* [PATCH] extensions: libxt_devgroup: Add translation to nft
@ 2015-12-20 12:03 Shivani Bhardwaj
2015-12-22 17:00 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Shivani Bhardwaj @ 2015-12-20 12:03 UTC (permalink / raw)
To: netfilter-devel
Add translation of device group to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
$ sudo iptables-translate -A FORWARD -m devgroup --src-group 20 -j ACCEPT
nft add rule ip filter FORWARD iifgroup 0x14 counter accept
$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
extensions/libxt_devgroup.c | 62 +++++++++++++++++++++++++++++++++++++++++----
1 file changed, 57 insertions(+), 5 deletions(-)
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index 4a69c82..281b223 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -37,6 +37,7 @@ static struct xtables_lmap *devgroups;
static void devgroup_init(struct xt_entry_match *match)
{
const char file[] = "/etc/iproute2/group_map";
+
devgroups = xtables_lmap_init(file);
if (devgroups == NULL && errno != ENOENT)
fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
@@ -52,7 +53,7 @@ static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
if (ok && (*end == '/' || *end == '\0')) {
if (*end == '/')
ok = xtables_strtoui(end + 1, NULL, mask,
- 0, UINT32_MAX);
+ 0, UINT32_MAX);
else
*mask = ~0U;
if (!ok)
@@ -124,12 +125,12 @@ static void devgroup_show(const char *pfx, const struct xt_devgroup_info *info,
if (info->flags & XT_DEVGROUP_INVERT_DST)
printf(" !");
printf(" %sdst-group ", pfx);
- print_devgroup(info->src_group, info->src_mask, numeric);
+ print_devgroup(info->dst_group, info->dst_mask, numeric);
}
}
static void devgroup_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
+ int numeric)
{
const struct xt_devgroup_info *info = (const void *)match->data;
@@ -147,8 +148,58 @@ static void devgroup_check(struct xt_fcheck_call *cb)
{
if (cb->xflags == 0)
xtables_error(PARAMETER_PROBLEM,
- "devgroup match: You must specify either "
- "'--src-group' or '--dst-group'");
+ "devgroup match: You must specify either '--src-group' or '--dst-group'");
+}
+
+static void
+print_devgroup_xlate(unsigned int id, unsigned int mask,
+ struct xt_buf *buf, int numeric)
+{
+ const char *name = NULL;
+
+ if (mask != 0xffffffffU)
+ xt_buf_add(buf, "and 0x%x == 0x%x ", id, mask);
+ else {
+ if (numeric == 0)
+ name = xtables_lmap_id2name(devgroups, id);
+ if (name)
+ xt_buf_add(buf, "%s ", name);
+ else
+ xt_buf_add(buf, "0x%x ", id);
+ }
+}
+
+static void
+devgroup_show_xlate(const char *pfx, const struct xt_devgroup_info *info,
+ struct xt_buf *buf, int numeric)
+{
+ if (info->flags & XT_DEVGROUP_MATCH_SRC) {
+ if (info->flags & XT_DEVGROUP_INVERT_SRC)
+ xt_buf_add(buf, " !=");
+
+ xt_buf_add(buf, " %siifgroup ", pfx);
+ print_devgroup_xlate(info->src_group, info->src_mask,
+ buf, numeric);
+ }
+
+ if (info->flags & XT_DEVGROUP_MATCH_DST) {
+ if (info->flags & XT_DEVGROUP_INVERT_DST)
+ xt_buf_add(buf, " !=");
+
+ xt_buf_add(buf, " %soifgroup ", pfx);
+ print_devgroup_xlate(info->dst_group, info->dst_mask,
+ buf, numeric);
+ }
+}
+
+static int devgroup_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_devgroup_info *info = (const void *)match->data;
+
+ devgroup_show_xlate("", info, buf, 0);
+
+ return 1;
}
static struct xtables_match devgroup_mt_reg = {
@@ -164,6 +215,7 @@ static struct xtables_match devgroup_mt_reg = {
.x6_parse = devgroup_parse,
.x6_fcheck = devgroup_check,
.x6_options = devgroup_opts,
+ .xlate = devgroup_xlate,
};
void _init(void)
--
1.9.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] extensions: libxt_devgroup: Add translation to nft
2015-12-20 12:03 [PATCH] extensions: libxt_devgroup: Add translation to nft Shivani Bhardwaj
@ 2015-12-22 17:00 ` Pablo Neira Ayuso
2015-12-22 17:20 ` Shivani Bhardwaj
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:00 UTC (permalink / raw)
To: Shivani Bhardwaj; +Cc: netfilter-devel
On Sun, Dec 20, 2015 at 05:33:37PM +0530, Shivani Bhardwaj wrote:
> Add translation of device group to nftables.
git am /tmp/extensions-libxt_devgroup-Add-translation-to-nft.patch -s
Applying: extensions: libxt_devgroup: Add translation to nft
error: patch failed: extensions/libxt_devgroup.c:37
error: extensions/libxt_devgroup.c: patch does not apply
Patch failed at 0001 extensions: libxt_devgroup: Add translation to nft
The copy of the patch that failed is found in:
/home/pablo/devel/scm/git-netfilter/iptables/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
This one doesn't apply for some reason.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] extensions: libxt_devgroup: Add translation to nft
2015-12-22 17:00 ` Pablo Neira Ayuso
@ 2015-12-22 17:20 ` Shivani Bhardwaj
2015-12-22 17:29 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Shivani Bhardwaj @ 2015-12-22 17:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Tue, Dec 22, 2015 at 10:30 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Dec 20, 2015 at 05:33:37PM +0530, Shivani Bhardwaj wrote:
>> Add translation of device group to nftables.
>
> git am /tmp/extensions-libxt_devgroup-Add-translation-to-nft.patch -s
> Applying: extensions: libxt_devgroup: Add translation to nft
> error: patch failed: extensions/libxt_devgroup.c:37
> error: extensions/libxt_devgroup.c: patch does not apply
> Patch failed at 0001 extensions: libxt_devgroup: Add translation to nft
> The copy of the patch that failed is found in:
> /home/pablo/devel/scm/git-netfilter/iptables/.git/rebase-apply/patch
> When you have resolved this problem, run "git am --continue".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>
> This one doesn't apply for some reason.
Should I be sending this one again then?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] extensions: libxt_devgroup: Add translation to nft
2015-12-22 17:20 ` Shivani Bhardwaj
@ 2015-12-22 17:29 ` Pablo Neira Ayuso
0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:29 UTC (permalink / raw)
To: Shivani Bhardwaj; +Cc: netfilter-devel
On Tue, Dec 22, 2015 at 10:50:34PM +0530, Shivani Bhardwaj wrote:
> On Tue, Dec 22, 2015 at 10:30 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Sun, Dec 20, 2015 at 05:33:37PM +0530, Shivani Bhardwaj wrote:
> >> Add translation of device group to nftables.
> >
> > git am /tmp/extensions-libxt_devgroup-Add-translation-to-nft.patch -s
> > Applying: extensions: libxt_devgroup: Add translation to nft
> > error: patch failed: extensions/libxt_devgroup.c:37
> > error: extensions/libxt_devgroup.c: patch does not apply
> > Patch failed at 0001 extensions: libxt_devgroup: Add translation to nft
> > The copy of the patch that failed is found in:
> > /home/pablo/devel/scm/git-netfilter/iptables/.git/rebase-apply/patch
> > When you have resolved this problem, run "git am --continue".
> > If you prefer to skip this patch, run "git am --skip" instead.
> > To restore the original branch and stop patching, run "git am --abort".
> >
> > This one doesn't apply for some reason.
>
> Should I be sending this one again then?
Of course. If you can't see a patch here:
http://git.netfilter.org/iptables/log/?h=xlate3
Then it needs to be submitted again.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] extensions: libxt_devgroup: Add translation to nft
@ 2015-12-22 19:10 Shivani Bhardwaj
2015-12-22 20:30 ` Shivani Bhardwaj
0 siblings, 1 reply; 6+ messages in thread
From: Shivani Bhardwaj @ 2015-12-22 19:10 UTC (permalink / raw)
To: netfilter-devel
Add translation for device group to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
$ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
extensions/libxt_devgroup.c | 56 +++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 54 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index 1a52627..207f106 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -37,6 +37,7 @@ static struct xtables_lmap *devgroups;
static void devgroup_init(struct xt_entry_match *match)
{
const char file[] = "/etc/iproute2/group";
+
devgroups = xtables_lmap_init(file);
if (devgroups == NULL && errno != ENOENT)
fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
@@ -52,7 +53,7 @@ static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
if (ok && (*end == '/' || *end == '\0')) {
if (*end == '/')
ok = xtables_strtoui(end + 1, NULL, mask,
- 0, UINT32_MAX);
+ 0, UINT32_MAX);
else
*mask = ~0U;
if (!ok)
@@ -129,7 +130,7 @@ static void devgroup_show(const char *pfx, const struct xt_devgroup_info *info,
}
static void devgroup_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
+ int numeric)
{
const struct xt_devgroup_info *info = (const void *)match->data;
@@ -151,6 +152,56 @@ static void devgroup_check(struct xt_fcheck_call *cb)
"'--src-group' or '--dst-group'");
}
+static void
+print_devgroup_xlate(unsigned int id, const char *str, unsigned int mask,
+ struct xt_buf *buf, int numeric)
+{
+ const char *name = NULL;
+
+ if (mask != 0xffffffff)
+ xt_buf_add(buf, "and 0x%x %s 0x%x ", id, str, mask);
+ else {
+ if (numeric == 0)
+ name = xtables_lmap_id2name(devgroups, id);
+ if (name)
+ xt_buf_add(buf, "%s ", name);
+ else
+ xt_buf_add(buf, "0x%x ", id);
+ }
+}
+
+static void devgroup_show_xlate(const struct xt_devgroup_info *info,
+ struct xt_buf *buf, int numeric)
+{
+ const char *str = "==";
+
+ if (info->flags & XT_DEVGROUP_MATCH_SRC) {
+ if (info->flags & XT_DEVGROUP_INVERT_SRC)
+ str = "!=";
+ xt_buf_add(buf, "iifgroup ");
+ print_devgroup_xlate(info->src_group, str,
+ info->src_mask, buf, numeric);
+ }
+
+ if (info->flags & XT_DEVGROUP_MATCH_DST) {
+ if (info->flags & XT_DEVGROUP_INVERT_DST)
+ str = "!=";
+ xt_buf_add(buf, "oifgroup ");
+ print_devgroup_xlate(info->dst_group, str,
+ info->dst_mask, buf, numeric);
+ }
+}
+
+static int devgroup_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_devgroup_info *info = (const void *)match->data;
+
+ devgroup_show_xlate(info, buf, 0);
+
+ return 1;
+}
+
static struct xtables_match devgroup_mt_reg = {
.name = "devgroup",
.version = XTABLES_VERSION,
@@ -164,6 +215,7 @@ static struct xtables_match devgroup_mt_reg = {
.x6_parse = devgroup_parse,
.x6_fcheck = devgroup_check,
.x6_options = devgroup_opts,
+ .xlate = devgroup_xlate,
};
void _init(void)
--
1.9.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] extensions: libxt_devgroup: Add translation to nft
2015-12-22 19:10 Shivani Bhardwaj
@ 2015-12-22 20:30 ` Shivani Bhardwaj
0 siblings, 0 replies; 6+ messages in thread
From: Shivani Bhardwaj @ 2015-12-22 20:30 UTC (permalink / raw)
To: netfilter-devel
On Wed, Dec 23, 2015 at 12:40 AM, Shivani Bhardwaj
<shivanib134@gmail.com> wrote:
> Add translation for device group to nftables.
>
> Examples:
>
> $ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
> nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
>
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
> nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
>
> $ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
> nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept
>
> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
> extensions/libxt_devgroup.c | 56 +++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 54 insertions(+), 2 deletions(-)
>
> diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
> index 1a52627..207f106 100644
> --- a/extensions/libxt_devgroup.c
> +++ b/extensions/libxt_devgroup.c
> @@ -37,6 +37,7 @@ static struct xtables_lmap *devgroups;
> static void devgroup_init(struct xt_entry_match *match)
> {
> const char file[] = "/etc/iproute2/group";
> +
> devgroups = xtables_lmap_init(file);
> if (devgroups == NULL && errno != ENOENT)
> fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
> @@ -52,7 +53,7 @@ static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
> if (ok && (*end == '/' || *end == '\0')) {
> if (*end == '/')
> ok = xtables_strtoui(end + 1, NULL, mask,
> - 0, UINT32_MAX);
> + 0, UINT32_MAX);
> else
> *mask = ~0U;
> if (!ok)
> @@ -129,7 +130,7 @@ static void devgroup_show(const char *pfx, const struct xt_devgroup_info *info,
> }
>
> static void devgroup_print(const void *ip, const struct xt_entry_match *match,
> - int numeric)
> + int numeric)
> {
> const struct xt_devgroup_info *info = (const void *)match->data;
>
> @@ -151,6 +152,56 @@ static void devgroup_check(struct xt_fcheck_call *cb)
> "'--src-group' or '--dst-group'");
> }
>
> +static void
> +print_devgroup_xlate(unsigned int id, const char *str, unsigned int mask,
> + struct xt_buf *buf, int numeric)
> +{
> + const char *name = NULL;
> +
> + if (mask != 0xffffffff)
> + xt_buf_add(buf, "and 0x%x %s 0x%x ", id, str, mask);
> + else {
> + if (numeric == 0)
> + name = xtables_lmap_id2name(devgroups, id);
> + if (name)
> + xt_buf_add(buf, "%s ", name);
> + else
> + xt_buf_add(buf, "0x%x ", id);
> + }
> +}
> +
> +static void devgroup_show_xlate(const struct xt_devgroup_info *info,
> + struct xt_buf *buf, int numeric)
> +{
> + const char *str = "==";
> +
> + if (info->flags & XT_DEVGROUP_MATCH_SRC) {
> + if (info->flags & XT_DEVGROUP_INVERT_SRC)
> + str = "!=";
> + xt_buf_add(buf, "iifgroup ");
> + print_devgroup_xlate(info->src_group, str,
> + info->src_mask, buf, numeric);
> + }
> +
> + if (info->flags & XT_DEVGROUP_MATCH_DST) {
> + if (info->flags & XT_DEVGROUP_INVERT_DST)
> + str = "!=";
> + xt_buf_add(buf, "oifgroup ");
> + print_devgroup_xlate(info->dst_group, str,
> + info->dst_mask, buf, numeric);
> + }
> +}
> +
> +static int devgroup_xlate(const struct xt_entry_match *match,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct xt_devgroup_info *info = (const void *)match->data;
> +
> + devgroup_show_xlate(info, buf, 0);
> +
> + return 1;
> +}
> +
> static struct xtables_match devgroup_mt_reg = {
> .name = "devgroup",
> .version = XTABLES_VERSION,
> @@ -164,6 +215,7 @@ static struct xtables_match devgroup_mt_reg = {
> .x6_parse = devgroup_parse,
> .x6_fcheck = devgroup_check,
> .x6_options = devgroup_opts,
> + .xlate = devgroup_xlate,
> };
>
> void _init(void)
> --
> 1.9.1
>
Please do not consider this one. There's still a case left to be fixed.
Sorry for the inconvenience.
Sending v3.
Thank you.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-12-22 20:30 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-20 12:03 [PATCH] extensions: libxt_devgroup: Add translation to nft Shivani Bhardwaj
2015-12-22 17:00 ` Pablo Neira Ayuso
2015-12-22 17:20 ` Shivani Bhardwaj
2015-12-22 17:29 ` Pablo Neira Ayuso
2015-12-22 19:10 Shivani Bhardwaj
2015-12-22 20:30 ` Shivani Bhardwaj
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.