* [PATCH] extensions: libip6t_hbh: Add translation to nft
@ 2016-06-01 22:08 Laura Garcia Liebana
  2016-06-02 11:08 ` Pablo Neira Ayuso
From: Laura Garcia Liebana @ 2016-06-01 22:08 UTC (permalink / raw)
  To: netfilter-devel

Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.

$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter

$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength != 22 counter

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 extensions/libip6t_hbh.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..416681d 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
 }
 
+static int hbh_xlate(const void *ip, const struct xt_entry_match *match,
+		     struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+	if (!(optinfo->flags & IP6T_OPTS_LEN) ||
+	    (optinfo->flags & IP6T_OPTS_OPTS))
+		return 0;
+
+	xt_xlate_add(xl, "hbh hdrlength %s%u ",
+		     (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "!= " : "",
+		     optinfo->hdrlen);
+
+	return 1;
+}
+
 static struct xtables_match hbh_mt6_reg = {
 	.name 		= "hbh",
 	.version	= XTABLES_VERSION,
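Review bot: before copying optinfo->hdrlen straight into `hbh hdrlength %u`, please confirm both sides use the same units; ip6t_hbh.c, which this thread points to for the match semantics, compares --hbh-len against the header length expanded to octets, (hdrlen field + 1) * 8, whereas nft's hbh hdrlength compares the raw 8-bit field, so `--hbh-len 24` and `hbh hdrlength 24` would select different packets and a value such as the 22 in the commit message can never match on the ip6tables side at all. If that holds, emit hdrlen / 8 - 1 and return 0 for values that are not a multiple of 8 in 8..2048. The early `return 0` when IP6T_OPTS_LEN is unset or IP6T_OPTS_OPTS is set is the right answer to the bare-`hbh` problem from the March review, but a one-line comment saying why (nft has no hbh options match yet, and a presence-only match cannot be expressed as hdrlength) would spare the next reader a trip back to this thread. Minor: cast to `(const struct ip6t_opts *)` rather than dropping the qualifier and adding it back on the variable.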
@@ -175,6 +191,7 @@ static struct xtables_match hbh_mt6_reg = {
 	.save		= hbh_save,
 	.x6_parse	= hbh_parse,
 	.x6_options	= hbh_opts,
+	.xlate		= hbh_xlate,
 };
 
 void
-- 
2.7.0



* Re: [PATCH] extensions: libip6t_hbh: Add translation to nft
  2016-06-01 22:08 [PATCH] extensions: libip6t_hbh: Add translation to nft Laura Garcia Liebana
@ 2016-06-02 11:08 ` Pablo Neira Ayuso
  2016-06-02 15:31   ` Laura Garcia
From: Pablo Neira Ayuso @ 2016-06-02 11:08 UTC (permalink / raw)
  To: Laura Garcia Liebana; +Cc: netfilter-devel

On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> Add translation for Hop-By-Hop header to nftables. Hbh options are not
> supported yet in nft.

It would be good to document this in the wiki, as Shivani did already.
It would also be good if you could document what is missing to be
able to match these hbh options there.

> $ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
> nft add rule ip6 filter INPUT hbh hdrlength 22 counter
> 
> $ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
> nft add rule ip6 filter INPUT hbh hdrlength != 22 counter

Applied, thanks Laura.


* Re: [PATCH] extensions: libip6t_hbh: Add translation to nft
  2016-06-02 11:08 ` Pablo Neira Ayuso
@ 2016-06-02 15:31   ` Laura Garcia
From: Laura Garcia @ 2016-06-02 15:31 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> > Add translation for Hop-By-Hop header to nftables. Hbh options are not
> > supported yet in nft.
> 
> It would be good to document this in the wiki, as Shivani did already.
> It would also be good if you could document what is missing to be
> able to match these hbh options there.
>

It seems that it is already documented in the official wiki.

 ip6

     hbh 

     [Waiting for support of options] (partial translations available) 



* Re: [PATCH] extensions: libip6t_hbh: Add translation to nft
  2016-03-02 13:47   ` Shivani Bhardwaj
@ 2016-03-09 19:01     ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-03-09 19:01 UTC (permalink / raw)
  To: Shivani Bhardwaj; +Cc: Netfilter Development Mailing list

On Wed, Mar 02, 2016 at 07:17:36PM +0530, Shivani Bhardwaj wrote:
> On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
> >> Add translation for module hop-by-hop to nftables.
> >> Full translation of this match awaits the support for --hbh-opts option.
> >>
> >> Examples:
> >>
> >> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
> >> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
> >>
> >> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
> >> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
> >>
> >> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> >> ---
> >>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
> >>  1 file changed, 17 insertions(+)
> >>
> >> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
> >> index c0389ed..f968036 100644
> >> --- a/extensions/libip6t_hbh.c
> >> +++ b/extensions/libip6t_hbh.c
> >> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
> >>       print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
> >>  }
> >>
> >> +static int hbh_xlate(const struct xt_entry_match *match,
> >> +                  struct xt_xlate *xl, int numeric)
> >> +{
> >> +     const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
> >> +
> >> +     xt_xlate_add(xl, "hbh ");
> >> +
> >> +     if (optinfo->flags & IP6T_OPTS_LEN) {
> >
> > If no header length is passed, then this will print:
> >
> > nft add rule ip6 filter INPUT hbh counter
> >
> 
> What should be the rule generated in case none of the options is mentioned?
> 
> # iptables-translate -A INPUT -m hbh
> ?

Please, have a look at linux/net/ipv6/netfilter/ip6t_hbh.c and
evaluate what the behaviour is in case -m hbh is passed with no
options.


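As an added example (my own code, not code from the iptables or nftables projects), the following C program models both sides of the translation discussed in this thread on a constructed packet: the ip6tables `-m hbh` semantics that Pablo points to in ip6t_hbh.c (a presence match when no option is given, otherwise a comparison against the header length in octets, which the kernel derives from the 8-bit field as (hdrlen + 1) * 8), and the nft `hbh hdrlength` comparison, which I assume reads the raw 8-bit hdrlen field; verify that against the nft version you run. It goes one step beyond the thread by adding a helper that decides whether an `--hbh-len` value can be carried over at all. Every function name, the two sample packets and the translation helper are mine; the packet bytes are constructed, not captured.

```c
/* Added example (not iptables/nftables project code): models how the two
 * sides of the hbh translation compare a Hop-by-Hop header length, on a
 * constructed packet. The ip6tables side follows ip6t_hbh.c as referenced
 * in this thread; the nft side's raw-field compare is an ASSUMPTION. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define NEXTHDR_HOP   0   /* next-header value for Hop-by-Hop */

/* Raw 8-bit "Hdr Ext Len" field (8-octet units, first 8 octets excluded),
 * or -1 if no HBH header directly follows the fixed IPv6 header. */
static int hbh_raw_hdrlen(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + 8 || (pkt[0] >> 4) != 6 || pkt[6] != NEXTHDR_HOP)
        return -1;
    return pkt[IPV6_HDR_LEN + 1];
}

/* Length in octets as the kernel's ipv6_optlen() expands it, (hdrlen + 1) * 8;
 * -1 if the header is absent or does not fit in the packet. */
static int hbh_octet_len(const uint8_t *pkt, size_t len)
{
    int raw = hbh_raw_hdrlen(pkt, len);
    if (raw < 0)
        return -1;
    int octets = (raw + 1) * 8;
    return (size_t)octets <= len - IPV6_HDR_LEN ? octets : -1;
}

/* ip6tables -m hbh [! --hbh-len N]: presence match when no length is given,
 * otherwise N against the octet length, XOR the invert flag. */
static bool ip6t_hbh_match(const uint8_t *pkt, size_t len, bool have_len,
                           uint32_t want_len, bool invert)
{
    int octets = hbh_octet_len(pkt, len);
    if (octets < 0)
        return false;
    if (!have_len)
        return true;
    return ((uint32_t)octets == want_len) ^ invert;
}

/* nft "hbh hdrlength [!=] N", ASSUMED to compare N against the raw field. */
static bool nft_hbh_hdrlength_match(const uint8_t *pkt, size_t len,
                                    uint32_t want_raw, bool invert)
{
    int raw = hbh_raw_hdrlen(pkt, len);
    if (raw < 0)
        return false;
    return ((uint32_t)raw == want_raw) ^ invert;
}

/* --hbh-len N to the raw value nft would compare; -1 when no packet could
 * satisfy the ip6tables rule (N not a multiple of 8, or outside 8..2048),
 * which is when a translator should refuse rather than emit a rule. */
static int hbh_len_to_nft_raw(uint32_t hbh_len)
{
    if (hbh_len < 8 || hbh_len > 2048 || hbh_len % 8 != 0)
        return -1;
    return (int)(hbh_len / 8 - 1);
}

/* Constructed packet: IPv6 header (payload length 24, next header = HBH),
 * then an HBH header with hdrlen = 2 (24 octets), filled with PadN options. */
static const uint8_t sample_pkt[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x18, NEXTHDR_HOP, 0x40,
    0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
    59,   2,    0x01, 0x04, 0x00, 0x00, 0x00, 0x00,  /* nexthdr, hdrlen, PadN */
    0x01, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* PadN */
    0x01, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* PadN */
};

/* Constructed packet with no extension header at all (next header = 59). */
static const uint8_t sample_no_hbh[IPV6_HDR_LEN] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 59, 0x40,
};

int main(void)
{
    size_t len = sizeof(sample_pkt);
    int raw = hbh_len_to_nft_raw(24);

    printf("raw hdrlen=%d octets=%d\n", hbh_raw_hdrlen(sample_pkt, len),
           hbh_octet_len(sample_pkt, len));
    printf("--hbh-len 24: %d  --hbh-len 22: %d  (no length): %d\n",
           ip6t_hbh_match(sample_pkt, len, true, 24, false),
           ip6t_hbh_match(sample_pkt, len, true, 22, false),
           ip6t_hbh_match(sample_pkt, len, false, 0, false));
    printf("--hbh-len 24 -> hbh hdrlength %d: %d; --hbh-len 22 -> %s\n", raw,
           nft_hbh_hdrlength_match(sample_pkt, len, (uint32_t)raw, false),
           hbh_len_to_nft_raw(22) < 0 ? "refused" : "translated");
    printf("no HBH header, presence match: %d\n",
           ip6t_hbh_match(sample_no_hbh, sizeof(sample_no_hbh), false, 0, false));
    return 0;
}
```

The point the program makes is the one a translator has to get right: the same number means different things on the two sides, a value that is not a multiple of 8 can never match in ip6tables, and a rule with no `--hbh-len` is a presence match that `hdrlength` alone cannot express, which is why returning "not translated" is safer than emitting a rule that matches a different set of packets.
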
* Re: [PATCH] extensions: libip6t_hbh: Add translation to nft
  2016-03-02 11:49 ` Pablo Neira Ayuso
@ 2016-03-02 13:47   ` Shivani Bhardwaj
  2016-03-09 19:01     ` Pablo Neira Ayuso
From: Shivani Bhardwaj @ 2016-03-02 13:47 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Development Mailing list

On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
>> Add translation for module hop-by-hop to nftables.
>> Full translation of this match awaits the support for --hbh-opts option.
>>
>> Examples:
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
>>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>> ---
>>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
>> index c0389ed..f968036 100644
>> --- a/extensions/libip6t_hbh.c
>> +++ b/extensions/libip6t_hbh.c
>> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
>>       print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
>>  }
>>
>> +static int hbh_xlate(const struct xt_entry_match *match,
>> +                  struct xt_xlate *xl, int numeric)
>> +{
>> +     const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
>> +
>> +     xt_xlate_add(xl, "hbh ");
>> +
>> +     if (optinfo->flags & IP6T_OPTS_LEN) {
>
> If no header length is passed, then this will print:
>
> nft add rule ip6 filter INPUT hbh counter
>

What should be the rule generated in case none of the options is mentioned?

# iptables-translate -A INPUT -m hbh
?

> which will not work.


* Re: [PATCH] extensions: libip6t_hbh: Add translation to nft
  2016-03-01 21:52 Shivani Bhardwaj
@ 2016-03-02 11:49 ` Pablo Neira Ayuso
  2016-03-02 13:47   ` Shivani Bhardwaj
From: Pablo Neira Ayuso @ 2016-03-02 11:49 UTC (permalink / raw)
  To: Shivani Bhardwaj; +Cc: netfilter-devel

On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
> Add translation for module hop-by-hop to nftables.
> Full translation of this match awaits the support for --hbh-opts option.
> 
> Examples:
> 
> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
> 
> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
>
> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
> index c0389ed..f968036 100644
> --- a/extensions/libip6t_hbh.c
> +++ b/extensions/libip6t_hbh.c
> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
>  	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
>  }
>  
> +static int hbh_xlate(const struct xt_entry_match *match,
> +		     struct xt_xlate *xl, int numeric)
> +{
> +	const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
> +
> +	xt_xlate_add(xl, "hbh ");
> +
> +	if (optinfo->flags & IP6T_OPTS_LEN) {

If no header length is passed, then this will print:

nft add rule ip6 filter INPUT hbh counter

which will not work.


* [PATCH] extensions: libip6t_hbh: Add translation to nft
@ 2016-03-01 21:52 Shivani Bhardwaj
  2016-03-02 11:49 ` Pablo Neira Ayuso
From: Shivani Bhardwaj @ 2016-03-01 21:52 UTC (permalink / raw)
  To: netfilter-devel

Add translation for module hop-by-hop to nftables.
Full translation of this match awaits the support for --hbh-opts option.

Examples:

$ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength 33 counter

$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength != 33 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libip6t_hbh.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..f968036 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
 }
 
+static int hbh_xlate(const struct xt_entry_match *match,
+		     struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+	xt_xlate_add(xl, "hbh ");
+
+	if (optinfo->flags & IP6T_OPTS_LEN) {
+		xt_xlate_add(xl, "hdrlength%s %u ",
+			     optinfo->invflags & IP6T_OPTS_INV_LEN ? " !=" : "",
+			     optinfo->hdrlen);
+	}
+
+	return 1;
+}
+
 static struct xtables_match hbh_mt6_reg = {
 	.name 		= "hbh",
 	.version	= XTABLES_VERSION,
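Review bot: besides the bare `hbh ` output when IP6T_OPTS_LEN is unset (a presence-only match that nft cannot express as hdrlength), the function never looks at IP6T_OPTS_OPTS, so a rule written with --hbh-opts is translated to a length-only match with the options condition silently dropped; that widens the rule, which is worse than refusing. Return 0 in both cases instead of unconditionally returning 1, so the caller knows the rule was not translated, and only emit the `hbh hdrlength` text once a length is known. The callback signature also lacks the `const void *ip` first argument that the version applied in June carries; check it against the .xlate prototype in the xtables headers you build against. Same unit question as for the later version: ip6t_hbh.c compares --hbh-len against the header length in octets, so please confirm that `hbh hdrlength` in nft takes the same value before copying optinfo->hdrlen through unchanged.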
@@ -175,6 +191,7 @@ static struct xtables_match hbh_mt6_reg = {
 	.save		= hbh_save,
 	.x6_parse	= hbh_parse,
 	.x6_options	= hbh_opts,
+	.xlate		= hbh_xlate,
 };
 
 void
-- 
1.9.1


