* [PATCH v5] extensions: libxt_multiport: Add translation to nft
@ 2016-03-13 8:46 Piyush Pangtey
From: Piyush Pangtey @ 2016-03-13 8:46 UTC (permalink / raw)
To: netfilter-devel
Added full translation for multiport
Examples :
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport ssh - http tcp sport
ssh - http counter accept
$ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport 11 - 18 counter
accept
$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport 11 - 18 counter
accept
$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport 11 - 18
counter accept
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
Corrected the translations, as suggested by Arturo Borrero González
v3:
Removed static variable trick. Now utilizes ipt_ip and ip6t_ip
which is now passed to xlate ,from the patch
http://patchwork.ozlabs.org/patch/595128/
v4:
Corrected code as per coding style.
v5:
Improved translation. Unnecessary sets are not generated.
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
extensions/libxt_multiport.c | 206 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..ecc8e1f 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
}
static void
+print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
+ int numeric)
+{
+ const char *service;
+
+ if (numeric || (service = port_to_service(port, protocol)) == NULL)
+ xt_xlate_add(xl, "%u", port);
+ else
+ xt_xlate_add(xl, "%s", service);
+}
+
+static void
__multiport_print(const struct xt_entry_match *match, int numeric,
uint16_t proto)
{
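Review bot: When `numeric` is false, `print_port_xlate` emits whatever `port_to_service()` returns (presumably a name resolved from the local services database), so the meaning of the generated nft rule then depends on nft resolving the same name on the host where the rule is loaded; a service-name mismatch between hosts silently changes which ports the translated rule matches. Emitting the numeric port unconditionally keeps the translation host-independent; if names are kept on purpose, say so above the function: `/* non-numeric output relies on nft resolving the same service name at load time */`. The assignment-in-condition at line 49 also reads more easily as a separate `service = port_to_service(port, protocol);` statement before the `if`.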
@@ -318,6 +330,21 @@ static void multiport_print(const void *ip_void,
__multiport_print(match, numeric, ip->proto);
}
+static void multiport_print_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t proto,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ print_port_xlate(xl, multiinfo->ports[i],
+ proto, numeric);
+ }
+}
+
static void multiport_print6(const void *ip_void,
const struct xt_entry_match *match, int numeric)
{
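Review bot: `multiport_print_xlate` serves the revision-0 match (it is called from `__multiport_xlate`, which this patch registers as `.xlate = multiport_xlate` on the revision-0 entries), yet lines 66-67 cast `match->data` to `struct xt_multiport_v1`; the file keeps separate `__multiport_print` and `__multiport_print_v1` paths, which suggests the two revisions do not share a layout. Only `count` and `ports[]` are read here, which is harmless if both structs share that prefix, but the declaration should be `const struct xt_multiport *multiinfo = (const struct xt_multiport *)match->data;` so that a later v1-only field access in this helper fails to compile rather than reading past the v0 data. The separator `xt_xlate_add(xl, "%s", i ? "," : "");` is clearer as `if (i) xt_xlate_add(xl, ",");`.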
@@ -372,6 +399,25 @@ static void multiport_print_v1(const void *ip_void,
__multiport_print_v1(match, numeric, ip->proto);
}
+static void multiport_print_v1_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t proto,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl, " - ");
+ print_port_xlate(xl, multiinfo->ports[++i],
+ proto, numeric);
+ }
+ }
+}
+
static void multiport_print6_v1(const void *ip_void,
const struct xt_entry_match *match, int numeric)
{
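Review bot: The range branch at lines 94-97 reads `multiinfo->ports[++i]` without checking that a second port exists, so a `pflags[]` entry set on the last port (i == count - 1) would read one element beyond the ports the rule carries; whether the option parser rules that out is not visible in this hunk. Guarding with `if (multiinfo->pflags[i] && i + 1 < multiinfo->count)` keeps the translation path inside the match's own data however the blob was produced, and the pre-existing `__multiport_print_v1` (outside this hunk) should be checked for the same pattern. The `++i` deserves a one-line comment, e.g. `/* pflags[i] set: ports[i]..ports[i+1] is a range, consume both */`.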
@@ -468,6 +514,162 @@ static void multiport_save6_v1(const void *ip_void,
__multiport_save_v1(match, ip->proto);
}
+static int __multiport_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t protocol,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ const char *proto_name;
+ bool have_multiple = false, have_invert = false;
+
+ if ((proto_name = proto_to_name(protocol)) != NULL) {
+ if (multiinfo->count > 1)
+ have_multiple = true;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (have_multiple && have_invert)
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+ return 1;
+}
+
+static int __multiport_xlate_v1(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t protocol,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ const char *proto_name;
+ unsigned int i, have_multiple = 0;
+ bool have_invert = false;
+
+ if ((proto_name = proto_to_name(protocol)) != NULL) {
+ if (multiinfo->count > 1)
+ have_multiple++;
+ for (i = 0; i < multiinfo->count; i++)
+ if (multiinfo->pflags[i])
+ have_multiple++;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (have_multiple && have_invert)
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple > 2) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple > 2) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple > 2) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ if (have_multiple > 2)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple > 2) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ default:
+ return 0;
+ }
+ if (have_multiple > 2)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+ return 1;
+}
+
+static int multiport_xlate(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct ipt_ip *ip = ip_void;
+ return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate_v1(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct ipt_ip *ip = ip_void;
+ return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6_v1(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
static struct xtables_match multiport_mt_reg[] = {
{
.family = NFPROTO_IPV4,
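Review bot: When `proto_to_name()` returns NULL at line 117 (and likewise line 178), `__multiport_xlate` emits nothing yet still returns 1 at line 165, so iptables-translate reports success while the whole port match has been silently dropped from the nft rule, making the translated rule broader than the original. That case should be an explicit failure like the unsupported invert-plus-set combination, `if (proto_name == NULL) return 0;` before the switch, so the rule is flagged as untranslatable. Separately, `__multiport_xlate` is the revision-0 translator (registered as `.xlate = multiport_xlate`) but reads `multiinfo->invert` through a `struct xt_multiport_v1` cast at lines 112-113; if revision 0's `struct xt_multiport` lacks the `pflags`/`invert` fields, as the separate `_v1` print/save paths suggest, that read goes past the v0 match data and can emit a spurious `!=`, inverting the translated match. The `(have_invert == true)` comparisons throughout can be written as plain `have_invert`.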
@@ -482,6 +684,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print,
.save = multiport_save,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV6,
@@ -496,6 +699,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6,
.save = multiport_save6,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate6,
},
{
.family = NFPROTO_IPV4,
@@ -510,6 +714,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print_v1,
.save = multiport_save_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
{
.family = NFPROTO_IPV6,
@@ -524,6 +729,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6_v1,
.save = multiport_save6_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate6_v1,
},
};
--
1.9.1
--
With regards,
Piyush Pangtey <gokuvsvegita@gmail.com>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v5] extensions: libxt_multiport: Add translation to nft
2016-03-13 8:46 [PATCH v5] extensions: libxt_multiport: Add translation to nft Piyush Pangtey
@ 2016-03-15 1:06 ` Pablo Neira Ayuso
2016-03-15 3:39 ` Piyush Pangtey
From: Pablo Neira Ayuso @ 2016-03-15 1:06 UTC (permalink / raw)
To: Piyush Pangtey; +Cc: netfilter-devel
On Sun, Mar 13, 2016 at 02:16:18PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport ssh - http tcp sport ssh - http counter accept
--ports is not so easy to translate as this implies an 'or'. But what
you expressed above is an 'and'.
So please return 0 for this case so we remember that we currently have
no translation for this. Actually, I remember Shivani documented this
on wiki.nftables.org.
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport 11 - 18 counter accept
Almost there.
Note that nft generates the dependencies for you, so you can simplify
this translation above to:
$ iptables-translate -A input -p tcp -m multiport --dports ssh:http -j ACCEPT
nft add rule ip filter input tcp dport 22-80 counter accept
> $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp sport 11 - 18 counter
> accept
You can remove "ip protocol dccp".
> $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto udplite udplite sport 11 - 18
> counter accept
You can also remove "meta l4proto udplite".
Please, don't forget to test that nft accepts the syntax that you
propose as translation.
Thanks.
* Re: [PATCH v5] extensions: libxt_multiport: Add translation to nft
2016-03-15 1:06 ` Pablo Neira Ayuso
@ 2016-03-15 3:39 ` Piyush Pangtey
From: Piyush Pangtey @ 2016-03-15 3:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Tue, Mar 15, 2016 at 02:06:04AM +0100, Pablo Neira Ayuso wrote:
> On Sun, Mar 13, 2016 at 02:16:18PM +0530, Piyush Pangtey wrote:
> > Added full translation for multiport
> >
> > Examples :
> > $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> > nft add rule ip filter input ip protocol tcp tcp dport ssh - http tcp sport ssh - http counter accept
>
> --ports is not so easy to translate as this implies an 'or'. But what
> you expressed above is an 'and'.
>
Ok
> So please return 0 for this case so we remember that we currently have
> no translation for this. Actually, I remember Shivani documented this
> on wiki.nftables.org.
>
> > $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> > nft add rule ip filter input ip protocol sctp sctp dport 11 - 18 counter accept
>
> Almost there.
>
> Note that nft generates the dependencies for you, so you can simplify
> this translation above to:
>
> $ iptables-translate -A input -p tcp -m multiport --dports ssh:http -j ACCEPT
> nft add rule ip filter input tcp dport 22-80 counter accept
>
> > $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> > nft add rule ip filter input ip protocol dccp dccp sport 11 - 18 counter
> > accept
>
> You can remove "ip protocol dccp".
>
As per v1, I was concerned about this "ip protocol" , because it was not
introduced by libxt_multiport and so it may break others.
Arturo Borrero Gonzalez also suggested that translation should include
"ip protocol" and "meta l4proto", which are redundant.
> > $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> > nft add rule ip6 filter input meta l4proto udplite udplite sport 11 - 18
> > counter accept
>
> You can also remove "meta l4proto udplite".
>
> Please, don't forget to test that nft accepts the syntax that you
> propose as translation.
>
Ok . I always test translation before sending. :)
> Thanks.
--
With regards,
Piyush Pangtey <gokuvsvegita@gmail.com>