Re: [iptables PATCH v5 PATCH 2/2] extensions: libxt_conntrack: print xlate status as set

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
To: alexander@mihalicyn.com
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH v5 PATCH 2/2] extensions: libxt_conntrack: print xlate status as set
Date: Fri, 2 Apr 2021 12:21:48 +0300	[thread overview]
Message-ID: <20210402122148.db99e8db81adeea8b92a0ebd@virtuozzo.com> (raw)
In-Reply-To: <20210401125144.30306-2-alexander.mikhalitsyn@virtuozzo.com>

On Thu,  1 Apr 2021 15:51:44 +0300
Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> wrote:

> At the moment, status_xlate_print function prints statusmask as comma-separated
> sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus
> condition then we have to use more complex expression (if more than one flag enabled)
> because nft not supports syntax like "ct status != expected,assured".
> 
> Examples:
> ! --ctstatus CONFIRMED,ASSURED
> should be translated as
> ct status & (assured|confirmed) == 0
> 
> ! --ctstatus CONFIRMED
> can be translated as
> ct status & confirmed == 0
> 
> See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference).
> 
> Reproducer:
> $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
> $ nft list ruleset
> ...
> meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
> ...
> 
> it will fail if we try to load this rule:
> $ nft -f nft_test
> ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
> 
> Cc: Florian Westphal <fw@strlen.de>
> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
> ---
>  extensions/libxt_conntrack.c      | 30 +++++++++++++++++++++---------
>  extensions/libxt_conntrack.txlate |  8 +++++++-
>  2 files changed, 28 insertions(+), 10 deletions(-)
> 
> diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
> index 91f9e4a..7f7b45e 100644
> --- a/extensions/libxt_conntrack.c
> +++ b/extensions/libxt_conntrack.c
> @@ -1200,26 +1200,39 @@ static int state_xlate(struct xt_xlate *xl,
>  	return 1;
>  }
>  
> -static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
> +static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
>  {
>  	const char *sep = "";
> +	int one_flag_set;
> +
> +	one_flag_set = !(statusmask & (statusmask - 1));
> +
> +	if (inverted && !one_flag_set)
> +		xt_xlate_add(xl, "& (");
> +	else if (inverted)
> +		xt_xlate_add(xl, "& ");
>  
>  	if (statusmask & IPS_EXPECTED) {
>  		xt_xlate_add(xl, "%s%s", sep, "expected");
> -		sep = ",";
> +		sep = inverted && !one_flag_set ? "|" : ",";
>  	}
>  	if (statusmask & IPS_SEEN_REPLY) {
>  		xt_xlate_add(xl, "%s%s", sep, "seen-reply");
> -		sep = ",";
> +		sep = inverted && !one_flag_set ? "|" : ",";
>  	}
>  	if (statusmask & IPS_ASSURED) {
>  		xt_xlate_add(xl, "%s%s", sep, "assured");
> -		sep = ",";
> +		sep = inverted && !one_flag_set ? "|" : ",";
>  	}
>  	if (statusmask & IPS_CONFIRMED) {
>  		xt_xlate_add(xl, "%s%s", sep, "confirmed");
> -		sep = ",";
> +		sep = inverted && !one_flag_set ? "|" : ",";
>  	}
> +
> +	if (inverted && !one_flag_set)
> +		xt_xlate_add(xl, ") == 0");
> +	else if (inverted)
> +		xt_xlate_add(xl, " == 0");
>  }
>  
>  static void addr_xlate_print(struct xt_xlate *xl,
> @@ -1277,10 +1290,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
>  	}
>  
>  	if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
> -		xt_xlate_add(xl, "%sct status %s", space,
> -			     sinfo->invert_flags & XT_CONNTRACK_STATUS ?
> -			     "!= " : "");
> -		status_xlate_print(xl, sinfo->status_mask);
> +		xt_xlate_add(xl, "%sct status ", space);
> +		status_xlate_print(xl, sinfo->status_mask,
> +				   sinfo->invert_flags & XT_CONNTRACK_STATUS);
>  		space = " ";
>  	}
>  
> diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
> index 5ab85b1..8cc7c50 100644
> --- a/extensions/libxt_conntrack.txlate
> +++ b/extensions/libxt_conntrack.txlate
> @@ -35,7 +35,13 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
>  nft add rule ip filter INPUT ct status expected counter accept
>  
>  iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
> -nft add rule ip filter INPUT ct status != confirmed counter accept
> +nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
> +
> +iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
> +nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
> +
> +iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
> +nft add rule ip filter INPUT ct status assured,confirmed counter accept
>  
>  iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
>  nft add rule ip filter INPUT ct expiration 3 counter accept
> -- 
> 1.8.3.1
> 


please, ignore that. I've re-send PATCH v5 series with correct subject.

     prev parent reply	other threads:[~2021-04-02  9:21 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-01 12:51 [iptables PATCH v5 PATCH 1/2] extensions: libxt_conntrack: print xlate state as set Alexander Mikhalitsyn
2021-04-01 12:51 ` [iptables PATCH v5 PATCH 2/2] extensions: libxt_conntrack: print xlate status " Alexander Mikhalitsyn
2021-04-02  9:21   ` Alexander Mikhalitsyn [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210402122148.db99e8db81adeea8b92a0ebd@virtuozzo.com \
    --to=alexander.mikhalitsyn@virtuozzo.com \
    --cc=alexander@mihalicyn.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).