* [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names @ 2017-03-08 13:16 Pablo Neira Ayuso 2017-03-08 13:16 ` [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo() Pablo Neira Ayuso 2017-03-09 7:23 ` [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names Alexander Alemayhu 0 siblings, 2 replies; 5+ messages in thread From: Pablo Neira Ayuso @ 2017-03-08 13:16 UTC (permalink / raw) To: netfilter-devel; +Cc: alexander We have to print nft at the very beginning for each rule that rules from the expansion, otherwise the output is not correct: # iptables-translate -I INPUT -s yahoo.com nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter insert rule ip filter INPUT ip saddr 98.138.253.109 counter insert rule ip filter INPUT ip saddr 98.139.183.24 counter After this patch: # iptables-translate -I INPUT -s yahoo.com nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter Reported-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- iptables/xtables-translate.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 153bd6503c59..1e35b90d77a2 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -195,6 +195,8 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p, } break; } + if (!cs->restore) + printf("nft "); } return ret; -- 2.1.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
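Review bot: the new `printf("nft ");` sits at the end of the loop body, after the `break; }` that closes the switch and just before the loop's own closing `}`, so it runs once per iteration after that iteration's rule has already been written; the prefix for the first rule must therefore come from code outside this hunk, and on the last iteration the prefix is written with no rule following it, leaving a dangling `nft ` at the end of the output (the stray trailing `nft` Alexander reports downthread). Move the prefix to the top of the loop body, before the rule for that iteration is emitted, and drop the separate initial print, so every rule including the last gets exactly one `nft ` and nothing trails. The `!cs->restore` guard keeping restore-mode output unprefixed looks intended and should stay.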
* [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo() 2017-03-08 13:16 [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names Pablo Neira Ayuso @ 2017-03-08 13:16 ` Pablo Neira Ayuso 2017-03-08 13:56 ` Jan Engelhardt 2017-03-09 7:23 ` [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names Alexander Alemayhu 1 sibling, 1 reply; 5+ messages in thread From: Pablo Neira Ayuso @ 2017-03-08 13:16 UTC (permalink / raw) To: netfilter-devel; +Cc: alexander According to man getaddrinfo(3): If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses are returned in the list pointed to by res only if the local system has at least one IPv4 address configured, and IPv6 addresses are only returned if the local system has at least one IPv6 address configured. The loopback address is not considered for this case as valid as a configured address. This patch removes AI_CANONNAME since we don't need the ->ai_canonname field set in this code. hints.ai_family has been changed to AF_UNSPEC otherwise the AI_ADDRCONFIG flag is ignored. Originally reported as a problem for iptables-translate, but this also affects iptables and ip6tables. $ iptables-translate -A INPUT -s localhost -j ACCEPT gives duplicated rules: nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept Reported-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- libxtables/xtables.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index d43f97066ea9..aa0b1eb71c0c 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c 
@@ -1367,21 +1367,29 @@ static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr) unsigned int i; memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_family = AF_INET; + hints.ai_flags = AI_ADDRCONFIG; + hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_RAW; *naddr = 0; if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) { return NULL; } else { - for (p = res; p != NULL; p = p->ai_next) + for (p = res; p != NULL; p = p->ai_next) { + if (p->ai_family != AF_INET) + continue; + ++*naddr; + } addr = xtables_calloc(*naddr, sizeof(struct in_addr)); - for (i = 0, p = res; p != NULL; p = p->ai_next) + for (i = 0, p = res; p != NULL; p = p->ai_next) { + if (p->ai_family != AF_INET) + continue; + memcpy(&addr[i++], &((const struct sockaddr_in *)p->ai_addr)->sin_addr, sizeof(struct in_addr)); + } freeaddrinfo(res); return addr; } @@ -1657,8 +1665,8 @@ host_to_ip6addr(const char *name, unsigned int *naddr) unsigned int i; memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_family = AF_INET6; + hints.ai_flags = AI_ADDRCONFIG; + hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_RAW; *naddr = 0; @@ -1666,14 +1674,22 @@ host_to_ip6addr(const char *name, unsigned int *naddr) return NULL; } else { /* Find length of address chain */ - for (p = res; p != NULL; p = p->ai_next) + for (p = res; p != NULL; p = p->ai_next) { + if (p->ai_family != AF_INET6) + continue; + ++*naddr; + } /* Copy each element of the address chain */ addr = xtables_calloc(*naddr, sizeof(struct in6_addr)); - for (i = 0, p = res; p != NULL; p = p->ai_next) + for (i = 0, p = res; p != NULL; p = p->ai_next) { + if (p->ai_family != AF_INET6) + continue; + memcpy(&addr[i++], &((const struct sockaddr_in6 *)p->ai_addr)->sin6_addr, sizeof(struct in6_addr)); + } freeaddrinfo(res); return addr; } -- 2.1.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
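Review bot: with `hints.ai_family` now `AF_UNSPEC`, a name that resolves only to IPv6 records no longer makes `getaddrinfo()` fail; the counting loop then leaves `*naddr` at 0, the function still calls `xtables_calloc(*naddr, ...)` and returns that pointer, so a caller that checks for NULL to report an unresolvable host now gets a non-NULL zero-length result. Add `if (*naddr == 0) { freeaddrinfo(res); return NULL; }` after the counting loop. Separately, as Jan notes downthread, `AI_ADDRCONFIG` suppresses all A records on a host whose only IPv4 address is loopback (a pure bridge), so `-s <name>` stops resolving there; filtering duplicates while copying (compare each `sin_addr` against the entries already stored in `addr`) removes the duplicated `localhost` rule without that regression.

Review bot: same hint change as in `host_to_ipaddr()`, with the same consequence on the IPv6 side: per the getaddrinfo(3) text quoted in the commit message, a host with no IPv6 address other than loopback gets no AAAA results at all, so `ip6tables -s <name>` fails to resolve names that do have IPv6 records. If the hints are kept, say so in the commit message; otherwise prefer deduplicating results over changing the hints.

Review bot: as in the IPv4 hunk, when the chain has no `AF_INET6` entry `*naddr` stays 0 and the `xtables_calloc(0, ...)` result is returned instead of NULL; add the same zero-count early return after the counting loop. The count-then-copy pair is now identical to its IPv4 twin apart from the family, sockaddr type and element size, so a shared helper taking the family would keep the two in step; the comment `/* Find length of address chain */` no longer describes what the loop counts (only entries of one family) and should be updated.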
* Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()
From: Jan Engelhardt @ 2017-03-08 13:56 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, alexander

On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
>
> If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
> are returned in the list pointed to by res only if the local system has
> at least one IPv4 address configured, and IPv6 addresses are only
> returned if the local system has at least one IPv6 address configured.

But even if a system has no IPv4 address - think of a bridge -, you may
want to resolve an `iptables -A FORWARD -s ... ` request.

IMO the more proper approach is to filter duplicates instead of trying to
massage the hints structure.
* Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()
From: Pablo Neira Ayuso @ 2017-03-08 14:00 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, alexander

On Wed, Mar 08, 2017 at 02:56:24PM +0100, Jan Engelhardt wrote:
>
> On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
> >
> > If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
> > are returned in the list pointed to by res only if the local system has
> > at least one IPv4 address configured, and IPv6 addresses are only
> > returned if the local system has at least one IPv6 address configured.
>
> But even if a system has no IPv4 address - think of a bridge -, you may
> want to resolve an `iptables -A FORWARD -s ... ` request.

Right, the br_netfilter Frankenstein needs this. Will make a second shot
at this.
* Re: [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names
From: Alexander Alemayhu @ 2017-03-09 7:23 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Wed, Mar 08, 2017 at 02:16:09PM +0100, Pablo Neira Ayuso wrote:
> After this patch:
>
> # iptables-translate -I INPUT -s yahoo.com
> nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
> nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
> nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
>
The first run returns similar to above, but subsequent runs return one
extra nft printed at the end.

# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
# git ll
48ad179bfdfd (libxtables: abolish AI_CANONNAME, 2017-03-08)
# git ll c6df55d6ebbe6102ac5136ae38813bea42d8c782
c6df55d6ebbe (iptables-translate: print nft command for each expand rules via dns names, 2017-03-08)

Thanks.

--
Kind regards

Alexander Alemayhu