[PATCH iptables 0/8] iptables-translate: fix some bugs and add more translations to nft

[PATCH iptables 0/8] iptables-translate: fix some bugs and add more translations to nft

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

This patch set fixes some bugs related to translation:
  * libipt_realm: add a missing space
  * libxt_iprange: ip6tables translation's format is not correct
  * libxt_iprange & libxt_devgroup: handle the invert flag properly
  * libxt_ipcomp: add range support

Also add libxt_quota, libxt_DSCP, libxt_statistic translation to nft.
Note: we only support statistic's nth mode translation, because random
mode is not completely supported in nft.

Liping Zhang (8):
  extensions: libipt_realm: add a missing space in translation
  extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in
    ip6tables-xlate
  extensions: libxt_iprange: handle the invert flag properly in
    translation
  extensions: libxt_devgroup: handle the invert flag properly in
    translation
  extensions: libxt_ipcomp: add range support in translation
  extensions: libxt_quota: add translation to nft
  extensions: libxt_DSCP: add translation to nft
  extensions: libxt_statistic: add translation to nft

 extensions/libipt_realm.c    |  2 +-
 extensions/libxt_DSCP.c      | 64 +++++++++++++++++++++++++++++++++++---------
 extensions/libxt_devgroup.c  |  5 ++--
 extensions/libxt_ipcomp.c    | 10 ++++---
 extensions/libxt_iprange.c   | 52 ++++++++++++++---------------------
 extensions/libxt_quota.c     | 12 +++++++++
 extensions/libxt_statistic.c | 21 +++++++++++++++
 7 files changed, 115 insertions(+), 51 deletions(-)

-- 
2.5.5

[PATCH iptables 1/8] extensions: libipt_realm: add a missing space in translation

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

We missed a blank space when do translate to nft, so if rt_realm can be
mapped to name, the result looks ugly:
  # iptables-translate -A OUTPUT -m realm --realm 0
  nft add rule ip filter OUTPUT rtclassidcosmos counter
                                         ^

Apply this patch:
  # iptables-translate -A OUTPUT -m realm --realm 0
  nft add rule ip filter OUTPUT rtclassid cosmos counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libipt_realm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index fd0622a..8eea787 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -121,7 +121,7 @@ print_realm_xlate(unsigned long id, unsigned long mask,
 		if (numeric == 0)
 			name = xtables_lmap_id2name(realms, id);
 		if (name)
-			xt_xlate_add(xl, "%s%s",
+			xt_xlate_add(xl, " %s%s",
 				   op == XT_OP_EQ ? "" : "!= ", name);
 		else
 			xt_xlate_add(xl, " %s0x%lx",
-- 
2.5.5

[PATCH iptables 2/8] extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

nft will complain the syntax error if we use "ip saddr" or "ip daddr" in
ip6 family, so the current translation is wrong:
  # ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
                                 ^^

Apply this patch:
  # ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT ip6 saddr 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_iprange.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 9e6f555..a76f1e9 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -380,7 +380,7 @@ static int iprange_mt6_xlate(struct xt_xlate *xl,
 	if (info->flags & IPRANGE_SRC) {
 		if (info->flags & IPRANGE_SRC_INV)
 			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip saddr %s",
+		xt_xlate_add(xl, "ip6 saddr %s",
 			   xtables_ip6addr_to_numeric(&info->src_min.in6));
 		xt_xlate_add(xl, "-%s",
 			   xtables_ip6addr_to_numeric(&info->src_max.in6));
@@ -391,7 +391,7 @@ static int iprange_mt6_xlate(struct xt_xlate *xl,
 			xt_xlate_add(xl, "%s!= ", space);
 			space = "";
 		}
-		xt_xlate_add(xl, "%sip daddr %s", space,
+		xt_xlate_add(xl, "%sip6 daddr %s", space,
 			   xtables_ip6addr_to_numeric(&info->dst_min.in6));
 		xt_xlate_add(xl, "-%s",
 			   xtables_ip6addr_to_numeric(&info->dst_max.in6));
-- 
2.5.5

[PATCH iptables 3/8] extensions: libxt_iprange: handle the invert flag properly in translation

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter

  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter

Apply this patch:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter

  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_iprange.c | 52 ++++++++++++++++++----------------------------
 1 file changed, 20 insertions(+), 32 deletions(-)

diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index a76f1e9..8be2481 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -322,18 +322,14 @@ static int iprange_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip saddr");
+		xt_xlate_add(xl, "ip saddr%s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "");
 		print_iprange_xlate(&info->src, xl);
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip daddr", space);
+		xt_xlate_add(xl, "%sip daddr%s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "");
 		print_iprange_xlate(&info->dst, xl);
 	}
 
@@ -348,23 +344,19 @@ static int iprange_mt4_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip saddr %s",
-			   xtables_ipaddr_to_numeric(&info->src_min.in));
+		xt_xlate_add(xl, "ip saddr%s %s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "",
+			     xtables_ipaddr_to_numeric(&info->src_min.in));
 		xt_xlate_add(xl, "-%s",
-			   xtables_ipaddr_to_numeric(&info->src_max.in));
+			     xtables_ipaddr_to_numeric(&info->src_max.in));
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip daddr %s", space,
-			   xtables_ipaddr_to_numeric(&info->dst_min.in));
+		xt_xlate_add(xl, "%sip daddr%s %s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "",
+			     xtables_ipaddr_to_numeric(&info->dst_min.in));
 		xt_xlate_add(xl, "-%s",
-			   xtables_ipaddr_to_numeric(&info->dst_max.in));
+			     xtables_ipaddr_to_numeric(&info->dst_max.in));
 	}
 
 	return 1;
@@ -378,23 +370,19 @@ static int iprange_mt6_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip6 saddr %s",
-			   xtables_ip6addr_to_numeric(&info->src_min.in6));
+		xt_xlate_add(xl, "ip6 saddr%s %s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "",
+			     xtables_ip6addr_to_numeric(&info->src_min.in6));
 		xt_xlate_add(xl, "-%s",
-			   xtables_ip6addr_to_numeric(&info->src_max.in6));
+			     xtables_ip6addr_to_numeric(&info->src_max.in6));
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip6 daddr %s", space,
-			   xtables_ip6addr_to_numeric(&info->dst_min.in6));
+		xt_xlate_add(xl, "%sip6 daddr%s %s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "",
+			     xtables_ip6addr_to_numeric(&info->dst_min.in6));
 		xt_xlate_add(xl, "-%s",
-			   xtables_ip6addr_to_numeric(&info->dst_max.in6));
+			     xtables_ip6addr_to_numeric(&info->dst_max.in6));
 	}
 
 	return 1;
-- 
2.5.5

[PATCH iptables 4/8] extensions: libxt_devgroup: handle the invert flag properly in translation

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

We forgot to put "!=" when devgroup can be mapped to name, so translation
is wrong:
  # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
  nft add rule ip filter OUTPUT oifgroup default counter

Apply this patch:
  # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
  nft add rule ip filter OUTPUT oifgroup != default counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_devgroup.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index d155680..2ec3905 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -163,11 +163,12 @@ print_devgroup_xlate(unsigned int id, uint32_t op,  unsigned int mask,
 	else {
 		if (numeric == 0)
 			name = xtables_lmap_id2name(devgroups, id);
+
+		xt_xlate_add(xl, "%s", op == XT_OP_EQ ? "" : "!= ");
 		if (name)
 			xt_xlate_add(xl, "%s", name);
 		else
-			xt_xlate_add(xl, "%s0x%x",
-				   op == XT_OP_EQ ? "" : "!= ", id);
+			xt_xlate_add(xl, "0x%x", id);
 	}
 }
 
-- 
2.5.5

[PATCH iptables 5/8] extensions: libxt_ipcomp: add range support in translation

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

When translate to nft rules, ipcompspi range is not supported, so:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3 counter

Apply this patch:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1-2 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3-30 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_ipcomp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c
index 9f7c0ef..b5c4312 100644
--- a/extensions/libxt_ipcomp.c
+++ b/extensions/libxt_ipcomp.c
@@ -101,9 +101,13 @@ static int comp_xlate(struct xt_xlate *xl,
 	const struct xt_ipcomp *compinfo =
 		(struct xt_ipcomp *)params->match->data;
 
-	xt_xlate_add(xl, "comp cpi %s%u",
-		     (compinfo->invflags & XT_IPCOMP_INV_SPI) ? "!= " : "",
-		     compinfo->spis[0]);
+	xt_xlate_add(xl, "comp cpi %s",
+		     compinfo->invflags & XT_IPCOMP_INV_SPI ? "!= " : "");
+	if (compinfo->spis[0] != compinfo->spis[1])
+		xt_xlate_add(xl, "%u-%u", compinfo->spis[0],
+			     compinfo->spis[1]);
+	else
+		xt_xlate_add(xl, "%u", compinfo->spis[0]);
 
 	return 1;
 }
-- 
2.5.5

[PATCH iptables 6/8] extensions: libxt_quota: add translation to nft

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

For example:
  # iptables-translate -A OUTPUT -m quota --quota 111
  nft add rule ip filter OUTPUT quota 111 bytes counter

  # iptables-translate -A OUTPUT -m quota ! --quota 111
  nft add rule ip filter OUTPUT quota over 111 bytes counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_quota.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index ff7dd2a..bad77d2 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -50,6 +50,17 @@ static void quota_parse(struct xt_option_call *cb)
 		info->flags |= XT_QUOTA_INVERT;
 }
 
+static int quota_xlate(struct xt_xlate *xl,
+		       const struct xt_xlate_mt_params *params)
+{
+	const struct xt_quota_info *q = (void *)params->match->data;
+
+	xt_xlate_add(xl, "quota %s%llu bytes",
+		     q->flags & XT_QUOTA_INVERT ? "over " : "",
+		     (unsigned long long) q->quota);
+	return 1;
+}
+
 static struct xtables_match quota_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "quota",
@@ -61,6 +72,7 @@ static struct xtables_match quota_match = {
 	.save		= quota_save,
 	.x6_parse	= quota_parse,
 	.x6_options	= quota_opts,
+	.xlate		= quota_xlate,
 };
 
 void
-- 
2.5.5

[PATCH iptables 7/8] extensions: libxt_DSCP: add translation to nft

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

For example:
  # iptables-translate -A OUTPUT -j DSCP --set-dscp 1
  nft add rule ip filter OUTPUT counter ip dscp set 0x01

  # ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6
  nft add rule ip6 filter OUTPUT counter ip6 dscp set 0x06

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_DSCP.c | 64 +++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index e16e93c..cae0d83 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -92,21 +92,59 @@ static void DSCP_save(const void *ip, const struct xt_entry_target *target)
 	printf(" --set-dscp 0x%02x", dinfo->dscp);
 }
 
-static struct xtables_target dscp_target = {
-	.family		= NFPROTO_UNSPEC,
-	.name		= "DSCP",
-	.version	= XTABLES_VERSION,
-	.size		= XT_ALIGN(sizeof(struct xt_DSCP_info)),
-	.userspacesize	= XT_ALIGN(sizeof(struct xt_DSCP_info)),
-	.help		= DSCP_help,
-	.print		= DSCP_print,
-	.save		= DSCP_save,
-	.x6_parse	= DSCP_parse,
-	.x6_fcheck	= DSCP_check,
-	.x6_options	= DSCP_opts,
+
+static int DSCP_xlate(struct xt_xlate *xl,
+		      const struct xt_xlate_tg_params *params)
+{
+	const struct xt_DSCP_info *dinfo =
+		(struct xt_DSCP_info *)params->target->data;
+
+	xt_xlate_add(xl, "ip dscp set 0x%02x", dinfo->dscp);
+	return 1;
+}
+
+static int DSCP_xlate6(struct xt_xlate *xl,
+		       const struct xt_xlate_tg_params *params)
+{
+	const struct xt_DSCP_info *dinfo =
+		(struct xt_DSCP_info *)params->target->data;
+
+	xt_xlate_add(xl, "ip6 dscp set 0x%02x", dinfo->dscp);
+	return 1;
+}
+
+static struct xtables_target dscp_target[] = {
+	{
+		.family		= NFPROTO_IPV4,
+		.name		= "DSCP",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_DSCP_info)),
+		.userspacesize	= XT_ALIGN(sizeof(struct xt_DSCP_info)),
+		.help		= DSCP_help,
+		.print		= DSCP_print,
+		.save		= DSCP_save,
+		.x6_parse	= DSCP_parse,
+		.x6_fcheck	= DSCP_check,
+		.x6_options	= DSCP_opts,
+		.xlate		= DSCP_xlate,
+	},
+	{
+		.family		= NFPROTO_IPV6,
+		.name		= "DSCP",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_DSCP_info)),
+		.userspacesize	= XT_ALIGN(sizeof(struct xt_DSCP_info)),
+		.help		= DSCP_help,
+		.print		= DSCP_print,
+		.save		= DSCP_save,
+		.x6_parse	= DSCP_parse,
+		.x6_fcheck	= DSCP_check,
+		.x6_options	= DSCP_opts,
+		.xlate		= DSCP_xlate6,
+	},
 };
 
 void _init(void)
 {
-	xtables_register_target(&dscp_target);
+	xtables_register_targets(dscp_target, ARRAY_SIZE(dscp_target));
 }
-- 
2.5.5

[PATCH iptables 8/8] extensions: libxt_statistic: add translation to nft

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

For example:
  # iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
  --packet 1
  nft add rule ip filter OUTPUT numgen inc mod 10 1 counter

  # iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
  --packet 5
  nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter

Note, mode random is not completely supported in nft, so:
  # iptables-translate -A OUTPUT -m statistic --mode random \
  --probability 0.1
  nft # -A OUTPUT -m statistic --mode random --probability 0.1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_statistic.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index b6ae5f5..4f3341a 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -133,6 +133,26 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
 	print_match(info, "--");
 }
 
+static int statistic_xlate(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_statistic_info *info =
+		(struct xt_statistic_info *)params->match->data;
+
+	switch (info->mode) {
+	case XT_STATISTIC_MODE_RANDOM:
+		return 0;
+	case XT_STATISTIC_MODE_NTH:
+		xt_xlate_add(xl, "numgen inc mod %u %s%u",
+			     info->u.nth.every + 1,
+			     info->flags & XT_STATISTIC_INVERT ? "!= " : "",
+			     info->u.nth.packet);
+		break;
+	}
+
+	return 1;
+}
+
 static struct xtables_match statistic_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "statistic",
@@ -145,6 +165,7 @@ static struct xtables_match statistic_match = {
 	.print		= statistic_print,
 	.save		= statistic_save,
 	.x6_options	= statistic_opts,
+	.xlate		= statistic_xlate,
 };
 
 void _init(void)
-- 
2.5.5

Re: [PATCH iptables 0/8] iptables-translate: fix some bugs and add more translations to nft

[Pablo Neira Ayuso]

On Fri, Oct 07, 2016 at 07:08:48PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> This patch set fixes some bugs related to translation:
>   * libipt_realm: add a missing space
>   * libxt_iprange: ip6tables translation's format is not correct
>   * libxt_iprange & libxt_devgroup: handle the invert flag properly
>   * libxt_ipcomp: add range support
> 
> Also add libxt_quota, libxt_DSCP, libxt_statistic translation to nft.
> Note: we only support statistic's nth mode translation, because random
> mode is not completely supported in nft.

Series applied, thanks Liping.