[PATCH] extensions: libipt_SNAT: Add translation to nft

[PATCH] extensions: libipt_SNAT: Add translation to nft

[Shivani Bhardwaj]

Add translation for target SNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6

$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random-fully
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 fully-random

$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4 --persistent
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4 persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libipt_SNAT.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 78d2c2b..f1b8d9a 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -252,6 +252,47 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
 	}
 }
 
+static void print_range_xlate(const struct nf_nat_ipv4_range *r,
+			      struct xt_buf *buf)
+{
+	if (r->flags & NF_NAT_RANGE_MAP_IPS) {
+		struct in_addr a;
+
+		a.s_addr = r->min_ip;
+		xt_buf_add(buf, "%s", xtables_ipaddr_to_numeric(&a));
+		if (r->max_ip != r->min_ip) {
+			a.s_addr = r->max_ip;
+			xt_buf_add(buf, "-%s", xtables_ipaddr_to_numeric(&a));
+		}
+	}
+	if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+		xt_buf_add(buf, ":");
+		xt_buf_add(buf, "%hu", ntohs(r->min.tcp.port));
+		if (r->max.tcp.port != r->min.tcp.port)
+			xt_buf_add(buf, "-%hu", ntohs(r->max.tcp.port));
+	}
+}
+
+static int SNAT_xlate(const struct xt_entry_target *target,
+		      struct xt_buf *buf, int numeric)
+{
+	const struct ipt_natinfo *info = (const void *)target;
+	unsigned int i = 0;
+
+	for (i = 0; i < info->mr.rangesize; i++) {
+		xt_buf_add(buf, "snat ");
+		print_range_xlate(&info->mr.range[i], buf);
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM)
+			xt_buf_add(buf, " random");
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+			xt_buf_add(buf, " fully-random");
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
+			xt_buf_add(buf, " persistent");
+	}
+
+	return 1;
+}
+
 static struct xtables_target snat_tg_reg = {
 	.name		= "SNAT",
 	.version	= XTABLES_VERSION,
@@ -264,6 +305,7 @@ static struct xtables_target snat_tg_reg = {
 	.print		= SNAT_print,
 	.save		= SNAT_save,
 	.x6_options	= SNAT_opts,
+	.xlate		= SNAT_xlate,
 };
 
 void _init(void)
-- 
1.9.1

Re: [PATCH] extensions: libipt_SNAT: Add translation to nft

[Pablo Neira Ayuso]

On Fri, Dec 25, 2015 at 10:46:59PM +0530, Shivani Bhardwaj wrote:
> Add translation for target SNAT to nftables.
> 
> Examples:
> 
> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4
> 
> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6
> 
> $ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
> nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023
> 
> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random
> 
> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random-fully
> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 fully-random

If two flags are specified, then this should look like:

... postrouting oifname eth0 counter snat 1.2.3.4 fully-random,persistent
                                                              ^

In nft, we always represents flags as command separated values.

Same applied to NFQUEUE translation and its flags; BTW you sent a
patch for this:

http://patchwork.ozlabs.org/patch/559554/

It would be good if you can send a v2:

Thanks.

Re: [PATCH] extensions: libipt_SNAT: Add translation to nft

[Shivani Bhardwaj]

On Mon, Dec 28, 2015 at 5:50 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 25, 2015 at 10:46:59PM +0530, Shivani Bhardwaj wrote:
>> Add translation for target SNAT to nftables.
>>
>> Examples:
>>
>> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
>> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4
>>
>> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
>> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6
>>
>> $ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
>> nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023
>>
>> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
>> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random
>>
>> $ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random-fully
>> nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 fully-random
>
> If two flags are specified, then this should look like:
>
> ... postrouting oifname eth0 counter snat 1.2.3.4 fully-random,persistent
>                                                               ^
>
> In nft, we always represents flags as command separated values.
>
> Same applied to NFQUEUE translation and its flags; BTW you sent a
> patch for this:
>
> http://patchwork.ozlabs.org/patch/559554/
>
> It would be good if you can send a v2:
>

I'm sending v2 for this and DNAT. NFQUEUE and MARK is going to take
some time. I'm having some trouble with their options. I'll send it
soon. Thanks for your patience.

> Thanks.

[PATCH] extensions: libipt_SNAT: Add translation to nft

[Shivani Bhardwaj]

Add translation for target SNAT to nftables.

Examples:

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4-1.2.3.6

$ sudo iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat 1.2.3.4:1-1023

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random

$ sudo iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent
nft add rule ip nat postrouting oifname eth0 counter snat 1.2.3.4 random,persistent

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libipt_SNAT.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 78d2c2b..42fe92d 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -252,6 +252,58 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
 	}
 }
 
+static void print_range_xlate(const struct nf_nat_ipv4_range *r,
+			      struct xt_buf *buf)
+{
+	if (r->flags & NF_NAT_RANGE_MAP_IPS) {
+		struct in_addr a;
+
+		a.s_addr = r->min_ip;
+		xt_buf_add(buf, "%s", xtables_ipaddr_to_numeric(&a));
+		if (r->max_ip != r->min_ip) {
+			a.s_addr = r->max_ip;
+			xt_buf_add(buf, "-%s", xtables_ipaddr_to_numeric(&a));
+		}
+	}
+	if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+		xt_buf_add(buf, ":");
+		xt_buf_add(buf, "%hu", ntohs(r->min.tcp.port));
+		if (r->max.tcp.port != r->min.tcp.port)
+			xt_buf_add(buf, "-%hu", ntohs(r->max.tcp.port));
+	}
+}
+
+static int SNAT_xlate(const struct xt_entry_target *target,
+		      struct xt_buf *buf, int numeric)
+{
+	const struct ipt_natinfo *info = (const void *)target;
+	unsigned int i = 0;
+	bool sep_need = false;
+	const char *sep = " ";
+
+	for (i = 0; i < info->mr.rangesize; i++) {
+		xt_buf_add(buf, "snat ");
+		print_range_xlate(&info->mr.range[i], buf);
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
+			xt_buf_add(buf, " random");
+			sep_need = true;
+		}
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
+			if (sep_need)
+				sep = ",";
+			xt_buf_add(buf, "%sfully-random", sep);
+			sep_need = true;
+		}
+		if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) {
+			if (sep_need)
+				sep = ",";
+			xt_buf_add(buf, "%spersistent", sep);
+		}
+	}
+
+	return 1;
+}
+
 static struct xtables_target snat_tg_reg = {
 	.name		= "SNAT",
 	.version	= XTABLES_VERSION,
@@ -264,6 +316,7 @@ static struct xtables_target snat_tg_reg = {
 	.print		= SNAT_print,
 	.save		= SNAT_save,
 	.x6_options	= SNAT_opts,
+	.xlate		= SNAT_xlate,
 };
 
 void _init(void)
-- 
1.9.1

Re: [PATCH] extensions: libipt_SNAT: Add translation to nft

[Pablo Neira Ayuso]

On Mon, Dec 28, 2015 at 09:05:02PM +0530, Shivani Bhardwaj wrote:
> Add translation for target SNAT to nftables.

Applied, thanks.