[PATCH v4] extensions: libxt_multiport: Add translation to nft

[PATCH v4] extensions: libxt_multiport: Add translation to nft

[Piyush Pangtey]

Added full translation for multiport

Examples :
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
{ ssh - http } counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
accept

$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
accept

$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
	Corrected the translations , as suggested by Arturo Borrero González

v3:
	Removed static variable trick. Now utilizes ipt_ip and ip6t_ip
	which is now passed to xlate ,from the patch
	http://patchwork.ozlabs.org/patch/595128/

v4:
	Corrected code as per coding style.

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
 extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 199 insertions(+)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..61b9917 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
 }
 
 static void
+print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
+		int numeric)
+{
+	const char *service;
+
+	if (numeric || (service = port_to_service(port, protocol)) == NULL)
+		xt_xlate_add(xl, "%u", port);
+	else
+		xt_xlate_add(xl, "%s", service);
+}
+
+static void
 __multiport_print(const struct xt_entry_match *match, int numeric,
                   uint16_t proto)
 {
@@ -318,6 +330,21 @@ static void multiport_print(const void *ip_void,
 	__multiport_print(match, numeric, ip->proto);
 }
 
+static void multiport_print_xlate(const struct xt_entry_match *match,
+				  struct xt_xlate *xl, uint16_t proto,
+				  int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i],
+				 proto, numeric);
+	}
+}
+
 static void multiport_print6(const void *ip_void,
                              const struct xt_entry_match *match, int numeric)
 {
@@ -372,6 +399,25 @@ static void multiport_print_v1(const void *ip_void,
 	__multiport_print_v1(match, numeric, ip->proto);
 }
 
+static void multiport_print_v1_xlate(const struct xt_entry_match *match,
+				     struct xt_xlate *xl, uint16_t proto,
+				     int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
+		if (multiinfo->pflags[i]) {
+			xt_xlate_add(xl, " - ");
+			print_port_xlate(xl, multiinfo->ports[++i],
+					 proto, numeric);
+		}
+	}
+}
+
 static void multiport_print6_v1(const void *ip_void,
                                 const struct xt_entry_match *match, int numeric)
 {
@@ -468,6 +514,155 @@ static void multiport_save6_v1(const void *ip_void,
 	__multiport_save_v1(match, ip->proto);
 }
 
+static int __multiport_xlate(const struct xt_entry_match *match,
+			    struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false;
+
+	if ((proto_name = proto_to_name(protocol)) != NULL) {
+		if (multiinfo->count > 1) have_multiple = true;
+		if (multiinfo->invert) have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int __multiport_xlate_v1(const struct xt_entry_match *match,
+			        struct xt_xlate *xl, uint16_t protocol,
+				int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false;
+
+	if ((proto_name = proto_to_name(protocol)) != NULL) {
+		if (multiinfo->count > 1)
+			have_multiple = true;
+		if (multiinfo->invert)
+			have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int multiport_xlate(const void *ip_void,
+			   const struct xt_entry_match *match,
+			   struct xt_xlate *xl, int numeric)
+{
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6(const void *ip_void,
+			    const struct xt_entry_match *match,
+			    struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate_v1(const void *ip_void,
+			      const struct xt_entry_match *match,
+			      struct xt_xlate *xl, int numeric)
+{
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6_v1(const void *ip_void,
+			       const struct xt_entry_match *match,
+			       struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
 static struct xtables_match multiport_mt_reg[] = {
 	{
 		.family        = NFPROTO_IPV4,
@@ -482,6 +677,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print,
 		.save          = multiport_save,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -496,6 +692,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6,
 		.save          = multiport_save6,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6,
 	},
 	{
 		.family        = NFPROTO_IPV4,
@@ -510,6 +707,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print_v1,
 		.save          = multiport_save_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate_v1,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -524,6 +722,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6_v1,
 		.save          = multiport_save6_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6_v1,
 	},
 };
 
-- 
1.9.1


-- 

With regards,
Piyush Pangtey <gokuvsvegita@gmail.com>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v4] extensions: libxt_multiport: Add translation to nft

[Piyush Pangtey]

Added full translation for multiport

Examples :
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
{ ssh - http } counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
accept

$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
accept

$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
	Corrected the translations , as suggested by Arturo Borrero González

v3:
	Removed static variable trick. Now utilizes ipt_ip and ip6t_ip
	which is now passed to xlate ,from the patch
	http://patchwork.ozlabs.org/patch/595128/

v4:
	Corrected code as per coding style.

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
 extensions/libxt_multiport.c | 201 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 201 insertions(+)

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..755d2a7 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
 }
 
 static void
+print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
+		 int numeric)
+{
+	const char *service;
+
+	if (numeric || (service = port_to_service(port, protocol)) == NULL)
+		xt_xlate_add(xl, "%u", port);
+	else
+		xt_xlate_add(xl, "%s", service);
+}
+
+static void
 __multiport_print(const struct xt_entry_match *match, int numeric,
                   uint16_t proto)
 {
@@ -318,6 +330,21 @@ static void multiport_print(const void *ip_void,
 	__multiport_print(match, numeric, ip->proto);
 }
 
+static void multiport_print_xlate(const struct xt_entry_match *match,
+				  struct xt_xlate *xl, uint16_t proto,
+				  int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i],
+				 proto, numeric);
+	}
+}
+
 static void multiport_print6(const void *ip_void,
                              const struct xt_entry_match *match, int numeric)
 {
@@ -372,6 +399,25 @@ static void multiport_print_v1(const void *ip_void,
 	__multiport_print_v1(match, numeric, ip->proto);
 }
 
+static void multiport_print_v1_xlate(const struct xt_entry_match *match,
+				     struct xt_xlate *xl, uint16_t proto,
+				     int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
+		if (multiinfo->pflags[i]) {
+			xt_xlate_add(xl, " - ");
+			print_port_xlate(xl, multiinfo->ports[++i],
+					 proto, numeric);
+		}
+	}
+}
+
 static void multiport_print6_v1(const void *ip_void,
                                 const struct xt_entry_match *match, int numeric)
 {
@@ -468,6 +514,157 @@ static void multiport_save6_v1(const void *ip_void,
 	__multiport_save_v1(match, ip->proto);
 }
 
+static int __multiport_xlate(const struct xt_entry_match *match,
+			    struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false;
+
+	if ((proto_name = proto_to_name(protocol)) != NULL) {
+		if (multiinfo->count > 1)
+			have_multiple = true;
+		if (multiinfo->invert)
+			have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol,
+					      numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int __multiport_xlate_v1(const struct xt_entry_match *match,
+			        struct xt_xlate *xl, uint16_t protocol,
+				int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false;
+
+	if ((proto_name = proto_to_name(protocol)) != NULL) {
+		if (multiinfo->count > 1)
+			have_multiple = true;
+		if (multiinfo->invert)
+			have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						 numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int multiport_xlate(const void *ip_void,
+			   const struct xt_entry_match *match,
+			   struct xt_xlate *xl, int numeric)
+{
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6(const void *ip_void,
+			    const struct xt_entry_match *match,
+			    struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate_v1(const void *ip_void,
+			      const struct xt_entry_match *match,
+			      struct xt_xlate *xl, int numeric)
+{
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6_v1(const void *ip_void,
+			       const struct xt_entry_match *match,
+			       struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
 static struct xtables_match multiport_mt_reg[] = {
 	{
 		.family        = NFPROTO_IPV4,
@@ -482,6 +679,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print,
 		.save          = multiport_save,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -496,6 +694,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6,
 		.save          = multiport_save6,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6,
 	},
 	{
 		.family        = NFPROTO_IPV4,
@@ -510,6 +709,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print_v1,
 		.save          = multiport_save_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate_v1,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -524,6 +724,7 @@ static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6_v1,
 		.save          = multiport_save6_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6_v1,
 	},
 };
 
-- 
1.9.1


-- 

With regards,
Piyush Pangtey <gokuvsvegita@gmail.com>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v4] extensions: libxt_multiport: Add translation to nft

[Pablo Neira Ayuso]

On Fri, Mar 11, 2016 at 05:06:04PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
> 
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http } counter accept

You can translate this as:

        nft add rule ip filter input ip protocol tcp tcp dport ssh-http ...

without the brackets.

The brackets have special semantics, they mean that the kernel will
use the set infrastructure to define the range. However, we don't need
a set for this small range since we support ranges natively.

Please, fix and resubmit, thanks.