[v3] libxt_multiport: Add translation to nft

Message ID	56E16DA8.1060007@gmail.com
State	Changes Requested
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> Subject: [PATCH v3] libxt_multiport: Add translation to nft To: Pablo Neira Ayuso <pablo@netfilter.org> References: <20160307212141.GA10594@sonyv> <20160308105346.GB4008@salvia> <56DFC995.7090009@gmail.com> <20160309123238.GA30363@salvia> <56E0359F.7060308@gmail.com> <20160309173032.GA10722@salvia> Cc: netfilter-devel@vger.kernel.org From: Piyush Pangtey <gokuvsvegita@gmail.com> Message-ID: <56E16DA8.1060007@gmail.com> Date: Thu, 10 Mar 2016 18:20:48 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <20160309173032.GA10722@salvia> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

Message ID

56E16DA8.1060007@gmail.com

State

Changes Requested

Delegated to:

Pablo Neira

Headers

Subject: [PATCH v3] libxt_multiport: Add translation to nft
To: Pablo Neira Ayuso <pablo@netfilter.org>
References: <20160307212141.GA10594@sonyv> <20160308105346.GB4008@salvia>
	<56DFC995.7090009@gmail.com> <20160309123238.GA30363@salvia>
	<56E0359F.7060308@gmail.com> <20160309173032.GA10722@salvia>
Cc: netfilter-devel@vger.kernel.org
From: Piyush Pangtey <gokuvsvegita@gmail.com>
Message-ID: <56E16DA8.1060007@gmail.com>
Date: Thu, 10 Mar 2016 18:20:48 +0530
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <20160309173032.GA10722@salvia>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Piyush Pangtey March 10, 2016, 12:50 p.m. UTC

Added full translation for multiport

Examples :
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
{ ssh - http } counter accept

$ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
accept

$ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
accept

$ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
counter accept

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
v2:
	Corrected the translations , as suggested by Arturo Borrero González
v3:
	Removed static variable trick. Now utilizes ipt_ip and ip6t_ip which
	is now passed to xlate ,from the patch
	http://patchwork.ozlabs.org/patch/595128/

Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
---
 extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 199 insertions(+)

Comments

Pablo Neira Ayuso March 10, 2016, 6:31 p.m. UTC | #1

On Thu, Mar 10, 2016 at 06:20:48PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
> 
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http } counter accept
> 
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18  -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
> accept
> 
> $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
> accept
> 
> $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
> counter accept
> 
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
> v2:
> 	Corrected the translations , as suggested by Arturo Borrero González
> v3:
> 	Removed static variable trick. Now utilizes ipt_ip and ip6t_ip which
> 	is now passed to xlate ,from the patch
> 	http://patchwork.ozlabs.org/patch/595128/
> 
> Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com>
> ---
>  extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 199 insertions(+)
> 
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..4dccc1b 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
>  }
>  
>  static void
> +print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
> +		int numeric)
> +{
> +	const char *service;
> +
> +	if (numeric || (service = port_to_service(port, protocol)) == NULL)
> +		xt_xlate_add(xl, "%u", port);
> +	else
> +		xt_xlate_add(xl, "%s", service);
> +}
> +
> +static void
>  __multiport_print(const struct xt_entry_match *match, int numeric,
>                    uint16_t proto)
>  {
> @@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void,
>  	__multiport_print(match, numeric, ip->proto);
>  }
>  
> +static void multiport_print_xlate(const struct xt_entry_match *match,
> +				 struct xt_xlate *xl, uint16_t proto,
> +				 int numeric)
> +{
> +	const struct xt_multiport_v1 *multiinfo =
> +		(const struct xt_multiport_v1 *)match->data;
> +	unsigned int i;

Missing line break here.

> +	for (i = 0; i < multiinfo->count; i++) {
> +		xt_xlate_add(xl, "%s", i ? "," : "");
> +		print_port_xlate(xl, multiinfo->ports[i],
> +				proto, numeric);
> +	}
> +}
> +
>  static void multiport_print6(const void *ip_void,
>                               const struct xt_entry_match *match, int numeric)
>  {
> @@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void,
>  	__multiport_print_v1(match, numeric, ip->proto);
>  }
>  
> +static void multiport_print_v1_xlate(const struct xt_entry_match *match,
> +				    struct xt_xlate *xl, uint16_t proto,
> +				    int numeric)
> +{
> +	const struct xt_multiport_v1 *multiinfo =
> +		(const struct xt_multiport_v1 *)match->data;
> +	unsigned int i;

Missing line break here to separate variable declaration and function
body.

> +	for (i = 0; i < multiinfo->count; i++) {
> +		xt_xlate_add(xl, "%s", i ? "," : "");
> +		print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
> +		if (multiinfo->pflags[i]) {
> +			xt_xlate_add(xl, " - ");
> +			print_port_xlate(xl, multiinfo->ports[++i],
> +					proto, numeric);
> +		}
> +	}
> +}
> +
>  static void multiport_print6_v1(const void *ip_void,
>                                  const struct xt_entry_match *match, int numeric)
>  {
> @@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void,
>  	__multiport_save_v1(match, ip->proto);
>  }
>  
> +static int __multiport_xlate(const struct xt_entry_match *match,
> +			    struct xt_xlate *xl, uint16_t protocol, int numeric)
> +{
> +	const struct xt_multiport_v1 *multiinfo =
> +		(const struct xt_multiport_v1 *)match->data;
> +	const char *proto_name;
> +	bool have_multiple = false, have_invert = false ;
                                                       ^
remove this space.

> +
> +	if((proto_name = proto_to_name(protocol)) != NULL){
          ^                                               ^

missing space after if.

> +		if (multiinfo->count > 1) have_multiple = true;

                if (multiinfo->count > 1)
                        have_multiple = true;

Please, review coding style and resubmit. Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..4dccc1b 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -278,6 +278,18 @@  print_port(uint16_t port, uint8_t protocol, int numeric)
 }
 
 static void
+print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
+		int numeric)
+{
+	const char *service;
+
+	if (numeric || (service = port_to_service(port, protocol)) == NULL)
+		xt_xlate_add(xl, "%u", port);
+	else
+		xt_xlate_add(xl, "%s", service);
+}
+
+static void
 __multiport_print(const struct xt_entry_match *match, int numeric,
                   uint16_t proto)
 {
@@ -318,6 +330,20 @@  static void multiport_print(const void *ip_void,
 	__multiport_print(match, numeric, ip->proto);
 }
 
+static void multiport_print_xlate(const struct xt_entry_match *match,
+				 struct xt_xlate *xl, uint16_t proto,
+				 int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i],
+				proto, numeric);
+	}
+}
+
 static void multiport_print6(const void *ip_void,
                              const struct xt_entry_match *match, int numeric)
 {
@@ -372,6 +398,24 @@  static void multiport_print_v1(const void *ip_void,
 	__multiport_print_v1(match, numeric, ip->proto);
 }
 
+static void multiport_print_v1_xlate(const struct xt_entry_match *match,
+				    struct xt_xlate *xl, uint16_t proto,
+				    int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	unsigned int i;
+	for (i = 0; i < multiinfo->count; i++) {
+		xt_xlate_add(xl, "%s", i ? "," : "");
+		print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
+		if (multiinfo->pflags[i]) {
+			xt_xlate_add(xl, " - ");
+			print_port_xlate(xl, multiinfo->ports[++i],
+					proto, numeric);
+		}
+	}
+}
+
 static void multiport_print6_v1(const void *ip_void,
                                 const struct xt_entry_match *match, int numeric)
 {
@@ -468,6 +512,157 @@  static void multiport_save6_v1(const void *ip_void,
 	__multiport_save_v1(match, ip->proto);
 }
 
+static int __multiport_xlate(const struct xt_entry_match *match,
+			    struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false ;
+
+	if((proto_name = proto_to_name(protocol)) != NULL){
+		if (multiinfo->count > 1) have_multiple = true;
+		if (multiinfo->invert) have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol, 
+					     numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol, 
+					     numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol, 
+					     numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_xlate(match, xl, protocol, 
+					     numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int __multiport_xlate_v1(const struct xt_entry_match *match,
+			    struct xt_xlate *xl, uint16_t protocol, int numeric)
+{
+	const struct xt_multiport_v1 *multiinfo =
+		(const struct xt_multiport_v1 *)match->data;
+	const char *proto_name;
+	bool have_multiple = false, have_invert = false ;
+
+	if((proto_name = proto_to_name(protocol)) != NULL){
+		if (multiinfo->count > 1) have_multiple = true;
+		if (multiinfo->invert) have_invert = true;
+		if (have_multiple && have_invert)
+			return 0;
+
+		switch (multiinfo->flags) {
+		case XT_MULTIPORT_SOURCE:
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						numeric);
+			break;
+		case XT_MULTIPORT_DESTINATION:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						numeric);
+			break;
+		case XT_MULTIPORT_EITHER:
+			xt_xlate_add(xl, "%s dport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						numeric);
+			if (have_multiple)
+				xt_xlate_add(xl, " } ");
+			else
+				xt_xlate_add(xl, " ");
+
+			xt_xlate_add(xl, "%s sport %s%s", proto_name,
+				    (have_invert == true) ? "!= " : "",
+				    (have_multiple == true) ? "{ " : "");
+			multiport_print_v1_xlate(match, xl, protocol,
+						numeric);
+			break;
+		default:
+			return 0;
+		}
+		if (have_multiple)
+			xt_xlate_add(xl, " } ");
+		else
+			xt_xlate_add(xl, " ");
+	}
+
+	return 1;
+}
+
+static int multiport_xlate(const void *ip_void,
+			  const struct xt_entry_match *match,
+			  struct xt_xlate *xl, int numeric)
+{
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6(const void *ip_void,
+			  const struct xt_entry_match *match,
+			  struct xt_xlate *xl, int numeric)
+{
+
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate_v1(const void *ip_void,
+			     const struct xt_entry_match *match,
+			     struct xt_xlate *xl, int numeric)
+{
+
+	const struct ipt_ip *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
+static int multiport_xlate6_v1(const void *ip_void,
+			      const struct xt_entry_match *match,
+			      struct xt_xlate *xl, int numeric)
+{
+
+	const struct ip6t_ip6 *ip = ip_void;
+	return __multiport_xlate_v1(match, xl, ip->proto, numeric);
+}
+
 static struct xtables_match multiport_mt_reg[] = {
 	{
 		.family        = NFPROTO_IPV4,
@@ -482,6 +677,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print,
 		.save          = multiport_save,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -496,6 +692,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6,
 		.save          = multiport_save6,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6,
 	},
 	{
 		.family        = NFPROTO_IPV4,
@@ -510,6 +707,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print_v1,
 		.save          = multiport_save_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate_v1,
 	},
 	{
 		.family        = NFPROTO_IPV6,
@@ -524,6 +722,7 @@  static struct xtables_match multiport_mt_reg[] = {
 		.print         = multiport_print6_v1,
 		.save          = multiport_save6_v1,
 		.x6_options    = multiport_opts,
+		.xlate         = multiport_xlate6_v1,
 	},
 };

[v3] libxt_multiport: Add translation to nft

Commit Message

Comments

Patch