* [PATCHv3] extensions: libipt_icmp: Add translation to nft
From: Laura Garcia Liebana @ 2016-03-07 21:21 UTC
To: netfilter-devel; +Cc: shivanib134, pablo, outreachy-kernel

Add translation for icmp to nftables. Not supported types in nftables are: any, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, router-advertisement, router-solicitation, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j LOG
nft add rule ip filter INPUT icmp type echo-reply counter log level warn

$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type destination-unreachable counter log level warn

$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
v2:
- Detection of not supported types in nftables, as Shivani suggested.
v3:
- Fix array iteration protection.

 extensions/libipt_icmp.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 666e7da..2c8be87 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type, } static void icmp_print(const void *ip, const struct xt_entry_match *match, - int numeric) + int numeric) { const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data; @@ -249,6 +249,52 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match) } } +static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + unsigned int code_min, unsigned int code_max) +{ + unsigned int i; + + if (code_min == code_max) + return 0; + + switch (icmptype) { + case 0xFF: + case 9: + case 10: + return 0; + default: + for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i) + if (icmp_codes[i].type == icmptype && + icmp_codes[i].code_min == code_min && + icmp_codes[i].code_max == code_max) + break; + + if (i != ARRAY_SIZE(icmp_codes)) + xt_xlate_add(xl, icmp_codes[i].name); + else + return 0; + } + + return 1; +} + +static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct ipt_icmp *info = (struct ipt_icmp *)match->data; + + xt_xlate_add(xl, "icmp type%s ", + (info->invflags & IPT_ICMP_INV) ? " !=" : ""); + + if (!type_xlate_print(xl, info->type, info->code[0], info->code[1])) + return 0; + + xt_xlate_add(xl, " "); + + return 1; +} + + static struct xtables_match icmp_mt_reg = { .name = "icmp", .version = XTABLES_VERSION, @@ -261,6 +307,7 @@ static struct xtables_match icmp_mt_reg = { .save = icmp_save, .x6_parse = icmp_parse, .x6_options = icmp_opts, + .xlate = icmp_xlate, }; void _init(void) -- 2.7.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
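Review bot: the `- int numeric)` / `+ int numeric)` pair in icmp_print's signature in the first hunk is a whitespace-only re-indent that has nothing to do with adding the translation; drop it from this patch (or send it on its own) so the diff contains only the xlate addition and the diffstat stops counting a deletion.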
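Review bot: in the second hunk icmp_xlate writes `icmp type` (plus the `!=` for IPT_ICMP_INV) into the buffer before type_xlate_print has decided whether the type is translatable, so every `return 0` path (the `code_min == code_max` test, the 0xFF/9/10 cases, no table hit) leaves a half-written rule in the xt_xlate buffer; do the icmp_codes lookup first and only emit the prefix once a name was found. The `for` loop and the `i != ARRAY_SIZE(icmp_codes)` test do not depend on the switch, so they read better outside `default:` with an early `return 0` when the entry is missing; the 0xFF (`any`) case can then be handled by emitting nothing, since no type constraint at all is the nft equivalent. The commit message calls the excluded entries "types", but apart from `any`, `router-advertisement` and `router-solicitation` (the three switch cases) they are the type/code pairs filtered out by the `code_min == code_max` test, so "codes" is the accurate word.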
* Re: [PATCHv3] extensions: libipt_icmp: Add translation to nft
From: Pablo Neira Ayuso @ 2016-03-08 10:53 UTC
To: Laura Garcia Liebana; +Cc: netfilter-devel, shivanib134, outreachy-kernel

On Mon, Mar 07, 2016 at 10:21:44PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Not supported types in nftables

These are actually icmp codes that we don't support yet, right?

> are: any, network-unreachable, host-unreachable, protocol-unreachable,
> port-unreachable, fragmentation-needed, source-route-failed,
> network-unknown, host-unknown, network-prohibited, host-prohibited,
> TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
> host-precedence-violation, precedence-cutoff, network-redirect,
> host-redirect, TOS-network-redirect, TOS-host-redirect,
> router-advertisement, router-solicitation, ttl-zero-during-transit,
> ttl-zero-during-reassembly, ip-header-bad and required-option-missing.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j LOG
> nft add rule ip filter INPUT icmp type echo-reply counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type destination-unreachable counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn
> > Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> > --- > v2: > - Detection of not supported types in nftables, as Shivani suggested. > v3: > - Fix array iteration protection. > > extensions/libipt_icmp.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 48 insertions(+), 1 deletion(-) > > diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c > index 666e7da..2c8be87 100644 > --- a/extensions/libipt_icmp.c > +++ b/extensions/libipt_icmp.c > @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type, > } > > static void icmp_print(const void *ip, const struct xt_entry_match *match, > - int numeric) > + int numeric) I think this change doesn't belong in this patch. > { > const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data; > > @@ -249,6 +249,52 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match) > } > } > > +static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, > + unsigned int code_min, unsigned int code_max) ^^^^^^ This should be aligned with the line above: static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, unsigned int code_min, unsigned int code_max) > +{ > + unsigned int i; > + > + if (code_min == code_max) > + return 0; > + > + switch (icmptype) { > + case 0xFF: You can skip the 0xff case by adding nothing. > + case 9: > + case 10: You can send me a two-liner for this for nft, so we don't need this I think. > + return 0; > + default: > + for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i) > + if (icmp_codes[i].type == icmptype && > + icmp_codes[i].code_min == code_min && > + icmp_codes[i].code_max == code_max) > + break; > + > + if (i != ARRAY_SIZE(icmp_codes)) > + xt_xlate_add(xl, icmp_codes[i].name); > + else > + return 0; > + } > + > + return 1; > +}
* [PATCH] libxt_multiport: Add translation to nft
From: FaTe @ 2016-03-09 6:58 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Added translation for the match multiport.

Example:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept

$ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept

$ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept

$ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 } counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
 extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 170 insertions(+), 1 deletion(-)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..41e1e2b 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -18,6 +18,8 @@ enum { F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS, }; +static const char *xlate_proto; + /* Function which prints out usage message. */ static void multiport_help(void) {
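Review bot: `xlate_proto` is file-scope state that is written during option parsing and read much later from the xlate callbacks, so whether the translation is right depends on check_proto having run for the same rule and on nothing having reset the pointer in between; the protocol is already known to the caller (the `proto` field of the ipt_ip/ip6t_ip entry), so pass it down as a parameter instead of keeping a global.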
@@ -150,8 +152,10 @@ check_proto(uint16_t pnum, uint8_t invflags) xtables_error(PARAMETER_PROBLEM, "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"); - if ((proto = proto_to_name(pnum)) != NULL) + if ((proto = proto_to_name(pnum)) != NULL){ + xlate_proto = proto; return proto; + } else if (!pnum) xtables_error(PARAMETER_PROBLEM, "multiport needs `-p tcp', `-p udp', `-p udplite', " 
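Review bot: check_proto now has a hidden side effect, storing into `xlate_proto`, that its name and its callers do not suggest, and the store only happens on the proto_to_name() success path while nothing ever clears the pointer, so a stale value from an earlier rule can survive into a later one; if the global stays at all, reset it at the top of the function. Style: `!= NULL){` needs a space before the brace, and the braces exist only because of the added assignment.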
@@ -468,6 +472,167 @@ static void multiport_save6_v1(const void *ip_void, __multiport_save_v1(match, ip->proto); } +static int multiport_xlate(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + bool have_multiple = false, have_invert = false; + + if(xlate_proto != NULL){ + if (multiinfo->count > 1) + have_multiple = true; + if (multiinfo->invert) + have_invert = true; + if (xlate_proto == NULL || (have_multiple && have_invert)) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl,"sport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl,"%s sport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? 
"," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + + return 1; +} + +static int multiport_xlate_v1(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + bool have_multiple = false, have_invert = false ; + + if(xlate_proto != NULL){ + if (multiinfo->count > 1) + have_multiple = true; + if (multiinfo->invert) + have_invert = true; + if (xlate_proto == NULL || (have_multiple && have_invert)) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl,"sport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl,"%s sport %s%s", xlate_proto, + (have_invert == true) ? 
"!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + + return 1; +} + static struct xtables_match multiport_mt_reg[] = { { .family = NFPROTO_IPV4, @@ -482,6 +647,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print, .save = multiport_save, .x6_options = multiport_opts, + .xlate = multiport_xlate, }, { .family = NFPROTO_IPV6, @@ -496,6 +662,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6, .save = multiport_save6, .x6_options = multiport_opts, + .xlate = multiport_xlate, }, { .family = NFPROTO_IPV4, @@ -510,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print_v1, .save = multiport_save_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate_v1, }, { .family = NFPROTO_IPV6, @@ -524,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6_v1, .save = multiport_save6_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate_v1, }, }; -- 1.9.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
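Review bot: multiport_xlate is registered for the revision 0 entries (the ones with `.print = multiport_print` / `.save = multiport_save`), yet it casts match->data to `struct xt_multiport_v1` and reads `multiinfo->invert`; revision 0 carries `struct xt_multiport`, which has only flags, count and ports, so that read is past the end of the revision 0 match payload. Use `struct xt_multiport` there and drop the invert handling. The `if (xlate_proto == NULL || ...)` nested inside `if(xlate_proto != NULL){` is dead, and when xlate_proto is NULL the function emits nothing but still returns 1, so the match silently vanishes from the translated rule; return 0 in that case so iptables-translate reports it. The SOURCE/DESTINATION cases and the dport half of EITHER emit a bare `sport`/`dport` without the `tcp`/`udp` prefix (compare the `%s sport` in the second half of EITHER), which is exactly why the commit message example comes out as `ip protocol tcp dport { 3-4 } tcp sport { 3-4 }`. The three cases, and the whole v0/v1 pair, repeat the same port-list loop; one helper taking the keyword and a ranges flag would cut this hunk to a third and keep the two revisions from drifting.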
* Re: [PATCH] libxt_multiport: Add translation to nft
From: Pablo Neira Ayuso @ 2016-03-09 12:32 UTC
To: FaTe; +Cc: netfilter-devel

On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
> Added translation for the match multiport.
>
> Example :
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
> counter accept
>
> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
> ACCEPT
> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>
> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>
> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
> -j ACCEPT
> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
> counter accept

This translation is not correct as it's been discussed in a different thread.
* Re: [PATCH] libxt_multiport: Add translation to nft
From: Piyush Pangtey @ 2016-03-09 14:37 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Wednesday 09 March 2016 06:02 PM, Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
>> Added translation for the match multiport.
>>
>> Example :
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
>> counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
>> ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>>
>> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
>> -j ACCEPT
>> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
>> counter accept
>
> This translation is not correct as it's been discussed in a different
> thread.
>

I am unable to find that thread :(. BTW, I'm sending v2 for multiport translation which works correctly.
* [PATCH v2] libxt_multiport: Add translation to nft
From: Piyush Pangtey @ 2016-03-09 14:39 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Added full translation for multiport.

Examples:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 } counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter accept

$ iptables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport { 11-18 } counter accept

$ ip6tables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport { 11-18 } counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
Corrected the translations, as suggested by Arturo Borrero González

 extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 170 insertions(+), 1 deletion(-)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..6358ffd 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -18,6 +18,8 @@ enum { F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS, }; +static const char *xlate_proto; + /* Function which prints out usage message. */ static void multiport_help(void) {
@@ -150,8 +152,10 @@ check_proto(uint16_t pnum, uint8_t invflags) xtables_error(PARAMETER_PROBLEM, "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"); - if ((proto = proto_to_name(pnum)) != NULL) + if ((proto = proto_to_name(pnum)) != NULL){ + xlate_proto = proto; return proto; + } else if (!pnum) xtables_error(PARAMETER_PROBLEM, "multiport needs `-p tcp', `-p udp', `-p udplite', " 
@@ -468,6 +472,167 @@ static void multiport_save6_v1(const void *ip_void, __multiport_save_v1(match, ip->proto); } +static int multiport_xlate(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + bool have_multiple = false, have_invert = false; + + if(xlate_proto != NULL){ + if (multiinfo->count > 1) + have_multiple = true; + if (multiinfo->invert) + have_invert = true; + if (xlate_proto == NULL || (have_multiple && have_invert)) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl,"sport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl,"dport %s%s", + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl,"%s sport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? 
"," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + } + break; + + + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + + return 1; +} + +static int multiport_xlate_v1(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + bool have_multiple = false, have_invert = false ; + + if(xlate_proto != NULL){ + if (multiinfo->count > 1) + have_multiple = true; + if (multiinfo->invert) + have_invert = true; + if (xlate_proto == NULL || (have_multiple && have_invert)) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl,"%s sport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl,"%s dport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl,"%s dport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? 
"," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl,"%s sport %s%s", xlate_proto, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + xt_xlate_add(xl, "%u", multiinfo->ports[i]); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl,"-%u", + multiinfo->ports[++i]); + } + } + break; + + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + + return 1; +} + static struct xtables_match multiport_mt_reg[] = { { .family = NFPROTO_IPV4, @@ -482,6 +647,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print, .save = multiport_save, .x6_options = multiport_opts, + .xlate = multiport_xlate, }, { .family = NFPROTO_IPV6, @@ -496,6 +662,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6, .save = multiport_save6, .x6_options = multiport_opts, + .xlate = multiport_xlate, }, { .family = NFPROTO_IPV4, @@ -510,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print_v1, .save = multiport_save_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate_v1, }, { .family = NFPROTO_IPV6, 
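Review bot: only multiport_xlate_v1 gained the `%s sport` / `%s dport` protocol prefix in this version; multiport_xlate (revision 0) still emits a bare `sport`/`dport` in its SOURCE and DESTINATION cases and for the dport half of EITHER, so revision 0 rules still translate to the form that was reported as incorrect. The revision 0 function also still casts match->data to `struct xt_multiport_v1` and reads `invert`, a field the revision 0 `struct xt_multiport` does not carry, and both functions still return 1 with nothing emitted when `xlate_proto` is NULL instead of failing the translation. Apart from the pflags range branch the two bodies are line-for-line identical; a shared helper with a ranges flag would remove some 70 duplicated lines and would have prevented exactly this kind of one-sided fix.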
@@ -524,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6_v1, .save = multiport_save6_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate_v1, }, };
-- 
1.9.1

On Wednesday 09 March 2016 06:02 PM, Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:28:29PM +0530, FaTe wrote:
>> Added translation for the match multiport.
>>
>> Example :
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
>> counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
>> ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp sport { 80,22,21 } counter accept
>>
>> $ iptables-translate -A INPUT -p tcp -m multiport --dports 1024:2048 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 1024-2048 } counter accept
>>
>> $ iptables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333
>> -j ACCEPT
>> nft add rule ip filter input ip protocol tcp dport { 1024-2048,2049-3333 }
>> counter accept
>
> This translation is not correct as it's been discussed in a different
> thread.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH v2] libxt_multiport: Add translation to nft
From: Pablo Neira Ayuso @ 2016-03-09 17:30 UTC
To: Piyush Pangtey; +Cc: netfilter-devel

On Wed, Mar 09, 2016 at 08:09:27PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport.
>
> Examples :
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 }
> counter accept
>
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter
> accept
>
> $ iptables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport {
> 11-18 } counter accept
>
> $ ip6tables-translate -A input -p dccp -m multiport --ports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport
> { 11-18 } counter accept
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> Corrected the translations, as suggested by Arturo Borrero González
>
>  extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 170 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..6358ffd 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -18,6 +18,8 @@ enum { > F_ANY = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS, > }; > > +static const char *xlate_proto;

I don't like this global variable trick. Please, use the ipt_ip and ip6t_ip information instead, which will now be available through this patch, so we pass information as a parameter to functions.

http://patchwork.ozlabs.org/patch/595128/

Thanks.
* [PATCH v3] libxt_multiport: Add translation to nft
From: Piyush Pangtey @ 2016-03-10 12:50 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Added full translation for multiport.

Examples:
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport { ssh - http } counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter accept

$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter accept

$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 } counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
Corrected the translations, as suggested by Arturo Borrero González
v3:
Removed static variable trick. Now utilizes ipt_ip and ip6t_ip, which are now passed to xlate, from the patch http://patchwork.ozlabs.org/patch/595128/

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
 extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 199 insertions(+)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..4dccc1b 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric) } static void +print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol, + int numeric) +{ + const char *service; + + if (numeric || (service = port_to_service(port, protocol)) == NULL) + xt_xlate_add(xl, "%u", port); + else + xt_xlate_add(xl, "%s", service); +} + +static void __multiport_print(const struct xt_entry_match *match, int numeric, uint16_t proto) { @@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void, __multiport_print(match, numeric, ip->proto); } +static void multiport_print_xlate(const struct xt_entry_match *match, + struct xt_xlate *xl, uint16_t proto, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + print_port_xlate(xl, multiinfo->ports[i], + proto, numeric); + } +} + static void multiport_print6(const void *ip_void, const struct xt_entry_match *match, int numeric) { @@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void, __multiport_print_v1(match, numeric, ip->proto); } +static void multiport_print_v1_xlate(const struct xt_entry_match *match, + struct xt_xlate *xl, uint16_t proto, + int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + unsigned int i; + for (i = 0; i < multiinfo->count; i++) { + xt_xlate_add(xl, "%s", i ? "," : ""); + print_port_xlate(xl, multiinfo->ports[i], proto, numeric); + if (multiinfo->pflags[i]) { + xt_xlate_add(xl, " - "); + print_port_xlate(xl, multiinfo->ports[++i], + proto, numeric); + } + } +} + static void multiport_print6_v1(const void *ip_void, const struct xt_entry_match *match, int numeric) { 
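Review bot: multiport_print_xlate is the helper the revision 0 path will call, but it declares `multiinfo` as `const struct xt_multiport_v1 *`; it only touches `count` and `ports`, which revision 0's `struct xt_multiport` has at the same offsets, so nothing breaks, but the cast should name the struct that is actually expected so the type documents it. It differs from multiport_print_v1_xlate only by the `pflags` range branch, so one function with a ranges parameter would do. The range is printed as `" - "` with spaces on both sides, giving `{ ssh - http }` / `{ 11 - 18 }` in the new examples, while nft itself prints ranges as `11-18` and the earlier versions of this patch used that form; emitting `-` with no padding keeps the translation identical to what `nft list ruleset` would show back.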
@@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void, __multiport_save_v1(match, ip->proto); } +static int __multiport_xlate(const struct xt_entry_match *match, + struct xt_xlate *xl, uint16_t protocol, int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + const char *proto_name; + bool have_multiple = false, have_invert = false ; + + if((proto_name = proto_to_name(protocol)) != NULL){ + if (multiinfo->count > 1) have_multiple = true; + if (multiinfo->invert) have_invert = true; + if (have_multiple && have_invert) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl, "%s sport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_xlate(match, xl, protocol, + numeric); + break; + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl, "%s dport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_xlate(match, xl, protocol, + numeric); + break; + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl, "%s dport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_xlate(match, xl, protocol, + numeric); + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl, "%s sport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? 
"{ " : ""); + multiport_print_xlate(match, xl, protocol, + numeric); + break; + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + return 1; +} + +static int __multiport_xlate_v1(const struct xt_entry_match *match, + struct xt_xlate *xl, uint16_t protocol, int numeric) +{ + const struct xt_multiport_v1 *multiinfo = + (const struct xt_multiport_v1 *)match->data; + const char *proto_name; + bool have_multiple = false, have_invert = false ; + + if((proto_name = proto_to_name(protocol)) != NULL){ + if (multiinfo->count > 1) have_multiple = true; + if (multiinfo->invert) have_invert = true; + if (have_multiple && have_invert) + return 0; + + switch (multiinfo->flags) { + case XT_MULTIPORT_SOURCE: + xt_xlate_add(xl, "%s sport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_v1_xlate(match, xl, protocol, + numeric); + break; + case XT_MULTIPORT_DESTINATION: + xt_xlate_add(xl, "%s dport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_v1_xlate(match, xl, protocol, + numeric); + break; + case XT_MULTIPORT_EITHER: + xt_xlate_add(xl, "%s dport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? "{ " : ""); + multiport_print_v1_xlate(match, xl, protocol, + numeric); + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + + xt_xlate_add(xl, "%s sport %s%s", proto_name, + (have_invert == true) ? "!= " : "", + (have_multiple == true) ? 
"{ " : ""); + multiport_print_v1_xlate(match, xl, protocol, + numeric); + break; + default: + return 0; + } + if (have_multiple) + xt_xlate_add(xl, " } "); + else + xt_xlate_add(xl, " "); + } + + return 1; +} + +static int multiport_xlate(const void *ip_void, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct ipt_ip *ip = ip_void; + return __multiport_xlate(match, xl, ip->proto, numeric); +} + +static int multiport_xlate6(const void *ip_void, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + + const struct ip6t_ip6 *ip = ip_void; + return __multiport_xlate(match, xl, ip->proto, numeric); +} + +static int multiport_xlate_v1(const void *ip_void, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + + const struct ipt_ip *ip = ip_void; + return __multiport_xlate_v1(match, xl, ip->proto, numeric); +} + +static int multiport_xlate6_v1(const void *ip_void, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + + const struct ip6t_ip6 *ip = ip_void; + return __multiport_xlate_v1(match, xl, ip->proto, numeric); +} + static struct xtables_match multiport_mt_reg[] = { { .family = NFPROTO_IPV4, @@ -482,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print, .save = multiport_save, .x6_options = multiport_opts, + .xlate = multiport_xlate, }, { .family = NFPROTO_IPV6, @@ -496,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6, .save = multiport_save6, .x6_options = multiport_opts, + .xlate = multiport_xlate6, }, { .family = NFPROTO_IPV4, @@ -510,6 +707,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print_v1, .save = multiport_save_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate_v1, }, { .family = NFPROTO_IPV6, 
@@ -524,6 +722,7 @@ static struct xtables_match multiport_mt_reg[] = { .print = multiport_print6_v1, .save = multiport_save6_v1, .x6_options = multiport_opts, + .xlate = multiport_xlate6_v1, }, }; -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 14+ messages in thread
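Review bot: In the @@ -318,6 +330,20 @@ hunk, `multiport_print_xlate` casts `match->data` to `struct xt_multiport_v1`, yet it is the helper called from `__multiport_xlate`, the revision-0 path behind `multiport_xlate` and `multiport_xlate6`, and the existing `__multiport_print` it mirrors reads the same data as `struct xt_multiport`. The loop only works because both structs start with `flags`, `count` and `ports[]`; use `struct xt_multiport` here so the revision-0 code does not rely on that shared prefix. A blank line between `unsigned int i;` and the `for` loop is also needed.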
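Review bot: In the @@ -468,6 +512,157 @@ hunk, `__multiport_xlate` (the revision-0 path) reads `multiinfo->invert` through a `struct xt_multiport_v1` cast, but revision-0 match data is a `struct xt_multiport`, which has no `invert` or `pflags` members, so that read goes past the revision-0 payload; use `struct xt_multiport` there and leave inversion to the revision-1 helper. Two further logic points: when `proto_to_name(protocol)` returns NULL the function adds nothing to `xl` but still returns 1, so the port match silently vanishes from the translated rule (return 0 instead, as the `default:` case does); and `XT_MULTIPORT_EITHER` (`--ports`) matches either the source or the destination port, whereas the emitted `dport { ... }` followed by `sport { ... }` requires both, so it should return 0 rather than translate into a stricter rule. Finally, `__multiport_xlate_v1` duplicates `__multiport_xlate` except for the print helper it calls; fold them into one helper that takes a revision argument, and write `have_invert ? "!= " : ""` instead of `(have_invert == true) ? ...`.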
* Re: [PATCH v3] libxt_multiport: Add translation to nft 2016-03-10 12:50 ` [PATCH v3] " Piyush Pangtey @ 2016-03-10 18:31 ` Pablo Neira Ayuso 0 siblings, 0 replies; 14+ messages in thread From: Pablo Neira Ayuso @ 2016-03-10 18:31 UTC (permalink / raw) To: Piyush Pangtey; +Cc: netfilter-devel
On Thu, Mar 10, 2016 at 06:20:48PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http } counter accept
>
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
> accept
>
> $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
> accept
>
> $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
> counter accept
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> Corrected the translations, as suggested by Arturo Borrero González
> v3:
> Removed static variable trick. Now utilizes ipt_ip and ip6t_ip which
> is now passed to xlate, from the patch
> http://patchwork.ozlabs.org/patch/595128/
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 199 insertions(+)
>
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..4dccc1b 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric) > } > > static void > +print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol, > + int numeric) > +{ > + const char *service; > + > + if (numeric || (service = port_to_service(port, protocol)) == NULL) > + xt_xlate_add(xl, "%u", port); > + else > + xt_xlate_add(xl, "%s", service); > +} > + > +static void > __multiport_print(const struct xt_entry_match *match, int numeric, > uint16_t proto) > { > @@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void, > __multiport_print(match, numeric, ip->proto); > } > > +static void multiport_print_xlate(const struct xt_entry_match *match, > + struct xt_xlate *xl, uint16_t proto, > + int numeric) > +{ > + const struct xt_multiport_v1 *multiinfo = > + (const struct xt_multiport_v1 *)match->data; > + unsigned int i; Missing line break here. > + for (i = 0; i < multiinfo->count; i++) { > + xt_xlate_add(xl, "%s", i ? "," : ""); > + print_port_xlate(xl, multiinfo->ports[i], > + proto, numeric); > + } > +} > + > static void multiport_print6(const void *ip_void, > const struct xt_entry_match *match, int numeric) > { 
> @@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void, > __multiport_print_v1(match, numeric, ip->proto); > } > > +static void multiport_print_v1_xlate(const struct xt_entry_match *match, > + struct xt_xlate *xl, uint16_t proto, > + int numeric) > +{ > + const struct xt_multiport_v1 *multiinfo = > + (const struct xt_multiport_v1 *)match->data; > + unsigned int i; Missing line break here to separate variable declaration and function body. > + for (i = 0; i < multiinfo->count; i++) { > + xt_xlate_add(xl, "%s", i ? "," : ""); > + print_port_xlate(xl, multiinfo->ports[i], proto, numeric); > + if (multiinfo->pflags[i]) { > + xt_xlate_add(xl, " - "); > + print_port_xlate(xl, multiinfo->ports[++i], > + proto, numeric); > + } > + } > +} > + > static void multiport_print6_v1(const void *ip_void, > const struct xt_entry_match *match, int numeric) > { > @@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void, > __multiport_save_v1(match, ip->proto); > } > > +static int __multiport_xlate(const struct xt_entry_match *match, > + struct xt_xlate *xl, uint16_t protocol, int numeric) > +{ > + const struct xt_multiport_v1 *multiinfo = > + (const struct xt_multiport_v1 *)match->data; > + const char *proto_name; > + bool have_multiple = false, have_invert = false ; ^ remove this space. > + > + if((proto_name = proto_to_name(protocol)) != NULL){ ^ ^ missing space after if. > + if (multiinfo->count > 1) have_multiple = true; if (multiinfo->count > 1) have_multiple = true; Please, review coding style and resubmit. Thanks.
* Regarding libxt_multiport translation in nft 2016-03-08 10:53 ` Pablo Neira Ayuso 2016-03-09 6:58 ` [PATCH] libxt_multiport: " FaTe 2016-03-09 7:05 ` FaTe 2016-03-09 10:06 ` Arturo Borrero Gonzalez 2016-03-09 7:12 ` [PATCH] libip6t_hbh: Add translation to nft FaTe 2 siblings, 1 reply; 14+ messages in thread From: FaTe @ 2016-03-09 7:05 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hello Pablo,

I would require some guidance regarding the libxt_multiport translation in nft.

If the translation is over ip4 family:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
                             ^^^^^^^^^^^
this causes a problem.
Similarly for ipv6:
$ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
                              ^^^^^^^^^^^^
this is causing a problem.

Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
And in the absence of both, the command works.

For example,
$ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept

$ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept

Any comment regarding this behaviour?
* Re: Regarding libxt_multiport translation in nft 2016-03-09 7:05 ` Regarding libxt_multiport translation in nft FaTe @ 2016-03-09 10:06 ` Arturo Borrero Gonzalez 2016-03-09 14:34 ` Piyush Pangtey 0 siblings, 1 reply; 14+ messages in thread From: Arturo Borrero Gonzalez @ 2016-03-09 10:06 UTC (permalink / raw) To: FaTe; +Cc: Pablo Neira Ayuso, Netfilter Development Mailing list
On 9 March 2016 at 08:05, FaTe <gokuvsvegita@gmail.com> wrote:
> Hello Pablo,
>
> I would require some guidance regarding the libxt_multiport translation in nft.
>
> If the translation is over ip4 family:
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>                              ^^^^^^^^^^^
> this causes a problem.
> Similarly for ipv6:
> $ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
> nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
>                               ^^^^^^^^^^^^
> this is causing a problem.
>
> Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
> And in the absence of both, the command works.
>
> For example,
> $ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>
> $ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
>
> Any comment regarding this behaviour?

They are different statements, rules should be something like:
* meta l4proto tcp tcp dport XX
* ip protocol tcp tcp dport XX

However, the two statements are redundant... the second implies the first.

-- 
Arturo Borrero González
* Re: Regarding libxt_multiport translation in nft 2016-03-09 10:06 ` Arturo Borrero Gonzalez @ 2016-03-09 14:34 ` Piyush Pangtey 0 siblings, 0 replies; 14+ messages in thread From: Piyush Pangtey @ 2016-03-09 14:34 UTC (permalink / raw) To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Wednesday 09 March 2016 03:36 PM, Arturo Borrero Gonzalez wrote:
> On 9 March 2016 at 08:05, FaTe <gokuvsvegita@gmail.com> wrote:
>> Hello Pablo,
>>
>> I would require some guidance regarding the libxt_multiport translation in nft.
>>
>> If the translation is over ip4 family:
>> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
>> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>>                              ^^^^^^^^^^^
>> this causes a problem.
>> Similarly for ipv6:
>> $ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
>> nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
>>                               ^^^^^^^^^^^^
>> this is causing a problem.
>>
>> Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
>> And in the absence of both, the command works.
>>
>> For example,
>> $ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>>
>> $ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
>>
>> Any comment regarding this behaviour?
>
> They are different statements, rules should be something like:
> * meta l4proto tcp tcp dport XX
> * ip protocol tcp tcp dport XX
>
> However, the two statements are redundant... the second implies the first.

Thanks Arturo! It works.
* [PATCH] libip6t_hbh: Add translation to nft 2016-03-08 10:53 ` Pablo Neira Ayuso 2016-03-09 6:58 ` [PATCH] libxt_multiport: " FaTe 2016-03-09 7:05 ` Regarding libxt_multiport translation in nft FaTe @ 2016-03-09 7:12 ` FaTe 2016-03-10 18:47 ` Pablo Neira Ayuso 2 siblings, 1 reply; 14+ messages in thread From: FaTe @ 2016-03-09 7:12 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel Added translation for hbh module . Note: Currently, --hbh-opts support dont exist in nftables . Example : $ ip6tables-translate -A INPUT -m hbh --hbh-len 40 nft add rule ip6 filter INPUT hbh hdrlength 40 counter $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 40 nft add rule ip6 filter INPUT hbh hdrlength != 40 counter Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com> --- extensions/libip6t_hbh.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c index c0389ed..98dcade 100644 --- a/extensions/libip6t_hbh.c +++ b/extensions/libip6t_hbh.c @@ -164,6 +164,27 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match) print_options(optinfo->optsnr, (uint16_t *)optinfo->opts); } +static int hbh_xlate(const struct xt_entry_match *match, struct xt_xlate *xl, + int numeric) +{ + const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data; + + if (optinfo->flags & IP6T_OPTS_LEN) { + xt_xlate_add(xl," hbh hdrlength %s %u", + (optinfo->invflags & IP6T_OPTS_INV_LEN) ? " !=" : + "", optinfo->hdrlen); + } else { + return 0; + } + + if (optinfo->flags & IP6T_OPTS_OPTS) + return 0; + + xt_xlate_add(xl, " "); + + return 1; + +} static struct xtables_match hbh_mt6_reg = { .name = "hbh", .version = XTABLES_VERSION, @@ -175,6 +196,7 @@ static struct xtables_match hbh_mt6_reg = { .save = hbh_save, .x6_parse = hbh_parse, .x6_options = hbh_opts, + .xlate = hbh_xlate, }; void -- 1.9.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
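Review bot: In the @@ -164,6 +164,27 @@ hunk, the format `" hbh hdrlength %s %u"` combined with `" !="` or `""` produces a doubled space in both branches (`hbh hdrlength  40` and `hbh hdrlength  != 40`), and the leading space is inconsistent with the other xlate callbacks in this thread, which start without one and add the trailing `" "` at the end; use `"hbh hdrlength %s%u"` with `"!= "` as the inverted marker to get the single-spaced output the commit message shows. The `IP6T_OPTS_OPTS` check also runs after text has already been added to `xl`; test it before emitting anything so an unsupported `--hbh-opts` rule returns 0 with an empty translation. Style: missing space after `xl,`, a stray blank line before the closing brace of `hbh_xlate`, and no blank line between `hbh_xlate` and `hbh_mt6_reg`.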
* Re: [PATCH] libip6t_hbh: Add translation to nft 2016-03-09 7:12 ` [PATCH] libip6t_hbh: Add translation to nft FaTe @ 2016-03-10 18:47 ` Pablo Neira Ayuso 0 siblings, 0 replies; 14+ messages in thread From: Pablo Neira Ayuso @ 2016-03-10 18:47 UTC (permalink / raw) To: FaTe; +Cc: netfilter-devel On Wed, Mar 09, 2016 at 12:42:45PM +0530, FaTe wrote: > Added translation for hbh module . > > Note: Currently, --hbh-opts support dont exist in nftables . > > Example : > $ ip6tables-translate -A INPUT -m hbh --hbh-len 40 > nft add rule ip6 filter INPUT hbh hdrlength 40 counter > > $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 40 > nft add rule ip6 filter INPUT hbh hdrlength != 40 counter > > Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com> > --- > extensions/libip6t_hbh.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c > index c0389ed..98dcade 100644 > --- a/extensions/libip6t_hbh.c > +++ b/extensions/libip6t_hbh.c > @@ -164,6 +164,27 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match) > print_options(optinfo->optsnr, (uint16_t *)optinfo->opts); > } > > +static int hbh_xlate(const struct xt_entry_match *match, struct xt_xlate *xl, > + int numeric) > +{ > + const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data; > + > + if (optinfo->flags & IP6T_OPTS_LEN) { > + xt_xlate_add(xl," hbh hdrlength %s %u", > + (optinfo->invflags & IP6T_OPTS_INV_LEN) ? " !=" : > + "", optinfo->hdrlen); I suggested Shivani you check how to translate: ip6tables -I INPUT -m hbh which seems to be value too. http://www.spinics.net/lists/netfilter-devel/msg41045.html So we make sure we provide a right translation for that too. ^ permalink raw reply [flat|nested] 14+ messages in thread