* [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names
From: Pablo Neira Ayuso @ 2017-03-08 13:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: alexander
We have to print nft at the very beginning for each rule that results from
the expansion, otherwise the output is not correct:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
insert rule ip filter INPUT ip saddr 98.139.183.24 counter
After this patch:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
iptables/xtables-translate.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 153bd6503c59..1e35b90d77a2 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -195,6 +195,8 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
}
break;
}
+ if (!cs->restore)
+ printf("nft ");
}
return ret;
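Review bot: the new printf("nft ") sits after the switch, at the end of the per-rule iteration, so it emits the prefix for the next rule whether or not one follows; after the last expanded address that leaves a dangling "nft" on its own line. Print the prefix at the top of the iteration, before the rule body is written, keeping the !cs->restore guard; the single leading "nft" that the pre-patch output shows then becomes redundant and can go.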
--
2.1.4
* [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()
From: Pablo Neira Ayuso @ 2017-03-08 13:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: alexander
According to man getaddrinfo(3):
If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
are returned in the list pointed to by res only if the local system has
at least one IPv4 address configured, and IPv6 addresses are only
returned if the local system has at least one IPv6 address configured.
The loopback address is not considered for this case as valid as a
configured address.
This patch removes AI_CANONNAME since we don't need the ->ai_canonname
field set in this code.
hints.ai_family has been changed to AF_UNSPEC otherwise the
AI_ADDRCONFIG flag is ignored.
Originally reported as a problem for iptables-translate, but this also
affects iptables and ip6tables.
$ iptables-translate -A INPUT -s localhost -j ACCEPT
gives duplicated rules:
nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
libxtables/xtables.c | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index d43f97066ea9..aa0b1eb71c0c 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1367,21 +1367,29 @@ static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
unsigned int i;
memset(&hints, 0, sizeof(hints));
- hints.ai_flags = AI_CANONNAME;
- hints.ai_family = AF_INET;
+ hints.ai_flags = AI_ADDRCONFIG;
+ hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_RAW;
*naddr = 0;
if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) {
return NULL;
} else {
- for (p = res; p != NULL; p = p->ai_next)
+ for (p = res; p != NULL; p = p->ai_next) {
+ if (p->ai_family != AF_INET)
+ continue;
+
++*naddr;
+ }
addr = xtables_calloc(*naddr, sizeof(struct in_addr));
- for (i = 0, p = res; p != NULL; p = p->ai_next)
+ for (i = 0, p = res; p != NULL; p = p->ai_next) {
+ if (p->ai_family != AF_INET)
+ continue;
+
memcpy(&addr[i++],
&((const struct sockaddr_in *)p->ai_addr)->sin_addr,
sizeof(struct in_addr));
+ }
freeaddrinfo(res);
return addr;
}
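Review bot: with ai_family now AF_UNSPEC the result chain may hold no AF_INET entry at all; the counting loop then leaves *naddr at 0 and the function still returns a zero-length xtables_calloc() buffer instead of NULL, so callers cannot tell "resolved to no IPv4 address" from a real answer. Add "if (*naddr == 0) { freeaddrinfo(res); return NULL; }" before the allocation. Separately, AI_ADDRCONFIG suppresses IPv4 answers entirely on a host with no configured non-loopback IPv4 address (the bridge case raised later in the thread), while the duplicated 127.0.0.1 entries this patch targets would be handled more directly by skipping an address that is already in addr[] while copying.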
@@ -1657,8 +1665,8 @@ host_to_ip6addr(const char *name, unsigned int *naddr)
unsigned int i;
memset(&hints, 0, sizeof(hints));
- hints.ai_flags = AI_CANONNAME;
- hints.ai_family = AF_INET6;
+ hints.ai_flags = AI_ADDRCONFIG;
+ hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_RAW;
*naddr = 0;
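Review bot: same hints change as in host_to_ipaddr(): per the manual text quoted in the commit message, AI_ADDRCONFIG makes getaddrinfo() return no IPv6 results on a host whose only IPv6 address is loopback, so "ip6tables -s <name>" stops resolving on an IPv4-only box even though the rule could still be loaded. If the hints stay this way, the commit message should spell out that behaviour change.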
@@ -1666,14 +1674,22 @@ host_to_ip6addr(const char *name, unsigned int *naddr)
return NULL;
} else {
/* Find length of address chain */
- for (p = res; p != NULL; p = p->ai_next)
+ for (p = res; p != NULL; p = p->ai_next) {
+ if (p->ai_family != AF_INET6)
+ continue;
+
++*naddr;
+ }
/* Copy each element of the address chain */
addr = xtables_calloc(*naddr, sizeof(struct in6_addr));
- for (i = 0, p = res; p != NULL; p = p->ai_next)
+ for (i = 0, p = res; p != NULL; p = p->ai_next) {
+ if (p->ai_family != AF_INET6)
+ continue;
+
memcpy(&addr[i++],
&((const struct sockaddr_in6 *)p->ai_addr)->sin6_addr,
sizeof(struct in6_addr));
+ }
freeaddrinfo(res);
return addr;
}
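Review bot: as in the IPv4 function, a chain containing only AF_INET entries leaves *naddr == 0 and the function returns an empty allocation rather than NULL; bail out before xtables_calloc(). The "/* Find length of address chain */" comment is now inaccurate, since the loop counts only AF_INET6 entries; update it, and consider factoring the count/copy loops duplicated between the two functions into one helper that takes the address family.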
--
2.1.4
* Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()
From: Jan Engelhardt @ 2017-03-08 13:56 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, alexander
On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
>
>If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
>are returned in the list pointed to by res only if the local system has
>at least one IPv4 address configured, and IPv6 addresses are only
>returned if the local system has at least one IPv6 address configured.
But even if a system has no IPv4 address - think of a bridge -, you may
want to resolve an `iptables -A FORWARD -s ... ` request.
IMO the more proper approach is to filter duplicates instead of trying to
massage the hints structure.
* Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()
From: Pablo Neira Ayuso @ 2017-03-08 14:00 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, alexander
On Wed, Mar 08, 2017 at 02:56:24PM +0100, Jan Engelhardt wrote:
>
> On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
> >
> >If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
> >are returned in the list pointed to by res only if the local system has
> >at least one IPv4 address configured, and IPv6 addresses are only
> >returned if the local system has at least one IPv6 address configured.
>
> But even if a system has no IPv4 address - think of a bridge -, you may
> want to resolve an `iptables -A FORWARD -s ... ` request.
Right, the br_netfilter Frankenstein needs this. Will make a second
shot at this.
* Re: [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names
From: Alexander Alemayhu @ 2017-03-09 7:23 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Wed, Mar 08, 2017 at 02:16:09PM +0100, Pablo Neira Ayuso wrote:
> After this patch:
>
> # iptables-translate -I INPUT -s yahoo.com
> nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
> nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
> nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
>
The first run returns similar to above, but subsequent runs return one
extra nft printed at the end.
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft
# git ll
48ad179bfdfd (libxtables: abolish AI_CANONNAME, 2017-03-08)
# git ll c6df55d6ebbe6102ac5136ae38813bea42d8c782
c6df55d6ebbe (iptables-translate: print nft command for each expand rules via dns names, 2017-03-08)
Thanks.
--
Kind regards
Alexander Alemayhu