diff mbox

[v2] libxt_multiport: Add translation to nft

Message ID 56E0359F.7060308@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Piyush Pangtey March 9, 2016, 2:39 p.m. UTC 
Added full translation for multiport.

Examples :
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4  -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 }
counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter
accept

$ iptables-translate -A input -p dccp -m multiport --ports 11:18  -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport {
11-18 } counter accept

$ ip6tables-translate -A input -p dccp -m multiport --ports 11:18  -j ACCEPT
nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport
{ 11-18 } counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
	Corrected the translations , as suggested by Arturo Borrero González

 extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 170 insertions(+), 1 deletion(-)

Comments

Pablo Neira Ayuso March 9, 2016, 5:30 p.m. UTC | #1 
On Wed, Mar 09, 2016 at 08:09:27PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport.
> 
> Examples :
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4  -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp tcp dport { 3-4 } tcp sport { 3-4 }
> counter accept
> 
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11-18 } counter
> accept
> 
> $ iptables-translate -A input -p dccp -m multiport --ports 11:18  -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp dport { 11-18 } dccp sport {
> 11-18 } counter accept
> 
> $ ip6tables-translate -A input -p dccp -m multiport --ports 11:18  -j ACCEPT
> nft add rule ip6 filter input meta l4proto dccp dccp dport { 11-18 } dccp sport
> { 11-18 } counter accept
> 
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> 	Corrected the translations , as suggested by Arturo Borrero González
> 
>  extensions/libxt_multiport.c | 171 ++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 170 insertions(+), 1 deletion(-)
> 
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..6358ffd 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -18,6 +18,8 @@ enum {
>  	F_ANY          = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS,
>  };
>  
> +static const char *xlate_proto;

I don't like this global variable trick.

Please, use the ipt_ip and ip6t_ip information instead, which is will
be now available through this patch, so we pass information as
parameter to functions.

http://patchwork.ozlabs.org/patch/595128/

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..6358ffd 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -18,6 +18,8 @@  enum {
 	F_ANY          = F_SOURCE_PORTS | F_DEST_PORTS | F_SD_PORTS,
 };
 
+static const char *xlate_proto;
+
 /* Function which prints out usage message. */
 static void multiport_help(void)
 {
@@ -150,8 +152,10 @@  check_proto(uint16_t pnum, uint8_t invflags)
 		xtables_error(PARAMETER_PROBLEM,
 			   "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
 
-	if ((proto = proto_to_name(pnum)) != NULL)
+	if ((proto = proto_to_name(pnum)) != NULL){
+		xlate_proto = proto;
 		return proto;
+	}
 	else if (!pnum)
 		xtables_error(PARAMETER_PROBLEM,
 			   "multiport needs `-p tcp', `-p udp', `-p udplite', "
@@ -468,6 +472,167 @@  static void multiport_save6_v1(const void *ip_void,
 	__multiport_save_v1(match, ip->proto);
 }
 
+static int multiport_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
+		       int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+	bool have_multiple = false, have_invert = false;
+
+	if(xlate_proto != NULL){
+		if (multiinfo->count > 1)
+			have_multiple = true;
+		if (multiinfo->invert)
+			have_invert = true;
+		if (xlate_proto == NULL || (have_multiple && have_invert))
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl,"sport %s%s",
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+			}
+			break;
+
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl,"dport %s%s",
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+			}
+			break;
+
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl,"dport %s%s",
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+			}
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+
+			xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+			}
+			break;
+
+
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+
+	return 1;
+}
+
+static int multiport_xlate_v1(const struct xt_entry_match *match, struct xt_xlate *xl,
+		       int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+	bool have_multiple = false, have_invert = false ;
+
+	if(xlate_proto != NULL){
+		if (multiinfo->count > 1)
+			have_multiple = true;
+		if (multiinfo->invert)
+			have_invert = true;
+		if (xlate_proto == NULL || (have_multiple && have_invert))
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+		 	        if (multiinfo->pflags[i]) {
+				            xt_xlate_add(xl,"-%u",
+				            		multiinfo->ports[++i]);
+				}
+			}
+			break;
+
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl,"%s dport %s%s", xlate_proto,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+		 	        if (multiinfo->pflags[i]) {
+				            xt_xlate_add(xl,"-%u",
+				            		multiinfo->ports[++i]);
+				}
+			}
+			break;
+
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl,"%s dport %s%s", xlate_proto,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+		 	        if (multiinfo->pflags[i]) {
+				            xt_xlate_add(xl,"-%u",
+				            		multiinfo->ports[++i]);
+				}
+			}
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+
+			xt_xlate_add(xl,"%s sport %s%s", xlate_proto,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			for (i = 0; i < multiinfo->count; i++) {
+				xt_xlate_add(xl, "%s", i ? "," : "");
+				xt_xlate_add(xl, "%u", multiinfo->ports[i]);
+		 	        if (multiinfo->pflags[i]) {
+				            xt_xlate_add(xl,"-%u",
+				            		multiinfo->ports[++i]);
+				}
+			}
+			break;
+
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+
+	return 1;
+}
+
 static struct xtables_match multiport_mt_reg[] = {
 	{
 		.family        = NFPROTO_IPV4,
@@ -482,6 +647,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print,
 		.save          = multiport_save,
 		.x6_options    = multiport_opts,
+		.xlate	       = multiport_xlate,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -496,6 +662,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6,
 		.save          = multiport_save6,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate,
 	},
 	{
 		.family        = NFPROTO_IPV4,
@@ -510,6 +677,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print_v1,
 		.save          = multiport_save_v1,
 		.x6_options    = multiport_opts,
+		.xlate 	       = multiport_xlate_v1,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -524,6 +692,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6_v1,
 		.save          = multiport_save6_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate_v1,
 	},
 };