* [iptables PATCH v5 1/2] extensions: libxt_conntrack: print xlate state as set
@ 2021-04-01 13:47 Alexander Mikhalitsyn
From: Alexander Mikhalitsyn @ 2021-04-01 13:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, fw
Currently, the state_xlate_print function prints the statemask as a comma-separated sequence of enabled
statemask flags. But if we have an inverted conntrack ctstate condition, then we have to use a more
complex expression, because nft does not support syntax like "ct state != related,established".
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
...
It will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
extensions/libxt_conntrack.c | 38 +++++++++++++++++++++++++-------------
extensions/libxt_conntrack.txlate | 5 ++++-
2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509..91f9e4a 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1148,30 +1148,43 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
state_print_state(sinfo->statemask);
}
-static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
+static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statemask & (statemask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "& ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
xt_xlate_add(xl, "%s%s", sep, "new");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
xt_xlate_add(xl, "%s%s", sep, "related");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
xt_xlate_add(xl, "%s%s", sep, "established");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
xt_xlate_add(xl, "%s%s", sep, "untracked");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
+ else if (inverted)
+ xt_xlate_add(xl, " == 0");
}
static int state_xlate(struct xt_xlate *xl,
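Review bot: the assignment `sep = inverted && !one_flag_set ? "|" : ",";` is repeated in all five flag branches of state_xlate_print(); computing it once before the checks (for example `const char *next_sep = inverted && !one_flag_set ? "|" : ",";`) and writing `sep = next_sep;` in each branch leaves the five branches as short as before and gives one place to read the rule. A short comment on `one_flag_set = !(statemask & (statemask - 1));` would also help: the power-of-two trick is not obvious, and it also evaluates true for a zero mask, which would render `ct state &  == 0`; fine if a zero state mask cannot reach this function, but worth stating.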
@@ -1180,9 +1193,9 @@ static int state_xlate(struct xt_xlate *xl,
const struct xt_conntrack_mtinfo3 *sinfo =
(const void *)params->match->data;
- xt_xlate_add(xl, "ct state %s", sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "ct state ");
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
xt_xlate_add(xl, " ");
return 1;
}
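Review bot: `sinfo->invert_flags & XT_CONNTRACK_STATE` is a bitmask value passed as the `int inverted` argument; state_xlate_print() only tests it for truthiness, so this works, but `!!(sinfo->invert_flags & XT_CONNTRACK_STATE)` (or a `bool` parameter) would make the contract explicit, here and at the identical call in the `_conntrack3_mt_xlate()` hunk below.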
@@ -1256,10 +1269,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat");
space = " ";
} else {
- xt_xlate_add(xl, "%sct state %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "%sct state ", space);
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
space = " ";
}
}
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index d374f8a..5ab85b1 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,7 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
nft add rule ip filter INPUT ct state new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state != new,related counter accept
+nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+
+ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
+nft add rule ip6 filter INPUT ct state & new == 0 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct original protocol 17 counter accept
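Review bot: the two new .txlate cases exercise only `-m conntrack`, i.e. the `_conntrack3_mt_xlate()` caller; nothing here reaches the `state_xlate()` caller changed in the same patch. Adding the equivalent inverted `NEW,RELATED` and single-flag cases through that caller would cover both changed call sites.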
--
1.8.3.1
* [iptables PATCH v5 2/2] extensions: libxt_conntrack: print xlate status as set
@ 2021-04-01 13:47 ` Alexander Mikhalitsyn
From: Alexander Mikhalitsyn @ 2021-04-01 13:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, fw
At the moment, the status_xlate_print function prints the statusmask as a comma-separated
sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
condition, then we have to use a more complex expression (if more than one flag is enabled),
because nft does not support syntax like "ct status != expected,assured".
Examples:
! --ctstatus CONFIRMED,ASSURED
should be translated as
ct status & (assured|confirmed) == 0
! --ctstatus CONFIRMED
can be translated as
ct status & confirmed == 0
See also netfilter/xt_conntrack.c (the conntrack_mt() function) as a reference.
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...
It will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
extensions/libxt_conntrack.c | 30 +++++++++++++++++++++---------
extensions/libxt_conntrack.txlate | 8 +++++++-
2 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 91f9e4a..7f7b45e 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1200,26 +1200,39 @@ static int state_xlate(struct xt_xlate *xl,
return 1;
}
-static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
+static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statusmask & (statusmask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "& ");
if (statusmask & IPS_EXPECTED) {
xt_xlate_add(xl, "%s%s", sep, "expected");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_SEEN_REPLY) {
xt_xlate_add(xl, "%s%s", sep, "seen-reply");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_ASSURED) {
xt_xlate_add(xl, "%s%s", sep, "assured");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_CONFIRMED) {
xt_xlate_add(xl, "%s%s", sep, "confirmed");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
+ else if (inverted)
+ xt_xlate_add(xl, " == 0");
}
static void addr_xlate_print(struct xt_xlate *xl,
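Review bot: status_xlate_print() is now a line-for-line copy of state_xlate_print() from patch 1/2 apart from the flag table; a shared helper taking a `{ bit, name }` table plus the mask and inverted flag would remove the duplicated `"& ("` prefix, separator and `"== 0"` suffix logic and keep the two printers from drifting apart. The five-times repeated `sep = inverted && !one_flag_set ? "|" : ",";` could likewise be computed once before the checks.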
@@ -1277,10 +1290,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
- xt_xlate_add(xl, "%sct status %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATUS ?
- "!= " : "");
- status_xlate_print(xl, sinfo->status_mask);
+ xt_xlate_add(xl, "%sct status ", space);
+ status_xlate_print(xl, sinfo->status_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATUS);
space = " ";
}
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 5ab85b1..8cc7c50 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -35,7 +35,13 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
-nft add rule ip filter INPUT ct status != confirmed counter accept
+nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status assured,confirmed counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept
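Review bot: the `CONFIRMED,ASSURED` cases are valuable because they show the output follows the printer's fixed flag order (assured before confirmed) rather than the command-line order; a sentence in the commit message saying this reordering is intentional would save the next reader a double take. `seen-reply` is the one status flag with no .txlate case in either direction.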
--
1.8.3.1
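The translation both commit messages (1/2 for ct state, 2/2 for ct status) describe, as an added example that is not part of the patches or of iptables: it renders the nft expression for a ctstatus mask the same way the patched printer does, and then checks exhaustively that the inverted form `& (a|b) == 0` yields the same match result as the kernel matcher the message points to (conntrack_mt(): match when the mask shares a bit with the connection's status, flipped when inverted). The flag table and its bit values are constructed for this example and are not the kernel's IPS_* constants.

```c
#include <stdio.h>
#include <string.h>
/* Constructed flag table for this example; the bit values are illustrative,
 * not the kernel's IPS_* constants. The order is the printer's output order. */
struct ct_flag { unsigned bit; const char *name; };
static const struct ct_flag status_flags[] = {
    { 1u << 0, "expected" }, { 1u << 1, "seen-reply" },
    { 1u << 2, "assured" },  { 1u << 3, "confirmed" },
};
#define NFLAGS (sizeof status_flags / sizeof status_flags[0])

/* Render the match like the patched status_xlate_print(): a comma list for a
 * positive match, "& x == 0" for one inverted flag, "& (x|y) == 0" for more. */
static char *render_ct_status(char *buf, size_t n, unsigned mask, int inverted)
{
    int multi = (mask & (mask - 1)) != 0;   /* more than one bit set? */
    const char *sep = "";
    snprintf(buf, n, "ct status %s", inverted ? (multi ? "& (" : "& ") : "");
    for (size_t i = 0; i < NFLAGS; i++) {
        if (!(mask & status_flags[i].bit))
            continue;
        snprintf(buf + strlen(buf), n - strlen(buf), "%s%s", sep, status_flags[i].name);
        sep = inverted && multi ? "|" : ",";
    }
    if (inverted)
        snprintf(buf + strlen(buf), n - strlen(buf), multi ? ") == 0" : " == 0");
    return buf;
}

/* xt_conntrack's conntrack_mt() status test: the rule matches when the mask
 * shares a bit with ct->status; an inverted rule matches when it does not. */
static int iptables_matches(unsigned mask, int inverted, unsigned ct_status)
{
    return !!(mask & ct_status) ^ !!inverted;
}

/* What the rendered nft text means: "a,b" is "& (a|b) != 0", inverted "== 0". */
static int nft_matches(unsigned mask, int inverted, unsigned ct_status)
{
    return inverted ? (ct_status & mask) == 0 : (ct_status & mask) != 0;
}

/* Exhaustively compare both semantics over every possible ct status value. */
static int translation_faithful(unsigned mask, int inverted)
{
    for (unsigned s = 0; s < (1u << NFLAGS); s++)
        if (iptables_matches(mask, inverted, s) != nft_matches(mask, inverted, s))
            return 0;
    return 1;
}
```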
* Re: [iptables PATCH v5 2/2] extensions: libxt_conntrack: print xlate status as set
@ 2021-04-02 15:08 ` Florian Westphal
From: Florian Westphal @ 2021-04-02 15:08 UTC (permalink / raw)
To: Alexander Mikhalitsyn; +Cc: netfilter-devel, pablo, fw
Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> At the moment, the status_xlate_print function prints the statusmask as a comma-separated
> sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
> condition, then we have to use a more complex expression (if more than one flag is enabled),
> because nft does not support syntax like "ct status != expected,assured".
Also applied.
* Re: [iptables PATCH v5 2/2] extensions: libxt_conntrack: print xlate status as set
@ 2021-04-02 18:48 ` Alexander Mikhalitsyn
From: Alexander Mikhalitsyn @ 2021-04-02 18:48 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Fri, 2 Apr 2021 17:08:35 +0200
Florian Westphal <fw@strlen.de> wrote:
> Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> > At the moment, the status_xlate_print function prints the statusmask as a comma-separated
> > sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
> > condition, then we have to use a more complex expression (if more than one flag is enabled),
> > because nft does not support syntax like "ct status != expected,assured".
>
> Also applied.
Thank you for your help and review!
Regards,
Alex
* Re: [iptables PATCH v5 1/2] extensions: libxt_conntrack: print xlate state as set
@ 2021-04-02 15:08 ` Florian Westphal
From: Florian Westphal @ 2021-04-02 15:08 UTC (permalink / raw)
To: Alexander Mikhalitsyn; +Cc: netfilter-devel, pablo, fw
Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> Currently, the state_xlate_print function prints the statemask as a comma-separated sequence of enabled
> statemask flags. But if we have an inverted conntrack ctstate condition, then we have to use a more
> complex expression, because nft does not support syntax like "ct state != related,established".
Applied, thanks.