {
     {"setsockopt", 366},
     {"setsockopt$ALG_SET_AEAD_AUTHSIZE", 366},
     {"setsockopt$ALG_SET_KEY", 366},
+    {"setsockopt$ARPT_SO_SET_REPLACE", 366},
     {"setsockopt$IP6T_SO_SET_REPLACE", 366},
     {"setsockopt$IPT_SO_SET_REPLACE", 366},
     {"setsockopt$RDS_CANCEL_SENT_TO", 366},
@@ -1592,8 +1593,8 @@ call_t syscalls[] = {
 
 #if defined(__x86_64__) || 0
 #define GOARCH "amd64"
-#define SYZ_REVISION "cbf77bff7fbf168a36293cc240e1fd599718aae4"
-unsigned syscall_count = 1634;
+#define SYZ_REVISION "a71eb1f658a04d8e2dec810cc23df01f68770093"
+unsigned syscall_count = 1635;
 call_t syscalls[] = {
     {"accept", 43},
     {"accept$alg", 43},
@@ -2830,6 +2831,7 @@ call_t syscalls[] = {
     {"setsockopt", 54},
     {"setsockopt$ALG_SET_AEAD_AUTHSIZE", 54},
     {"setsockopt$ALG_SET_KEY", 54},
+    {"setsockopt$ARPT_SO_SET_REPLACE", 54},
     {"setsockopt$IP6T_SO_SET_REPLACE", 54},
     {"setsockopt$IPT_SO_SET_REPLACE", 54},
     {"setsockopt$RDS_CANCEL_SENT_TO", 54},
@@ -3235,8 +3237,8 @@ call_t syscalls[] = {
 
 #if defined(__arm__) || 0
 #define GOARCH "arm"
-#define SYZ_REVISION "2bcd2d52a7f0e89565375875e7487c79257c1b8d"
-unsigned syscall_count = 1591;
+#define SYZ_REVISION "d5c13287ed0c6e02f77bfe251b77852a2dba43c0"
+unsigned syscall_count = 1592;
 call_t syscalls[] = {
     {"accept", 285},
     {"accept$alg", 285},
@@ -4433,6 +4435,7 @@ call_t syscalls[] = {
     {"setsockopt", 294},
     {"setsockopt$ALG_SET_AEAD_AUTHSIZE", 294},
     {"setsockopt$ALG_SET_KEY", 294},
+    {"setsockopt$ARPT_SO_SET_REPLACE", 294},
     {"setsockopt$IP6T_SO_SET_REPLACE", 294},
     {"setsockopt$IPT_SO_SET_REPLACE", 294},
     {"setsockopt$RDS_CANCEL_SENT_TO", 294},
@@ -4835,8 +4838,8 @@ call_t syscalls[] = {
 
 #if defined(__aarch64__) || 0
 #define GOARCH "arm64"
-#define SYZ_REVISION "de8c14c28805b67f66696e7afa155ea7e8243cbf"
-unsigned syscall_count = 1563;
+#define SYZ_REVISION "3259e2eab38706f39ed08f998834cded740681ab"
+unsigned syscall_count = 1564;
 call_t syscalls[] = {
     {"accept", 202},
     {"accept$alg", 202},
@@ -6014,6 +6017,7 @@ call_t syscalls[] = {
     {"setsockopt", 208},
     {"setsockopt$ALG_SET_AEAD_AUTHSIZE", 208},
     {"setsockopt$ALG_SET_KEY", 208},
+    {"setsockopt$ARPT_SO_SET_REPLACE", 208},
     {"setsockopt$IP6T_SO_SET_REPLACE", 208},
     {"setsockopt$IPT_SO_SET_REPLACE", 208},
     {"setsockopt$RDS_CANCEL_SENT_TO", 208},
@@ -6407,8 +6411,8 @@ call_t syscalls[] = {
 
 #if defined(__ppc64__) || defined(__PPC64__) || defined(__powerpc64__) || 0
 #define GOARCH "ppc64le"
-#define SYZ_REVISION "22e496aa45301c44268e52fce477f4dc1ee30157"
-unsigned syscall_count = 1550;
+#define SYZ_REVISION "d76549b3801a4d21411b03ca98e3bbd2176ee5dd"
+unsigned syscall_count = 1554;
 call_t syscalls[] = {
     {"accept", 330},
     {"accept$alg", 330},
@@ -7441,6 +7445,9 @@ call_t syscalls[] = {
     {"pipe", 42},
     {"pipe2", 317},
     {"pivot_root", 203},
+    {"pkey_alloc", 384},
+    {"pkey_free", 385},
+    {"pkey_mprotect", 386},
     {"poll", 167},
     {"ppoll", 281},
     {"prctl$getname", 171},
@@ -7574,6 +7581,7 @@ call_t syscalls[] = {
     {"setsockopt", 339},
     {"setsockopt$ALG_SET_AEAD_AUTHSIZE", 339},
     {"setsockopt$ALG_SET_KEY", 339},
+    {"setsockopt$ARPT_SO_SET_REPLACE", 339},
     {"setsockopt$IP6T_SO_SET_REPLACE", 339},
     {"setsockopt$IPT_SO_SET_REPLACE", 339},
     {"setsockopt$RDS_CANCEL_SENT_TO", 339},

pkg/csource/linux_common.go

@@ -1991,6 +1991,13 @@ static int do_sandbox_namespace(int executor_pid, bool enable_tun)
 
 #if defined(SYZ_EXECUTOR) || defined(SYZ_RESET_NET_NAMESPACE)
 
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+	uint64 pcnt, bcnt;
+};
+
 struct ipt_getinfo {
 	char name[32];
 	unsigned int valid_hooks;
@@ -2003,11 +2010,7 @@ struct ipt_getinfo {
 struct ipt_get_entries {
 	char name[32];
 	unsigned int size;
-	void* entrytable[1024 / sizeof(void*)];
-};
-
-struct xt_counters {
-	uint64 pcnt, bcnt;
+	void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
 };
 
 struct ipt_replace {
@@ -2019,15 +2022,13 @@ struct ipt_replace {
 	unsigned int underflow[5];
 	unsigned int num_counters;
 	struct xt_counters* counters;
-	char entrytable[1024];
+	char entrytable[XT_TABLE_SIZE];
 };
 
 struct ipt_table_desc {
 	const char* name;
 	struct ipt_getinfo info;
-	struct ipt_get_entries entries;
 	struct ipt_replace replace;
-	struct xt_counters counters[10];
 };
 
 static struct ipt_table_desc ipv4_tables[] = {
@@ -2038,27 +2039,76 @@ static struct ipt_table_desc ipv4_tables[] = {
     {.name = "security"},
 };
 
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "mangle"},
+    {.name = "raw"},
+    {.name = "security"},
+};
+
 #define IPT_BASE_CTL 64
 #define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
 #define IPT_SO_GET_INFO (IPT_BASE_CTL)
 #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
 
-static void checkpoint_net_namespace(void)
-{
-	socklen_t optlen;
-	unsigned i;
-	int fd;
+struct arpt_getinfo {
+	char name[32];
+	unsigned int valid_hooks;
+	unsigned int hook_entry[3];
+	unsigned int underflow[3];
+	unsigned int num_entries;
+	unsigned int size;
+};
 
-	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+struct arpt_get_entries {
+	char name[32];
+	unsigned int size;
+	void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+	char name[32];
+	unsigned int valid_hooks;
+	unsigned int num_entries;
+	unsigned int size;
+	unsigned int hook_entry[3];
+	unsigned int underflow[3];
+	unsigned int num_counters;
+	struct xt_counters* counters;
+	char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+	const char* name;
+	struct arpt_getinfo info;
+	struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
+{
+	struct ipt_get_entries entries;
+	socklen_t optlen;
+	int fd, i;
+
+	fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
 	if (fd == -1)
-		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
-	for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
-		struct ipt_table_desc* table = &ipv4_tables[i];
+		fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+	for (i = 0; i < num_tables; i++) {
+		struct ipt_table_desc* table = &tables[i];
 		strcpy(table->info.name, table->name);
-		strcpy(table->entries.name, table->name);
 		strcpy(table->replace.name, table->name);
 		optlen = sizeof(table->info);
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &table->info, &optlen)) {
+		if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
 			switch (errno) {
 			case EPERM:
 			case ENOENT:
@@ -2067,63 +2117,169 @@ static void checkpoint_net_namespace(void)
 			}
 			fail("getsockopt(IPT_SO_GET_INFO)");
 		}
-		if (table->info.size > sizeof(table->entries.entrytable))
+		debug("checkpoint iptable %s/%d: entries=%d hooks=%x size=%d\n",
+		      table->name, family, table->info.num_entries, table->info.valid_hooks,
+		      table->info.size);
+		if (table->info.size > sizeof(table->replace.entrytable))
 			fail("table size is too large: %u", table->info.size);
-		if (table->info.num_entries > sizeof(table->counters) / sizeof(table->counters[0]))
+		if (table->info.num_entries > XT_MAX_ENTRIES)
 			fail("too many counters: %u", table->info.num_entries);
-		table->entries.size = table->info.size;
-		optlen = sizeof(table->entries) - sizeof(table->entries.entrytable) + table->info.size;
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &table->entries, &optlen))
+		memset(&entries, 0, sizeof(entries));
+		strcpy(entries.name, table->name);
+		entries.size = table->info.size;
+		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+		if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
 			fail("getsockopt(IPT_SO_GET_ENTRIES)");
 		table->replace.valid_hooks = table->info.valid_hooks;
 		table->replace.num_entries = table->info.num_entries;
-		table->replace.counters = table->counters;
 		table->replace.size = table->info.size;
 		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
 		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
-		memcpy(table->replace.entrytable, table->entries.entrytable, table->info.size);
+		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
 	}
 	close(fd);
 }
 
-static void reset_net_namespace(void)
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
 {
+	struct xt_counters counters[XT_MAX_ENTRIES];
 	struct ipt_get_entries entries;
 	struct ipt_getinfo info;
 	socklen_t optlen;
-	unsigned i;
-	int fd;
+	int fd, i;
 
-	memset(&info, 0, sizeof(info));
-	memset(&entries, 0, sizeof(entries));
-	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
 	if (fd == -1)
-		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
-	for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
-		struct ipt_table_desc* table = &ipv4_tables[i];
+		fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+	for (i = 0; i < num_tables; i++) {
+		struct ipt_table_desc* table = &tables[i];
 		if (table->info.valid_hooks == 0)
 			continue;
+		memset(&info, 0, sizeof(info));
 		strcpy(info.name, table->name);
 		optlen = sizeof(info);
-		if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen))
+		if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
 			fail("getsockopt(IPT_SO_GET_INFO)");
 		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+			memset(&entries, 0, sizeof(entries));
 			strcpy(entries.name, table->name);
 			entries.size = table->info.size;
 			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
-			if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &entries, &optlen))
+			if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
 				fail("getsockopt(IPT_SO_GET_ENTRIES)");
-			if (memcmp(&table->entries, &entries, optlen) == 0)
+			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
 				continue;
 		}
 		debug("resetting iptable %s\n", table->name);
 		table->replace.num_counters = info.num_entries;
+		table->replace.counters = counters;
 		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
-		if (setsockopt(fd, SOL_IP, IPT_SO_SET_REPLACE, &table->replace, optlen))
+		if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
 			fail("setsockopt(IPT_SO_SET_REPLACE)");
 	}
 	close(fd);
 }
+
+static void checkpoint_arptables(void)
+{
+	struct arpt_get_entries entries;
+	socklen_t optlen;
+	unsigned i;
+	int fd;
+
+	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (fd == -1)
+		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+	for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+		struct arpt_table_desc* table = &arpt_tables[i];
+		strcpy(table->info.name, table->name);
+		strcpy(table->replace.name, table->name);
+		optlen = sizeof(table->info);
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+			switch (errno) {
+			case EPERM:
+			case ENOENT:
+			case ENOPROTOOPT:
+				continue;
+			}
+			fail("getsockopt(ARPT_SO_GET_INFO)");
+		}
+		debug("checkpoint arptable %s: entries=%d hooks=%x size=%d\n",
+		      table->name, table->info.num_entries, table->info.valid_hooks, table->info.size);
+		if (table->info.size > sizeof(table->replace.entrytable))
+			fail("table size is too large: %u", table->info.size);
+		if (table->info.num_entries > XT_MAX_ENTRIES)
+			fail("too many counters: %u", table->info.num_entries);
+		memset(&entries, 0, sizeof(entries));
+		strcpy(entries.name, table->name);
+		entries.size = table->info.size;
+		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+			fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+		table->replace.valid_hooks = table->info.valid_hooks;
+		table->replace.num_entries = table->info.num_entries;
+		table->replace.size = table->info.size;
+		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
+		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
+		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+	}
+	close(fd);
+}
+
+static void reset_arptables()
+{
+	struct xt_counters counters[XT_MAX_ENTRIES];
+	struct arpt_get_entries entries;
+	struct arpt_getinfo info;
+	socklen_t optlen;
+	unsigned i;
+	int fd;
+
+	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (fd == -1)
+		fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+	for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+		struct arpt_table_desc* table = &arpt_tables[i];
+		if (table->info.valid_hooks == 0)
+			continue;
+		memset(&info, 0, sizeof(info));
+		strcpy(info.name, table->name);
+		optlen = sizeof(info);
+		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+			fail("getsockopt(ARPT_SO_GET_INFO)");
+		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+			memset(&entries, 0, sizeof(entries));
+			strcpy(entries.name, table->name);
+			entries.size = table->info.size;
+			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+			if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+				fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
+				continue;
+		}
+		debug("resetting arptable %s\n", table->name);
+		table->replace.num_counters = info.num_entries;
+		table->replace.counters = counters;
+		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
+		if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+			fail("setsockopt(ARPT_SO_SET_REPLACE)");
+	}
+	close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+	checkpoint_arptables();
+	checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
+	checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+	reset_arptables();
+	reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
+	reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
+}
 #endif
 
 #if defined(SYZ_EXECUTOR) || (defined(SYZ_REPEAT) && defined(SYZ_WAIT_REPEAT) && defined(SYZ_USE_TMP_DIR))

prog/prog.go

@@ -430,6 +430,16 @@ func replaceArg(arg, arg1 Arg) {
 		*a = *arg1.(*UnionArg)
 	case *DataArg:
 		*a = *arg1.(*DataArg)
+	case *GroupArg:
+		a1 := arg1.(*GroupArg)
+		if len(a.Inner) != len(a1.Inner) {
+			panic(fmt.Sprintf("replaceArg: group fields don't match: %v/%v",
+				len(a.Inner), len(a1.Inner)))
+		}
+		a.ArgCommon = a1.ArgCommon
+		for i := range a.Inner {
+			replaceArg(a.Inner[i], a1.Inner[i])
+		}
 	default:
 		panic(fmt.Sprintf("replaceArg: bad arg kind %#v", arg))
 	}

sys/linux/init.go

@@ -51,6 +51,7 @@ func initTarget(target *prog.Target) {
 		"alg_blkcipher_name": arch.generateAlgBlkcipherhName,
 		"ipt_replace":        arch.generateIptables,
 		"ip6t_replace":       arch.generateIptables,
+		"arpt_replace":       arch.generateArptables,
 	}
 	target.StringDictionary = stringDictionary
 

sys/linux/init_iptables.go

@@ -11,46 +11,79 @@ import (
 
 func (arch *arch) generateIptables(g *prog.Gen, typ prog.Type, old prog.Arg) (
 	arg prog.Arg, calls []*prog.Call) {
+	return arch.generateNetfilterTable(g, typ, old, true, 5)
+}
+
+func (arch *arch) generateArptables(g *prog.Gen, typ prog.Type, old prog.Arg) (
+	arg prog.Arg, calls []*prog.Call) {
+	return arch.generateNetfilterTable(g, typ, old, false, 3)
+}
+
+func (arch *arch) generateNetfilterTable(g *prog.Gen, typ prog.Type, old prog.Arg,
+	hasUnion bool, hookCount int) (arg prog.Arg, calls []*prog.Call) {
+	const (
+		hookStart     = 4
+		nonHookFields = 7
+		unused        = uint64(^uint32(0))
+	)
 	if old == nil {
 		arg = g.GenerateSpecialArg(typ, &calls)
 	} else {
+		// TODO(dvyukov): try to restore original hook order after mutation
+		// instead of assigning brand new offsets.
 		arg = old
 		calls = g.MutateArg(arg)
 	}
-	tableArg := arg.(*prog.UnionArg).Option.(*prog.GroupArg)
-	if len(tableArg.Inner) != 17 {
-		panic("iptable is expected to have 17 fields")
+	var tableArg *prog.GroupArg
+	if hasUnion {
+		tableArg = arg.(*prog.UnionArg).Option.(*prog.GroupArg)
+	} else {
+		tableArg = arg.(*prog.GroupArg)
 	}
-	entriesArg := tableArg.Inner[16].(*prog.GroupArg)
+	numFileds := nonHookFields + 2*hookCount
+	if len(tableArg.Inner) != numFileds {
+		panic("wrong number of fields in netfilter table")
+	}
+	entriesArg := tableArg.Inner[numFileds-1].(*prog.GroupArg)
 	if len(entriesArg.Inner) != 2 {
-		panic("iptable entries is expected to have 2 fields")
+		panic("netfilter entries is expected to have 2 fields")
 	}
-	underflowArg := entriesArg.Inner[0].(*prog.GroupArg)
-	entriesArray := entriesArg.Inner[1].(*prog.GroupArg)
+	entriesArray := entriesArg.Inner[0].(*prog.GroupArg)
 	// Collect offsets of entries.
 	offsets := make([]uint64, len(entriesArray.Inner))
-	pos := underflowArg.Size()
+	var pos uint64
 	for i, entryArg := range entriesArray.Inner {
 		offsets[i] = pos
 		pos += entryArg.Size()
 	}
+	if pos != entriesArray.Size() {
+		panic("netfilter offsets are broken")
+	}
 	genOffset := func() uint64 {
 		if g.Rand().Intn(100) == 0 {
 			// Assign the underflow entry once in a while.
 			// We have it in underflow hooks, so no point in using it frequently.
-			return 0
+			return pos
 		} else {
 			return offsets[g.Rand().Intn(len(offsets))]
 		}
 	}
 	// Assign offsets to used hooks.
-	for hook := 4; hook < 9; hook++ {
+	for hook := hookStart; hook < hookStart+hookCount; hook++ {
 		hookArg := tableArg.Inner[hook].(*prog.ConstArg)
-		if hookArg.Type().(*prog.ConstType).Val == uint64(^uint32(0)) {
+		if hookArg.Type().(*prog.ConstType).Val == unused {
 			continue // unused hook
 		}
 		hookArg.Val = genOffset()
 	}
+	// Assign offsets to used underflow entries.
+	for hook := hookStart + hookCount; hook < hookStart+2*hookCount; hook++ {
+		hookArg := tableArg.Inner[hook].(*prog.ConstArg)
+		if hookArg.Type().(*prog.ConstType).Val == unused {
+			continue // unused hook
+		}
+		hookArg.Val = pos
+	}
 	// Now update standard target jump offsets.
 	prog.ForeachSubarg(arg, func(arg, _ prog.Arg, _ *[]prog.Arg) {
 		if !strings.HasPrefix(arg.Type().Name(), `xt_target_t["", `) {
@@ -58,7 +91,11 @@ func (arch *arch) generateIptables(g *prog.Gen, typ prog.Type, old prog.Arg) (
 		}
 		targetArg := arg.(*prog.GroupArg)
 		valArg := targetArg.Inner[3].(*prog.ConstArg)
-		if flagsType, ok := valArg.Type().(*prog.FlagsType); ok && int64(valArg.Val) < 0 {
+		flagsType, ok := valArg.Type().(*prog.FlagsType)
+		if !ok {
+			return
+		}
+		if int64(valArg.Val) < 0 {
 			for _, val := range flagsType.Vals {
 				if val == valArg.Val {
 					return // verdict

sys/linux/netfilter.txt

@@ -54,6 +54,8 @@ include <uapi/linux/netfilter/xt_state.h>
 
 # Netfilter matches shared between ipv6/ipv6.
 
+# TODO: add CONFIG_NF_FLOW_TABLE* support.
+
 define IPT_FILTER_VALID_HOOKS	NF_INET_LOCAL_IN_BIT | NF_INET_FORWARD_BIT | NF_INET_LOCAL_OUT_BIT
 define IPT_NAT_VALID_HOOKS	NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
 define IPT_MANGLE_VALID_HOOKS	NF_INET_PRE_ROUTING_BIT | NF_INET_POST_ROUTING_BIT | NF_INET_FORWARD_BIT |NF_INET_LOCAL_OUT_BIT | NF_INET_LOCAL_IN_BIT
@@ -65,7 +67,6 @@ define NF_INET_LOCAL_IN_BIT	1 << NF_INET_LOCAL_IN
 define NF_INET_FORWARD_BIT	1 << NF_INET_FORWARD
 define NF_INET_LOCAL_OUT_BIT	1 << NF_INET_LOCAL_OUT
 define NF_INET_POST_ROUTING_BIT	1 << NF_INET_POST_ROUTING
-define NF_INET_NUMHOOKS_BIT	1 << NF_INET_NUMHOOKS
 
 xt_counters {
 	pcnt	const[0, int64]
@@ -96,17 +97,42 @@ xt_unspec_matches [
 	cgroup1		xt_entry_match["cgroup", xt_cgroup_info_v1, 1]
 	helper		xt_entry_match["helper", xt_helper_info, 0]
 	rateest		xt_entry_match["rateest", xt_rateest_match_info, 0]
-	l2tp		xt_entry_match["l2tp", xt_l2tp_info, 0]
 	time		xt_entry_match["time", xt_time_info, 0]
 	bpf0		xt_entry_match["bpf", xt_bpf_info, 0]
 	bpf1		xt_entry_match["bpf", xt_bpf_info_v1, 1]
-	socket1		xt_entry_match["socket", flags[xt_socket_flags_v1, int8], 1]
-	socket2		xt_entry_match["socket", flags[xt_socket_flags_v2, int8], 2]
-	socket3		xt_entry_match["socket", flags[xt_socket_flags_v3, int8], 3]
 	connlimit	xt_entry_match["connlimit", xt_connlimit_info, 0]
 	conntrack1	xt_entry_match["conntrack", xt_conntrack_mtinfo1, 1]
 	conntrack2	xt_entry_match["conntrack", xt_conntrack_mtinfo2, 2]
 	conntrack3	xt_entry_match["conntrack", xt_conntrack_mtinfo3, 3]
+	mark		xt_entry_match["mark", xt_mark_mtinfo1, 1]
+	connmark	xt_entry_match["connmark", xt_connmark_mtinfo1, 1]
+	realm		xt_entry_match["realm", xt_realm_info, 0]
+	connbytes	xt_entry_match["connbytes", xt_connbytes_info, 0]
+	quota		xt_entry_match["quota", xt_quota_info, 0]
+	limit		xt_entry_match["limit", xt_rateinfo, 0]
+	addrtype1	xt_entry_match["addrtype", xt_addrtype_info_v1, 1]
+	ipvs		xt_entry_match["ipvs", xt_ipvs_mtinfo, 0]
+	nfacct		xt_entry_match["nfacct", xt_nfacct_match_info, 0]
+	mac		xt_entry_match["mac", xt_mac_info, 0]
+	comment		xt_entry_match["comment", xt_comment_info, 0]
+	statistic	xt_entry_match["statistic", xt_statistic_info, 0]
+	string		xt_entry_match["string", xt_string_info, 1]
+	physdev		xt_entry_match["physdev", xt_physdev_info, 0]
+	connlabel	xt_entry_match["connlabel", xt_connlabel_mtinfo, 0]
+	devgroup	xt_entry_match["devgroup", xt_devgroup_info, 0]
+	cluster		xt_entry_match["cluster", xt_cluster_match_info, 0]
+	owner		xt_entry_match["owner", xt_owner_match_info, 0]
+	pkttype		xt_entry_match["pkttype", xt_pkttype_info, 0]
+	u32		xt_entry_match["u32", xt_u32, 0]
+	cpu		xt_entry_match["cpu", xt_cpu_info, 0]
+	state		xt_entry_match["state", xt_state_info, 0]
+] [varlen]
+
+xt_inet_matches [
+	l2tp		xt_entry_match["l2tp", xt_l2tp_info, 0]
+	socket1		xt_entry_match["socket", flags[xt_socket_flags_v1, int8], 1]
+	socket2		xt_entry_match["socket", flags[xt_socket_flags_v2, int8], 2]
+	socket3		xt_entry_match["socket", flags[xt_socket_flags_v3, int8], 3]
 	tcp		xt_entry_match["tcp", xt_tcp, 0]
 	udp		xt_entry_match["udp", xt_udp, 0]
 	udplite		xt_entry_match["udplite", xt_udp, 0]
@@ -114,57 +140,31 @@ xt_unspec_matches [
 	set2		xt_entry_match["set", xt_set_info_match_v1, 2]
 	set3		xt_entry_match["set", xt_set_info_match_v3, 3]
 	set4		xt_entry_match["set", xt_set_info_match_v4, 4]
-	mark		xt_entry_match["mark", xt_mark_mtinfo1, 1]
-	connmark	xt_entry_match["connmark", xt_connmark_mtinfo1, 1]
-	realm		xt_entry_match["realm", xt_realm_info, 0]
-	connbytes	xt_entry_match["connbytes", xt_connbytes_info, 0]
-	quota		xt_entry_match["quota", xt_quota_info, 0]
 	sctp		xt_entry_match["sctp", xt_sctp_info, 0]
-	limit		xt_entry_match["limit", xt_rateinfo, 0]
-	addrtype1	xt_entry_match["addrtype", xt_addrtype_info_v1, 1]
-	ipvs		xt_entry_match["ipvs", xt_ipvs_mtinfo, 0]
 	dccp		xt_entry_match["dccp", xt_dccp_info, 0]
 	hashlimit1	xt_entry_match["hashlimit", xt_hashlimit_mtinfo1, 1]
 	hashlimit2	xt_entry_match["hashlimit", xt_hashlimit_mtinfo2, 2]
 	hashlimit3	xt_entry_match["hashlimit", xt_hashlimit_mtinfo3, 3]
-	nfacct		xt_entry_match["nfacct", xt_nfacct_match_info, 0]
 	length		xt_entry_match["length", xt_length_info, 0]
-	mac		xt_entry_match["mac", xt_mac_info, 0]
-	comment		xt_entry_match["comment", xt_comment_info, 0]
 	ipcomp		xt_entry_match["ipcomp", xt_ipcomp, 0]
-	statistic	xt_entry_match["statistic", xt_statistic_info, 0]
 	recent0		xt_entry_match["recent", xt_recent_mtinfo, 0]
 	recent1		xt_entry_match["recent", xt_recent_mtinfo_v1, 0]
 	dscp		xt_entry_match["dscp", xt_dscp_info, 0]
 	tos		xt_entry_match["tos", xt_tos_match_info, 0]
 	policy		xt_entry_match["policy", xt_policy_info, 0]
 	tcpmss		xt_entry_match["tcpmss", xt_tcpmss_match_info, 0]
-	string		xt_entry_match["string", xt_string_info, 1]
-	physdev		xt_entry_match["physdev", xt_physdev_info, 0]
-	connlabel	xt_entry_match["connlabel", xt_connlabel_mtinfo, 0]
-	devgroup	xt_entry_match["devgroup", xt_devgroup_info, 0]
 	multiport	xt_entry_match["multiport", xt_multiport_v1, 1]
-	cluster		xt_entry_match["cluster", xt_cluster_match_info, 0]
 	ecn		xt_entry_match["ecn", xt_ecn_info, 0]
-	owner		xt_entry_match["owner", xt_owner_match_info, 0]
-	pkttype		xt_entry_match["pkttype", xt_pkttype_info, 0]
-	u32		xt_entry_match["u32", xt_u32, 0]
 	iprange		xt_entry_match["iprange", xt_iprange_mtinfo, 1]
 	esp		xt_entry_match["esp", xt_esp, 0]
-	cpu		xt_entry_match["cpu", xt_cpu_info, 0]
-	state		xt_entry_match["state", xt_state_info, 0]
 ] [varlen]
 
-xt_unspec_mangle_matches [
+xt_inet_mangle_matches [
 	rpfilter	xt_entry_match["rpfilter", xt_rpfilter_info, 0]
-# TODO: just so that we have second union option.
-	void		void
 ] [varlen]
 
-xt_unspec_raw_matches [
+xt_inet_raw_matches [
 	rpfilter	xt_entry_match["rpfilter", xt_rpfilter_info, 0]
-# TODO: just so that we have second union option.
-	void		void
 ] [varlen]
 
 xt_socket_flags_v1 = XT_SOCKET_TRANSPARENT
@@ -242,7 +242,7 @@ xt_time_flags = XT_TIME_LOCAL_TZ, XT_TIME_CONTIGUOUS
 xt_bpf_info {
 	bpf_program_num_elem	int16[0:XT_BPF_MAX_NUM_INSTR]
 	bpf_program		array[sock_filter, XT_BPF_MAX_NUM_INSTR]
-	filter			ptr64[in, array[int8]]
+	filter			intptr
 }
 
 xt_bpf_info_v1 [
@@ -256,7 +256,7 @@ xt_bpf_info_bytecode {
 	bpf_program_num_elem	int16[0:XT_BPF_MAX_NUM_INSTR]
 	fd			const[0, int32]
 	bpf_program		array[sock_filter, XT_BPF_MAX_NUM_INSTR]
-	filter			ptr64[in, array[int8]]
+	filter			intptr
 }
 
 xt_bpf_info_pinned {
@@ -265,7 +265,7 @@ xt_bpf_info_pinned {
 	fd			const[0, int32]
 # TODO: we need fixed-size filename here.
 	path			array[int8, XT_BPF_PATH_MAX]
-	filter			ptr64[in, array[int8]]
+	filter			intptr
 }
 
 xt_bpf_info_fd {
@@ -543,7 +543,6 @@ xt_hashlimit_mask = 0, 8, 24, 32, 64, 120, 128
 
 xt_nfacct_match_info {
 	name	string[xt_nfacct_match_names, NFACCT_NAME_MAX]
-# TODO: this seems to leak from kernel (there were another similar place, but can't find it now):
 	nfacct	intptr
 }
 
@@ -579,7 +578,6 @@ xt_statistic_info {
 	every	int32
 	packet	int32
 	count	int32
-# TODO: this seem to leak to userspace:
 	master	intptr
 }
 

sys/linux/netfilter_arp.txt

@@ -0,0 +1,120 @@
+# Copyright 2018 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <linux/socket.h>
+include <uapi/linux/netfilter_arp/arp_tables.h>
+include <uapi/linux/netfilter_arp/arpt_mangle.h>
+
+setsockopt$ARPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[ARPT_SO_SET_REPLACE], val ptr[in, arpt_replace], len len[val])
+
+arpt_replace {
+	name			string["filter", XT_TABLE_MAXNAMELEN]
+	valid_hooks		const[ARPT_FILTER_VALID_HOOKS, int32]
+	num_entries		const[4, int32]
+	size			bytesize[entries, int32]
+	hook_in			ipt_hook
+	hook_out		ipt_hook
+	hook_forward		ipt_hook
+	underflow_in		ipt_hook
+	underflow_out		ipt_hook
+	underflow_forward	ipt_hook
+	num_counters		const[4, int32]
+	counters		ptr[out, array[xt_counters, 4]]
+	entries			arpt_replace_entries
+}
+
+define ARPT_FILTER_VALID_HOOKS	(1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD)
+
+arpt_replace_entries {
+	entries		array[arpt_entry, 3]
+	underflow	arpt_entry_underflow
+} [packed, align_ptr]
+
+arpt_entry {
+	matches	arpt_entry_matches
+	target	arpt_targets
+} [packed, align_ptr]
+
+arpt_entry_matches {
+	arp		arpt_arp_or_uncond
+	target_offset	len[parent, int16]
+	next_offset	len[arpt_entry, int16]
+	comefrom	const[0, int32]
+	counters	xt_counters
+# Note: matches should go here, but they seem to be unused in arp tables.
+} [align_ptr]
+
+arpt_entry_underflow {
+	matches	arpt_entry_underflow_matches
+	target	xt_target_t["", const[NF_ACCEPT_VERDICT, int32], 0]
+} [align_ptr]
+
+arpt_entry_underflow_matches {
+	arp		arpt_arp_uncond
+	target_offset	len[parent, int16]
+	next_offset	len[arpt_entry_underflow, int16]
+	comefrom	const[0, int32]
+	counters	xt_counters
+}
+
+arpt_arp_or_uncond [
+	arp	arpt_arp
+	uncond	arpt_arp_uncond
+]
+
+type arpt_arp_uncond array[const[0, int8], ARPT_ARP_SIZE]
+define ARPT_ARP_SIZE	sizeof(struct arpt_arp)
+
+arpt_arp {
+	src		ipv4_addr
+	dst		ipv4_addr
+	smsk		ipv4_addr_mask
+	dmsk		ipv4_addr_mask
+	src_devaddr	arpt_devaddr
+	src_devmask	arpt_devmask
+	tgt_devaddr	arpt_devaddr
+	tgt_devmask	arpt_devmask
+	arpop		int16be
+	arpop_mask	int16be
+	arhrd		int16be
+	arhrd_mask	int16be
+	arpro		int16be
+	arpro_mask	int16be
+	iniface		devname
+	outiface	devname
+	iniface_mask	devname_mask
+	outiface_mask	devname_mask
+	flags		const[0, int8]
+	invflags	flags[arpt_arp_invflags, int16]
+}
+
+arpt_devaddr [
+	empty	array[const[0, int8], ARPT_DEV_ADDR_LEN_MAX]
+	mac	mac_addr
+]
+
+arpt_devmask {
+	mac	array[flags[arpt_devmask_vals, int8], 6]
+	pad	array[const[0, int8], 10]
+}
+
+arpt_devmask_vals = 0, 0xff
+
+arpt_arp_invflags = ARPT_INV_VIA_IN, ARPT_INV_VIA_OUT, ARPT_INV_SRCIP, ARPT_INV_TGTIP, ARPT_INV_SRCDEVADDR, ARPT_INV_TGTDEVADDR, ARPT_INV_ARPOP, ARPT_INV_ARPHRD, ARPT_INV_ARPPRO, ARPT_INV_ARPHLN
+
+arpt_targets [
+	unspec	xt_unspec_targets
+	mangle	xt_target_t["mangle", arpt_mangle, 0]
+] [varlen]
+
+arpt_mangle {
+	src_devaddr	arpt_devaddr
+	tgt_devaddr	arpt_devaddr
+	src_ip		ipv4_addr
+	tgt_ip		ipv4_addr
+	flags		flags[arpt_mangle_flags, int8]
+	target		flags[arpt_mangle_targets, int32]
+}
+
+arpt_mangle_flags = ARPT_MANGLE_SDEV, ARPT_MANGLE_TDEV, ARPT_MANGLE_SIP, ARPT_MANGLE_TIP, ARPT_MANGLE_MASK
+arpt_mangle_targets = NF_DROP, NF_ACCEPT, XT_CONTINUE

sys/linux/netfilter_arp_386.const

@@ -0,0 +1,27 @@
+# AUTOGENERATED FILE
+ARPT_ARP_SIZE = 164
+ARPT_DEV_ADDR_LEN_MAX = 16
+ARPT_FILTER_VALID_HOOKS = 7
+ARPT_INV_ARPHLN = 512
+ARPT_INV_ARPHRD = 128
+ARPT_INV_ARPOP = 64
+ARPT_INV_ARPPRO = 256
+ARPT_INV_SRCDEVADDR = 16
+ARPT_INV_SRCIP = 4
+ARPT_INV_TGTDEVADDR = 32
+ARPT_INV_TGTIP = 8
+ARPT_INV_VIA_IN = 1
+ARPT_INV_VIA_OUT = 2
+ARPT_MANGLE_MASK = 15
+ARPT_MANGLE_SDEV = 1
+ARPT_MANGLE_SIP = 4
+ARPT_MANGLE_TDEV = 2
+ARPT_MANGLE_TIP = 8
+ARPT_SO_SET_REPLACE = 96
+NF_ACCEPT = 1
+# NF_ACCEPT_VERDICT is not set
+NF_DROP = 0
+SOL_IP = 0
+XT_CONTINUE = 4294967295
+XT_TABLE_MAXNAMELEN = 32
+__NR_setsockopt = 366

sys/linux/netfilter_arp_amd64.const

@@ -0,0 +1,27 @@
+# AUTOGENERATED FILE
+ARPT_ARP_SIZE = 164
+ARPT_DEV_ADDR_LEN_MAX = 16
+ARPT_FILTER_VALID_HOOKS = 7
+ARPT_INV_ARPHLN = 512
+ARPT_INV_ARPHRD = 128
+ARPT_INV_ARPOP = 64
+ARPT_INV_ARPPRO = 256
+ARPT_INV_SRCDEVADDR = 16
+ARPT_INV_SRCIP = 4
+ARPT_INV_TGTDEVADDR = 32
+ARPT_INV_TGTIP = 8
+ARPT_INV_VIA_IN = 1
+ARPT_INV_VIA_OUT = 2
+ARPT_MANGLE_MASK = 15
+ARPT_MANGLE_SDEV = 1
+ARPT_MANGLE_SIP = 4
+ARPT_MANGLE_TDEV = 2
+ARPT_MANGLE_TIP = 8
+ARPT_SO_SET_REPLACE = 96
+NF_ACCEPT = 1
+# NF_ACCEPT_VERDICT is not set
+NF_DROP = 0
+SOL_IP = 0
+XT_CONTINUE = 4294967295
+XT_TABLE_MAXNAMELEN = 32
+__NR_setsockopt = 54

sys/linux/netfilter_arp_arm.const

@@ -0,0 +1,27 @@
+# AUTOGENERATED FILE
+ARPT_ARP_SIZE = 164
+ARPT_DEV_ADDR_LEN_MAX = 16
+ARPT_FILTER_VALID_HOOKS = 7
+ARPT_INV_ARPHLN = 512
+ARPT_INV_ARPHRD = 128
+ARPT_INV_ARPOP = 64
+ARPT_INV_ARPPRO = 256
+ARPT_INV_SRCDEVADDR = 16
+ARPT_INV_SRCIP = 4
+ARPT_INV_TGTDEVADDR = 32
+ARPT_INV_TGTIP = 8
+ARPT_INV_VIA_IN = 1
+ARPT_INV_VIA_OUT = 2
+ARPT_MANGLE_MASK = 15
+ARPT_MANGLE_SDEV = 1
+ARPT_MANGLE_SIP = 4
+ARPT_MANGLE_TDEV = 2
+ARPT_MANGLE_TIP = 8
+ARPT_SO_SET_REPLACE = 96
+NF_ACCEPT = 1
+# NF_ACCEPT_VERDICT is not set
+NF_DROP = 0
+SOL_IP = 0
+XT_CONTINUE = 4294967295
+XT_TABLE_MAXNAMELEN = 32
+__NR_setsockopt = 294

sys/linux/netfilter_arp_arm64.const

@@ -0,0 +1,27 @@
+# AUTOGENERATED FILE
+ARPT_ARP_SIZE = 164
+ARPT_DEV_ADDR_LEN_MAX = 16
+ARPT_FILTER_VALID_HOOKS = 7
+ARPT_INV_ARPHLN = 512
+ARPT_INV_ARPHRD = 128
+ARPT_INV_ARPOP = 64
+ARPT_INV_ARPPRO = 256
+ARPT_INV_SRCDEVADDR = 16
+ARPT_INV_SRCIP = 4
+ARPT_INV_TGTDEVADDR = 32
+ARPT_INV_TGTIP = 8
+ARPT_INV_VIA_IN = 1
+ARPT_INV_VIA_OUT = 2
+ARPT_MANGLE_MASK = 15
+ARPT_MANGLE_SDEV = 1
+ARPT_MANGLE_SIP = 4
+ARPT_MANGLE_TDEV = 2
+ARPT_MANGLE_TIP = 8
+ARPT_SO_SET_REPLACE = 96
+NF_ACCEPT = 1
+# NF_ACCEPT_VERDICT is not set
+NF_DROP = 0
+SOL_IP = 0
+XT_CONTINUE = 4294967295
+XT_TABLE_MAXNAMELEN = 32
+__NR_setsockopt = 208

sys/linux/netfilter_arp_ppc64le.const

@@ -0,0 +1,27 @@
+# AUTOGENERATED FILE
+ARPT_ARP_SIZE = 164
+ARPT_DEV_ADDR_LEN_MAX = 16
+ARPT_FILTER_VALID_HOOKS = 7
+ARPT_INV_ARPHLN = 512
+ARPT_INV_ARPHRD = 128
+ARPT_INV_ARPOP = 64
+ARPT_INV_ARPPRO = 256
+ARPT_INV_SRCDEVADDR = 16
+ARPT_INV_SRCIP = 4
+ARPT_INV_TGTDEVADDR = 32
+ARPT_INV_TGTIP = 8
+ARPT_INV_VIA_IN = 1
+ARPT_INV_VIA_OUT = 2
+ARPT_MANGLE_MASK = 15
+ARPT_MANGLE_SDEV = 1
+ARPT_MANGLE_SIP = 4
+ARPT_MANGLE_TDEV = 2
+ARPT_MANGLE_TIP = 8
+ARPT_SO_SET_REPLACE = 96
+NF_ACCEPT = 1
+# NF_ACCEPT_VERDICT is not set
+NF_DROP = 0
+SOL_IP = 0
+XT_CONTINUE = 4294967295
+XT_TABLE_MAXNAMELEN = 32
+__NR_setsockopt = 339

sys/linux/netfilter_ipv4.txt

@@ -14,17 +14,17 @@ include <uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 setsockopt$IPT_SO_SET_REPLACE(fd sock_in, level const[SOL_IP], opt const[IPT_SO_SET_REPLACE], val ptr[in, ipt_replace], len len[val])
 
 ipt_replace [
-	filter		ipt_replace_t["filter", IPT_FILTER_VALID_HOOKS, ipt_filter_matches, ipt_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
-	nat		ipt_replace_t["nat", IPT_NAT_VALID_HOOKS, ipt_nat_matches, ipt_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
-	mangle		ipt_replace_t["mangle", IPT_MANGLE_VALID_HOOKS, ipt_mangle_matches, ipt_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
-	raw		ipt_replace_t["raw", IPT_RAW_VALID_HOOKS, ipt_raw_matches, ipt_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
-	security	ipt_replace_t["security", IPT_SECURITY_VALID_HOOKS, ipt_security_matches, ipt_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
+	filter		ipt_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ipt_filter_matches, ipt_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
+	nat		ipt_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ipt_nat_matches, ipt_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
+	mangle		ipt_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ipt_mangle_matches, ipt_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
+	raw		ipt_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ipt_raw_matches, ipt_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
+	security	ipt_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ipt_security_matches, ipt_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
 ] [varlen]
 
-type ipt_replace_t[NAME, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
+type ipt_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
 	name				string[NAME, XT_TABLE_MAXNAMELEN]
 	valid_hooks			const[HOOKS, int32]
-	num_entries			const[4, int32]
+	num_entries			const[NHOOKS, int32]
 	size				bytesize[entries, int32]
 	hook_pre_routing		H0
 	hook_pre_local_in		H1
@@ -36,14 +36,14 @@ type ipt_replace_t[NAME, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2
 	underflow_pre_forward		U2
 	underflow_pre_local_out		U3
 	underflow_pre_post_routing	U4
-	num_counters			const[4, int32]
-	counters			ptr[in, array[xt_counters, 4]]
-	entries				ipt_replace_entries[MATCHES, TARGETS]
+	num_counters			const[NHOOKS, int32]
+	counters			ptr[out, array[xt_counters, NHOOKS]]
+	entries				ipt_replace_entries[NENTRIES, MATCHES, TARGETS]
 }
 
-type ipt_replace_entries[MATCHES, TARGETS] {
+type ipt_replace_entries[NENTRIES, MATCHES, TARGETS] {
+	entries		array[ipt_entry[MATCHES, TARGETS], NENTRIES]
 	underflow	ipt_entry_underflow
-	entries		array[ipt_entry[MATCHES, TARGETS], 3]
 } [packed, align_ptr]
 
 type ipt_hook const[0, int32]
@@ -52,7 +52,7 @@ type ipt_unused const[0xffffffff, int32]
 type ipt_entry[MATCHES, TARGETS] {
 	matches	ipt_entry_matches[MATCHES]
 	target	TARGETS
-} [packed, align_8]
+} [packed, align_ptr]
 
 type ipt_entry_matches[MATCHES] {
 	ip		ipt_ip_or_uncond
@@ -62,7 +62,7 @@ type ipt_entry_matches[MATCHES] {
 	comefrom	const[0, int32]
 	counters	xt_counters
 	matches		array[MATCHES, 0:2]
-} [packed, align_ptr]
+} [align_ptr]
 
 ipt_entry_underflow {
 	matches	ipt_entry_underflow_matches
@@ -107,6 +107,7 @@ ipt_ip_invflags = IPT_INV_VIA_IN, IPT_INV_VIA_OUT, IPT_INV_TOS, IPT_INV_SRCIP, I
 
 ipt_matches [
 	unspec		xt_unspec_matches
+	inet		xt_inet_matches
 	icmp		xt_entry_match["icmp", ipt_icmp, 0]
 	ah		xt_entry_match["ah", ipt_ah, 0]
 	socket0		xt_entry_match["socket", void, 0]
@@ -126,12 +127,12 @@ ipt_nat_matches [
 
 ipt_mangle_matches [
 	common	ipt_matches
-	unspec	xt_unspec_mangle_matches
+	inet	xt_inet_mangle_matches
 ] [varlen]
 
 ipt_raw_matches [
 	common	ipt_matches
-	unspec	xt_unspec_raw_matches
+	inet	xt_inet_raw_matches
 ] [varlen]
 
 ipt_security_matches [
@@ -146,8 +147,8 @@ ipt_icmp {
 }
 
 ipt_ah {
-	spi_min		int8
-	spi_max		int8
+	spi_min		int32
+	spi_max		int32
 	invflags	bool8
 }
 
@@ -174,6 +175,7 @@ ipt_ttl_mode = IPT_TTL_EQ, IPT_TTL_NE, IPT_TTL_LT, IPT_TTL_GT
 
 ipt_targets [
 	unspec		xt_unspec_targets
+	inet		xt_inet_targets
 	SET		xt_target_t["SET", xt_set_info_target_v0, 0]
 	CLUSTERIP	xt_target_t["CLUSTERIP", ipt_clusterip_tgt_info, 0]
 ] [varlen]
@@ -185,11 +187,10 @@ ipt_filter_targets [
 
 ipt_nat_targets [
 	common		ipt_targets
+	unspec		xt_unspec_nat_targets
 	NETMAP		xt_target_t["NETMAP", nf_nat_ipv4_multi_range_compat, 0]
 	SNAT0		xt_target_t["SNAT", nf_nat_ipv4_multi_range_compat, 0]
 	DNAT0		xt_target_t["DNAT", nf_nat_ipv4_multi_range_compat, 0]
-	SNAT1		xt_target_t["SNAT", nf_nat_range, 1]
-	DNAT1		xt_target_t["DNAT", nf_nat_range, 1]
 	REDIRECT	xt_target_t["REDIRECT", nf_nat_ipv4_multi_range_compat, 0]
 	MASQUERADE	xt_target_t["MASQUERADE", nf_nat_ipv4_multi_range_compat, 0]
 ] [varlen]
@@ -197,6 +198,7 @@ ipt_nat_targets [
 ipt_mangle_targets [
 	common	ipt_targets
 	unspec	xt_unspec_mangle_targets
+	inet	xt_inet_mangle_targets
 	ECN	xt_target_t["ECN", ipt_ECN_info, 0]
 	TPROXY	xt_target_t["TPROXY", xt_tproxy_target_info, 0]
 	TTL	xt_target_t["TTL", ipt_TTL_info, 0]
@@ -234,8 +236,8 @@ ipt_clusterip_tgt_info {
 	flags		bool32
 	clustermac	mac_addr
 	num_total_nodes	int16
-	num_local_nodes	int16
-	local_nodes	array[int16, CLUSTERIP_MAX_NODES]
+	num_local_nodes	int16[0:CLUSTERIP_MAX_NODES]
+	local_nodes	array[int16[0:64], CLUSTERIP_MAX_NODES]
 	hash_mode	flags[ipt_clusterip_hash_mode, int32]
 	hash_initval	int32
 	config		intptr

sys/linux/netfilter_ipv4_386.const

@@ -35,7 +35,6 @@ IPT_TTL_GT = 3
 IPT_TTL_LT = 2
 IPT_TTL_NE = 1
 MAXGENRELEN = 32
-# NF_ACCEPT_VERDICT is not set
 SOL_IP = 0
 XT_OSF_GENRE = 1
 XT_OSF_INVERT = 8

sys/linux/netfilter_ipv4_amd64.const

@@ -35,7 +35,6 @@ IPT_TTL_GT = 3
 IPT_TTL_LT = 2
 IPT_TTL_NE = 1
 MAXGENRELEN = 32
-# NF_ACCEPT_VERDICT is not set
 SOL_IP = 0
 XT_OSF_GENRE = 1
 XT_OSF_INVERT = 8

sys/linux/netfilter_ipv4_arm64.const

@@ -35,7 +35,6 @@ IPT_TTL_GT = 3
 IPT_TTL_LT = 2
 IPT_TTL_NE = 1
 MAXGENRELEN = 32
-# NF_ACCEPT_VERDICT is not set
 SOL_IP = 0
 XT_OSF_GENRE = 1
 XT_OSF_INVERT = 8

sys/linux/netfilter_ipv4_ppc64le.const

@@ -35,7 +35,6 @@ IPT_TTL_GT = 3
 IPT_TTL_LT = 2
 IPT_TTL_NE = 1
 MAXGENRELEN = 32
-# NF_ACCEPT_VERDICT is not set
 SOL_IP = 0
 XT_OSF_GENRE = 1
 XT_OSF_INVERT = 8

sys/linux/netfilter_ipv6.txt

@@ -9,6 +9,7 @@ include <uapi/linux/netfilter_ipv6/ip6t_opts.h>
 include <uapi/linux/netfilter_ipv6/ip6t_frag.h>
 include <uapi/linux/netfilter_ipv6/ip6t_ipv6header.h>
 include <uapi/linux/netfilter_ipv6/ip6t_ah.h>
+include <uapi/linux/netfilter_ipv6/ip6t_srh.h>
 include <uapi/linux/netfilter_ipv6/ip6t_REJECT.h>
 include <uapi/linux/netfilter_ipv6/ip6t_NPT.h>
 include <uapi/linux/netfilter_ipv6/ip6t_HL.h>
@@ -16,17 +17,17 @@ include <uapi/linux/netfilter_ipv6/ip6t_HL.h>
 setsockopt$IP6T_SO_SET_REPLACE(fd sock_in6, level const[SOL_IPV6], opt const[IP6T_SO_SET_REPLACE], val ptr[in, ip6t_replace], len len[val])
 
 ip6t_replace [
-	filter		ip6t_replace_t["filter", IPT_FILTER_VALID_HOOKS, ip6t_filter_matches, ip6t_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
-	nat		ip6t_replace_t["nat", IPT_NAT_VALID_HOOKS, ip6t_nat_matches, ip6t_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
-	mangle		ip6t_replace_t["mangle", IPT_MANGLE_VALID_HOOKS, ip6t_mangle_matches, ip6t_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
-	raw		ip6t_replace_t["raw", IPT_RAW_VALID_HOOKS, ip6t_raw_matches, ip6t_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
-	security	ip6t_replace_t["security", IPT_SECURITY_VALID_HOOKS, ip6t_security_matches, ip6t_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
+	filter		ip6t_replace_t["filter", 3, 4, IPT_FILTER_VALID_HOOKS, ip6t_filter_matches, ip6t_filter_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
+	nat		ip6t_replace_t["nat", 4, 5, IPT_NAT_VALID_HOOKS, ip6t_nat_matches, ip6t_nat_targets, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_hook, ipt_hook]
+	mangle		ip6t_replace_t["mangle", 5, 6, IPT_MANGLE_VALID_HOOKS, ip6t_mangle_matches, ip6t_mangle_targets, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook, ipt_hook]
+	raw		ip6t_replace_t["raw", 2, 3, IPT_RAW_VALID_HOOKS, ip6t_raw_matches, ip6t_raw_targets, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_unused]
+	security	ip6t_replace_t["security", 3, 4, IPT_SECURITY_VALID_HOOKS, ip6t_security_matches, ip6t_security_targets, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused, ipt_unused, ipt_hook, ipt_hook, ipt_hook, ipt_unused]
 ] [varlen]
 
-type ip6t_replace_t[NAME, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
+type ip6t_replace_t[NAME, NENTRIES, NHOOKS, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U2, U3, U4] {
 	name				string[NAME, XT_TABLE_MAXNAMELEN]
 	valid_hooks			const[HOOKS, int32]
-	num_entries			const[4, int32]
+	num_entries			const[NHOOKS, int32]
 	size				bytesize[entries, int32]
 	hook_pre_routing		H0
 	hook_pre_local_in		H1
@@ -38,20 +39,20 @@ type ip6t_replace_t[NAME, HOOKS, MATCHES, TARGETS, H0, H1, H2, H3, H4, U0, U1, U
 	underflow_pre_forward		U2
 	underflow_pre_local_out		U3
 	underflow_pre_post_routing	U4
-	num_counters			const[4, int32]
-	counters			ptr[in, array[xt_counters, 4]]
-	entries				ip6t_replace_entries[MATCHES, TARGETS]
+	num_counters			const[NHOOKS, int32]
+	counters			ptr[out, array[xt_counters, NHOOKS]]
+	entries				ip6t_replace_entries[NENTRIES, MATCHES, TARGETS]
 }
 
-type ip6t_replace_entries[MATCHES, TARGETS] {
+type ip6t_replace_entries[NENTRIES, MATCHES, TARGETS] {
+	entries		array[ip6t_entry[MATCHES, TARGETS], NENTRIES]
 	underflow	ip6t_entry_underflow
-	entries		array[ip6t_entry[MATCHES, TARGETS], 3]
 } [packed, align_ptr]
 
 type ip6t_entry[MATCHES, TARGETS] {
 	matches	ip6t_entry_matches[MATCHES]
 	target	TARGETS
-} [packed, align_8]
+} [packed, align_ptr]
 
 type ip6t_entry_matches[MATCHES] {
 	ipv6		ip6t_ip6_or_uncond
@@ -61,7 +62,7 @@ type ip6t_entry_matches[MATCHES] {
 	comefrom	const[0, int32]
 	counters	xt_counters
 	matches		array[MATCHES, 0:2]
-} [packed, align_ptr]
+} [align_ptr]
 
 ip6t_entry_underflow {
 	matches	ip6t_entry_underflow_matches
@@ -107,6 +108,7 @@ ip6t_ip6_invflags = IP6T_INV_VIA_IN, IP6T_INV_VIA_OUT, IP6T_INV_TOS, IP6T_INV_SR
 
 ipt6_matches [
 	unspec		xt_unspec_matches
+	inet		xt_inet_matches
 	icmp6		xt_entry_match["icmp6", ip6t_icmp, 0]
 	rt		xt_entry_match["rt", ip6t_rt, 0]
 	mh		xt_entry_match["mh", ip6t_mh, 0]
@@ -117,6 +119,7 @@ ipt6_matches [
 	ah		xt_entry_match["ah", ip6t_ah, 0]
 	ipv6header	xt_entry_match["ipv6header", ip6t_ipv6header_info, 0]
 	hl		xt_entry_match["hl", ipt_ttl_info, 0]
+	srh		xt_entry_match["srh", ip6t_srh, 0]
 ] [varlen]
 
 ip6t_filter_matches [
@@ -129,12 +132,12 @@ ip6t_nat_matches [
 
 ip6t_mangle_matches [
 	common	ipt6_matches
-	unspec	xt_unspec_mangle_matches
+	inet	xt_inet_mangle_matches
 ] [varlen]
 
 ip6t_raw_matches [
 	common	ipt6_matches
-	unspec	xt_unspec_raw_matches
+	inet	xt_inet_raw_matches
 ] [varlen]
 
 ip6t_security_matches [
@@ -208,10 +211,23 @@ ip6t_ah {
 
 ip6t_ah_flags = IP6T_AH_INV_SPI, IP6T_AH_INV_LEN
 
+ip6t_srh {
+	next_hdr	flags[ipv6_types, int8]
+	hdr_len		int8
+	segs_left	int8
+	last_entry	int8
+	tag		int16
+	mt_flags	flags[ip6t_srh_flags, int16]
+	mt_invflags	flags[ip6t_srh_flags, int16]
+}
+
+ip6t_srh_flags = IP6T_SRH_NEXTHDR, IP6T_SRH_LEN_EQ, IP6T_SRH_LEN_GT, IP6T_SRH_LEN_LT, IP6T_SRH_SEGS_EQ, IP6T_SRH_SEGS_GT, IP6T_SRH_SEGS_LT, IP6T_SRH_LAST_EQ, IP6T_SRH_LAST_GT, IP6T_SRH_LAST_LT, IP6T_SRH_TAG
+
 # TARGETS:
 
 ip6t_targets [
 	unspec	xt_unspec_targets
+	inet	xt_inet_targets
 ] [varlen]
 
 ip6t_filter_targets [
@@ -221,6 +237,7 @@ ip6t_filter_targets [
 
 ip6t_nat_targets [
 	common		ip6t_targets
+	unspec		xt_unspec_nat_targets
 	NETMAP		xt_target_t["NETMAP", nf_nat_range, 0]
 	REDIRECT	xt_target_t["REDIRECT", nf_nat_range, 0]
 	MASQUERADE	xt_target_t["MASQUERADE", nf_nat_range, 0]
@@ -229,6 +246,7 @@ ip6t_nat_targets [
 ip6t_mangle_targets [
 	common	ip6t_targets
 	unspec	xt_unspec_mangle_targets
+	inet	xt_inet_mangle_targets
 	SNPT	xt_target_t["SNPT", ip6t_npt_tginfo, 0]
 	DNPT	xt_target_t["DNPT", ip6t_npt_tginfo, 0]
 	HL	xt_target_t["HL", ipt_TTL_info, 0]

sys/linux/netfilter_ipv6_386.const

@@ -45,6 +45,17 @@ IP6T_RT_RES = 8
 IP6T_RT_SGS = 2
 IP6T_RT_TYP = 1
 IP6T_SO_SET_REPLACE = 64
+IP6T_SRH_LAST_EQ = 128
+IP6T_SRH_LAST_GT = 256
+IP6T_SRH_LAST_LT = 512
+IP6T_SRH_LEN_EQ = 2
+IP6T_SRH_LEN_GT = 4
+IP6T_SRH_LEN_LT = 8
+IP6T_SRH_NEXTHDR = 1
+IP6T_SRH_SEGS_EQ = 16
+IP6T_SRH_SEGS_GT = 32
+IP6T_SRH_SEGS_LT = 64
+IP6T_SRH_TAG = 1024
 IP6T_TCP_RESET = 6
 # IPT_FILTER_VALID_HOOKS is not set
 # IPT_MANGLE_VALID_HOOKS is not set

sys/linux/netfilter_ipv6_amd64.const

@@ -45,6 +45,17 @@ IP6T_RT_RES = 8
 IP6T_RT_SGS = 2
 IP6T_RT_TYP = 1
 IP6T_SO_SET_REPLACE = 64
+IP6T_SRH_LAST_EQ = 128
+IP6T_SRH_LAST_GT = 256
+IP6T_SRH_LAST_LT = 512
+IP6T_SRH_LEN_EQ = 2
+IP6T_SRH_LEN_GT = 4
+IP6T_SRH_LEN_LT = 8
+IP6T_SRH_NEXTHDR = 1
+IP6T_SRH_SEGS_EQ = 16
+IP6T_SRH_SEGS_GT = 32
+IP6T_SRH_SEGS_LT = 64
+IP6T_SRH_TAG = 1024
 IP6T_TCP_RESET = 6
 # IPT_FILTER_VALID_HOOKS is not set
 # IPT_MANGLE_VALID_HOOKS is not set

sys/linux/netfilter_ipv6_arm64.const

@@ -45,6 +45,17 @@ IP6T_RT_RES = 8
 IP6T_RT_SGS = 2
 IP6T_RT_TYP = 1
 IP6T_SO_SET_REPLACE = 64
+IP6T_SRH_LAST_EQ = 128
+IP6T_SRH_LAST_GT = 256
+IP6T_SRH_LAST_LT = 512
+IP6T_SRH_LEN_EQ = 2
+IP6T_SRH_LEN_GT = 4
+IP6T_SRH_LEN_LT = 8
+IP6T_SRH_NEXTHDR = 1
+IP6T_SRH_SEGS_EQ = 16
+IP6T_SRH_SEGS_GT = 32
+IP6T_SRH_SEGS_LT = 64
+IP6T_SRH_TAG = 1024
 IP6T_TCP_RESET = 6
 # IPT_FILTER_VALID_HOOKS is not set
 # IPT_MANGLE_VALID_HOOKS is not set

sys/linux/netfilter_ipv6_ppc64le.const

@@ -45,6 +45,17 @@ IP6T_RT_RES = 8
 IP6T_RT_SGS = 2
 IP6T_RT_TYP = 1
 IP6T_SO_SET_REPLACE = 64
+IP6T_SRH_LAST_EQ = 128
+IP6T_SRH_LAST_GT = 256
+IP6T_SRH_LAST_LT = 512
+IP6T_SRH_LEN_EQ = 2
+IP6T_SRH_LEN_GT = 4
+IP6T_SRH_LEN_LT = 8
+IP6T_SRH_NEXTHDR = 1
+IP6T_SRH_SEGS_EQ = 16
+IP6T_SRH_SEGS_GT = 32
+IP6T_SRH_SEGS_LT = 64
+IP6T_SRH_TAG = 1024
 IP6T_TCP_RESET = 6
 # IPT_FILTER_VALID_HOOKS is not set
 # IPT_MANGLE_VALID_HOOKS is not set

sys/linux/netfilter_targets.txt

@@ -40,9 +40,7 @@ type xt_target_t[NAME, DATA, REV] {
 xt_unspec_targets [
 	STANDARD	xt_target_t["", flags[nf_verdicts, int32], 0]
 	ERROR		xt_target_t["ERROR", array[int8, XT_FUNCTION_MAXNAMELEN], 0]
-	TEE		xt_target_t["TEE", xt_tee_tginfo, 1]
 	LED		xt_target_t["LED", xt_led_info, 0]
-	TCPMSS		xt_target_t["TCPMSS", xt_tcpmss_info, 0]
 	RATEEST		xt_target_t["RATEEST", xt_rateest_target_info, 0]
 	NFQUEUE0	xt_target_t["NFQUEUE", xt_NFQ_info, 0]
 	NFQUEUE1	xt_target_t["NFQUEUE", xt_NFQ_info_v1, 1]
@@ -50,19 +48,12 @@ xt_unspec_targets [
 	NFQUEUE3	xt_target_t["NFQUEUE", xt_NFQ_info_v3, 3]
 	CLASSIFY	xt_target_t["CLASSIFY", xt_classify_target_info, 0]
 	IDLETIMER	xt_target_t["IDLETIMER", idletimer_tg_info, 0]
-	TCPOPTSTRIP	xt_target_t["TCPOPTSTRIP", xt_tcpoptstrip_target_info, 0]
 	AUDIT		xt_target_t["AUDIT", xt_audit_info, 0]
-	HMARK		xt_target_t["HMARK", xt_hmark_info, 0]
-	SET1		xt_target_t["SET", xt_set_info_target_v1, 1]
-	SET2		xt_target_t["SET", xt_set_info_target_v2, 2]
-	SET3		xt_target_t["SET", xt_set_info_target_v3, 3]
 	MARK		xt_target_t["MARK", xt_mark_tginfo2, 2]
-	LOG		xt_target_t["LOG", xt_log_info, 0]
 	CONNSECMARK	xt_target_t["CONNSECMARK", xt_connsecmark_target_info, 0]
 	SECMARK		xt_target_t["SECMARK", xt_secmark_target_info, 0]
 	NFLOG		xt_target_t["NFLOG", xt_nflog_info, 0]
 	CONNMARK	xt_target_t["CONNMARK", xt_connmark_tginfo1, 1]
-	SYNPROXY	xt_target_t["SYNPROXY", xt_synproxy_info, 0]
 ] [varlen]
 
 nf_verdicts = 0, NF_DROP_VERDICT, NF_ACCEPT_VERDICT, NF_STOLEN_VERDICT, NF_QUEUE_VERDICT, NF_REPEAT_VERDICT
@@ -74,12 +65,14 @@ define NF_QUEUE_VERDICT	-NF_QUEUE - 1
 define NF_REPEAT_VERDICT	-NF_REPEAT - 1
 
 xt_unspec_mangle_targets [
-	DSCP		xt_target_t["DSCP", xt_DSCP_info, 0]
-	TOS		xt_target_t["TOS", xt_tos_target_info, 0]
-	TPROXY1		xt_target_t["TPROXY", xt_tproxy_target_info_v1, 1]
 	CHECKSUM	xt_target_t["CHECKSUM", xt_CHECKSUM_info, 0]
 ] [varlen]
 
+xt_unspec_nat_targets [
+	SNAT1	xt_target_t["SNAT", nf_nat_range, 1]
+	DNAT1	xt_target_t["DNAT", nf_nat_range, 1]
+] [varlen]
+
 xt_unspec_raw_targets [
 	TRACE	xt_target_t["TRACE", void, 0]
 	CT0	xt_target_t["CT", xt_ct_target_info, 0]
@@ -88,6 +81,24 @@ xt_unspec_raw_targets [
 	NOTRACK	xt_target_t["NOTRACK", void, 0]
 ] [varlen]
 
+xt_inet_targets [
+	TEE		xt_target_t["TEE", xt_tee_tginfo, 1]
+	TCPMSS		xt_target_t["TCPMSS", xt_tcpmss_info, 0]
+	TCPOPTSTRIP	xt_target_t["TCPOPTSTRIP", xt_tcpoptstrip_target_info, 0]
+	HMARK		xt_target_t["HMARK", xt_hmark_info, 0]
+	SET1		xt_target_t["SET", xt_set_info_target_v1, 1]
+	SET2		xt_target_t["SET", xt_set_info_target_v2, 2]
+	SET3		xt_target_t["SET", xt_set_info_target_v3, 3]
+	LOG		xt_target_t["LOG", xt_log_info, 0]
+	SYNPROXY	xt_target_t["SYNPROXY", xt_synproxy_info, 0]
+] [varlen]
+
+xt_inet_mangle_targets [
+	DSCP	xt_target_t["DSCP", xt_DSCP_info, 0]
+	TOS	xt_target_t["TOS", xt_tos_target_info, 0]
+	TPROXY1	xt_target_t["TPROXY", xt_tproxy_target_info_v1, 1]
+] [varlen]
+
 xt_tee_tginfo {
 	gw	nf_inet_addr
 # TODO: make it possible to mark strings as opt (empty string), this must be opt:

sys/linux/sys_ppc64le.const

@@ -764,9 +764,9 @@ __NR_personality = 136
 __NR_pipe = 42
 __NR_pipe2 = 317
 __NR_pivot_root = 203
-# __NR_pkey_alloc is not set
-# __NR_pkey_free is not set
-# __NR_pkey_mprotect is not set
+__NR_pkey_alloc = 384
+__NR_pkey_free = 385
+__NR_pkey_mprotect = 386
 __NR_poll = 167
 __NR_ppoll = 281
 __NR_prctl = 171

sys/linux/vnet.txt

@@ -646,6 +646,7 @@ ipv6_tlv_enc_lim {
 } [packed]
 
 # TODO: add ipv6_rt_hdr header.
+# TODO: add ipv6_sr_hdr header.
 
 ipv6_packet {
 	priority	int8:4