[PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

[PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

[Pablo M. Bermudo Garay]

The comment_xlate function was not supporting this option that is
necessary in some situations.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---

Changes in v2:
  - Ensure that the comment string is null-terminated.

 extensions/libxt_comment.c | 11 ++++++++++-
 iptables/nft-ipv4.c        |  2 +-
 iptables/nft-ipv6.c        |  2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 0e31edd..b635d16 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -52,9 +52,18 @@ static int comment_xlate(struct xt_xlate *xl,
 			 const struct xt_xlate_mt_params *params)
 {
 	struct xt_comment_info *commentinfo = (void *)params->match->data;
+	char comment[XT_MAX_COMMENT_LEN];
 
 	commentinfo->comment[XT_MAX_COMMENT_LEN - 1] = '\0';
-	xt_xlate_add_comment(xl, commentinfo->comment);
+	if (params->escape_quotes)
+		snprintf(comment, XT_MAX_COMMENT_LEN, "\\\"%s\\\"",
+			 commentinfo->comment);
+	else
+		snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"",
+			 commentinfo->comment);
+
+	comment[XT_MAX_COMMENT_LEN - 1] = '\0';
+	xt_xlate_add_comment(xl, comment);
 
 	return 1;
 }
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 50706cb..295dd42 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -490,7 +490,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 
 	comment = xt_xlate_get_comment(xl);
 	if (comment)
-		xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+		xt_xlate_add(xl, "comment %s", comment);
 
 	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 8ca523c..8bebf6b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -439,7 +439,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 
 	comment = xt_xlate_get_comment(xl);
 	if (comment)
-		xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+		xt_xlate_add(xl, "comment %s", comment);
 
 	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
-- 
2.9.3

[PATCH iptables v2 2/2] xtables-translate-restore: do not escape quotes

[Pablo M. Bermudo Garay]

If quotes are escaped, nft -f is unable to parse and load the translated
ruleset.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---

Changes in v2:
  - Do not use strcmp against 'program_name' global, propagate 'bool restore'
    argument instead.

 iptables/nft-ipv4.c          |  6 +++---
 iptables/nft-ipv6.c          |  7 ++++---
 iptables/nft-shared.h        |  2 +-
 iptables/nft.h               |  5 +++--
 iptables/xtables-translate.c | 28 ++++++++++++++++++----------
 5 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 295dd42..362036c 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -438,7 +438,7 @@ static void nft_ipv4_save_counters(const void *data)
 	save_counters(cs->counters.pcnt, cs->counters.bcnt);
 }
 
-static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
+static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl, bool restore)
 {
 	const struct iptables_command_state *cs = data;
 	const char *comment;
@@ -481,7 +481,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 			   inet_ntoa(cs->fw.ip.dst));
 	}
 
-	ret = xlate_matches(cs, xl);
+	ret = xlate_matches(cs, xl, restore);
 	if (!ret)
 		return ret;
 
@@ -492,7 +492,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 	if (comment)
 		xt_xlate_add(xl, "comment %s", comment);
 
-	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
+	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl, restore);
 
 	return ret;
 }
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 8bebf6b..e24149e 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -398,7 +398,7 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
 	xt_xlate_add(xl, "%s %s%s ", selector, invert ? "!= " : "", addr_str);
 }
 
-static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
+static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl, bool restore)
 {
 	const struct iptables_command_state *cs = data;
 	const char *comment;
@@ -430,7 +430,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 	xlate_ipv6_addr("ip6 daddr", &cs->fw6.ipv6.dst,
 			cs->fw6.ipv6.invflags & IP6T_INV_DSTIP, xl);
 
-	ret = xlate_matches(cs, xl);
+	ret = xlate_matches(cs, xl, restore);
 	if (!ret)
 		return ret;
 
@@ -441,7 +441,8 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 	if (comment)
 		xt_xlate_add(xl, "comment %s", comment);
 
-	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
+	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl,
+				  restore);
 
 	return ret;
 }
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index c0948fd..489bad7 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -102,7 +102,7 @@ struct nft_family_ops {
 	void (*parse_target)(struct xtables_target *t, void *data);
 	bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
 			  void *data);
-	int (*xlate)(const void *data, struct xt_xlate *xl);
+	int (*xlate)(const void *data, struct xt_xlate *xl, bool restore);
 };
 
 void add_meta(struct nftnl_rule *r, uint32_t key);
diff --git a/iptables/nft.h b/iptables/nft.h
index 52f2136..641e347 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -163,9 +163,10 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t
 struct xt_buf;
 
 bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
-int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
+int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl,
+		  bool restore);
 int xlate_action(const struct iptables_command_state *cs, bool goto_set,
-		 struct xt_xlate *xl);
+		 struct xt_xlate *xl, bool restore);
 void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 		  bool invert);
 
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 3c577ed..94aebda 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -52,7 +52,7 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 }
 
 int xlate_action(const struct iptables_command_state *cs, bool goto_set,
-		 struct xt_xlate *xl)
+		 struct xt_xlate *xl, bool restore)
 {
 	int ret = 1, numeric = cs->options & OPT_NUMERIC;
 
@@ -72,6 +72,8 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
 				.numeric	= numeric,
 				.escape_quotes	= true,
 			};
+			if (restore)
+				params.escape_quotes = false;
 			ret = cs->target->xlate(xl, &params);
 		}
 		else
@@ -87,7 +89,8 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
 	return ret;
 }
 
-int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl)
+int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl,
+		  bool restore)
 {
 	struct xtables_rule_match *matchp;
 	int ret = 1, numeric = cs->options & OPT_NUMERIC;
@@ -100,6 +103,9 @@ int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl)
 			.escape_quotes	= true,
 		};
 
+		if (restore)
+			params.escape_quotes = false;
+
 		if (!matchp->match->xlate)
 			return 0;
 
@@ -134,7 +140,7 @@ const char *family2str[] = {
 static int nft_rule_xlate_add(struct nft_handle *h,
 			      const struct nft_xt_cmd_parse *p,
 			      const struct iptables_command_state *cs,
-			      bool append)
+			      bool append, bool restore)
 {
 	struct xt_xlate *xl = xt_xlate_alloc(10240);
 	int ret;
@@ -147,7 +153,7 @@ static int nft_rule_xlate_add(struct nft_handle *h,
 			   family2str[h->family], p->table, p->chain);
 	}
 
-	ret = h->ops->xlate(cs, xl);
+	ret = h->ops->xlate(cs, xl, restore);
 	if (ret)
 		printf("%s\n", xt_xlate_get(xl));
 
@@ -157,11 +163,11 @@ static int nft_rule_xlate_add(struct nft_handle *h,
 
 static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
 		 struct iptables_command_state *cs,
-		 struct xtables_args *args, bool append,
+		 struct xtables_args *args, bool append, bool restore,
 		 int (*cb)(struct nft_handle *h,
 			   const struct nft_xt_cmd_parse *p,
 			   const struct iptables_command_state *cs,
-			   bool append))
+			   bool append, bool restore))
 {
 	unsigned int i, j;
 	int ret = 1;
@@ -176,7 +182,7 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
 					args->d.addr.v4[j].s_addr;
 				cs->fw.ip.dmsk.s_addr =
 					args->d.mask.v4[j].s_addr;
-				ret = cb(h, p, cs, append);
+				ret = cb(h, p, cs, append, restore);
 			}
 			break;
 		case AF_INET6:
@@ -191,7 +197,7 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
 				memcpy(&cs->fw6.ipv6.dmsk,
 				       &args->d.mask.v6[j],
 				       sizeof(struct in6_addr));
-				ret = cb(h, p, cs, append);
+				ret = cb(h, p, cs, append, restore);
 			}
 			break;
 		}
@@ -232,7 +238,8 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 	switch (p.command) {
 	case CMD_APPEND:
 		ret = 1;
-		if (!xlate(h, &p, &cs, &args, true, nft_rule_xlate_add)) {
+		if (!xlate(h, &p, &cs, &args, true, restore,
+		    nft_rule_xlate_add)) {
 			print_ipt_cmd(argc, argv);
 		}
 		break;
@@ -246,7 +253,8 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 		break;
 	case CMD_INSERT:
 		ret = 1;
-		if (!xlate(h, &p, &cs, &args, false, nft_rule_xlate_add)) {
+		if (!xlate(h, &p, &cs, &args, false, restore,
+		    nft_rule_xlate_add)) {
 			print_ipt_cmd(argc, argv);
 		}
 		break;
-- 
2.9.3

Re: [PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

[Pablo Neira Ayuso]

On Mon, Aug 22, 2016 at 12:56:14PM +0200, Pablo M. Bermudo Garay wrote:
> The comment_xlate function was not supporting this option that is
> necessary in some situations.

Applied, thanks.

Re: [PATCH iptables v2 2/2] xtables-translate-restore: do not escape quotes

[Pablo Neira Ayuso]

On Mon, Aug 22, 2016 at 12:56:15PM +0200, Pablo M. Bermudo Garay wrote:
> If quotes are escaped, nft -f is unable to parse and load the translated
> ruleset.
> 
> Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
> ---
> 
> Changes in v2:
>   - Do not use strcmp against 'program_name' global, propagate 'bool restore'
>     argument instead.
> 
>  iptables/nft-ipv4.c          |  6 +++---
>  iptables/nft-ipv6.c          |  7 ++++---
>  iptables/nft-shared.h        |  2 +-
>  iptables/nft.h               |  5 +++--
>  iptables/xtables-translate.c | 28 ++++++++++++++++++----------
>  5 files changed, 29 insertions(+), 19 deletions(-)
> 
> diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
> index 295dd42..362036c 100644
> --- a/iptables/nft-ipv4.c
> +++ b/iptables/nft-ipv4.c
> @@ -438,7 +438,7 @@ static void nft_ipv4_save_counters(const void *data)
>  	save_counters(cs->counters.pcnt, cs->counters.bcnt);
>  }
>  
> -static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
> +static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl, bool restore)

You better place this 'restore' as a field in iptables_command_state?

This would require a bit of changes in iptables and ip6tables, but
that sounds reasonable to me.