From patchwork Mon Jun 20 15:16:18 2016
X-Patchwork-Submitter: nevola
X-Patchwork-Id: 638062
X-Patchwork-Delegate: pablo@netfilter.org
Date: Mon, 20 Jun 2016 17:16:18 +0200
From: Laura Garcia Liebana
To: netfilter-devel@vger.kernel.org
Subject: [PATCHv2] extensions: libxt_conntrack: Add translation to nft
Message-ID: <20160620151614.GA23386@sonyv>

Add translation of conntrack to nftables.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT
nft add rule ip filter INPUT ct state new,related counter accept

$ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
nft add rule ip6 filter INPUT ct state != new,related counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct proto != 17 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT
nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT
nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept

$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT
nft add rule ip filter INPUT ct direction original counter accept

Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- A list of states is valid without creating a set.

 extensions/libxt_conntrack.c | 197 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 197 insertions(+)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 310a468..2242489 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1194,6 +1194,201 @@ static int state_xlate(const void *ip, const struct xt_entry_match *match, return 1; } +static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) +{ + const char *sep = ""; + + if (statusmask & IPS_EXPECTED) { + xt_xlate_add(xl, "%s%s", sep, "expected"); + sep = ","; + } + if (statusmask & IPS_SEEN_REPLY) { + xt_xlate_add(xl, "%s%s", sep, "seen-reply"); + sep = ","; + } + if (statusmask & IPS_ASSURED) { + xt_xlate_add(xl, "%s%s", sep, "assured"); + sep = ","; + } + if (statusmask & IPS_CONFIRMED) { + xt_xlate_add(xl, "%s%s", sep, "confirmed"); + sep = ","; + } +} + +static void addr_xlate_print(struct xt_xlate *xl, + const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family) +{ + if (family == NFPROTO_IPV4) { + xt_xlate_add(xl, "%s%s", xtables_ipaddr_to_numeric(&addr->in), + xtables_ipmask_to_numeric(&mask->in)); + } else if (family == NFPROTO_IPV6) { + xt_xlate_add(xl, "%s%s", xtables_ip6addr_to_numeric(&addr->in6), + xtables_ip6mask_to_numeric(&mask->in6)); + } +} + +static int _conntrack3_mt_xlate(const void *ip, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric, + int family) +{ + const struct xt_conntrack_mtinfo3 *sinfo = (const void *)match->data; + + if (sinfo->match_flags & XT_CONNTRACK_DIRECTION) + xt_xlate_add(xl, "ct direction %s ", + sinfo->invert_flags & XT_CONNTRACK_DIRECTION ? + "reply" : "original"); + + if (sinfo->match_flags & XT_CONNTRACK_PROTO) + xt_xlate_add(xl, "ct %s protocol %s%u ", + sinfo->invert_flags & XT_CONNTRACK_DIRECTION ? + "reply" : "original", + sinfo->invert_flags & XT_CONNTRACK_PROTO ? + "!= " : "", + sinfo->l4proto); + + if (sinfo->match_flags & XT_CONNTRACK_STATE) { + xt_xlate_add(xl, "ct state %s", + sinfo->invert_flags & XT_CONNTRACK_STATE ? 
+ "!= " : ""); + state_xlate_print(xl, sinfo->state_mask); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_STATUS) { + if (sinfo->status_mask == 1) + return 0; + xt_xlate_add(xl, "ct status %s", + sinfo->invert_flags & XT_CONNTRACK_STATUS ? + "!= " : ""); + status_xlate_print(xl, sinfo->status_mask); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_EXPIRES) { + xt_xlate_add(xl, "ct expiration %s", + sinfo->invert_flags & XT_CONNTRACK_EXPIRES ? + "!= " : ""); + if (sinfo->expires_max == sinfo->expires_min) + xt_xlate_add(xl, "%lu", sinfo->expires_min); + else + xt_xlate_add(xl, "%lu-%lu", sinfo->expires_min, + sinfo->expires_max); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC) { + if (&sinfo->origsrc_addr == 0L) + return 0; + + xt_xlate_add(xl, "ct original saddr %s", + sinfo->invert_flags & XT_CONNTRACK_ORIGSRC ? + "!= " : ""); + addr_xlate_print(xl, &sinfo->origsrc_addr, + &sinfo->origsrc_mask, family); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_ORIGDST) { + if (&sinfo->origdst_addr == 0L) + return 0; + + xt_xlate_add(xl, "ct original daddr %s", + sinfo->invert_flags & XT_CONNTRACK_ORIGDST ? + "!= " : ""); + addr_xlate_print(xl, &sinfo->origdst_addr, + &sinfo->origdst_mask, family); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_REPLSRC) { + if (&sinfo->replsrc_addr == 0L) + return 0; + + xt_xlate_add(xl, "ct reply saddr %s", + sinfo->invert_flags & XT_CONNTRACK_REPLSRC ? + "!= " : ""); + addr_xlate_print(xl, &sinfo->replsrc_addr, + &sinfo->replsrc_mask, family); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_REPLDST) { + if (&sinfo->repldst_addr == 0L) + return 0; + + xt_xlate_add(xl, "ct reply daddr %s", + sinfo->invert_flags & XT_CONNTRACK_REPLDST ? 
+ "!= " : ""); + addr_xlate_print(xl, &sinfo->repldst_addr, + &sinfo->repldst_mask, family); + xt_xlate_add(xl, " "); + } + + if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC_PORT) { + xt_xlate_add(xl, "ct original proto-src %s", + sinfo->invert_flags & XT_CONNTRACK_ORIGSRC_PORT ? + "!= " : ""); + if (sinfo->origsrc_port == sinfo->origsrc_port_high) + xt_xlate_add(xl, "%u ", sinfo->origsrc_port); + else + xt_xlate_add(xl, "%u-%u ", sinfo->origsrc_port, + sinfo->origsrc_port_high); + } + + if (sinfo->match_flags & XT_CONNTRACK_ORIGDST_PORT) { + xt_xlate_add(xl, "ct original proto-dst %s", + sinfo->invert_flags & XT_CONNTRACK_ORIGDST_PORT ? + "!= " : ""); + if (sinfo->origdst_port == sinfo->origdst_port_high) + xt_xlate_add(xl, "%u ", sinfo->origdst_port); + else + xt_xlate_add(xl, "%u-%u ", sinfo->origdst_port, + sinfo->origdst_port_high); + } + + if (sinfo->match_flags & XT_CONNTRACK_REPLSRC_PORT) { + xt_xlate_add(xl, "ct reply proto-src %s", + sinfo->invert_flags & XT_CONNTRACK_REPLSRC_PORT ? + "!= " : ""); + if (sinfo->replsrc_port == sinfo->replsrc_port_high) + xt_xlate_add(xl, "%u ", sinfo->replsrc_port); + else + xt_xlate_add(xl, "%u-%u ", sinfo->replsrc_port, + sinfo->replsrc_port_high); + } + + if (sinfo->match_flags & XT_CONNTRACK_REPLDST_PORT) { + xt_xlate_add(xl, "ct reply proto-dst %s", + sinfo->invert_flags & XT_CONNTRACK_REPLDST_PORT ? 
+ "!= " : "", sinfo->repldst_port); + if (sinfo->repldst_port == sinfo->repldst_port_high) + xt_xlate_add(xl, "%u ", sinfo->repldst_port); + else + xt_xlate_add(xl, "%u-%u ", sinfo->repldst_port, + sinfo->repldst_port_high); + } + + return 1; +} + +static int conntrack3_mt4_xlate(const void *ip, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + return _conntrack3_mt_xlate(ip, match, xl, numeric, NFPROTO_IPV4); +} + +static int conntrack3_mt6_xlate(const void *ip, + const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + return _conntrack3_mt_xlate(ip, match, xl, numeric, NFPROTO_IPV6); +} + static struct xtables_match conntrack_mt_reg[] = { { .version = XTABLES_VERSION, @@ -1284,6 +1479,7 @@ static struct xtables_match conntrack_mt_reg[] = { .save = conntrack3_mt_save, .alias = conntrack_print_name_alias, .x6_options = conntrack3_mt_opts, + .xlate = conntrack3_mt4_xlate, }, { .version = XTABLES_VERSION, @@ -1299,6 +1495,7 @@ static struct xtables_match conntrack_mt_reg[] = { .save = conntrack3_mt6_save, .alias = conntrack_print_name_alias, .x6_options = conntrack3_mt_opts, + .xlate = conntrack3_mt6_xlate, }, { .family = NFPROTO_UNSPEC,
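Review bot: the `if (&sinfo->origsrc_addr == 0L) return 0;` guards in the XT_CONNTRACK_ORIGSRC, ORIGDST, REPLSRC and REPLDST branches of _conntrack3_mt_xlate are dead code: they compare the address of an embedded union member against NULL, which can never be true, so they neither detect an unset address nor ever trigger the early return. Either drop them or, if the intent is to refuse translation when no address was given, test the contents (the mask or the address bytes) instead. Three smaller points in the same function for the respin: the XT_CONNTRACK_REPLDST_PORT branch passes a stray `sinfo->repldst_port` argument to an xt_xlate_add call whose format string has only one %s (the port is printed by the following call); the XT_CONNTRACK_EXPIRES branch prints expires_min/expires_max with %lu, so please confirm those fields are really unsigned long in xt_conntrack_mtinfo3 and switch to %u if they are 32-bit; and `if (sinfo->status_mask == 1) return 0;` hides a status bit behind a literal, so spell it as the IPS_* constant and add a comment saying why that status is not translated. Lastly, the XT_CONNTRACK_PROTO branch always emits `ct original protocol` or `ct reply protocol`, while the --ctproto examples in the commit message show `ct proto 17`; one of the two needs updating so the message documents what the code produces.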