[PATCH iptables] extensions: LOG: add log flags translation to nft

[PATCH iptables] extensions: LOG: add log flags translation to nft

[Liping Zhang]

From: Liping Zhang <zlpnobody@gmail.com>

For example:
 # iptables-translate -A OUTPUT -j LOG --log-uid
 nft add rule ip filter OUTPUT counter log flags skuid

 # iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
 --log-tcp-options
 nft add rule ip filter OUTPUT counter log flags tcp sequence,options

 # iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
 nft add rule ip filter OUTPUT counter log level debug flags skuid

 # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
 nft add rule ip6 filter OUTPUT counter log flags ip options flags ether

 # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
 --log-tcp-sequence --log-tcp-options --log-macdecode
 nft add rule ip6 filter OUTPUT counter log flags all

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
 extensions/libip6t_LOG.c | 30 ++++++++++++++++++++++++++----
 extensions/libipt_LOG.c  | 30 ++++++++++++++++++++++++++----
 2 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index af77b9a..40adc69 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
 		(const struct ip6t_log_info *)params->target->data;
 	unsigned int i = 0;
 
-	xt_xlate_add(xl, "log ");
+	xt_xlate_add(xl, "log");
 	if (strcmp(loginfo->prefix, "") != 0) {
 		if (params->escape_quotes)
-			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
 		else
-			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
 	}
 
 	for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
 		if (loginfo->level == ip6t_log_xlate_names[i].level &&
 		    loginfo->level != LOG_DEFAULT_LEVEL) {
-			xt_xlate_add(xl, "level %s",
+			xt_xlate_add(xl, " level %s",
 				   ip6t_log_xlate_names[i].name);
 			break;
 		}
 
+	if ((loginfo->logflags & IP6T_LOG_MASK) == IP6T_LOG_MASK) {
+		xt_xlate_add(xl, " flags all");
+	} else {
+		if (loginfo->logflags & (IP6T_LOG_TCPSEQ | IP6T_LOG_TCPOPT)) {
+			const char *delim = " ";
+
+			xt_xlate_add(xl, " flags tcp");
+			if (loginfo->logflags & IP6T_LOG_TCPSEQ) {
+				xt_xlate_add(xl, " sequence");
+				delim = ",";
+			}
+			if (loginfo->logflags & IP6T_LOG_TCPOPT)
+				xt_xlate_add(xl, "%soptions", delim);
+		}
+		if (loginfo->logflags & IP6T_LOG_IPOPT)
+			xt_xlate_add(xl, " flags ip options");
+		if (loginfo->logflags & IP6T_LOG_UID)
+			xt_xlate_add(xl, " flags skuid");
+		if (loginfo->logflags & IP6T_LOG_MACDECODE)
+			xt_xlate_add(xl, " flags ether");
+	}
+
 	return 1;
 }
 static struct xtables_target log_tg6_reg = {
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 2784d9b..36e2e73 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
 		(const struct ipt_log_info *)params->target->data;
 	unsigned int i = 0;
 
-	xt_xlate_add(xl, "log ");
+	xt_xlate_add(xl, "log");
 	if (strcmp(loginfo->prefix, "") != 0) {
 		if (params->escape_quotes)
-			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
 		else
-			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
 	}
 
 	for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
 		if (loginfo->level != LOG_DEFAULT_LEVEL &&
 		    loginfo->level == ipt_log_xlate_names[i].level) {
-			xt_xlate_add(xl, "level %s ",
+			xt_xlate_add(xl, " level %s",
 				   ipt_log_xlate_names[i].name);
 			break;
 		}
 
+	if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) {
+		xt_xlate_add(xl, " flags all");
+	} else {
+		if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) {
+			const char *delim = " ";
+
+			xt_xlate_add(xl, " flags tcp");
+			if (loginfo->logflags & IPT_LOG_TCPSEQ) {
+				xt_xlate_add(xl, " sequence");
+				delim = ",";
+			}
+			if (loginfo->logflags & IPT_LOG_TCPOPT)
+				xt_xlate_add(xl, "%soptions", delim);
+		}
+		if (loginfo->logflags & IPT_LOG_IPOPT)
+			xt_xlate_add(xl, " flags ip options");
+		if (loginfo->logflags & IPT_LOG_UID)
+			xt_xlate_add(xl, " flags skuid");
+		if (loginfo->logflags & IPT_LOG_MACDECODE)
+			xt_xlate_add(xl, " flags ether");
+	}
+
 	return 1;
 }
 static struct xtables_target log_tg_reg = {
-- 
2.5.5

Re: [PATCH iptables] extensions: LOG: add log flags translation to nft

[Pablo Neira Ayuso]

On Sun, Nov 27, 2016 at 08:08:29PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> For example:
>  # iptables-translate -A OUTPUT -j LOG --log-uid
>  nft add rule ip filter OUTPUT counter log flags skuid
> 
>  # iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
>  --log-tcp-options
>  nft add rule ip filter OUTPUT counter log flags tcp sequence,options
> 
>  # iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
>  nft add rule ip filter OUTPUT counter log level debug flags skuid
> 
>  # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
>  nft add rule ip6 filter OUTPUT counter log flags ip options flags ether
> 
>  # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
>  --log-tcp-sequence --log-tcp-options --log-macdecode
>  nft add rule ip6 filter OUTPUT counter log flags all

Applied, thanks Liping.