* [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft
@ 2016-08-28  8:50 Liping Zhang
  2016-08-28  8:50 ` [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate Liping Zhang
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Liping Zhang @ 2016-08-28  8:50 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <liping.zhang@spreadtrum.com>

When I wanted to translate an SNAT target to an nft rule, an error
message was printed out:
  # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
  iptables-translate v1.6.0: OOM

Because ipt_natinfo{} starts with an xt_entry_target{}, when we
get the ipt_natinfo pointer, we should use the target itself,
not its data pointer. Yes, it is a little tricky and it's different
from other targets.

Fixes: 7a0992da44cf ("src: introduce struct xt_xlate_{mt,tg}_params")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libipt_DNAT.c | 2 +-
 extensions/libipt_SNAT.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index c463f07..7890719 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -265,7 +265,7 @@ static void print_range_xlate(const struct nf_nat_ipv4_range *r,
 static int DNAT_xlate(struct xt_xlate *xl,
 		      const struct xt_xlate_tg_params *params)
 {
-	const struct ipt_natinfo *info = (const void *)params->target->data;
+	const struct ipt_natinfo *info = (const void *)params->target;
 	unsigned int i = 0;
 	bool sep_need = false;
 	const char *sep = " ";
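Review bot: the new cast in DNAT_xlate() depends on struct ipt_natinfo having the xt_entry_target header as its first member, but nothing at the assignment says so, and `(const void *)` hides the type change from the compiler. The commit message itself calls this tricky and different from other targets, so add a one-line comment above `info = (const void *)params->target;` describing the layout, so that the line is not later "corrected" back to `params->target->data`.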
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 71717fd..5c699d3 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -276,7 +276,7 @@ static void print_range_xlate(const struct nf_nat_ipv4_range *r,
 static int SNAT_xlate(struct xt_xlate *xl,
 		      const struct xt_xlate_tg_params *params)
 {
-	const struct ipt_natinfo *info = (const void *)params->target->data;
+	const struct ipt_natinfo *info = (const void *)params->target;
 	unsigned int i = 0;
 	bool sep_need = false;
 	const char *sep = " ";
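Review bot: there is no regression check for the SNAT_xlate() fix; the diffstat touches only the two extension files. The reproducer from the commit message (`iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1`) and its DNAT counterpart would make a ready test case, so the wrong pointer cannot come back unnoticed.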
-- 
2.5.5
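
The layout issue described in the commit message above, as an added illustration that is not part of the patch or of iptables. The mock_* structs are simplified stand-ins (assumptions), and the blob is constructed sample data: reading the info struct from the start of the target finds the range, while reading it from the payload offset lands past the real data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the real xtables/netfilter headers. */
struct mock_entry_target {            /* role of xt_entry_target: the header */
	uint16_t target_size;
	char     name[30];
};                                    /* payload ("data") follows the header */

struct mock_multi_range {             /* role of the "mr" member */
	uint32_t rangesize;
	uint32_t min_ip, max_ip;
};

struct mock_natinfo {                 /* header first, as in ipt_natinfo */
	struct mock_entry_target t;
	struct mock_multi_range  mr;
};

#define DATA_OFF sizeof(struct mock_entry_target)  /* where ->data would point */

/* Constructed sample: zero-padded blob holding one target with one range. */
static unsigned char blob[2 * sizeof(struct mock_natinfo)];

static void build_blob(void)
{
	struct mock_natinfo info;
	memset(blob, 0, sizeof(blob));
	memset(&info, 0, sizeof(info));
	info.t.target_size = sizeof(info);
	strcpy(info.t.name, "SNAT");
	info.mr.rangesize = 1;
	info.mr.min_ip = info.mr.max_ip = 0x01010101;   /* 1.1.1.1 */
	memcpy(blob, &info, sizeof(info));
}

/* Read mr.rangesize as if a mock_natinfo started at byte `base` of the blob. */
static uint32_t rangesize_at(size_t base)
{
	uint32_t v;
	build_blob();
	memcpy(&v, blob + base + offsetof(struct mock_natinfo, mr), sizeof(v));
	return v;
}

uint32_t rangesize_from_target(void) { return rangesize_at(0); }        /* fixed */
uint32_t rangesize_from_data(void)   { return rangesize_at(DATA_OFF); } /* buggy */

int main(void)
{
	printf("from target: %u, from data: %u\n",
	       (unsigned)rangesize_from_target(), (unsigned)rangesize_from_data());
	return 0;
}
```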




* [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate
  2016-08-28  8:50 [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft Liping Zhang
@ 2016-08-28  8:50 ` Liping Zhang
  2016-08-30  9:59   ` Pablo Neira Ayuso
  2016-08-28  8:50 ` [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use " Liping Zhang
  2016-08-30  9:56 ` [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft Pablo Neira Ayuso
  2 siblings, 1 reply; 7+ messages in thread
From: Liping Zhang @ 2016-08-28  8:50 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <liping.zhang@spreadtrum.com>

After commit "src: add 'to' for snat and dnat" in nftables tree,
we should recommend the end user to use the new syntax.

Before this patch:
  # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
  nft add rule ip nat POSTROUTING counter snat 1.1.1.1
  # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
  2001::1
  nft add rule ip6 nat PREROUTING counter dnat 2001::1

Apply this patch:
  # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
  nft add rule ip nat POSTROUTING counter snat to 1.1.1.1
  # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
  2001::1
  nft add rule ip6 nat PREROUTING counter dnat to 2001::1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libip6t_DNAT.c | 2 +-
 extensions/libip6t_SNAT.c | 2 +-
 extensions/libipt_DNAT.c  | 2 +-
 extensions/libipt_SNAT.c  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 3925c3b..97a8b1c 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -259,7 +259,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
 	bool sep_need = false;
 	const char *sep = " ";
 
-	xt_xlate_add(xl, "dnat ");
+	xt_xlate_add(xl, "dnat to ");
 	print_range_xlate(range, xl);
 	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
 		xt_xlate_add(xl, " random");
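Review bot: in the libip6t DNAT_xlate() the address is still printed by print_range_xlate() right after the new "dnat to " literal, so an IPv6 destination with a port keeps the ambiguous `abcd::1 :30` form pointed out in the review reply to this patch. Consider emitting the address in square brackets when a port is present, either here or in a follow-up.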
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 4d742ea..c3d8190 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -269,7 +269,7 @@ static int SNAT_xlate(struct xt_xlate *xl,
 	bool sep_need = false;
 	const char *sep = " ";
 
-	xt_xlate_add(xl, "snat ");
+	xt_xlate_add(xl, "snat to ");
 	print_range_xlate(range, xl);
 	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
 		xt_xlate_add(xl, " random");
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 7890719..a14d16f 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -271,7 +271,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
 	const char *sep = " ";
 
 	for (i = 0; i < info->mr.rangesize; i++) {
-		xt_xlate_add(xl, "dnat ");
+		xt_xlate_add(xl, "dnat to ");
 		print_range_xlate(&info->mr.range[i], xl);
 		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
 			xt_xlate_add(xl, " random");
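Review bot: `xt_xlate_add(xl, "dnat to ")` sits inside the `for (i = 0; i < info->mr.rangesize; i++)` loop, so a target with more than one range would get the keyword repeated for every range within one translated rule. If rangesize can exceed 1 here, emit "dnat to " once before the loop; if it cannot, a comment saying so would help.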
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 5c699d3..e92d811 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -282,7 +282,7 @@ static int SNAT_xlate(struct xt_xlate *xl,
 	const char *sep = " ";
 
 	for (i = 0; i < info->mr.rangesize; i++) {
-		xt_xlate_add(xl, "snat ");
+		xt_xlate_add(xl, "snat to ");
 		print_range_xlate(&info->mr.range[i], xl);
 		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
 			xt_xlate_add(xl, " random");
-- 
2.5.5




* [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate
  2016-08-28  8:50 [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft Liping Zhang
  2016-08-28  8:50 ` [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate Liping Zhang
@ 2016-08-28  8:50 ` Liping Zhang
  2016-08-30  9:59   ` Pablo Neira Ayuso
  2016-08-30  9:56 ` [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft Pablo Neira Ayuso
  2 siblings, 1 reply; 7+ messages in thread
From: Liping Zhang @ 2016-08-28  8:50 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <liping.zhang@spreadtrum.com>

After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.

Before this patch:
  # iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
  nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1

Apply this patch:
  # iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
  nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libip6t_REDIRECT.c | 2 +-
 extensions/libipt_REDIRECT.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_REDIRECT.c b/extensions/libip6t_REDIRECT.c
index 32f85b9..8e04d2c 100644
--- a/extensions/libip6t_REDIRECT.c
+++ b/extensions/libip6t_REDIRECT.c
@@ -138,7 +138,7 @@ static int REDIRECT_xlate(struct xt_xlate *xl,
 	const struct nf_nat_range *range = (const void *)params->target->data;
 
 	if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-		xt_xlate_add(xl, "redirect to %hu",
+		xt_xlate_add(xl, "redirect to :%hu",
 			   ntohs(range->min_proto.tcp.port));
 		if (range->max_proto.tcp.port != range->min_proto.tcp.port)
 			xt_xlate_add(xl, "-%hu ",
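Review bot: the commit message only demonstrates the IPv4 single-port case, while this hunk changes libip6t_REDIRECT.c and its context shows a range branch (`"-%hu "`). Please add an `ip6tables-translate` example and a `--to-ports` range example to the message, so the expected output with the new leading colon is on record for both.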
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 31ca88c..7850306 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -143,7 +143,7 @@ static int REDIRECT_xlate(struct xt_xlate *xl,
 	const struct nf_nat_ipv4_range *r = &mr->range[0];
 
 	if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-		xt_xlate_add(xl, "redirect to %hu", ntohs(r->min.tcp.port));
+		xt_xlate_add(xl, "redirect to :%hu", ntohs(r->min.tcp.port));
 		if (r->max.tcp.port != r->min.tcp.port)
 			xt_xlate_add(xl, "-%hu ", ntohs(r->max.tcp.port));
 		if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM)
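Review bot: with the leading colon added to "redirect to :%hu", the range branch just below still appends "-%hu " with a trailing space while the single-port form has none, so the spacing of the output differs between the two cases; worth normalising the separators while this format string is being touched. Also, `r` is declared for `&mr->range[0]` but the last context line tests `mr->range[0].flags`; `r->flags` would be consistent.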
-- 
2.5.5




* Re: [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft
  2016-08-28  8:50 [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft Liping Zhang
  2016-08-28  8:50 ` [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate Liping Zhang
  2016-08-28  8:50 ` [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use " Liping Zhang
@ 2016-08-30  9:56 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-30  9:56 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Sun, Aug 28, 2016 at 04:50:46PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> When I wanted to translate an SNAT target to an nft rule, an error
> message was printed out:
>   # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
>   iptables-translate v1.6.0: OOM
> 
> Because ipt_natinfo{} starts with an xt_entry_target{}, when we
> get the ipt_natinfo pointer, we should use the target itself,
> not its data pointer. Yes, it is a little tricky and it's different
> from other targets.

Applied, thanks!


* Re: [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate
  2016-08-28  8:50 ` [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate Liping Zhang
@ 2016-08-30  9:59   ` Pablo Neira Ayuso
  2016-08-31  0:32     ` Liping Zhang
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-30  9:59 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Sun, Aug 28, 2016 at 04:50:47PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> After commit "src: add 'to' for snat and dnat" in nftables tree,
> we should recommend the end user to use the new syntax.
> 
> Before this patch:
>   # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
>   nft add rule ip nat POSTROUTING counter snat 1.1.1.1
>   # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
>   2001::1
>   nft add rule ip6 nat PREROUTING counter dnat 2001::1
> 
> Apply this patch:
>   # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
>   nft add rule ip nat POSTROUTING counter snat to 1.1.1.1
>   # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination
>   2001::1
>   nft add rule ip6 nat PREROUTING counter dnat to 2001::1

Applied, thanks!

BTW, if you have some spare cycles, it would be great to use the
square brackets in the translation output too I think.

# ip6tables-translate -t nat -A PREROUTING -p tcp -j DNAT --to-destination [abcd::1]:30
nft add rule ip6 nat PREROUTING meta l4proto tcp counter dnat abcd::1 :30


* Re: [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate
  2016-08-28  8:50 ` [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use " Liping Zhang
@ 2016-08-30  9:59   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-30  9:59 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Sun, Aug 28, 2016 at 04:50:48PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> After commit "parser_bison: redirect to :port for consistency with
> nat/masq statement" in nftables tree, we should recommend the end
> user to use the new syntax.
> 
> Before this patch:
>   # iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
>   nft add rule ip nat PREROUTING ip protocol tcp counter redirect to 1
> 
> Apply this patch:
>   # iptables-translate -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1
>   nft add rule ip nat PREROUTING ip protocol tcp counter redirect to :1

Also applied, thanks.


* Re: [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate
  2016-08-30  9:59   ` Pablo Neira Ayuso
@ 2016-08-31  0:32     ` Liping Zhang
  0 siblings, 0 replies; 7+ messages in thread
From: Liping Zhang @ 2016-08-31  0:32 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Liping Zhang, netfilter-devel, Liping Zhang

2016-08-30 17:59 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:

> BTW, if you have some spare cycles, it would be great to use the
> square brackets in the translation output too I think.
>
> # ip6tables-translate -t nat -A PREROUTING -p tcp -j DNAT --to-destination [abcd::1]:30
> nft add rule ip6 nat PREROUTING meta l4proto tcp counter dnat abcd::1 :30

OK. I will send another patch later.
Thanks
