* [iptables PATCH] xtables-translate: Leverage stored protocol names
@ 2024-02-29 17:08 Phil Sutter
2024-03-05 17:09 ` Phil Sutter
0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2024-02-29 17:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: matoro_bugzilla_netfilter
Align output of ip(6)tables-translate for --protocol arguments with that
of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The
latter will consult xtables_chain_protos list first to make sure (the
right) names are used for "common" protocol values and otherwise falls
back to getprotobynumber() which it replaces here.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1738
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/generic.txlate | 30 ++++++++++++++++++++++++++++++
iptables/nft-ipv4.c | 24 ++++++++++--------------
iptables/nft-ipv6.c | 25 ++++++++++---------------
iptables/xshared.c | 2 +-
iptables/xshared.h | 2 ++
5 files changed, 53 insertions(+), 30 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index b79239f1a0637..9ad1266dc623c 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -64,6 +64,36 @@ nft 'insert rule ip6 filter INPUT counter'
ip6tables-translate -I INPUT ! -s ::/0
nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter'
+iptables-translate -A FORWARD -p 132
+nft 'add rule ip filter FORWARD ip protocol sctp counter'
+
+ip6tables-translate -A FORWARD -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
+
+iptables-translate -A FORWARD ! -p 132
+nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+
+ip6tables-translate -A FORWARD ! -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+
+iptables-translate -A FORWARD -p 141
+nft 'add rule ip filter FORWARD ip protocol 141 counter'
+
+ip6tables-translate -A FORWARD -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+
+iptables-translate -A FORWARD ! -p 141
+nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+
+ip6tables-translate -A FORWARD ! -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+
+iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip filter FORWARD tcp dport 22 counter'
+
+ip6tables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip6 filter FORWARD tcp dport 22 counter'
+
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
nft 'insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter'
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 979880a3e7702..0ce8477f76c2a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -214,20 +214,16 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
}
if (cs->fw.ip.proto != 0) {
- const struct protoent *pent =
- getprotobynumber(cs->fw.ip.proto);
- char protonum[sizeof("65535")];
- const char *name = protonum;
-
- snprintf(protonum, sizeof(protonum), "%u",
- cs->fw.ip.proto);
-
- if (!pent || !xlate_find_match(cs, pent->p_name)) {
- if (pent)
- name = pent->p_name;
- xt_xlate_add(xl, "ip protocol %s%s ",
- cs->fw.ip.invflags & IPT_INV_PROTO ?
- "!= " : "", name);
+ const char *pname = proto_to_name(cs->fw.ip.proto, 0);
+
+ if (!pname || !xlate_find_match(cs, pname)) {
+ xt_xlate_add(xl, "ip protocol");
+ if (cs->fw.ip.invflags & IPT_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", cs->fw.ip.proto);
}
}
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index e4b1714d00c2f..c371ba8c938c7 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -193,22 +193,17 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
if (cs->fw6.ipv6.proto != 0) {
- const struct protoent *pent =
- getprotobynumber(cs->fw6.ipv6.proto);
- char protonum[sizeof("65535")];
- const char *name = protonum;
-
- snprintf(protonum, sizeof(protonum), "%u",
- cs->fw6.ipv6.proto);
-
- if (!pent || !xlate_find_match(cs, pent->p_name)) {
- if (pent)
- name = pent->p_name;
- xt_xlate_add(xl, "meta l4proto %s%s ",
- cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
- "!= " : "", name);
+ const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0);
+
+ if (!pname || !xlate_find_match(cs, pname)) {
+ xt_xlate_add(xl, "meta l4proto");
+ if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto);
}
-
}
xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index bff7d60ce1390..b998dd75aaf05 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -62,7 +62,7 @@ static void print_extension_helps(const struct xtables_target *t,
}
}
-static const char *
+const char *
proto_to_name(uint16_t proto, int nolookup)
{
unsigned int i;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 7d4035ec03e52..26c492ebee9ec 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -335,4 +335,6 @@ void iface_to_mask(const char *ifname, unsigned char *mask);
void xtables_clear_args(struct xtables_args *args);
+const char *proto_to_name(uint16_t proto, int nolookup);
+
#endif /* IPTABLES_XSHARED_H */
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-03-05 17:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-29 17:08 [iptables PATCH] xtables-translate: Leverage stored protocol names Phil Sutter
2024-03-05 17:09 ` Phil Sutter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).