* [PATCH] extensions: libip6t_REJECT: Add translation to nft
From: Shivani Bhardwaj @ 2016-01-05 6:55 UTC
To: netfilter-devel
Add translation for target REJECT to nftables.
Examples:
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
extensions/libip6t_REJECT.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index d62f431..6d33ecd 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -17,6 +17,11 @@ struct reject_names {
const char *desc;
};
+struct reject_names_xlate {
+ const char *name;
+ enum ip6t_reject_with with;
+};
+
enum {
O_REJECT_WITH = 0,
};
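Review bot: the new `struct reject_names_xlate` (lines `+struct reject_names_xlate {` through `+};`) duplicates the name/with pairing that `struct reject_names` directly above already carries, so the two tables can drift apart; the nft spelling "tcp reset" in the new table versus the existing `--reject-with tcp-reset` option name is one such difference already. Consider adding an nft-name field to the existing `reject_names` entries and iterating a single table, or at least add a comment on the new struct stating that both tables must list the same set of codes.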
@@ -124,6 +129,38 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
printf(" --reject-with %s", reject_table[i].name);
}
+static const struct reject_names_xlate reject_table_xlate[] = {
+ {"no-route", IP6T_ICMP6_NO_ROUTE},
+ {"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
+#if 0
+ {"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
+#endif
+ {"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
+ {"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
+ {"tcp reset", IP6T_TCP_RESET},
+ {"policy-fail", IP6T_ICMP6_POLICY_FAIL},
+ {"reject-route", IP6T_ICMP6_REJECT_ROUTE}
+};
+
+static int REJECT_xlate(const struct xt_entry_target *target,
+ struct xt_buf *buf, int numeric)
+{
+ const struct ip6t_reject_info *reject =
+ (const struct ip6t_reject_info *)target->data;
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
+ if (reject_table_xlate[i].with == reject->with)
+ break;
+ if (reject->with == IP6T_TCP_RESET)
+ xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
+ else
+ xt_buf_add(buf, "reject with icmpv6 type %s",
+ reject_table_xlate[i].name);
+
+ return 1;
+}
+
static struct xtables_target reject_tg6_reg = {
.name = "REJECT",
.version = XTABLES_VERSION,
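Review bot: the lookup loop in REJECT_xlate (`for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)` ... `break;`) has no miss case: when `reject->with` matches no entry, `i` equals `ARRAY_SIZE(reject_table_xlate)` and the following `reject_table_xlate[i].name` reads past the end of the array. The `#if 0` entry for `IP6T_ICMP6_NOT_NEIGHBOR` shows that such a code exists in the enum but not in the table. Add `if (i == ARRAY_SIZE(reject_table_xlate)) return 0;` after the loop so the target is reported as untranslatable instead; the `IP6T_TCP_RESET` branch can then be tested before the loop, which also removes the need for the oddly spaced "tcp reset" table entry.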
@@ -136,6 +173,7 @@ static struct xtables_target reject_tg6_reg = {
.save = REJECT_save,
.x6_parse = REJECT_parse,
.x6_options = REJECT_opts,
+ .xlate = REJECT_xlate,
};
void _init(void)
--
1.9.1
* Re: [PATCH] extensions: libip6t_REJECT: Add translation to nft
From: Arturo Borrero Gonzalez @ 2016-01-05 11:30 UTC
To: Shivani Bhardwaj; +Cc: Netfilter Development Mailing list
On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>
> +static const struct reject_names_xlate reject_table_xlate[] = {
> + {"no-route", IP6T_ICMP6_NO_ROUTE},
> + {"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
> +#if 0
> + {"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
> +#endif
> + {"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
> + {"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
> + {"tcp reset", IP6T_TCP_RESET},
> + {"policy-fail", IP6T_ICMP6_POLICY_FAIL},
> + {"reject-route", IP6T_ICMP6_REJECT_ROUTE}
> +};
I wonder about the reason behind including code which, it seems, is not going to
be compiled.
It was in the original extension code, perhaps you can revisit that now.
> +
> +static int REJECT_xlate(const struct xt_entry_target *target,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct ip6t_reject_info *reject =
> + (const struct ip6t_reject_info *)target->data;
> + unsigned int i;
> +
> + for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
> + if (reject_table_xlate[i].with == reject->with)
> + break;
> + if (reject->with == IP6T_TCP_RESET)
> + xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
> + else
> + xt_buf_add(buf, "reject with icmpv6 type %s",
> + reject_table_xlate[i].name);
> +
> + return 1;
> +}
> +
AFAIK, -j REJECT can be used without further options. However, this
_xlate() function doesn't seem to support it.
I would print unconditionally the 'reject' keyword and in case some
option was used, then include the 'with XXX' thing.
i.e:
the rule:
% [...] -p tcp --dport 22 -j REJECT
translates to:
% nft add rule [...] tcp dport 22 reject
and the rule:
% [...] -p tcp --dport 22 -j REJECT --reject-with no-route
translates to:
% nft add rule [...] tcp dport 22 reject with icmpv6 type no-route
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH] extensions: libip6t_REJECT: Add translation to nft
From: Shivani Bhardwaj @ 2016-01-05 12:48 UTC
To: Arturo Borrero Gonzalez; +Cc: Netfilter Development Mailing list
On Tue, Jan 5, 2016 at 5:00 PM, Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com> wrote:
> On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>>
>> +static const struct reject_names_xlate reject_table_xlate[] = {
>> + {"no-route", IP6T_ICMP6_NO_ROUTE},
>> + {"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
>> +#if 0
>> + {"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
>> +#endif
>> + {"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
>> + {"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
>> + {"tcp reset", IP6T_TCP_RESET},
>> + {"policy-fail", IP6T_ICMP6_POLICY_FAIL},
>> + {"reject-route", IP6T_ICMP6_REJECT_ROUTE}
>> +};
>
> I wonder about the reason behind including code which, it seems, is not going to
> be compiled.
> It was in the original extension code, perhaps you can revisit that now.
>
Hi Arturo,
I've removed the #if/#endif block. Thanks for pointing it out.
If you're referring to some other thing please let me know.
>> +
>> +static int REJECT_xlate(const struct xt_entry_target *target,
>> + struct xt_buf *buf, int numeric)
>> +{
>> + const struct ip6t_reject_info *reject =
>> + (const struct ip6t_reject_info *)target->data;
>> + unsigned int i;
>> +
>> + for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
>> + if (reject_table_xlate[i].with == reject->with)
>> + break;
>> + if (reject->with == IP6T_TCP_RESET)
>> + xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
>> + else
>> + xt_buf_add(buf, "reject with icmpv6 type %s",
>> + reject_table_xlate[i].name);
>> +
>> + return 1;
>> +}
>> +
>
> AFAIK, -j REJECT can be used without further options. However, this
> _xlate() function doesn't seem to support it.
>
> I would print unconditionally the 'reject' keyword and in case some
> option was used, then include the 'with XXX' thing.
>
In the reject module for ip, port unreachable is mentioned as the
default option if the reject target is called.
static const struct reject_names reject_table[] = {
...
{"icmp-port-unreachable", "port-unreach",
IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"}
...
}
The same is happening in the case of IPv6. Should I be removing this default
nature of both of them?
Thank you
> i.e:
>
> the rule:
> % [...] -p tcp --dport 22 -j REJECT
> translates to:
> % nft add rule [...] tcp dport 22 reject
>
> and the rule:
> % [...] -p tcp --dport 22 -j REJECT --reject-with no-route
> translates to:
> % nft add rule [...] tcp dport 22 reject with icmpv6 type no-route
>
> --
> Arturo Borrero González
* Re: [PATCH] extensions: libip6t_REJECT: Add translation to nft
From: Arturo Borrero Gonzalez @ 2016-01-05 13:49 UTC
To: Shivani Bhardwaj; +Cc: Netfilter Development Mailing list
On 5 January 2016 at 13:48, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Tue, Jan 5, 2016 at 5:00 PM, Arturo Borrero Gonzalez
> <arturo.borrero.glez@gmail.com> wrote:
>> On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>>>
>>> +static const struct reject_names_xlate reject_table_xlate[] = {
>>> + {"no-route", IP6T_ICMP6_NO_ROUTE},
>>> + {"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
>>> +#if 0
>>> + {"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
>>> +#endif
>>> + {"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
>>> + {"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
>>> + {"tcp reset", IP6T_TCP_RESET},
>>> + {"policy-fail", IP6T_ICMP6_POLICY_FAIL},
>>> + {"reject-route", IP6T_ICMP6_REJECT_ROUTE}
>>> +};
>>
>> I wonder about the reason behind including code which, it seems, is not going to
>> be compiled.
>> It was in the original extension code, perhaps you can revisit that now.
>>
> Hi Arturo,
>
> I've removed the #if/#endif block. Thanks for pointing it out.
> If you're referring to some other thing please let me know.
>
>>> +
>>> +static int REJECT_xlate(const struct xt_entry_target *target,
>>> + struct xt_buf *buf, int numeric)
>>> +{
>>> + const struct ip6t_reject_info *reject =
>>> + (const struct ip6t_reject_info *)target->data;
>>> + unsigned int i;
>>> +
>>> + for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
>>> + if (reject_table_xlate[i].with == reject->with)
>>> + break;
>>> + if (reject->with == IP6T_TCP_RESET)
>>> + xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
>>> + else
>>> + xt_buf_add(buf, "reject with icmpv6 type %s",
>>> + reject_table_xlate[i].name);
>>> +
>>> + return 1;
>>> +}
>>> +
>>
>> AFAIK, -j REJECT can be used without further options. However, this
>> _xlate() function doesn't seem to support it.
>>
>> I would print unconditionally the 'reject' keyword and in case some
>> option was used, then include the 'with XXX' thing.
>>
>
> In the reject module for ip, port unreachable is mentioned as the
> default option if the reject target is called.
>
> static const struct reject_names reject_table[] = {
> ...
> {"icmp-port-unreachable", "port-unreach",
> IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"}
> ...
> }
>
> The same is happening in the case of IPv6. Should I be removing this default
> nature of both of them?
>
Ok,
reading the code in depth now, I see there is no way the _xlate() can
get a REJECT target without the 'with' option.
So your patch looks good.
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
--
Arturo Borrero González
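As an added, stand-alone illustration that is not part of the patch or of the iptables sources: the table-driven translation the thread settles on (a `with` code is always present, TCP reset is printed as `reject with tcp reset`, every ICMPv6 code as `reject with icmpv6 type <name>`), with the lookup bounds-checked so that a code missing from the table, such as the not-neighbour value the patch keeps under `#if 0`, is reported as untranslatable rather than read past the end of the array. The enum values, struct and function names below are constructed stand-ins, not the kernel's `ip6t_reject_with` enum or the xtables `xt_buf` API; the sample rule prefix is copied from the examples in the patch description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's enum ip6t_reject_with values
 * (assumption: names and order are illustrative, not the real header's). */
enum reject_with {
	REJ_ICMP6_NO_ROUTE,
	REJ_ICMP6_ADM_PROHIBITED,
	REJ_ICMP6_NOT_NEIGHBOR,    /* intentionally absent from the table below */
	REJ_ICMP6_ADDR_UNREACH,
	REJ_ICMP6_PORT_UNREACH,
	REJ_TCP_RESET,
	REJ_ICMP6_POLICY_FAIL,
	REJ_ICMP6_REJECT_ROUTE,
};

/* One row of the translation table: the nft icmpv6 type keyword for a code. */
struct reject_xlate_entry {
	const char *nft_name;
	enum reject_with with;
};

static const struct reject_xlate_entry reject_table_xlate[] = {
	{ "no-route",         REJ_ICMP6_NO_ROUTE },
	{ "admin-prohibited", REJ_ICMP6_ADM_PROHIBITED },
	{ "addr-unreachable", REJ_ICMP6_ADDR_UNREACH },
	{ "port-unreachable", REJ_ICMP6_PORT_UNREACH },
	{ "policy-fail",      REJ_ICMP6_POLICY_FAIL },
	{ "reject-route",     REJ_ICMP6_REJECT_ROUTE },
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Write the nft reject expression for 'with' into buf. Returns 1 on success
 * and 0 when the code has no nft keyword; the caller must then treat the rule
 * as untranslatable instead of indexing the table with an exhausted loop
 * counter. TCP reset is not an ICMPv6 type, so it is handled before the loop. */
int reject_xlate(enum reject_with with, char *buf, size_t len)
{
	size_t i;

	if (with == REJ_TCP_RESET) {
		snprintf(buf, len, "reject with tcp reset");
		return 1;
	}
	for (i = 0; i < ARRAY_SIZE(reject_table_xlate); i++) {
		if (reject_table_xlate[i].with == with) {
			snprintf(buf, len, "reject with icmpv6 type %s",
				 reject_table_xlate[i].nft_name);
			return 1;
		}
	}
	return 0;
}

/* Convenience wrapper: the expression as a string, or NULL if untranslatable. */
const char *reject_xlate_str(enum reject_with with)
{
	static char expr[64];

	return reject_xlate(with, expr, sizeof(expr)) ? expr : NULL;
}

int main(void)
{
	/* Constructed rule prefix matching the examples in the patch description. */
	const char *prefix = "nft add rule ip6 filter FORWARD tcp dport 22 counter";
	const enum reject_with codes[] = {
		REJ_ICMP6_REJECT_ROUTE, REJ_TCP_RESET, REJ_ICMP6_NOT_NEIGHBOR,
	};
	size_t i;

	for (i = 0; i < ARRAY_SIZE(codes); i++) {
		const char *expr = reject_xlate_str(codes[i]);

		if (expr)
			printf("%s %s\n", prefix, expr);
		else
			printf("# reject code %d has no nft translation\n", (int)codes[i]);
	}
	return 0;
}
```

The first two codes reproduce the two translations shown in the patch description; the third exercises the miss case, which the patch's loop-then-index pattern would turn into an out-of-bounds read of the table.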