* [iptables PATCH 0/5] Fixes around ebtables' --proto match
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

During some code merge, I created an ugly situation where local OPT_*
defines in xtables-eb.c override OPT_* enum values from xshared.h with
same name but different value.

The above became problematic when I curtly added --verbose support to
ebtables-nft in order to support -vv debug output. The used OPT_VERBOSE
symbol stemmed from xshared.h and its value clashed with OPT_PROTOCOL.
In practice, this turned verbose mode on for rules with protocol match.

Fix all the above by merging the different OPT_* symbols in the first
three patches.

The second more relevant issue was ebtables' lack of support for '-p
LENGTH', foremost a mandatory prerequisite for 802_3 extension matches
validity. The last two patches resolve this.

Phil Sutter (5):
  ebtables: Drop unused OPT_* defines
  ebtables: Eliminate OPT_TABLE
  ebtables: Merge OPT_* flags with xshared ones
  nft-shared: Introduce __get_cmp_data()
  ebtables: Support '-p Length'

 extensions/generic.txlate |  6 +++++
 extensions/libebt_802_3.t |  6 +++--
 iptables/nft-bridge.c     | 46 ++++++++++++++++++++++++++++++---------
 iptables/nft-shared.c     | 17 +++++++++------
 iptables/nft-shared.h     |  1 +
 iptables/xshared.h        |  5 +++++
 iptables/xtables-eb.c     | 28 ++++++------------------
 7 files changed, 69 insertions(+), 40 deletions(-)

-- 
2.34.1
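The OPT_* clash the cover letter describes, modelled as an added example that is not code from the series: a file-local define reuses the bit that the shared enum already assigns to OPT_VERBOSE, so recording `-p` through a duplicate-option check also turns verbose mode on and makes `-p -v` look like a repeated option. The bit positions and the single-letter parser are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the OPT_* enum that xshared.h provides. Bit positions are assumed
 * for this example; the series appends ebtables-only flags after the shared ones. */
enum {
	OPT_VERBOSE  = 1 << 5,
	OPT_PROTOCOL = 1 << 18,
};

/* The pre-series state, under a distinct name so both can coexist in one file: a
 * file-local define that reuses bit 5, i.e. the same value as OPT_VERBOSE. */
#define OPT_PROTOCOL_LOCAL 0x20

/* Duplicate-option check in the spirit of ebt_check_option2(): returns false when
 * the option was already seen, otherwise records it in *flags. */
static bool check_option(unsigned int *flags, unsigned int mask)
{
	if (*flags & mask)
		return false;
	*flags |= mask;
	return true;
}

/* Parse single-letter options ('p' = --proto, 'v' = --verbose) into *flags.
 * Returns -1 on a duplicate option, where the real parser would error out. */
int parse_options(const char *opts, bool shared_bits, unsigned int *flags)
{
	unsigned int proto_bit = shared_bits ? OPT_PROTOCOL : OPT_PROTOCOL_LOCAL;

	*flags = 0;
	for (; *opts; opts++) {
		unsigned int bit = 0;
		if (*opts == 'p')
			bit = proto_bit;
		else if (*opts == 'v')
			bit = OPT_VERBOSE;
		if (bit && !check_option(flags, bit))
			return -1;
	}
	return 0;
}

/* Would this option string be accepted? */
bool opts_accepted(const char *opts, bool shared_bits)
{
	unsigned int flags;
	return parse_options(opts, shared_bits, &flags) == 0;
}

/* Would this option string leave verbose mode on? (false when rejected) */
bool opts_enable_verbose(const char *opts, bool shared_bits)
{
	unsigned int flags;
	if (parse_options(opts, shared_bits, &flags))
		return false;
	return flags & OPT_VERBOSE;
}

int main(void)
{
	printf("clashing bits: -p alone enables verbose=%d, -p -v accepted=%d\n",
	       opts_enable_verbose("p", false), opts_accepted("pv", false));
	return 0;
}
```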



* [iptables PATCH 1/5] ebtables: Drop unused OPT_* defines
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

Obviously copied from legacy ebtables, not needed by ebtables-nft.
OPT_CNT_* ones seem not even used in legacy anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index b986fd9e84799..3887ea1a39f27 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -168,10 +168,7 @@ int ebt_get_current_chain(const char *chain)
 #define OPT_ZERO	0x100
 #define OPT_LOGICALIN	0x200
 #define OPT_LOGICALOUT	0x400
-#define OPT_KERNELDATA	0x800 /* This value is also defined in ebtablesd.c */
 #define OPT_COUNT	0x1000 /* This value is also defined in libebtc.c */
-#define OPT_CNT_INCR	0x2000 /* This value is also defined in libebtc.c */
-#define OPT_CNT_DECR	0x4000 /* This value is also defined in libebtc.c */
 
 /* Default command line options. Do not mess around with the already
  * assigned numbers unless you know what you are doing */
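Review bot: the commit message only says the OPT_CNT_* defines "seem" unused, so please state in the message that a grep over iptables/ found no remaining user of OPT_KERNELDATA, OPT_CNT_INCR or OPT_CNT_DECR; that is what makes the deletion safe. The surviving `#define OPT_COUNT 0x1000 /* This value is also defined in libebtc.c */` still carries a comment about a legacy-only file that means nothing in ebtables-nft; worth dropping the comment while this block is being touched.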
-- 
2.34.1



* [iptables PATCH 2/5] ebtables: Eliminate OPT_TABLE
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

The flag is used for duplicate option checking only and there is a
boolean indicating the same already. So copy the error message from
EBT_CHECK_OPTION() in situ and just take care not to disturb restore
mode handling.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3887ea1a39f27..9aab35977396f 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -158,7 +158,6 @@ int ebt_get_current_chain(const char *chain)
 #define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO)
 
 #define OPT_COMMAND	0x01
-#define OPT_TABLE	0x02
 #define OPT_IN		0x04
 #define OPT_OUT		0x08
 #define OPT_JUMP	0x10
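Review bot: removing OPT_TABLE leaves 0x02 as an unused gap between OPT_COMMAND and OPT_IN; harmless since these are only bitmasks, but a one-line comment that the bit is intentionally free (or renumbering) would prevent a later addition from reusing it by accident.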
@@ -894,11 +893,13 @@ print_zero:
 			}
 			break;
 		case 't': /* Table */
-			ebt_check_option2(&flags, OPT_TABLE);
 			if (restore && table_set)
 				xtables_error(PARAMETER_PROBLEM,
 					      "The -t option cannot be used in %s.\n",
 					      xt_params->program_name);
+			else if (table_set)
+				xtables_error(PARAMETER_PROBLEM,
+					      "Multiple use of same option not allowed");
 			if (!nft_table_builtin_find(h, optarg))
 				xtables_error(VERSION_PROBLEM,
 					      "table '%s' does not exist",
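Review bot: the new `else if (table_set)` branch reproduces the "Multiple use of same option not allowed" text from EBT_CHECK_OPTION() verbatim, so the same user-facing string now lives in two places; a shared define (or one helper that both paths call) would keep them from drifting. Also, the two adjacent xtables_error() calls differ in style: the existing message ends in "\n", the new one does not; pick one convention. Placing the duplicate check after the restore-mode check keeps the restore error taking precedence, which matches the intent stated in the commit message.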
-- 
2.34.1



* [iptables PATCH 3/5] ebtables: Merge OPT_* flags with xshared ones
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

Despite also including xshared.h, xtables-eb.c defined its own OPT_*
flags with clashing values. Albeit ugly, this wasn't a problem in
practice until commit 51d9d9e081344 ("ebtables: Support verbose mode")
which introduced use of OPT_VERBOSE from xshared - with same value as
the local OPT_PROTOCOL define.

Eliminate the clash by appending ebtables-specific flags to the xshared
enum and adjust for the different names of some others.

Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xshared.h    |  5 +++++
 iptables/xtables-eb.c | 20 ++++----------------
 2 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/iptables/xshared.h b/iptables/xshared.h
index 1a019a7c04882..f43c28f519a9c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -37,6 +37,11 @@ enum {
 	OPT_OPCODE	= 1 << 15,
 	OPT_H_TYPE	= 1 << 16,
 	OPT_P_TYPE	= 1 << 17,
+	/* below are for ebtables only */
+	OPT_LOGICALIN	= 1 << 18,
+	OPT_LOGICALOUT	= 1 << 19,
+	OPT_COMMAND	= 1 << 20,
+	OPT_ZERO	= 1 << 21,
 };
 
 enum {
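Review bot: the new members reach `1 << 21`, whereas the local defines they replace never exceeded 0x1000; please confirm that every `flags` word passed to ebt_check_option2() in xtables-eb.c is a full `unsigned int` and not a narrower type, otherwise the ebtables-only bits would silently be truncated. The `/* below are for ebtables only */` comment is helpful; consider adding that these share names with legacy ebtables' defines but not their values, since nothing in the nft backend may rely on the old numeric values.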
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 9aab35977396f..631a3cebf11a7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -157,18 +157,6 @@ int ebt_get_current_chain(const char *chain)
 /* Checks whether a command has already been specified */
 #define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO)
 
-#define OPT_COMMAND	0x01
-#define OPT_IN		0x04
-#define OPT_OUT		0x08
-#define OPT_JUMP	0x10
-#define OPT_PROTOCOL	0x20
-#define OPT_SOURCE	0x40
-#define OPT_DEST	0x80
-#define OPT_ZERO	0x100
-#define OPT_LOGICALIN	0x200
-#define OPT_LOGICALOUT	0x400
-#define OPT_COUNT	0x1000 /* This value is also defined in libebtc.c */
-
 /* Default command line options. Do not mess around with the already
  * assigned numbers unless you know what you are doing */
 struct option ebt_original_options[] =
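Review bot: of the defines removed here, the following hunks rename only the OPT_IN, OPT_OUT, OPT_DEST and OPT_COUNT use sites; OPT_PROTOCOL, OPT_SOURCE and OPT_JUMP are not touched, so they must already exist under the same names in the xshared enum (the cover letter confirms this for OPT_PROTOCOL, which is the one that clashed with OPT_VERBOSE). The OPT_COMMANDS macro left just above still refers to OPT_COMMAND and OPT_ZERO, which after this patch come from the enum members added to xshared.h in the previous hunk, so the two hunks must stay in one commit, as they are here.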
@@ -923,7 +911,7 @@ print_zero:
 				xtables_error(PARAMETER_PROBLEM,
 					      "Command and option do not match");
 			if (c == 'i') {
-				ebt_check_option2(&flags, OPT_IN);
+				ebt_check_option2(&flags, OPT_VIANAMEIN);
 				if (selected_chain > 2 && selected_chain < NF_BR_BROUTING)
 					xtables_error(PARAMETER_PROBLEM,
 						      "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains");
@@ -943,7 +931,7 @@ print_zero:
 				ebtables_parse_interface(optarg, cs.eb.logical_in);
 				break;
 			} else if (c == 'o') {
-				ebt_check_option2(&flags, OPT_OUT);
+				ebt_check_option2(&flags, OPT_VIANAMEOUT);
 				if (selected_chain < 2 || selected_chain == NF_BR_BROUTING)
 					xtables_error(PARAMETER_PROBLEM,
 						      "Use -o only in OUTPUT, FORWARD and POSTROUTING chains");
@@ -980,7 +968,7 @@ print_zero:
 				cs.eb.bitmask |= EBT_SOURCEMAC;
 				break;
 			} else if (c == 'd') {
-				ebt_check_option2(&flags, OPT_DEST);
+				ebt_check_option2(&flags, OPT_DESTINATION);
 				if (ebt_check_inverse2(optarg, argc, argv))
 					cs.eb.invflags |= EBT_IDEST;
 
@@ -991,7 +979,7 @@ print_zero:
 				cs.eb.bitmask |= EBT_DESTMAC;
 				break;
 			} else if (c == 'c') {
-				ebt_check_option2(&flags, OPT_COUNT);
+				ebt_check_option2(&flags, OPT_COUNTERS);
 				if (ebt_check_inverse2(optarg, argc, argv))
 					xtables_error(PARAMETER_PROBLEM,
 						      "Unexpected '!' after -c");
-- 
2.34.1



* [iptables PATCH 4/5] nft-shared: Introduce __get_cmp_data()
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

This is an inner function to get_cmp_data() returning the op value as-is
for caller examination.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.c | 17 ++++++++++-------
 iptables/nft-shared.h |  1 +
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 71e2f18dab929..616e6a4dcf3a6 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -466,17 +466,20 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 		ctx->h->ops->parse_match(match, ctx->cs);
 }
 
-void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
+void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op)
 {
 	uint32_t len;
-	uint8_t op;
 
 	memcpy(data, nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len), dlen);
-	op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP);
-	if (op == NFT_CMP_NEQ)
-		*inv = true;
-	else
-		*inv = false;
+	*op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP);
+}
+
+void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
+{
+	uint8_t op;
+
+	__get_cmp_data(e, data, dlen, &op);
+	*inv = (op == NFT_CMP_NEQ);
 }
 
 static void nft_meta_set_to_target(struct nft_xt_ctx *ctx)
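Review bot: `__get_cmp_data()` still ignores the `len` that nftnl_expr_get() returns and copies `dlen` bytes unconditionally; since this refactor rewrites the whole function, it is the right moment to add a guard (copy no more than `len` bytes, or bail out when `len < dlen`) so that a caller passing a larger `dlen` than the expression actually holds cannot read past the attribute. Minor: the op is fetched with nftnl_expr_get_u32() and stored through a `uint8_t *`, an implicit narrowing that existed before but now crosses a function boundary; a `uint32_t *op` parameter or an explicit cast would make that intentional.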
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0718dc23e8b77..d866dcb512766 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -159,6 +159,7 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 	       char *iniface, unsigned char *iniface_mask, char *outiface,
 	       unsigned char *outiface_mask, uint8_t *invflags);
+void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
 void nft_rule_to_iptables_command_state(struct nft_handle *h,
 					const struct nftnl_rule *r,
-- 
2.34.1



* [iptables PATCH 5/5] ebtables: Support '-p Length'
From: Phil Sutter @ 2022-09-27 22:15 UTC (permalink / raw)
  To: netfilter-devel

To match on Ethernet frames using the etherproto field as length value,
ebtables accepts the special protocol name "LENGTH". Implement this in
ebtables-nft using a native match for 'ether type < 0x0600'.

Since extension 802_3 matches are valid only with such Ethernet frames,
add a local add_match() wrapper which complains if the extension is used
without '-p Length' parameter. Legacy ebtables does this within the
extension's final_check callback, but it's not possible here for lack of
fw->bitmask field access.

While being at it, add xlate support, adjust tests and make ebtables-nft
print the case-insensitive argument with capital 'L' like legacy
ebtables does.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/generic.txlate |  6 +++++
 extensions/libebt_802_3.t |  6 +++--
 iptables/nft-bridge.c     | 46 ++++++++++++++++++++++++++++++---------
 3 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ae9a5b54c1b9..6779d6f86dec8 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -67,6 +67,12 @@ nft add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oi
 ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00
 nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter
 
+ebtables-translate -I INPUT -p Length
+nft insert rule bridge filter INPUT ether type < 0x0600 counter
+
+ebtables-translate -I INPUT -p ! Length
+nft insert rule bridge filter INPUT ether type >= 0x0600 counter
+
 # asterisk is not special in iptables and it is even a valid interface name
 iptables-translate -A FORWARD -i '*' -o 'eth*foo'
 nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
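Review bot: the two new cases cover `-p Length` and `-p ! Length` only in the capital-L spelling; since the commit message says the argument is matched case-insensitively and legacy users type `-p LENGTH`, adding that spelling as a third case would pin the translation for the input form most migrating rule sets actually contain.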
diff --git a/extensions/libebt_802_3.t b/extensions/libebt_802_3.t
index ddfb2f0a72baf..a138f35d2c756 100644
--- a/extensions/libebt_802_3.t
+++ b/extensions/libebt_802_3.t
@@ -1,3 +1,5 @@
 :INPUT,FORWARD,OUTPUT
---802_3-sap ! 0x0a -j CONTINUE;=;OK
---802_3-type 0x000a -j RETURN;=;OK
+--802_3-sap ! 0x0a -j CONTINUE;=;FAIL
+--802_3-type 0x000a -j RETURN;=;FAIL
+-p Length --802_3-sap ! 0x0a -j CONTINUE;=;OK
+-p Length --802_3-type 0x000a -j RETURN;=;OK
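Review bot: flipping the two bare 802_3 lines to FAIL and adding the two `-p Length` lines covers the positive and negative path, but not the inverted one; a `-p ! Length --802_3-sap ! 0x0a -j CONTINUE` line would document whether an inverted protocol match is meant to satisfy the new check in nft_bridge_add_match(), which only looks at `fw->bitmask & EBT_802_3`.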
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 106bcc72889f6..33b0b85eaf935 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -100,6 +100,18 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
 	return add_action(r, cs, false);
 }
 
+static int
+nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw,
+		     struct nftnl_rule *r, struct xt_entry_match *m)
+{
+	if (!strcmp(m->u.user.name, "802_3") &&
+	    !(fw->bitmask & EBT_802_3))
+		xtables_error(PARAMETER_PROBLEM,
+			      "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH");
+
+	return add_match(h, r, m);
+}
+
 static int nft_bridge_add(struct nft_handle *h,
 			  struct nftnl_rule *r,
 			  struct iptables_command_state *cs)
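Review bot: the wrapper rejects the 802_3 match only when EBT_802_3 is absent from `fw->bitmask`, so `-p ! Length --802_3-sap ...` passes although that rule by construction selects frames whose type field is not a length; if legacy ebtables' final_check rejects the inverted form as well, the condition should also test `fw->invflags & EBT_IPROTO`, otherwise a short comment that the inverted form is accepted on purpose would save the next reader the question. The error text says LENGTH while the same patch prints the option as `Length`; unifying the spelling in user-facing strings would be nice.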
@@ -143,19 +155,26 @@ static int nft_bridge_add(struct nft_handle *h,
 	}
 
 	if ((fw->bitmask & EBT_NOPROTO) == 0) {
+		uint16_t ethproto = fw->ethproto;
 		uint8_t reg;
 
 		op = nft_invflags2cmp(fw->invflags, EBT_IPROTO);
 		add_payload(h, r, offsetof(struct ethhdr, h_proto), 2,
 			    NFT_PAYLOAD_LL_HEADER, &reg);
-		add_cmp_u16(r, fw->ethproto, op, reg);
+
+		if (fw->bitmask & EBT_802_3) {
+			op = (op == NFT_CMP_EQ ? NFT_CMP_LT : NFT_CMP_GTE);
+			ethproto = htons(0x0600);
+		}
+
+		add_cmp_u16(r, ethproto, op, reg);
 	}
 
 	add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
 
 	for (iter = cs->match_list; iter; iter = iter->next) {
 		if (iter->ismatch) {
-			if (add_match(h, r, iter->u.match->m))
+			if (nft_bridge_add_match(h, fw, r, iter->u.match->m))
 				break;
 		} else {
 			if (add_target(r, iter->u.watcher->t))
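Review bot: `add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO)` directly below the changed block still receives `fw->ethproto` rather than the new `ethproto` local, so for `-p Length` the compat data carries whatever the parser left in `fw->ethproto` while the cmp expression uses htons(0x0600) with LT/GTE; please confirm the two agree for this case, or skip add_compat() when EBT_802_3 is set. Using htons(0x0600) is consistent with add_cmp_u16() already being fed `fw->ethproto` in network byte order.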
@@ -212,6 +231,7 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 	struct ebt_entry *fw = &cs->eb;
 	unsigned char addr[ETH_ALEN];
 	unsigned short int ethproto;
+	uint8_t op;
 	bool inv;
 	int i;
 
@@ -248,8 +268,14 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 		fw->bitmask |= EBT_ISOURCE;
 		break;
 	case offsetof(struct ethhdr, h_proto):
-		get_cmp_data(e, &ethproto, sizeof(ethproto), &inv);
-		fw->ethproto = ethproto;
+		__get_cmp_data(e, &ethproto, sizeof(ethproto), &op);
+		if (ethproto == htons(0x0600)) {
+			fw->bitmask |= EBT_802_3;
+			inv = (op == NFT_CMP_GTE);
+		} else {
+			fw->ethproto = ethproto;
+			inv = (op == NFT_CMP_NEQ);
+		}
 		if (inv)
 			fw->invflags |= EBT_IPROTO;
 		fw->bitmask &= ~EBT_NOPROTO;
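Review bot: the reverse mapping keys solely on `ethproto == htons(0x0600)` and never inspects `op`, so a rule written as `-p 0x0600` (cmp EQ) is read back as `-p Length`, and `-p ! 0x0600` (cmp NEQ) also comes back as `-p Length` with its inversion lost, because `inv = (op == NFT_CMP_GTE)` is false for NEQ and `fw->ethproto` is never assigned in that branch. Gate the branch on `op == NFT_CMP_LT || op == NFT_CMP_GTE` and fall through to the plain protocol path otherwise; a save/restore round trip of `-p 0x0600` would catch this.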
@@ -587,7 +613,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
 		printf("! ");
 
 	if (bitmask & EBT_802_3) {
-		printf("length ");
+		printf("Length ");
 		return;
 	}
 
@@ -601,7 +627,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
 static void __nft_bridge_save_rule(const struct iptables_command_state *cs,
 				   unsigned int format)
 {
-	if (cs->eb.ethproto)
+	if (!(cs->eb.bitmask & EBT_NOPROTO))
 		print_protocol(cs->eb.ethproto, cs->eb.invflags & EBT_IPROTO,
 			       cs->eb.bitmask);
 	if (cs->eb.bitmask & EBT_ISOURCE)
@@ -840,7 +866,10 @@ static int nft_bridge_xlate(const struct iptables_command_state *cs,
 	xlate_ifname(xl, "meta obrname", cs->eb.logical_out,
 		     cs->eb.invflags & EBT_ILOGICALOUT);
 
-	if ((cs->eb.bitmask & EBT_NOPROTO) == 0) {
+	if (cs->eb.bitmask & EBT_802_3) {
+		xt_xlate_add(xl, "ether type %s 0x0600 ",
+			     cs->eb.invflags & EBT_IPROTO ? ">=" : "<");
+	} else if ((cs->eb.bitmask & EBT_NOPROTO) == 0) {
 		const char *implicit = NULL;
 
 		switch (ntohs(cs->eb.ethproto)) {
@@ -863,9 +892,6 @@ static int nft_bridge_xlate(const struct iptables_command_state *cs,
 				     ntohs(cs->eb.ethproto));
 	}
 
-	if (cs->eb.bitmask & EBT_802_3)
-		return 0;
-
 	if (cs->eb.bitmask & EBT_ISOURCE)
 		nft_bridge_xlate_mac(xl, "saddr", cs->eb.invflags & EBT_ISOURCE,
 				     cs->eb.sourcemac, cs->eb.sourcemsk);
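Review bot: dropping the early `return 0` means 802_3 rules now also get their MAC, interface and match/target parts translated, which together with the new `EBT_802_3` branch above is what makes the added generic.txlate cases produce a complete rule; a txlate case that combines `-p Length` with `-s` or `-d` would make that dependence explicit in the tests.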
-- 
2.34.1
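The `-p Length` mapping from this patch, as an added example that is not code from the series: the forward direction turns the 802.3 flag into an `ether type < 0x0600` (or `>= 0x0600` when inverted) comparison, and the reverse direction maps such a comparison back to the flag. The constants and structs are simplified stand-ins; the reverse mapping additionally checks the comparison operator, which goes one step beyond the patch so that a literal `-p 0x0600` is not reported as Length.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors of the flags and nft cmp ops the patch uses; values are assumed for
 * this example. Byte order is host order here, whereas the real code keeps
 * fw->ethproto in network order and compares against htons(0x0600). */
enum cmp_op { CMP_EQ, CMP_NEQ, CMP_LT, CMP_GTE };
#define EBT_IPROTO  0x01
#define EBT_802_3   0x02
#define EBT_NOPROTO 0x04

struct proto_match { uint16_t ethproto; unsigned int bitmask; unsigned int invflags; };
struct cmp { uint16_t value; enum cmp_op op; };	/* payload of the nft cmp expression */

/* Forward direction, as in nft_bridge_add(): '-p Length' becomes
 * 'ether type < 0x0600' and '-p ! Length' becomes 'ether type >= 0x0600'. */
struct cmp build_proto_cmp(const struct proto_match *fw)
{
	struct cmp c = { fw->ethproto, (fw->invflags & EBT_IPROTO) ? CMP_NEQ : CMP_EQ };
	if (fw->bitmask & EBT_802_3) {
		c.op = (c.op == CMP_EQ) ? CMP_LT : CMP_GTE;
		c.value = 0x0600;	/* IEEE 802.3 length/type boundary */
	}
	return c;
}

/* Evaluate the comparison against a frame's type/length field. */
bool cmp_matches(struct cmp c, uint16_t field)
{
	switch (c.op) {
	case CMP_EQ:  return field == c.value;
	case CMP_NEQ: return field != c.value;
	case CMP_LT:  return field < c.value;
	default:      return field >= c.value;	/* CMP_GTE */
	}
}

/* Reverse direction, as in nft_bridge_parse_payload(), plus one guard this
 * example adds: only LT/GTE against 0x0600 is reported as Length, so a literal
 * '-p 0x0600' (EQ/NEQ) round-trips as a plain protocol value instead. */
struct proto_match parse_proto_cmp(struct cmp c)
{
	struct proto_match fw = { 0, EBT_NOPROTO, 0 };
	bool inv;
	if (c.value == 0x0600 && (c.op == CMP_LT || c.op == CMP_GTE)) {
		fw.bitmask |= EBT_802_3;
		inv = (c.op == CMP_GTE);
	} else {
		fw.ethproto = c.value;
		inv = (c.op == CMP_NEQ);
	}
	if (inv)
		fw.invflags |= EBT_IPROTO;
	fw.bitmask &= ~EBT_NOPROTO;
	return fw;
}

int main(void)
{
	struct proto_match len = { 0, EBT_802_3, 0 };	/* '-p Length' */
	printf("-p Length matches 0x0100: %d, matches 0x0800: %d\n",
	       cmp_matches(build_proto_cmp(&len), 0x0100), cmp_matches(build_proto_cmp(&len), 0x0800));
	return 0;
}
```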



* Re: [iptables PATCH 0/5] Fixes around ebtables' --proto match
From: Florian Westphal @ 2022-09-28 11:42 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

Phil Sutter <phil@nwl.cc> wrote:
> During some code merge, I created an ugly situation where local OPT_*
> defines in xtables-eb.c override OPT_* enum values from xshared.h with
> same name but different value.
> 
> The above became problematic when I curtly added --verbose support to
> ebtables-nft in order to support -vv debug output. The used OPT_VERBOSE
> symbol stemmed from xshared.h and its value clashed with OPT_PROTOCOL.
> In practice, this turned verbose mode on for rules with protocol match.
> 
> Fix all the above by merging the different OPT_* symbols in the first
> three patches.
> 
> The second more relevant issue was ebtables' lack of support for '-p
> LENGTH', foremost a mandatory prerequisite for 802_3 extension matches
> validity. The last two patches resolve this.

Series:
Reviewed-by: Florian Westphal <fw@strlen.de>


* Re: [iptables PATCH 5/5] ebtables: Support '-p Length'
From: Phil Sutter @ 2022-09-28 17:20 UTC (permalink / raw)
  To: netfilter-devel

On Wed, Sep 28, 2022 at 12:15:12AM +0200, Phil Sutter wrote:
> To match on Ethernet frames using the etherproto field as length value,
> ebtables accepts the special protocol name "LENGTH". Implement this in
> ebtables-nft using a native match for 'ether type < 0x0600'.
> 
> Since extension 802_3 matches are valid only with such Ethernet frames,
> add a local add_match() wrapper which complains if the extension is used
> without '-p Length' parameter. Legacy ebtables does this within the
> extension's final_check callback, but it's not possible here for lack of
> fw->bitmask field access.
> 
> While being at it, add xlate support, adjust tests and make ebtables-nft
> print the case-insensitive argument with capital 'L' like legacy
> ebtables does.

Missed a needed adjustment in the ebtables/0002-ebtables-save-restore_0 shell
testcase, folded this into the commit.

