All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH iptables] extensions: libxt_multiport: add translation for -m multiport --ports
@ 2021-06-25 21:08 Pablo Neira Ayuso
  0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2021-06-25 21:08 UTC (permalink / raw)
  To: netfilter-devel

Add a translation for -m multiport --ports. Extend the existing testcase.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_multiport.c      | 38 ++++++++++++++++++++++++-------
 extensions/libxt_multiport.txlate |  3 +++
 2 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 4a42fa38238b..6b0c8190a102 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -465,7 +465,8 @@ static void multiport_save6_v1(const void *ip_void,
 }
 
 static int __multiport_xlate(struct xt_xlate *xl,
-			     const struct xt_xlate_mt_params *params)
+			     const struct xt_xlate_mt_params *params,
+			     uint8_t proto)
 {
 	const struct xt_multiport *multiinfo
 		= (const struct xt_multiport *)params->match->data;
@@ -479,7 +480,17 @@ static int __multiport_xlate(struct xt_xlate *xl,
 		xt_xlate_add(xl, " dport ");
 		break;
 	case XT_MULTIPORT_EITHER:
-		return 0;
+		xt_xlate_add(xl, " sport . %s dport { ", proto_to_name(proto));
+		for (i = 0; i < multiinfo->count; i++) {
+			if (i != 0)
+				xt_xlate_add(xl, ", ");
+
+			xt_xlate_add(xl, "0-65535 . %u, %u . 0-65535",
+				     multiinfo->ports[i], multiinfo->ports[i]);
+		}
+		xt_xlate_add(xl, " }");
+
+		return 1;
 	}
 
 	if (multiinfo->count > 1)
@@ -500,7 +511,7 @@ static int multiport_xlate(struct xt_xlate *xl,
 	uint8_t proto = ((const struct ipt_ip *)params->ip)->proto;
 
 	xt_xlate_add(xl, "%s", proto_to_name(proto));
-	return __multiport_xlate(xl, params);
+	return __multiport_xlate(xl, params, proto);
 }
 
 static int multiport_xlate6(struct xt_xlate *xl,
@@ -509,11 +520,12 @@ static int multiport_xlate6(struct xt_xlate *xl,
 	uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
 	xt_xlate_add(xl, "%s", proto_to_name(proto));
-	return __multiport_xlate(xl, params);
+	return __multiport_xlate(xl, params, proto);
 }
 
 static int __multiport_xlate_v1(struct xt_xlate *xl,
-				const struct xt_xlate_mt_params *params)
+				const struct xt_xlate_mt_params *params,
+				uint8_t proto)
 {
 	const struct xt_multiport_v1 *multiinfo =
 		(const struct xt_multiport_v1 *)params->match->data;
@@ -527,7 +539,17 @@ static int __multiport_xlate_v1(struct xt_xlate *xl,
 		xt_xlate_add(xl, " dport ");
 		break;
 	case XT_MULTIPORT_EITHER:
-		return 0;
+		xt_xlate_add(xl, " sport . %s dport { ", proto_to_name(proto));
+		for (i = 0; i < multiinfo->count; i++) {
+			if (i != 0)
+				xt_xlate_add(xl, ", ");
+
+			xt_xlate_add(xl, "0-65535 . %u, %u . 0-65535",
+				     multiinfo->ports[i], multiinfo->ports[i]);
+		}
+		xt_xlate_add(xl, " }");
+
+		return 1;
 	}
 
 	if (multiinfo->invert)
@@ -556,7 +578,7 @@ static int multiport_xlate_v1(struct xt_xlate *xl,
 	uint8_t proto = ((const struct ipt_ip *)params->ip)->proto;
 
 	xt_xlate_add(xl, "%s", proto_to_name(proto));
-	return __multiport_xlate_v1(xl, params);
+	return __multiport_xlate_v1(xl, params, proto);
 }
 
 static int multiport_xlate6_v1(struct xt_xlate *xl,
@@ -565,7 +587,7 @@ static int multiport_xlate6_v1(struct xt_xlate *xl,
 	uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
 	xt_xlate_add(xl, "%s", proto_to_name(proto));
-	return __multiport_xlate_v1(xl, params);
+	return __multiport_xlate_v1(xl, params, proto);
 }
 
 static struct xtables_match multiport_mt_reg[] = {
diff --git a/extensions/libxt_multiport.txlate b/extensions/libxt_multiport.txlate
index 752e7148f2be..bced1b84c447 100644
--- a/extensions/libxt_multiport.txlate
+++ b/extensions/libxt_multiport.txlate
@@ -9,3 +9,6 @@ nft add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept
 
 iptables-translate -t filter -A INPUT -p tcp -m multiport --sports 50 -j ACCEPT
 nft add rule ip filter INPUT ip protocol tcp tcp sport 50 counter accept
+
+iptables-translate -t filter -I INPUT -p tcp -m multiport --ports 10
+nft insert rule ip filter INPUT ip protocol tcp tcp sport . tcp dport { 0-65535 . 10, 10 . 0-65535 } counter
-- 
2.20.1


^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2021-06-25 21:08 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-25 21:08 [PATCH iptables] extensions: libxt_multiport: add translation for -m multiport --ports Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.