* [iptables PATCH v3 1/2] extensions: libxt_conntrack: print xlate state as set
@ 2021-03-31 10:29 Alexander Mikhalitsyn
From: Alexander Mikhalitsyn @ 2021-03-31 10:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, fw
Currently, the state_xlate_print function prints the statemask
without { ... } around it. But if the ctstate condition is
negated, then we have to use { ... } after the "!=" operator.
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
...
It will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
extensions/libxt_conntrack.c | 18 +++++++++++++++---
extensions/libxt_conntrack.txlate | 5 ++++-
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509..fe964aa 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1148,9 +1148,16 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
state_print_state(sinfo->statemask);
}
-static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
+static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int afterinv)
{
const char *sep = "";
+ int as_set;
+
+ /* print as set only after inversion and if more than one flag is set */
+ as_set = afterinv && (statemask & (statemask - 1));
+
+ if (as_set)
+ xt_xlate_add(xl, "{ ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
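Review bot: the new `afterinv` parameter of `state_xlate_print()` is declared `int` but both callers pass the raw `sinfo->invert_flags & XT_CONNTRACK_STATE` bitmask into it; it is only ever tested for truthiness, so the behaviour is right, but naming it `inverted` (the name the companion patch uses in `status_xlate_print()`) and normalising the argument with `!!` at the call sites would make the contract explicit. The `as_set` test itself is correct for its purpose: `statemask & (statemask - 1)` is non-zero exactly when more than one flag is set, so a single inverted flag still prints as `!= new` with no braces.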
@@ -1172,6 +1179,9 @@ static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
xt_xlate_add(xl, "%s%s", sep, "untracked");
sep = ",";
}
+
+ if (as_set)
+ xt_xlate_add(xl, " }");
}
static int state_xlate(struct xt_xlate *xl,
@@ -1182,7 +1192,8 @@ static int state_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "ct state %s", sinfo->invert_flags & XT_CONNTRACK_STATE ?
"!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
xt_xlate_add(xl, " ");
return 1;
}
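Review bot: the `"!= "` operator is still emitted here in `state_xlate()` while the matching braces are now decided inside `state_xlate_print()`, so the two halves of the inverted syntax are produced in different functions; passing the invert flag down (as this hunk already does) and emitting the operator next to the `as_set` decision would keep them together and remove the need for the ternary in the caller. Independently, `sinfo->invert_flags & XT_CONNTRACK_STATE` narrows into an `int` parameter; `!!(...)` would state the boolean intent.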
@@ -1259,7 +1270,8 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "%sct state %s", space,
sinfo->invert_flags & XT_CONNTRACK_STATE ?
"!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
space = " ";
}
}
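Review bot: this hunk duplicates the `state_xlate()` change exactly (same `"!= "` ternary, same invert argument), which is a second place to keep in sync whenever the inverted syntax changes; a small static helper that takes `xl`, the state mask and the invert flag and emits `ct state` plus operator plus mask would serve both call sites.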
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index d374f8a..75b3daa 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,7 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
nft add rule ip filter INPUT ct state new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state != new,related counter accept
+nft add rule ip6 filter INPUT ct state != { new,related } counter accept
+
+ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
+nft add rule ip6 filter INPUT ct state != new counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct original protocol 17 counter accept
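Review bot: both new inverted cases are `ip6tables-translate ... -m conntrack` invocations, so only the `_conntrack3_mt_xlate()` call site changed in libxt_conntrack.c is exercised here; the `state_xlate()` call site changed in the same patch has no expected-output line. It would also be worth confirming that the literal `ct state != { new,related }` this version emits is accepted by `nft -f`, since the commit message's reproducer only shows the failing pre-patch output, not the set form loading successfully.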
--
1.8.3.1
* [iptables PATCH v3 2/2] extensions: libxt_conntrack: print xlate status as set
From: Alexander Mikhalitsyn @ 2021-03-31 10:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, fw
At the moment, the status_xlate_print function prints the statusmask as a comma-separated
sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
condition then we have to use a more complex expression (if more than one flag is enabled)
because nft does not support syntax like "ct status != expected,assured".
Examples:
! --ctstatus CONFIRMED,ASSURED
should be translated as
ct status & (assured|confirmed) == 0
! --ctstatus CONFIRMED
can be translated as
ct status != confirmed
See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference).
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...
It will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
extensions/libxt_conntrack.c | 28 +++++++++++++++++++---------
extensions/libxt_conntrack.txlate | 6 ++++++
2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index fe964aa..48e7415 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1198,26 +1198,37 @@ static int state_xlate(struct xt_xlate *xl,
return 1;
}
-static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
+static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statusmask & (statusmask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "!= ");
if (statusmask & IPS_EXPECTED) {
xt_xlate_add(xl, "%s%s", sep, "expected");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_SEEN_REPLY) {
xt_xlate_add(xl, "%s%s", sep, "seen-reply");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_ASSURED) {
xt_xlate_add(xl, "%s%s", sep, "assured");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_CONFIRMED) {
xt_xlate_add(xl, "%s%s", sep, "confirmed");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
}
static void addr_xlate_print(struct xt_xlate *xl,
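Review bot: the single-flag branch `else if (inverted) xt_xlate_add(xl, "!= ");` does not preserve the semantics of the match it translates: `! --ctstatus CONFIRMED` is true when the confirmed bit is clear, whereas `ct status != confirmed` compares the whole status bitmask against one value and is also true for a connection with confirmed and assured both set, so the translated rule matches connections the iptables rule did not. Dropping the `one_flag_set` special case and emitting `& (confirmed) == 0` for a single inverted flag too makes both cases one code path and keeps the bitwise meaning. Style: `sep = inverted && !one_flag_set ? "|" : ",";` is repeated in all four flag blocks; compute it once into a `const char *flag_sep` right after `one_flag_set` and assign `sep = flag_sep` in each block.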
@@ -1277,10 +1288,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
- xt_xlate_add(xl, "%sct status %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATUS ?
- "!= " : "");
- status_xlate_print(xl, sinfo->status_mask);
+ xt_xlate_add(xl, "%sct status ", space);
+ status_xlate_print(xl, sinfo->status_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATUS);
space = " ";
}
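Review bot: the caller now emits only `"%sct status "` and leaves the choice between no operator, `"!= "` and `"& ("` to `status_xlate_print()`, which is the right place for the decision, but the output shape is now split across two functions (prefix with trailing space here, operator and closing `") == 0"` in the callee); a one-line comment at this call site naming the three possible outputs would help the next reader. As in the first patch, `sinfo->invert_flags & XT_CONNTRACK_STATUS` narrows into `int inverted`, so `!!` would make the boolean intent explicit.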
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 75b3daa..3939d00 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -37,6 +37,12 @@ nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept
+iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status assured,confirmed counter accept
+
iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept
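Review bot: the unchanged expected line `nft add rule ip filter INPUT ct status != confirmed counter accept` just above the added cases pins down the single-flag `!=` translation that is not equivalent to `! --ctstatus CONFIRMED`; if the `"!= "` branch in `status_xlate_print()` is changed to the `& (confirmed) == 0` form, this expected output has to change with it. Note also that the new multi-flag expectation lists the flags in the emitter's fixed order (`assured|confirmed`) rather than the `CONFIRMED,ASSURED` option order, which is correct but easy to trip over because the .txlate comparison is a literal string match.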
--
1.8.3.1
* Re: [iptables PATCH v3 2/2] extensions: libxt_conntrack: print xlate status as set
From: Florian Westphal @ 2021-03-31 10:58 UTC (permalink / raw)
To: Alexander Mikhalitsyn; +Cc: netfilter-devel, pablo, fw
Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> At the moment, the status_xlate_print function prints the statusmask as a comma-separated
> sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
> condition then we have to use a more complex expression (if more than one flag is enabled)
> because nft does not support syntax like "ct status != expected,assured".
>
> Examples:
> ! --ctstatus CONFIRMED,ASSURED
> should be translated as
> ct status & (assured|confirmed) == 0
>
> ! --ctstatus CONFIRMED
> can be translated as
> ct status != confirmed
"! --ctstatus CONFIRMED" means 'true if CONFIRMED bit is not set'
But "ct status != confirmed" means 'true if ct status contains any value
except confirmed'.
Example: ct->status has confirmed and assured bits set.
Then:
"! --ctstatus CONFIRMED" won't match (the bit is set).
ct status != confirmed returns true (3 != 1)
ct (status & confirmed) == 0 won't match (the bit is set).
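To make the point of the reply concrete, here is an added example written for this thread; it is not code from iptables, nftables or either patch. It models the three predicates (the iptables `! --ctstatus` match, the nft `!=` comparison and the nft `& (...) == 0` test) over a four-flag status bitmask, and also the `mask & (mask - 1)` single-flag test both patches rely on. The `ST_*` values are constructed stand-ins for the kernel's `IPS_*` flags, and a status value is treated as a plain bitmask, as the reply does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed, hypothetical bit values standing in for the kernel's IPS_*
 * conntrack status flags. Only their distinctness matters for this model,
 * not the real numeric values. */
enum {
    ST_EXPECTED   = 1u << 0,
    ST_SEEN_REPLY = 1u << 1,
    ST_ASSURED    = 1u << 2,
    ST_CONFIRMED  = 1u << 3,
    ST_ALL        = (1u << 4) - 1
};

/* Single-flag test used by both patches: a power of two shares no bit with
 * (x - 1), so the AND is zero exactly when one flag is set. Zero is treated
 * as "not a single flag" here, which the patches' bare expression does not do. */
bool one_flag_set(unsigned int mask)
{
    return mask != 0 && (mask & (mask - 1)) == 0;
}

/* iptables "! --ctstatus <flags>": true when none of the requested bits is set. */
bool ipt_not_ctstatus(unsigned int status, unsigned int mask)
{
    return (status & mask) == 0;
}

/* nft "ct status != <value>": the whole bitmask compared against one value. */
bool nft_status_ne(unsigned int status, unsigned int value)
{
    return status != value;
}

/* nft "ct status & (<flags>) == 0": bitwise test, same shape as the iptables match. */
bool nft_status_and_zero(unsigned int status, unsigned int mask)
{
    return (status & mask) == 0;
}

/* Number of the 16 possible status values on which the "!=" translation of
 * "! --ctstatus mask" disagrees with iptables. Non-zero means the translated
 * rule enforces a different policy from the rule it was generated from. */
int count_ne_mismatches(unsigned int mask)
{
    int mismatches = 0;
    for (unsigned int status = 0; status <= ST_ALL; status++)
        if (ipt_not_ctstatus(status, mask) != nft_status_ne(status, mask))
            mismatches++;
    return mismatches;
}

/* Same count for the "& (...) == 0" translation; it is zero for every mask. */
int count_and_mismatches(unsigned int mask)
{
    int mismatches = 0;
    for (unsigned int status = 0; status <= ST_ALL; status++)
        if (ipt_not_ctstatus(status, mask) != nft_status_and_zero(status, mask))
            mismatches++;
    return mismatches;
}

int main(void)
{
    /* The reply's example: a connection with confirmed and assured both set. */
    unsigned int status = ST_CONFIRMED | ST_ASSURED;

    printf("one_flag_set(CONFIRMED) = %d, one_flag_set(CONFIRMED|ASSURED) = %d\n",
           one_flag_set(ST_CONFIRMED), one_flag_set(ST_CONFIRMED | ST_ASSURED));
    printf("! --ctstatus CONFIRMED        -> %d\n", ipt_not_ctstatus(status, ST_CONFIRMED));
    printf("ct status != confirmed        -> %d\n", nft_status_ne(status, ST_CONFIRMED));
    printf("ct status & (confirmed) == 0  -> %d\n", nft_status_and_zero(status, ST_CONFIRMED));
    printf("status values where != diverges: %d; where & (...) == 0 diverges: %d\n",
           count_ne_mismatches(ST_CONFIRMED), count_and_mismatches(ST_CONFIRMED));
    return 0;
}
```

Build with `cc -std=c11 -Wall` and run. For the mask `CONFIRMED` the `!=` translation disagrees with the iptables match on 7 of the 16 possible status values, every one of them a connection that has the confirmed bit set together with something else, so the translated rule would match (and, in the reproducer, drop or accept) connections the original rule did not; the `& (...) == 0` form disagrees on none, for a single flag as much as for several, which is why the reply recommends it for both cases.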
* Re: [iptables PATCH v3 1/2] extensions: libxt_conntrack: print xlate state as set
From: Florian Westphal @ 2021-03-31 11:01 UTC (permalink / raw)
To: Alexander Mikhalitsyn; +Cc: netfilter-devel, pablo, fw
Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> Currently, the state_xlate_print function prints the statemask
> without { ... } around it. But if the ctstate condition is
> negated, then we have to use { ... } after the "!=" operator.
>
> Reproducer:
> $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
> $ nft list ruleset
> ...
> meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
> ...
>
> It will fail if we try to load this rule:
> $ nft -f nft_test
> ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
I'd suggest to use the 'foo & 1' notation just like for patch 2, it
avoids the set lookup.
* Re: [iptables PATCH v3 2/2] extensions: libxt_conntrack: print xlate status as set
From: Alexander Mikhalitsyn @ 2021-03-31 13:05 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, pablo
On Wed, 31 Mar 2021 12:58:52 +0200
Florian Westphal <fw@strlen.de> wrote:
> Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:
> > At the moment, the status_xlate_print function prints the statusmask as a comma-separated
> > sequence of enabled statusmask flags. But if we have an inverted conntrack ctstatus
> > condition then we have to use a more complex expression (if more than one flag is enabled)
> > because nft does not support syntax like "ct status != expected,assured".
> >
> > Examples:
> > ! --ctstatus CONFIRMED,ASSURED
> > should be translated as
> > ct status & (assured|confirmed) == 0
> >
> > ! --ctstatus CONFIRMED
> > can be translated as
> > ct status != confirmed
>
> "! --ctstatus CONFIRMED" means 'true if CONFIRMED bit is not set'
> But "ct status != confirmed" means 'true if ct status contains any value
> except confirmed'.
>
> Example: ct->status has confirmed and assured bits set.
> Then:
> "! --ctstatus CONFIRMED" won't match (the bit is set).
> ct status != confirmed returns true (3 != 1)
> ct (status & confirmed) == 0 won't match (the bit is set).
>
Ah, sure. Fixed ;)
Alex.