
extensions: libxt_sctp: Add translation to nft

Message ID 20160301204056.GA18229@gmail.com
State Changes Requested

Commit Message

Shivani Bhardwaj March 1, 2016, 8:40 p.m. UTC
Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.

Examples:

$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop

$ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libxt_sctp.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

Comments

Pablo Neira Ayuso March 2, 2016, 11:48 a.m. UTC | #1
On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> Add translation for sctp to nftables.
> Full translation of this match awaits the support for --chunk-types
> option.

Please, keep this documented in the wiki too so we remember there is a
partial translation for this.

> Examples:
> 
> $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> nft add rule ip filter INPUT sctp dport 80 counter drop
> 
> $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Applied, thanks Shivani.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso March 2, 2016, 11:54 a.m. UTC | #2
On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> > Add translation for sctp to nftables.
> > Full translation of this match awaits the support for --chunk-types
> > option.
> 
> Please, keep this documented in the wiki too so we remember there is a
> partial translation for this.
> 
> > Examples:
> > 
> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> > nft add rule ip filter INPUT sctp dport 80 counter drop
> > 
> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
> 
> Applied, thanks Shivani.

Sorry, I have to keep this back.

This crazy thing seems to be valid:

        iptables -I INPUT -p sctp -m sctp

and this will be translated as:

        nft add rule filter INPUT ip protocol sctp sctp
Shivani Bhardwaj March 2, 2016, 2:14 p.m. UTC | #3
On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
>> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
>> > Add translation for sctp to nftables.
>> > Full translation of this match awaits the support for --chunk-types
>> > option.
>>
>> Please, keep this documented in the wiki too so we remember there is a
>> partial translation for this.
>>
>> > Examples:
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
>> > nft add rule ip filter INPUT sctp dport 80 counter drop
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
>> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
>>
>> Applied, thanks Shivani.
>
> Sorry, I have to keep this back.
>
> This crazy thing seems to be valid:
>
>         iptables -I INPUT -p sctp -m sctp
>
> and this will be translated as:
>
>         nft add rule filter INPUT ip protocol sctp sctp

dmesg shows me

x_tables: ip_tables: sctp match: only valid for protocol 132

which means the sctp match is valid for the sctp protocol. There should not be an
sctp match (correct me if I am wrong here); should this be on
bugzilla?
Jan Engelhardt March 2, 2016, 2:47 p.m. UTC | #4
On Wednesday 2016-03-02 15:14, Shivani Bhardwaj wrote:
>>
>> This crazy thing seems to be valid:
>>
>>         iptables -I INPUT -p sctp -m sctp

This is how all protocols are loaded. It can be readily seen
in an iptables-save dump. One tests the L3 header field, the other
loads the module for further options to do tests on L4 fields.

>>
>> and this will be translated as:
>>
>>         nft add rule filter INPUT ip protocol sctp sctp

That seems correct, does it not?
"sctp" is just a shorthand representation for "sctp port 1:65535".
Pablo Neira Ayuso March 2, 2016, 3:10 p.m. UTC | #5
On Wed, Mar 02, 2016 at 03:47:32PM +0100, Jan Engelhardt wrote:
> 
> On Wednesday 2016-03-02 15:14, Shivani Bhardwaj wrote:
> >>
> >> This crazy thing seems to be valid:
> >>
> >>         iptables -I INPUT -p sctp -m sctp
> 
> This is how all protocols are loaded. It can be readily seen
> in a iptables-save dump. One tests the L3 header field, the other
> loads the module for further options to do tests on L4 fields.
> 
> >>
> >> and this will be translated as:
> >>
> >>         nft add rule filter INPUT ip protocol sctp sctp
> 
> that seems correct, does it not?

That translation is not correct in nft:

# nft add rule filter INPUT ip protocol sctp sctp
<cmdline>:1:44-44: Error: syntax error, unexpected end of file,
expecting checksum or sport or dport or vtag
add rule filter INPUT ip protocol sctp sctp
Pablo Neira Ayuso March 2, 2016, 3:20 p.m. UTC | #6
On Wed, Mar 02, 2016 at 07:44:51PM +0530, Shivani Bhardwaj wrote:
> On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
> >> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> >> > Add translation for sctp to nftables.
> >> > Full translation of this match awaits the support for --chunk-types
> >> > option.
> >>
> >> Please, keep this documented in the wiki too so we remember there is a
> >> partial translation for this.
> >>
> >> > Examples:
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> >> > nft add rule ip filter INPUT sctp dport 80 counter drop
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> >> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
> >>
> >> Applied, thanks Shivani.
> >
> > Sorry, I have to keep this back.
> >
> > This crazy thing seems to be valid:
> >
> >         iptables -I INPUT -p sctp -m sctp
> >
> > and this will be translated as:
> >
> >         nft add rule filter INPUT ip protocol sctp sctp
> 
> dmesg shows me
> 
> x_tables: ip_tables: sctp match: only valid for protocol 132

This happens when:

        iptables -I INPUT -m sctp

> means sctp match is valid for sctp protocol. There should not be an
> sctp match (correct me if I am wrong here), should this be on
> bugzilla?

What I suggest is this:

        const struct xt_sctp_info *einfo =
               (const struct xt_sctp_info *)match->data;

        if (!einfo->flags) <------
                return 0;

        xt_xlate_add(xl, "sctp ");
        if (einfo->flags & XT_SCTP_SRC_PORTS) {

Just skip if there are no flags set.
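The guard Pablo suggests, modelled end to end as an added example (not code from the patch or from iptables): it reproduces the two translations from the commit message, returns 0 for the bare `-m sctp` case instead of emitting a dangling `sctp`, and, going one step beyond the thread, also refuses to translate when a --chunk-types constraint is set so that constraint is not silently dropped. The struct, buffer and helper names are assumptions of this model; the flag values mirror linux/netfilter/xt_sctp.h.

```c
/* Added example (not from the patch or from iptables): a self-contained model
 * of sctp_xlate with the no-flags guard suggested in the review.  Flag values
 * mirror linux/netfilter/xt_sctp.h; struct, buffer and helper names are
 * constructed for this model. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define XT_SCTP_SRC_PORTS   0x01
#define XT_SCTP_DEST_PORTS  0x02
#define XT_SCTP_CHUNK_TYPES 0x04	/* --chunk-types, no nft translation yet */

struct sctp_info {			/* constructed subset of xt_sctp_info */
	uint16_t spts[2], dpts[2];
	uint8_t flags, invflags;
};
struct xlate { char buf[128]; };	/* stand-in for struct xt_xlate */

static void xlate_add(struct xlate *xl, const char *s)
{
	strncat(xl->buf, s, sizeof(xl->buf) - strlen(xl->buf) - 1);
}

/* Emit "sport 80 ", "dport != 80-100 " etc., as the patch does inline. */
static void add_ports(struct xlate *xl, const char *name, int neg,
		      const uint16_t p[2])
{
	char tmp[48];
	if (p[0] != p[1])
		snprintf(tmp, sizeof tmp, "%s%s %u-%u ", name, neg ? " !=" : "",
			 (unsigned)p[0], (unsigned)p[1]);
	else
		snprintf(tmp, sizeof tmp, "%s%s %u ", name, neg ? " !=" : "",
			 (unsigned)p[0]);
	xlate_add(xl, tmp);
}

/* Returns 1 with xl filled when the match translates exactly, 0 when the
 * caller must not use it.  The flags==0 check is the review's guard: a bare
 * "-m sctp" would otherwise leave a dangling "sctp" that nft rejects.  The
 * chunk-types check is an added safeguard: silently dropping that constraint
 * would produce a broader rule than the original. */
static int sctp_xlate(const struct sctp_info *e, struct xlate *xl)
{
	xl->buf[0] = '\0';
	if (!e->flags || (e->flags & XT_SCTP_CHUNK_TYPES))
		return 0;
	xlate_add(xl, "sctp ");
	if (e->flags & XT_SCTP_SRC_PORTS)
		add_ports(xl, "sport", e->invflags & XT_SCTP_SRC_PORTS, e->spts);
	if (e->flags & XT_SCTP_DEST_PORTS)
		add_ports(xl, "dport", e->invflags & XT_SCTP_DEST_PORTS, e->dpts);
	return 1;
}
```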

Patch

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 56a4cdf..626e873 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -485,6 +485,39 @@  static void sctp_save(const void *ip, const struct xt_entry_match *match)
 	}
 }
 
+static int sctp_xlate(const struct xt_entry_match *match,
+		      struct xt_xlate *xl, int numeric)
+{
+	const struct xt_sctp_info *einfo =
+		(const struct xt_sctp_info *)match->data;
+
+	xt_xlate_add(xl, "sctp ");
+
+	if (einfo->flags & XT_SCTP_SRC_PORTS) {
+		if (einfo->spts[0] != einfo->spts[1])
+			xt_xlate_add(xl, "sport%s %u-%u ",
+				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+				     einfo->spts[0], einfo->spts[1]);
+		else
+			xt_xlate_add(xl, "sport%s %u ",
+				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+				     einfo->spts[0]);
+	}
+
+	if (einfo->flags & XT_SCTP_DEST_PORTS) {
+		if (einfo->dpts[0] != einfo->dpts[1])
+			xt_xlate_add(xl, "dport%s %u-%u ",
+				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+				     einfo->dpts[0], einfo->dpts[1]);
+		else
+			xt_xlate_add(xl, "dport%s %u ",
+				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+				     einfo->dpts[0]);
+	}
+
+	return 1;
+}
+
 static struct xtables_match sctp_match = {
 	.name		= "sctp",
 	.family		= NFPROTO_UNSPEC,
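Review bot: sctp_xlate calls xt_xlate_add(xl, "sctp ") before checking whether any flag is set, so a rule loaded as `-p sctp -m sctp` with no port option (the form an iptables-save dump produces) translates to `ip protocol sctp sctp`, which nft rejects with "expecting checksum or sport or dport or vtag"; add `if (!einfo->flags) return 0;` ahead of the xt_xlate_add, as suggested in the thread. The function also returns 1 when the match carries only a --chunk-types constraint, the part the commit message says is not translated yet, so that constraint is silently dropped from the emitted rule rather than reported as untranslatable; returning 0 in that case would keep the translation from being broader than the original rule.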
@@ -497,6 +530,7 @@  static struct xtables_match sctp_match = {
 	.print		= sctp_print,
 	.save		= sctp_save,
 	.extra_opts	= sctp_opts,
+	.xlate		= sctp_xlate,
 };
 
 void _init(void)