
extensions: libip6t_hbh: Add translation to nft

Message ID 20160301215243.GA19576@gmail.com
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Shivani Bhardwaj March 1, 2016, 9:52 p.m. UTC
Add translation for module hop-by-hop to nftables.
Full translation of this match awaits support for the --hbh-opts option.

Examples:

$ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength 33 counter

$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength != 33 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libip6t_hbh.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Pablo Neira Ayuso March 2, 2016, 11:49 a.m. UTC | #1
On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
> Add translation for module hop-by-hop to nftables.
> Full translation of this match awaits support for the --hbh-opts option.
> 
> Examples:
> 
> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
> 
> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
>
> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
> index c0389ed..f968036 100644
> --- a/extensions/libip6t_hbh.c
> +++ b/extensions/libip6t_hbh.c
> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
>  	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
>  }
>  
> +static int hbh_xlate(const struct xt_entry_match *match,
> +		     struct xt_xlate *xl, int numeric)
> +{
> +	const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
> +
> +	xt_xlate_add(xl, "hbh ");
> +
> +	if (optinfo->flags & IP6T_OPTS_LEN) {

If no header length is passed, then this will print:

nft add rule ip6 filter INPUT hbh counter

which will not work.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Shivani Bhardwaj March 2, 2016, 1:47 p.m. UTC | #2
On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
>> Add translation for module hop-by-hop to nftables.
>> Full translation of this match awaits support for the --hbh-opts option.
>>
>> Examples:
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
>>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>> ---
>>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
>> index c0389ed..f968036 100644
>> --- a/extensions/libip6t_hbh.c
>> +++ b/extensions/libip6t_hbh.c
>> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
>>       print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
>>  }
>>
>> +static int hbh_xlate(const struct xt_entry_match *match,
>> +                  struct xt_xlate *xl, int numeric)
>> +{
>> +     const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
>> +
>> +     xt_xlate_add(xl, "hbh ");
>> +
>> +     if (optinfo->flags & IP6T_OPTS_LEN) {
>
> If no header length is passed, then this will print:
>
> nft add rule ip6 filter INPUT hbh counter
>

What should be the rule generated in case none of the options is mentioned?

# iptables-translate -A INPUT -m hbh
?

> which will not work.
Pablo Neira Ayuso March 9, 2016, 7:01 p.m. UTC | #3
On Wed, Mar 02, 2016 at 07:17:36PM +0530, Shivani Bhardwaj wrote:
> On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
> >> Add translation for module hop-by-hop to nftables.
> >> Full translation of this match awaits support for the --hbh-opts option.
> >>
> >> Examples:
> >>
> >> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
> >> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
> >>
> >> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
> >> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
> >>
> >> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> >> ---
> >>  extensions/libip6t_hbh.c | 17 +++++++++++++++++
> >>  1 file changed, 17 insertions(+)
> >>
> >> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
> >> index c0389ed..f968036 100644
> >> --- a/extensions/libip6t_hbh.c
> >> +++ b/extensions/libip6t_hbh.c
> >> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
> >>       print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
> >>  }
> >>
> >> +static int hbh_xlate(const struct xt_entry_match *match,
> >> +                  struct xt_xlate *xl, int numeric)
> >> +{
> >> +     const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
> >> +
> >> +     xt_xlate_add(xl, "hbh ");
> >> +
> >> +     if (optinfo->flags & IP6T_OPTS_LEN) {
> >
> > If no header length is passed, then this will print:
> >
> > nft add rule ip6 filter INPUT hbh counter
> >
> 
> What should be the rule generated in case none of the options is mentioned?
> 
> # iptables-translate -A INPUT -m hbh
> ?

Please have a look at linux/net/ipv6/netfilter/ip6t_hbh.c and
evaluate what the behaviour is when -m hbh is passed with no
options.
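The thread leaves two cases of the translator open: a bare `-m hbh` and a rule that carries `--hbh-opts`. The kernel side is unambiguous for the first one: the match function in ip6t_hbh.c looks the header up with ipv6_find_hdr() and fails when it is absent, so a bare `-m hbh` matches any packet that carries a hop-by-hop header, and the faithful nft rule is an existence test rather than a bare `hbh` keyword. The following is an added example, not code from iptables or from the patch: it re-implements the translation logic of hbh_xlate() stand-alone, with a stub xt_xlate buffer, so the three cases can be run side by side. The flag values, the `struct ip6t_opts` layout, the stub `xt_xlate_add()` and the `translate_hbh_rule()` wrapper are assumptions made so it compiles without the xtables headers; it also assumes an nft that understands `exthdr hbh exists` for the bare case.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names follow the patch; the values are assumed for this example. */
#define IP6T_OPTS_LEN     0x01
#define IP6T_OPTS_OPTS    0x02
#define IP6T_OPTS_INV_LEN 0x01

/* Assumed layout: only the fields the translator needs. */
struct ip6t_opts {
	uint32_t hdrlen;   /* value given to --hbh-len */
	uint8_t  flags;    /* which options were set */
	uint8_t  invflags; /* which of them were negated with '!' */
	uint8_t  optsnr;   /* number of --hbh-opts entries */
};

/* Stand-in for the real xt_xlate: a bounded output buffer. */
struct xt_xlate {
	char   buf[128];
	size_t len;
};

static void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...)
{
	va_list ap;

	if (xl->len >= sizeof(xl->buf) - 1)
		return;
	va_start(ap, fmt);
	vsnprintf(xl->buf + xl->len, sizeof(xl->buf) - xl->len, fmt, ap);
	va_end(ap);
	xl->len = strlen(xl->buf);
}

/* Returns 1 when the match was translated, 0 when it has no nft equivalent. */
static int hbh_xlate(const struct ip6t_opts *optinfo, struct xt_xlate *xl)
{
	/* --hbh-opts has no translation yet: report failure instead of
	 * silently emitting a rule that matches more than the original. */
	if ((optinfo->flags & IP6T_OPTS_OPTS) || optinfo->optsnr)
		return 0;

	if (!(optinfo->flags & IP6T_OPTS_LEN)) {
		/* Bare "-m hbh": the kernel only requires the header to be
		 * present, so ask nft for an existence check (assumes an nft
		 * that accepts "exthdr hbh exists"). */
		xt_xlate_add(xl, "exthdr hbh exists ");
		return 1;
	}

	xt_xlate_add(xl, "hbh hdrlength%s %u ",
		     optinfo->invflags & IP6T_OPTS_INV_LEN ? " !=" : "",
		     optinfo->hdrlen);
	return 1;
}

/* Assembles the full command the way ip6tables-translate prints it.
 * Returns NULL when the match cannot be translated.  The result lives in
 * a static buffer, which keeps the demo simple but is not reentrant. */
const char *translate_hbh_rule(uint8_t flags, uint8_t invflags,
			       uint32_t hdrlen, uint8_t optsnr)
{
	static char out[192];
	const struct ip6t_opts optinfo = {
		.hdrlen = hdrlen, .flags = flags,
		.invflags = invflags, .optsnr = optsnr,
	};
	struct xt_xlate xl = { .buf = "", .len = 0 };

	if (!hbh_xlate(&optinfo, &xl))
		return NULL;
	snprintf(out, sizeof(out), "nft add rule ip6 filter INPUT %scounter", xl.buf);
	return out;
}

int main(void)
{
	const char *r;

	/* --hbh-len 33 and ! --hbh-len 33, as in the commit message */
	printf("%s\n", translate_hbh_rule(IP6T_OPTS_LEN, 0, 33, 0));
	printf("%s\n", translate_hbh_rule(IP6T_OPTS_LEN, IP6T_OPTS_INV_LEN, 33, 0));
	/* bare -m hbh: the case the thread asks about */
	printf("%s\n", translate_hbh_rule(0, 0, 0, 0));
	/* --hbh-opts 1: refused rather than dropped */
	r = translate_hbh_rule(IP6T_OPTS_OPTS, 0, 0, 1);
	printf("%s\n", r ? r : "# -m hbh with --hbh-opts: not translatable");
	return 0;
}
```

The refusal for `--hbh-opts` matters more than it looks: a translator that returns 1 after ignoring an option produces a rule that is syntactically valid and matches a superset of what the original did, and nothing downstream will notice that the filter got looser.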

Patch

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..f968036 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -164,6 +164,22 @@  static void hbh_save(const void *ip, const struct xt_entry_match *match)
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
 }
 
+static int hbh_xlate(const struct xt_entry_match *match,
+		     struct xt_xlate *xl, int numeric)
+{
+	const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+	xt_xlate_add(xl, "hbh ");
+
+	if (optinfo->flags & IP6T_OPTS_LEN) {
+		xt_xlate_add(xl, "hdrlength%s %u ",
+			     optinfo->invflags & IP6T_OPTS_INV_LEN ? " !=" : "",
+			     optinfo->hdrlen);
+	}
+
+	return 1;
+}
+
 static struct xtables_match hbh_mt6_reg = {
 	.name 		= "hbh",
 	.version	= XTABLES_VERSION,
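Review bot: the only thing that follows `xt_xlate_add(xl, "hbh ");` is the `if (optinfo->flags & IP6T_OPTS_LEN)` block, so a rule without --hbh-len translates to a bare `hbh` keyword, which nft does not accept, as already noted in the thread. Either return 0 before emitting anything when IP6T_OPTS_LEN is unset, so ip6tables-translate reports the match as untranslated, or emit an explicit existence test for that case once the kernel behaviour for a bare -m hbh has been checked. The same gap exists for --hbh-opts: hbh_save() just above still prints optinfo->optsnr and optinfo->opts, but hbh_xlate() ignores them and returns 1 unconditionally, so a rule that carries options is turned into one that matches more packets than the original; return 0 when optinfo->optsnr is non-zero until that option has a translation.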
@@ -175,6 +191,7 @@  static struct xtables_match hbh_mt6_reg = {
 	.save		= hbh_save,
 	.x6_parse	= hbh_parse,
 	.x6_options	= hbh_opts,
+	.xlate		= hbh_xlate,
 };
 
 void