* [PATCHv3] extensions: libipt_icmp: Add translation to nft
From: Laura Garcia Liebana @ 2016-03-07 21:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: shivanib134, pablo, outreachy-kernel
Add translation for icmp to nftables. Types not supported in nftables
are: any, network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
host-precedence-violation, precedence-cutoff, network-redirect,
host-redirect, TOS-network-redirect, TOS-host-redirect,
router-advertisement, router-solicitation, ttl-zero-during-transit,
ttl-zero-during-reassembly, ip-header-bad and required-option-missing.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j LOG
nft add rule ip filter INPUT icmp type echo-reply counter log level warn
$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type destination-unreachable counter log level warn
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
v2:
- Detection of types not supported in nftables, as Shivani suggested.
v3:
- Fix array iteration protection.
extensions/libipt_icmp.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 666e7da..2c8be87 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
}
static void icmp_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
+ int numeric)
{
const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
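Review bot: the only change in this hunk is the re-indentation of the `int numeric)` continuation line of icmp_print(), which has nothing to do with adding the nft translation; drop it from this patch (send it separately as a whitespace cleanup if wanted) so the diff is limited to the xlate support.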
@@ -249,6 +249,52 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
}
}
+static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ unsigned int code_min, unsigned int code_max)
+{
+ unsigned int i;
+
+ if (code_min == code_max)
+ return 0;
+
+ switch (icmptype) {
+ case 0xFF:
+ case 9:
+ case 10:
+ return 0;
+ default:
+ for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
+ if (icmp_codes[i].type == icmptype &&
+ icmp_codes[i].code_min == code_min &&
+ icmp_codes[i].code_max == code_max)
+ break;
+
+ if (i != ARRAY_SIZE(icmp_codes))
+ xt_xlate_add(xl, icmp_codes[i].name);
+ else
+ return 0;
+ }
+
+ return 1;
+}
+
+static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
+
+ xt_xlate_add(xl, "icmp type%s ",
+ (info->invflags & IPT_ICMP_INV) ? " !=" : "");
+
+ if (!type_xlate_print(xl, info->type, info->code[0], info->code[1]))
+ return 0;
+
+ xt_xlate_add(xl, " ");
+
+ return 1;
+}
+
+
static struct xtables_match icmp_mt_reg = {
.name = "icmp",
.version = XTABLES_VERSION,
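Review bot: type_xlate_print() bails out with `return 0` in three places (the `code_min == code_max` test, the 0xFF/9/10 cases, and a name not found in icmp_codes[]) without saying why, and icmp_xlate() has already written `icmp type ` into the xlate buffer by the time that happens. Look the name up first and only emit once it is known to be translatable, and add a comment that the early returns are the entries nft has no keyword for yet (the code-specific names and router-advertisement/router-solicitation). For `0xFF` (`--icmp-type any`) the right translation is to emit nothing and succeed rather than fail, since matching any type is the same as having no `icmp type` expression at all. Style: the second parameter line of type_xlate_print() should be aligned under `struct xt_xlate *xl`, and there is a double blank line before icmp_mt_reg.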
@@ -261,6 +307,7 @@ static struct xtables_match icmp_mt_reg = {
.save = icmp_save,
.x6_parse = icmp_parse,
.x6_options = icmp_opts,
+ .xlate = icmp_xlate,
};
void _init(void)
--
2.7.0
* Re: [PATCHv3] extensions: libipt_icmp: Add translation to nft
From: Pablo Neira Ayuso @ 2016-03-08 10:53 UTC (permalink / raw)
To: Laura Garcia Liebana; +Cc: netfilter-devel, shivanib134, outreachy-kernel
On Mon, Mar 07, 2016 at 10:21:44PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Types not supported in nftables
These are actually icmp codes that we don't support yet, right?
> are: any, network-unreachable, host-unreachable, protocol-unreachable,
> port-unreachable, fragmentation-needed, source-route-failed,
> network-unknown, host-unknown, network-prohibited, host-prohibited,
> TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
> host-precedence-violation, precedence-cutoff, network-redirect,
> host-redirect, TOS-network-redirect, TOS-host-redirect,
> router-advertisement, router-solicitation, ttl-zero-during-transit,
> ttl-zero-during-reassembly, ip-header-bad and required-option-missing.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j LOG
> nft add rule ip filter INPUT icmp type echo-reply counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type destination-unreachable counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn
>
> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> ---
> v2:
> - Detection of types not supported in nftables, as Shivani suggested.
> v3:
> - Fix array iteration protection.
>
> extensions/libipt_icmp.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
> index 666e7da..2c8be87 100644
> --- a/extensions/libipt_icmp.c
> +++ b/extensions/libipt_icmp.c
> @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
> }
>
> static void icmp_print(const void *ip, const struct xt_entry_match *match,
> - int numeric)
> + int numeric)
I think this change doesn't belong in this patch.
> {
> const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
>
> @@ -249,6 +249,52 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
> }
> }
>
> +static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
> + unsigned int code_min, unsigned int code_max)
^^^^^^
This should be aligned with the line above:
static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
unsigned int code_min,
unsigned int code_max)
> +{
> + unsigned int i;
> +
> + if (code_min == code_max)
> + return 0;
> +
> + switch (icmptype) {
> + case 0xFF:
You can skip the 0xff case by adding nothing.
> + case 9:
> + case 10:
You can send me a two-liner for this for nft, so we don't need this I
think.
> + return 0;
> + default:
> + for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
> + if (icmp_codes[i].type == icmptype &&
> + icmp_codes[i].code_min == code_min &&
> + icmp_codes[i].code_max == code_max)
> + break;
> +
> + if (i != ARRAY_SIZE(icmp_codes))
> + xt_xlate_add(xl, icmp_codes[i].name);
> + else
> + return 0;
> + }
> +
> + return 1;
> +}
* [PATCH] libxt_multiport: Add translation to nft
From: FaTe @ 2016-03-09 6:58 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Added translation for the match multiport.
Example:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
$ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
$ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
$ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 } counter accept
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 170 insertions(+), 1 deletion(-)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..41e1e2b 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -18,6 +18,8 @@ enum {
F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS,
};
+static const char *xlate_proto;
+
/* Function which prints out usage message. */
static void multiport_help(void)
{
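Review bot: `xlate_proto` introduces hidden state between option parsing and translation: it is assigned inside check_proto() while the rule is parsed and read back later from the xlate callback, with nothing in the xlate path itself establishing the protocol. The print and save paths get the protocol from `ip->proto` instead; since the xlate callback in this tree only receives the match and the buffer, at least add a comment here explaining why the global exists, and reset it in the xlate functions after use so a stale value from a previous rule can never be printed.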
@@ -150,8 +152,10 @@ check_proto(uint16_t pnum, uint8_t invflags)
xtables_error(PARAMETER_PROBLEM,
"multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
- if ((proto = proto_to_name(pnum)) != NULL)
+ if ((proto = proto_to_name(pnum)) != NULL){
+ xlate_proto = proto;
return proto;
+ }
else if (!pnum)
xtables_error(PARAMETER_PROBLEM,
"multiport needs `-p tcp', `-p udp', `-p udplite', "
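Review bot: `!= NULL){` needs a space before the brace, and once the `if` branch carries braces the `else if` chain that follows should too. Simpler still: put `xlate_proto = proto;` on its own line before the existing single-statement `if`, which keeps the original control flow untouched.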
@@ -468,6 +472,167 @@ static void multiport_save6_v1(const void *ip_void,
__multiport_save_v1(match, ip->proto);
}
+static int multiport_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ bool have_multiple = false, have_invert = false;
+
+ if(xlate_proto != NULL){
+ if (multiinfo->count > 1)
+ have_multiple = true;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (xlate_proto == NULL || (have_multiple && have_invert))
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl,"sport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+
+ return 1;
+}
+
+static int multiport_xlate_v1(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ bool have_multiple = false, have_invert = false ;
+
+ if(xlate_proto != NULL){
+ if (multiinfo->count > 1)
+ have_multiple = true;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (xlate_proto == NULL || (have_multiple && have_invert))
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl,"sport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+
+ return 1;
+}
+
static struct xtables_match multiport_mt_reg[] = {
{
.family = NFPROTO_IPV4,
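Review bot: the SOURCE and DESTINATION cases write a bare `sport`/`dport` keyword, and the EITHER case writes `dport ...` followed by `%s sport` with the protocol, so the text `ip protocol tcp dport { 3-4 } tcp sport { 3-4 }` shown in the commit message is not valid nft: the port match must be `tcp dport ...`. Prefix every port expression with `xlate_proto` (`%s dport`, `%s sport`). Two more problems in the same functions: the outer `if(xlate_proto != NULL)` makes the inner `xlate_proto == NULL` test dead and, when the protocol is unknown, the function falls through to `return 1` having emitted nothing, so the rule silently loses its port match; return 0 there. And the port-printing loop is repeated six times across multiport_xlate() and multiport_xlate_v1(); a small helper taking the direction keyword and a `ranges` flag would collapse both functions.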
@@ -482,6 +647,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print,
.save = multiport_save,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV6,
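Review bot: the entry this hunk touches is the revision 0 match (its handlers are multiport_print/multiport_save), whose data is `struct xt_multiport`, yet multiport_xlate() casts `match->data` to `struct xt_multiport_v1` and reads `multiinfo->invert`, a field only revision 1 has; use `struct xt_multiport` in multiport_xlate() and drop the invert handling there.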
@@ -496,6 +662,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6,
.save = multiport_save6,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV4,
@@ -510,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print_v1,
.save = multiport_save_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
{
.family = NFPROTO_IPV6,
@@ -524,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6_v1,
.save = multiport_save6_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
};
--
1.9.1
* Regarding libxt_multiport translation in nft
From: FaTe @ 2016-03-09 7:05 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hello Pablo,
I would require some guidance regarding the libxt_multiport translation in nft.
If the translation is over the ip4 family:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
^^^^^^^^^^^
this causes a problem.
Similarly for ipv6:
$ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
^^^^^^^^^^^^
this is causing a problem.
Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
And in the absence of both, the command works.
For example,
$ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
$ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
Any comment regarding this behaviour?
* [PATCH] libip6t_hbh: Add translation to nft
From: FaTe @ 2016-03-09 7:12 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Added translation for the hbh module.
Note: currently, --hbh-opts support doesn't exist in nftables.
Example:
$ ip6tables-translate -A INPUT -m hbh --hbh-len 40
nft add rule ip6 filter INPUT hbh hdrlength 40 counter
$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 40
nft add rule ip6 filter INPUT hbh hdrlength != 40 counter
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
extensions/libip6t_hbh.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..98dcade 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -164,6 +164,27 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
}
+static int hbh_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+ if (optinfo->flags & IP6T_OPTS_LEN) {
+ xt_xlate_add(xl," hbh hdrlength %s %u",
+ (optinfo->invflags & IP6T_OPTS_INV_LEN) ? " !=" :
+ "", optinfo->hdrlen);
+ } else {
+ return 0;
+ }
+
+ if (optinfo->flags & IP6T_OPTS_OPTS)
+ return 0;
+
+ xt_xlate_add(xl, " ");
+
+ return 1;
+
+}
static struct xtables_match hbh_mt6_reg = {
.name = "hbh",
.version = XTABLES_VERSION,
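Review bot: the format string `" hbh hdrlength %s %u"` combined with `" !="` produces ` hbh hdrlength  40` (leading space, two spaces before the number) and ` hbh hdrlength  != 40`, which is not what the commit message's examples show; use `"hbh hdrlength %s%u"` with `"!= "` for the inverted case. Also move the `IP6T_OPTS_OPTS` check before the first xt_xlate_add() so an untranslatable rule does not leave a partial expression in the buffer, and drop the stray blank line before the closing brace (a blank line between hbh_xlate() and hbh_mt6_reg is missing instead).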
@@ -175,6 +196,7 @@ static struct xtables_match hbh_mt6_reg = {
.save = hbh_save,
.x6_parse = hbh_parse,
.x6_options = hbh_opts,
+ .xlate = hbh_xlate,
};
void
--
1.9.1
* Re: Regarding libxt_multiport translation in nft
From: Arturo Borrero Gonzalez @ 2016-03-09 10:06 UTC (permalink / raw)
To: FaTe; +Cc: Pablo Neira Ayuso, Netfilter Development Mailing list
On 9 March 2016 at 08:05, FaTe <gokuvsvegita@gmail.com> wrote:
> Hello Pablo,
>
> I would require some guidance regarding the libxt_multiport translation in nft.
>
> If the translation is over the ip4 family:
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
> ^^^^^^^^^^^
> this causes a problem.
> Similarly for ipv6:
> $ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
> nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
> ^^^^^^^^^^^^
> this is causing a problem.
>
> Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
> And in the absence of both, the command works.
>
> For example,
> $ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>
> $ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
>
> Any comment regarding this behaviour?
They are different statements, rules should be something like:
* meta l4proto tcp tcp dport XX
* ip protocol tcp tcp dport XX
However, the two statements are redundant... the second implies the first.
--
Arturo Borrero González
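The rule shape Arturo gives above (`meta l4proto tcp tcp dport XX` for the ip6 family, `ip protocol tcp tcp dport XX` for ip, with the port match always carrying the transport protocol keyword) is what the later v2 of the multiport patch emits. The Python below is an added example written for this page, not code from iptables, nftables or anyone in the thread: it translates a `-m multiport` match into that rule text, resolves service names from a small constructed table, applies the 15-entry limit of the xtables match (a range counts as two entries), and refuses an inverted multi-entry set the way the posted patch does. The names `MultiportMatch`, `parse_port_list`, `port_expr` and `translate`, the `SOURCE`/`DESTINATION`/`EITHER` constants and the service table are assumptions of the example.

```python
"""Translate iptables '-m multiport' matches into nft rule text.

Added illustration for this page; not code from iptables or nftables. It
follows the translation discussed in the thread: the port match must carry
the protocol keyword ('tcp dport ...'), '-p tcp' becomes 'ip protocol tcp'
for the ip family and 'meta l4proto tcp' for ip6, and an inverted
multi-entry set is reported as untranslatable, as the posted patch does.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed mirrors of XT_MULTIPORT_SOURCE / _DESTINATION / _EITHER.
SOURCE, DESTINATION, EITHER = 0, 1, 2
# Assumed mirror of XT_MULTI_PORTS: a range consumes two of the 15 slots.
MAX_PORT_ENTRIES = 15
# Constructed subset of /etc/services used to resolve service names.
SERVICE_PORTS = {"http": 80, "ssh": 22, "ftp": 21}
# Protocols the multiport match accepts, as libxt_multiport's check_proto() does.
PORT_PROTOCOLS = ("tcp", "udp", "udplite", "sctp", "dccp")


@dataclass
class MultiportMatch:
    flags: int                     # SOURCE, DESTINATION or EITHER
    ports: List[Tuple[int, int]]   # (lo, hi); lo == hi for a single port
    invert: bool = False           # '! --dports ...'


def _port(token: str) -> int:
    value = SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {token}")
    return value


def parse_port_list(spec: str) -> List[Tuple[int, int]]:
    """Parse '80,22,21' or '1024:2048,2049:3333' into (lo, hi) pairs."""
    ports = []
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        lo_n = _port(lo)
        hi_n = _port(hi) if sep else lo_n
        if lo_n > hi_n:
            raise ValueError(f"invalid range: {item}")
        ports.append((lo_n, hi_n))
    entries = sum(2 if lo != hi else 1 for lo, hi in ports)
    if entries > MAX_PORT_ENTRIES:
        raise ValueError("too many ports specified")
    return ports


def port_expr(proto: str, direction: str, ports, invert: bool) -> str:
    """Render one 'tcp dport ...' expression; the protocol keyword is mandatory."""
    items = [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ports]
    entries = sum(2 if lo != hi else 1 for lo, hi in ports)
    if invert and entries > 1:
        # Same limitation as the patch: '! --dports a,b' is not translated.
        raise ValueError("inverted multi-port set is not translatable")
    op = "!= " if invert else ""
    body = items[0] if entries == 1 else "{ " + ",".join(items) + " }"
    return f"{proto} {direction} {op}{body}"


def translate(family: str, table: str, chain: str, proto: str,
              match: MultiportMatch, verdict: str) -> str:
    """Build the full 'nft add rule ...' line for one iptables rule."""
    if proto not in PORT_PROTOCOLS:
        raise ValueError("multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP")
    # '-p tcp' is a separate statement from the port match and differs per family.
    l4 = {"ip": f"ip protocol {proto}", "ip6": f"meta l4proto {proto}"}[family]
    parts = [l4]
    if match.flags in (DESTINATION, EITHER):
        parts.append(port_expr(proto, "dport", match.ports, match.invert))
    if match.flags in (SOURCE, EITHER):
        parts.append(port_expr(proto, "sport", match.ports, match.invert))
    return f"nft add rule {family} {table} {chain} " + " ".join(parts) + f" counter {verdict}"


if __name__ == "__main__":
    print(translate("ip", "filter", "INPUT", "tcp",
                    MultiportMatch(EITHER, parse_port_list("3:4")), "accept"))
```

Running the block prints the thread's first example in its corrected form, `nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 } counter accept`. The `ip protocol tcp` statement is kept only because iptables-translate emits it for `-p tcp`; as Arturo notes it is implied by `tcp dport`, and the thread shows nft accepting the rule without it.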
* Re: [PATCH] libxt_multiport: Add translation to nft
From: Pablo Neira Ayuso @ 2016-03-09 12:32 UTC (permalink / raw)
To: FaTe; +Cc: netfilter-devel
On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
> Added translation for the match multiport.
>
> Example:
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
> counter accept
>
> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
> ACCEPT
> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>
> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>
> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
> -j ACCEPT
> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
> counter accept
This translation is not correct as it's been discussed in a different
thread.
* Re: Regarding libxt_multiport translation in nft
From: Piyush Pangtey @ 2016-03-09 14:34 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Wednesday 09 March 2016 03:36 PM, Arturo Borrero Gonzalez wrote:
> On 9 March 2016 at 08:05, FaTe <gokuvsvegita@gmail.com> wrote:
>> Hello Pablo,
>>
>> I would require some guidance regarding the libxt_multiport translation in nft.
>>
>> If the translation is over the ip4 family:
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>> ^^^^^^^^^^^
>> this causes a problem.
>> Similarly for ipv6:
>> $ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
>> nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
>> ^^^^^^^^^^^^
>> this is causing a problem.
>>
>> Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
>> And in the absence of both, the command works.
>>
>> For example,
>> $ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>>
>> $ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
>>
>> Any comment regarding this behaviour?
>
> They are different statements, rules should be something like:
> * meta l4proto tcp tcp dport XX
> * ip protocol tcp tcp dport XX
>
> However, the two statements are redundant... the second implies the first.
Thanks Arturo !
It works.
* Re: [PATCH] libxt_multiport: Add translation to nft
From: Piyush Pangtey @ 2016-03-09 14:37 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Wednesday 09 March 2016 06:02 PM, Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
>> Added translation for the match multiport.
>>
>> Example:
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
>> counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
>> ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>>
>> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
>> -j ACCEPT
>> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
>> counter accept
>
> This translation is not correct as it's been discussed in a different
> thread.
>
I am unable to find that thread :(.
BTW I'm sending v2 for the multiport translation, which works correctly.
* [PATCH v2] libxt_multiport: Add translation to nft
From: Piyush Pangtey @ 2016-03-09 14:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Added full translation for multiport.
Examples:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 } counter accept
$ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter accept
$ iptables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport { 11-18 } counter accept
$ ip6tables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport { 11-18 } counter accept
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
Corrected the translations, as suggested by Arturo Borrero González
extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 170 insertions(+), 1 deletion(-)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..6358ffd 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -18,6 +18,8 @@ enum {
F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS,
};
+static const char *xlate_proto;
+
/* Function which prints out usage message. */
static void multiport_help(void)
{
@@ -150,8 +152,10 @@ check_proto(uint16_t pnum, uint8_t invflags)
xtables_error(PARAMETER_PROBLEM,
"multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
- if ((proto = proto_to_name(pnum)) != NULL)
+ if ((proto = proto_to_name(pnum)) != NULL){
+ xlate_proto = proto;
return proto;
+ }
else if (!pnum)
xtables_error(PARAMETER_PROBLEM,
"multiport needs `-p tcp', `-p udp', `-p udplite', "
@@ -468,6 +472,167 @@ static void multiport_save6_v1(const void *ip_void,
__multiport_save_v1(match, ip->proto);
}
+static int multiport_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ bool have_multiple = false, have_invert = false;
+
+ if(xlate_proto != NULL){
+ if (multiinfo->count > 1)
+ have_multiple = true;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (xlate_proto == NULL || (have_multiple && have_invert))
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl,"sport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl,"dport %s%s",
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ }
+ break;
+
+
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+
+ return 1;
+}
+
+static int multiport_xlate_v1(const struct xt_entry_match *match, struct xt_xlate *xl,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ bool have_multiple = false, have_invert = false ;
+
+ if(xlate_proto != NULL){
+ if (multiinfo->count > 1)
+ have_multiple = true;
+ if (multiinfo->invert)
+ have_invert = true;
+ if (xlate_proto == NULL || (have_multiple && have_invert))
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl,"%s dport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl,"%s dport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl,"-%u",
+ multiinfo->ports[++i]);
+ }
+ }
+ break;
+
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+
+ return 1;
+}
+
static struct xtables_match multiport_mt_reg[] = {
{
.family = NFPROTO_IPV4,
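Review bot: only multiport_xlate_v1() received the protocol prefix fix; multiport_xlate() still emits a bare `sport`/`dport` in its SOURCE and DESTINATION cases and `dport ... %s sport` in EITHER, so rules handled by the revision 0 match (the entries registered with multiport_print/multiport_save) still translate to the invalid form v1 of this patch was rejected for. Apply the same `%s dport`/`%s sport` change there, or better, fold both functions into one helper that takes a `ranges` flag for the pflags handling, since the `-%u` range suffix is the only other difference between them. Still present from v1: the inner `xlate_proto == NULL` test is dead because of the enclosing `if`, and that path ends in `return 1` with nothing emitted; make it `return 0`. Minor style: `xt_xlate_add(xl,"` lacks a space after the comma, `if(` lacks a space, and there are double blank lines before both `return 1` statements.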
@@ -482,6 +647,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print,
.save = multiport_save,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV6,
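Review bot: as in v1, this entry is the revision 0 match whose data is `struct xt_multiport`, but multiport_xlate() still casts `match->data` to `struct xt_multiport_v1` and reads `multiinfo->invert`, which revision 0 does not carry; switch the cast to `struct xt_multiport` and remove the invert handling from multiport_xlate().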
@@ -496,6 +662,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6,
.save = multiport_save6,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV4,
@@ -510,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print_v1,
.save = multiport_save_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
{
.family = NFPROTO_IPV6,
@@ -524,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6_v1,
.save = multiport_save6_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
};
--
1.9.1
On Wednesday 09 March 2016 06:02 PM, Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
>> Added translation for the match multiport.
>>
>> Example :
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
>> counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
>> ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>>
>> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
>> -j ACCEPT
>> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
>> counter accept
>
> This translation is not correct as it's been discussed in a different
> thread.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH v2] libxt_multiport: Add translation to nft
2016-03-09 14:39 ` [PATCH v2] " Piyush Pangtey
@ 2016-03-09 17:30 ` Pablo Neira Ayuso
2016-03-10 12:50 ` [PATCH v3] " Piyush Pangtey
0 siblings, 1 reply; 14+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-09 17:30 UTC (permalink / raw)
To: Piyush Pangtey; +Cc: netfilter-devel
On Wed, Mar 09, 2016 at 08:09:27PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport.
>
> Examples:
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 }
> counter accept
>
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter
> accept
>
> $ iptables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport {
> 11-18 } counter accept
>
> $ ip6tables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport
> { 11-18 } counter accept
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> Corrected the translations, as suggested by Arturo Borrero González
>
> extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 170 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..6358ffd 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -18,6 +18,8 @@ enum {
> F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS,
> };
>
> +static const char *xlate_proto;
I don't like this global variable trick.
Please use the ipt_ip and ip6t_ip information instead, which will now
be available through this patch, so that we pass the information as a
parameter to the functions.
http://patchwork.ozlabs.org/patch/595128/
Thanks.
* [PATCH v3] libxt_multiport: Add translation to nft
2016-03-09 17:30 ` Pablo Neira Ayuso
@ 2016-03-10 12:50 ` Piyush Pangtey
2016-03-10 18:31 ` Pablo Neira Ayuso
0 siblings, 1 reply; 14+ messages in thread
From: Piyush Pangtey @ 2016-03-10 12:50 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Added full translation for multiport
Examples:
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
{ ssh - http } counter accept
$ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
accept
$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
accept
$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
counter accept
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
Corrected the translations, as suggested by Arturo Borrero González
v3:
Removed static variable trick. Now utilizes ipt_ip and ip6t_ip, which
are now passed to xlate, from the patch
http://patchwork.ozlabs.org/patch/595128/
Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 199 insertions(+)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..4dccc1b 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
}
static void
+print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
+ int numeric)
+{
+ const char *service;
+
+ if (numeric || (service = port_to_service(port, protocol)) == NULL)
+ xt_xlate_add(xl, "%u", port);
+ else
+ xt_xlate_add(xl, "%s", service);
+}
+
+static void
__multiport_print(const struct xt_entry_match *match, int numeric,
uint16_t proto)
{
@@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void,
__multiport_print(match, numeric, ip->proto);
}
+static void multiport_print_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t proto,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ print_port_xlate(xl, multiinfo->ports[i],
+ proto, numeric);
+ }
+}
+
static void multiport_print6(const void *ip_void,
const struct xt_entry_match *match, int numeric)
{
@@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void,
__multiport_print_v1(match, numeric, ip->proto);
}
+static void multiport_print_v1_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t proto,
+ int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+ for (i = 0; i < multiinfo->count; i++) {
+ xt_xlate_add(xl, "%s", i ? "," : "");
+ print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
+ if (multiinfo->pflags[i]) {
+ xt_xlate_add(xl, " - ");
+ print_port_xlate(xl, multiinfo->ports[++i],
+ proto, numeric);
+ }
+ }
+}
+
static void multiport_print6_v1(const void *ip_void,
const struct xt_entry_match *match, int numeric)
{
@@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void,
__multiport_save_v1(match, ip->proto);
}
+static int __multiport_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ const char *proto_name;
+ bool have_multiple = false, have_invert = false ;
+
+ if((proto_name = proto_to_name(protocol)) != NULL){
+ if (multiinfo->count > 1) have_multiple = true;
+ if (multiinfo->invert) have_invert = true;
+ if (have_multiple && have_invert)
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_xlate(match, xl, protocol,
+ numeric);
+ break;
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+ return 1;
+}
+
+static int __multiport_xlate_v1(const struct xt_entry_match *match,
+ struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+ const struct xt_multiport_v1 *multiinfo =
+ (const struct xt_multiport_v1 *)match->data;
+ const char *proto_name;
+ bool have_multiple = false, have_invert = false ;
+
+ if((proto_name = proto_to_name(protocol)) != NULL){
+ if (multiinfo->count > 1) have_multiple = true;
+ if (multiinfo->invert) have_invert = true;
+ if (have_multiple && have_invert)
+ return 0;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_DESTINATION:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ case XT_MULTIPORT_EITHER:
+ xt_xlate_add(xl, "%s dport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+
+ xt_xlate_add(xl, "%s sport %s%s", proto_name,
+ (have_invert == true) ? "!= " : "",
+ (have_multiple == true) ? "{ " : "");
+ multiport_print_v1_xlate(match, xl, protocol,
+ numeric);
+ break;
+ default:
+ return 0;
+ }
+ if (have_multiple)
+ xt_xlate_add(xl, " } ");
+ else
+ xt_xlate_add(xl, " ");
+ }
+
+ return 1;
+}
+
+static int multiport_xlate(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct ipt_ip *ip = ip_void;
+ return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+
+ const struct ip6t_ip6 *ip = ip_void;
+ return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate_v1(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+
+ const struct ipt_ip *ip = ip_void;
+ return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6_v1(const void *ip_void,
+ const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+
+ const struct ip6t_ip6 *ip = ip_void;
+ return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
static struct xtables_match multiport_mt_reg[] = {
{
.family = NFPROTO_IPV4,
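Review bot: the `XT_MULTIPORT_EITHER` case in both `__multiport_xlate` and `__multiport_xlate_v1` emits `<proto> dport {...}` followed by `<proto> sport {...}`, which nft evaluates as a conjunction, whereas multiport `--ports` matches when either the source or the destination port is in the list, so the non-inverted `--ports` translation accepts only a subset of the packets the original rule matched (the inverted case is fine: `dport != A sport != A` is exactly the negation of "either port in A"). Three further points: when `proto_to_name()` returns NULL the helper emits nothing and still `return 1`, so the caller cannot tell the match was left untranslated, and it should `return 0` there; `__multiport_xlate` is wired to the revision-0 entries (those with `.print = multiport_print`) yet casts `match->data` to `struct xt_multiport_v1` and reads `multiinfo->invert`, a field that revision 0's `struct xt_multiport` does not have, so that path should use `struct xt_multiport` and leave the invert handling to the v1 helper; and the two helpers are identical apart from the print routine they call, so a single function taking the printer as a parameter would remove about fifty duplicated lines.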
@@ -482,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print,
.save = multiport_save,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate,
},
{
.family = NFPROTO_IPV6,
@@ -496,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6,
.save = multiport_save6,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate6,
},
{
.family = NFPROTO_IPV4,
@@ -510,6 +707,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print_v1,
.save = multiport_save_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate_v1,
},
{
.family = NFPROTO_IPV6,
@@ -524,6 +722,7 @@ static struct xtables_match multiport_mt_reg[] = {
.print = multiport_print6_v1,
.save = multiport_save6_v1,
.x6_options = multiport_opts,
+ .xlate = multiport_xlate6_v1,
},
};
--
1.9.1
* Re: [PATCH v3] libxt_multiport: Add translation to nft
2016-03-10 12:50 ` [PATCH v3] " Piyush Pangtey
@ 2016-03-10 18:31 ` Pablo Neira Ayuso
0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-10 18:31 UTC (permalink / raw)
To: Piyush Pangtey; +Cc: netfilter-devel
On Thu, Mar 10, 2016 at 06:20:48PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples:
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http } counter accept
>
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
> accept
>
> $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
> accept
>
> $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
> counter accept
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> Corrected the translations, as suggested by Arturo Borrero González
> v3:
> Removed static variable trick. Now utilizes ipt_ip and ip6t_ip, which
> are now passed to xlate, from the patch
> http://patchwork.ozlabs.org/patch/595128/
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 199 insertions(+)
>
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..4dccc1b 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
> }
>
> static void
> +print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
> + int numeric)
> +{
> + const char *service;
> +
> + if (numeric || (service = port_to_service(port, protocol)) == NULL)
> + xt_xlate_add(xl, "%u", port);
> + else
> + xt_xlate_add(xl, "%s", service);
> +}
> +
> +static void
> __multiport_print(const struct xt_entry_match *match, int numeric,
> uint16_t proto)
> {
> @@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void,
> __multiport_print(match, numeric, ip->proto);
> }
>
> +static void multiport_print_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, uint16_t proto,
> + int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo =
> + (const struct xt_multiport_v1 *)match->data;
> + unsigned int i;
Missing line break here.
> + for (i = 0; i < multiinfo->count; i++) {
> + xt_xlate_add(xl, "%s", i ? "," : "");
> + print_port_xlate(xl, multiinfo->ports[i],
> + proto, numeric);
> + }
> +}
> +
> static void multiport_print6(const void *ip_void,
> const struct xt_entry_match *match, int numeric)
> {
> @@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void,
> __multiport_print_v1(match, numeric, ip->proto);
> }
>
> +static void multiport_print_v1_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, uint16_t proto,
> + int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo =
> + (const struct xt_multiport_v1 *)match->data;
> + unsigned int i;
Missing line break here to separate variable declaration and function
body.
> + for (i = 0; i < multiinfo->count; i++) {
> + xt_xlate_add(xl, "%s", i ? "," : "");
> + print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
> + if (multiinfo->pflags[i]) {
> + xt_xlate_add(xl, " - ");
> + print_port_xlate(xl, multiinfo->ports[++i],
> + proto, numeric);
> + }
> + }
> +}
> +
> static void multiport_print6_v1(const void *ip_void,
> const struct xt_entry_match *match, int numeric)
> {
> @@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void,
> __multiport_save_v1(match, ip->proto);
> }
>
> +static int __multiport_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, uint16_t protocol, int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo =
> + (const struct xt_multiport_v1 *)match->data;
> + const char *proto_name;
> + bool have_multiple = false, have_invert = false ;
^
remove this space.
> +
> + if((proto_name = proto_to_name(protocol)) != NULL){
^ ^
missing space after if.
> + if (multiinfo->count > 1) have_multiple = true;
if (multiinfo->count > 1)
have_multiple = true;
Please, review coding style and resubmit. Thanks.
* Re: [PATCH] libip6t_hbh: Add translation to nft
2016-03-09 7:12 ` [PATCH] libip6t_hbh: Add translation to nft FaTe
@ 2016-03-10 18:47 ` Pablo Neira Ayuso
0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-10 18:47 UTC (permalink / raw)
To: FaTe; +Cc: netfilter-devel
On Wed, Mar 09, 2016 at 12:42:45PM +0530, FaTe wrote:
> Added translation for hbh module.
>
> Note: Currently, --hbh-opts support doesn't exist in nftables.
>
> Example:
> $ ip6tables-translate -A INPUT -m hbh --hbh-len 40
> nft add rule ip6 filter INPUT hbh hdrlength 40 counter
>
> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 40
> nft add rule ip6 filter INPUT hbh hdrlength != 40 counter
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> extensions/libip6t_hbh.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
> index c0389ed..98dcade 100644
> --- a/extensions/libip6t_hbh.c
> +++ b/extensions/libip6t_hbh.c
> @@ -164,6 +164,27 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
> print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
> }
>
> +static int hbh_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
> + int numeric)
> +{
> + const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
> +
> + if (optinfo->flags & IP6T_OPTS_LEN) {
> + xt_xlate_add(xl," hbh hdrlength %s %u",
> + (optinfo->invflags & IP6T_OPTS_INV_LEN) ? " !=" :
> + "", optinfo->hdrlen);
I suggested Shivani you check how to translate:
ip6tables -I INPUT -m hbh
which seems to be valid too.
http://www.spinics.net/lists/netfilter-devel/msg41045.html
So we make sure we provide a right translation for that too.
Thread overview: 14+ messages
2016-03-07 21:21 [PATCHv3] extensions: libipt_icmp: Add translation to nft Laura Garcia Liebana
2016-03-08 10:53 ` Pablo Neira Ayuso
2016-03-09 6:58 ` [PATCH] libxt_multiport: " FaTe
2016-03-09 12:32 ` Pablo Neira Ayuso
2016-03-09 14:37 ` Piyush Pangtey
2016-03-09 14:39 ` [PATCH v2] " Piyush Pangtey
2016-03-09 17:30 ` Pablo Neira Ayuso
2016-03-10 12:50 ` [PATCH v3] " Piyush Pangtey
2016-03-10 18:31 ` Pablo Neira Ayuso
2016-03-09 7:05 ` Regarding libxt_multiport translation in nft FaTe
2016-03-09 10:06 ` Arturo Borrero Gonzalez
2016-03-09 14:34 ` Piyush Pangtey
2016-03-09 7:12 ` [PATCH] libip6t_hbh: Add translation to nft FaTe
2016-03-10 18:47 ` Pablo Neira Ayuso