[PATCH] extensions: libipt_icmp: Add translation to nft

[PATCH] extensions: libipt_icmp: Add translation to nft

[Laura Garcia Liebana]

Add translation for icmp to nftables.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
nft add rule ip filter INPUT icmp type any counter log level warn

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3/1 -j LOG
nft add rule ip filter INPUT icmp type host-unreachable counter log level warn

$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 extensions/libipt_icmp.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 666e7da..795172f 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
 }
 
 static void icmp_print(const void *ip, const struct xt_entry_match *match,
-                       int numeric)
+		       int numeric)
 {
 	const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
 
@@ -249,6 +249,36 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
 	}
 }
 
+static void type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+			     unsigned int code_min, unsigned int code_max)
+{
+	unsigned int i;
+
+	for (i = 0; ARRAY_SIZE(icmp_codes); i++)
+		if (icmp_codes[i].type == icmptype &&
+		    icmp_codes[i].code_min == code_min &&
+		    icmp_codes[i].code_max == code_max)
+			break;
+
+	xt_xlate_add(xl, icmp_codes[i].name);
+}
+
+static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+		       int numeric)
+{
+	const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
+
+	xt_xlate_add(xl, "icmp type%s ",
+		     (info->invflags & IPT_ICMP_INV) ? " !=" : "");
+
+	type_xlate_print(xl, info->type, info->code[0], info->code[1]);
+
+	xt_xlate_add(xl, " ");
+
+	return 1;
+}
+
+
 static struct xtables_match icmp_mt_reg = {
 	.name		= "icmp",
 	.version	= XTABLES_VERSION,
@@ -261,6 +291,7 @@ static struct xtables_match icmp_mt_reg = {
 	.save		= icmp_save,
 	.x6_parse	= icmp_parse,
 	.x6_options	= icmp_opts,
+	.xlate		= icmp_xlate,
 };
 
 void _init(void)
-- 
2.7.0

Re: [PATCH] extensions: libipt_icmp: Add translation to nft

[Shivani Bhardwaj]

On Sun, Mar 6, 2016 at 1:30 AM, Laura Garcia Liebana <nevola@gmail.com> wrote:
> Add translation for icmp to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
> nft add rule ip filter INPUT icmp type any counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3/1 -j LOG
> nft add rule ip filter INPUT icmp type host-unreachable counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn
>

Hi Laura,

There are some icmp types that nftables does not support, have you
tried adding up rules corresponding to all the packet types?

$ sudo nft add table filter
$ sudo nft add chain filter INPUT { type filter hook input priority 0\;}
$ sudo <your generated rule goes here>

Please consider finding out such packet types and mention about them
in commit message.
Same for icmpv6.

> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> ---
>  extensions/libipt_icmp.c | 33 ++++++++++++++++++++++++++++++++-
>  1 file changed, 32 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
> index 666e7da..795172f 100644
> --- a/extensions/libipt_icmp.c
> +++ b/extensions/libipt_icmp.c
> @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
>  }
>
>  static void icmp_print(const void *ip, const struct xt_entry_match *match,
> -                       int numeric)
> +                      int numeric)
>  {
>         const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
>
> @@ -249,6 +249,36 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
>         }
>  }
>
> +static void type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
> +                            unsigned int code_min, unsigned int code_max)
> +{
> +       unsigned int i;
> +
> +       for (i = 0; ARRAY_SIZE(icmp_codes); i++)

Also, here you are using the array icmp_codes, this will give out the
same packet names as iptables. But, some packet names are different in
nftables. May be not in case of icmp but in case of icmp6. Please have
a look at this.

Thanks.

> +               if (icmp_codes[i].type == icmptype &&
> +                   icmp_codes[i].code_min == code_min &&
> +                   icmp_codes[i].code_max == code_max)
> +                       break;
> +
> +       xt_xlate_add(xl, icmp_codes[i].name);
> +}
> +
> +static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
> +                      int numeric)
> +{
> +       const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
> +
> +       xt_xlate_add(xl, "icmp type%s ",
> +                    (info->invflags & IPT_ICMP_INV) ? " !=" : "");
> +
> +       type_xlate_print(xl, info->type, info->code[0], info->code[1]);
> +
> +       xt_xlate_add(xl, " ");
> +
> +       return 1;
> +}
> +
> +
>  static struct xtables_match icmp_mt_reg = {
>         .name           = "icmp",
>         .version        = XTABLES_VERSION,
> @@ -261,6 +291,7 @@ static struct xtables_match icmp_mt_reg = {
>         .save           = icmp_save,
>         .x6_parse       = icmp_parse,
>         .x6_options     = icmp_opts,
> +       .xlate          = icmp_xlate,
>  };
>
>  void _init(void)
> --
> 2.7.0
>

Re: [PATCH] extensions: libipt_icmp: Add translation to nft

[Laura Garcia]

On Sun, Mar 06, 2016 at 03:31:15PM +0530, Shivani Bhardwaj wrote:
> There are some icmp types that nftables does not support, have you

And these types (and subtypes) are not supported yet or will never be supported?

> tried adding up rules corresponding to all the packet types?
> 

Yes, but not all of them.

> $ sudo nft add table filter
> $ sudo nft add chain filter INPUT { type filter hook input priority 0\;}
> $ sudo <your generated rule goes here>
> 
> Please consider finding out such packet types and mention about them
> in commit message.

Ok.

> Also, here you are using the array icmp_codes, this will give out the
> same packet names as iptables. But, some packet names are different in
> nftables. May be not in case of icmp but in case of icmp6. Please have
> a look at this.
> 

Ok, as there isn't a direct translation I'll provide a v2 with a list
of supported types.

Thanks!

Re: [PATCH] extensions: libipt_icmp: Add translation to nft

[Pablo Neira Ayuso]

On Sat, Mar 05, 2016 at 09:00:41PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables.
> 
> Examples:
> 
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
> nft add rule ip filter INPUT icmp type any counter log level warn
> 
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3/1 -j LOG
> nft add rule ip filter INPUT icmp type host-unreachable counter log level warn
> 
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn
> 
> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> ---
>  extensions/libipt_icmp.c | 33 ++++++++++++++++++++++++++++++++-
>  1 file changed, 32 insertions(+), 1 deletion(-)
> 
> diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
> index 666e7da..795172f 100644
> --- a/extensions/libipt_icmp.c
> +++ b/extensions/libipt_icmp.c
> @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
>  }
>  
>  static void icmp_print(const void *ip, const struct xt_entry_match *match,
> -                       int numeric)
> +		       int numeric)
>  {
>  	const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
>  
> @@ -249,6 +249,36 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
>  	}
>  }
>  
> +static void type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
> +			     unsigned int code_min, unsigned int code_max)
> +{
> +	unsigned int i;
> +
> +	for (i = 0; ARRAY_SIZE(icmp_codes); i++)
> +		if (icmp_codes[i].type == icmptype &&
> +		    icmp_codes[i].code_min == code_min &&
> +		    icmp_codes[i].code_max == code_max)
> +			break;
> +
> +	xt_xlate_add(xl, icmp_codes[i].name);
> +}
> +
> +static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
> +		       int numeric)
> +{
> +	const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
> +
> +	xt_xlate_add(xl, "icmp type%s ",
> +		     (info->invflags & IPT_ICMP_INV) ? " !=" : "");
> +
> +	type_xlate_print(xl, info->type, info->code[0], info->code[1]);
> +
> +	xt_xlate_add(xl, " ");
> +
> +	return 1;
> +}

icmpv6 codes matching can be translated to:

        icmpv6 code VALUE

I know this is still broken in nft when listing, but I have initial
a couple of patches to fix this here almost done.

So please provide the translation for this too, this will work soon.