From: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org, fw@strlen.de
Subject: [iptables PATCH v4 PATCH 1/2] extensions: libxt_conntrack: print xlate state as set
Date: Wed, 31 Mar 2021 16:02:36 +0300 [thread overview]
Message-ID: <20210331130237.860728-1-alexander.mikhalitsyn@virtuozzo.com> (raw)
Currently, state_xlate_print function prints statemask
without { ... } around. But if ctstate condition is
negative, then we have to use { ... } after "!=" operator
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
...
it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
extensions/libxt_conntrack.c | 38 +++++++++++++++++++++++++-------------
extensions/libxt_conntrack.txlate | 5 ++++-
2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509..91f9e4a 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1148,30 +1148,43 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
state_print_state(sinfo->statemask);
}
-static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
+static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statemask & (statemask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "& ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
xt_xlate_add(xl, "%s%s", sep, "new");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
xt_xlate_add(xl, "%s%s", sep, "related");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
xt_xlate_add(xl, "%s%s", sep, "established");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
xt_xlate_add(xl, "%s%s", sep, "untracked");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
+ else if (inverted)
+ xt_xlate_add(xl, " == 0");
}
static int state_xlate(struct xt_xlate *xl,
@@ -1180,9 +1193,9 @@ static int state_xlate(struct xt_xlate *xl,
const struct xt_conntrack_mtinfo3 *sinfo =
(const void *)params->match->data;
- xt_xlate_add(xl, "ct state %s", sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "ct state ");
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
xt_xlate_add(xl, " ");
return 1;
}
@@ -1256,10 +1269,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat");
space = " ";
} else {
- xt_xlate_add(xl, "%sct state %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "%sct state ", space);
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
space = " ";
}
}
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index d374f8a..5ab85b1 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,7 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
nft add rule ip filter INPUT ct state new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state != new,related counter accept
+nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+
+ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
+nft add rule ip6 filter INPUT ct state & new == 0 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct original protocol 17 counter accept
--
1.8.3.1
next reply other threads:[~2021-03-31 13:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-31 13:02 Alexander Mikhalitsyn [this message]
2021-03-31 13:02 ` [iptables PATCH v4 PATCH 2/2] extensions: libxt_conntrack: print xlate status as set Alexander Mikhalitsyn
2021-03-31 13:20 ` [iptables PATCH v5 PATCH 1/2] extensions: libxt_conntrack: print xlate state " Alexander Mikhalitsyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210331130237.860728-1-alexander.mikhalitsyn@virtuozzo.com \
--to=alexander.mikhalitsyn@virtuozzo.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).