From patchwork Wed Nov 23 16:43:38 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 01/13] extensions: libebt_mark: Fix mark target xlate
Date: Wed, 23 Nov 2022 17:43:38 +0100
Message-Id: <20221123164350.10502-2-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

Target value is constructed setting all non-target bits to one instead of zero.

Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter
---
 extensions/libebt_mark.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libebt_mark.c b/extensions/libebt_mark.c index 423c5c9133d0d..40e49618e0215 100644 --- a/extensions/libebt_mark.c +++ b/extensions/libebt_mark.c
@@ -201,7 +201,7 @@ static int brmark_xlate(struct xt_xlate *xl, return 0; } - tmp = info->target & EBT_VERDICT_BITS; + tmp = info->target | ~EBT_VERDICT_BITS; xt_xlate_add(xl, "0x%lx %s ", info->mark, brmark_verdict(tmp)); return 1; }

From patchwork Wed Nov 23 16:43:39 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 02/13] extensions: libebt_mark: Fix xlate test case
Date: Wed, 23 Nov 2022 17:43:39 +0100
Message-Id: <20221123164350.10502-3-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

The false suffix effectively disabled this test file, but it also has problems: Apart from brmark_xlate() printing 'meta mark' instead of just 'mark', target is printed in the wrong position (like with any other target-possessing extension).

Fixes: e67c08880961f ("ebtables-translate: add initial test cases")
Signed-off-by: Phil Sutter --- extensions/libebt_mark.txlate | 11 +++++++++++ extensions/libebt_mark.xlate | 11 ----------- 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 extensions/libebt_mark.txlate delete mode 100644 extensions/libebt_mark.xlate diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate new file mode 100644 index 0000000000000..7529302d9a444 --- /dev/null +++ b/extensions/libebt_mark.txlate @@ -0,0 +1,11 @@ +ebtables-translate -A INPUT --mark-set 42 +nft add rule bridge filter INPUT meta mark set 0x2a accept counter + +ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN +nft add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter + +ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT +nft add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter + +ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP +nft add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter diff --git a/extensions/libebt_mark.xlate b/extensions/libebt_mark.xlate deleted file mode 100644 index e0982a1e8ebd7..0000000000000 --- a/extensions/libebt_mark.xlate +++ /dev/null 
@@ -1,11 +0,0 @@ -ebtables-translate -A INPUT --mark-set 42 -nft add rule bridge filter INPUT mark set 0x2a counter - -ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN -nft add rule bridge filter INPUT mark set mark or 0x2a counter return - -ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT -nft add rule bridge filter INPUT mark set mark and 0x2a counter accept - -ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP -nft add rule bridge filter INPUT mark set mark xor 0x2a counter drop

From patchwork Wed Nov 23 16:43:40 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 03/13] extensions: libebt_redirect: Fix xlate return code
Date: Wed, 23 Nov 2022 17:43:40 +0100
Message-Id: <20221123164350.10502-4-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

The callback is supposed to return 1 on success, not 0.

Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Phil Sutter
---
 extensions/libebt_redirect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c index 6e653997ee99e..4d4c7a02cea89 100644 --- a/extensions/libebt_redirect.c +++ b/extensions/libebt_redirect.c 
@@ -86,7 +86,7 @@ static int brredir_xlate(struct xt_xlate *xl, xt_xlate_add(xl, "meta set pkttype host"); if (red->target != EBT_ACCEPT) xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); - return 0; + return 1; } static struct xtables_target brredirect_target = {

From patchwork Wed Nov 23 16:43:41 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 04/13] extensions: libipt_ttl: Sanitize xlate callback
Date: Wed, 23 Nov 2022 17:43:41 +0100
Message-Id: <20221123164350.10502-5-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

Catch unexpected values in info->mode, also fix indenting.

Fixes: 1b320a1a1dc1f ("extensions: libipt_ttl: Add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libipt_ttl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c index 6bdd219618091..86ba554ef92a8 100644 --- a/extensions/libipt_ttl.c +++ b/extensions/libipt_ttl.c
@@ -106,7 +106,7 @@ static int ttl_xlate(struct xt_xlate *xl, const struct ipt_ttl_info *info = (struct ipt_ttl_info *) params->match->data; - switch (info->mode) { + switch (info->mode) { case IPT_TTL_EQ: xt_xlate_add(xl, "ip ttl"); break; 
@@ -121,7 +121,7 @@ static int ttl_xlate(struct xt_xlate *xl, break; default: /* Should not happen. */ - break; + return 0; } xt_xlate_add(xl, " %u", info->ttl);

From patchwork Wed Nov 23 16:43:42 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 05/13] extensions: CONNMARK: Fix xlate callback
Date: Wed, 23 Nov 2022 17:43:42 +0100
Message-Id: <20221123164350.10502-6-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

Bail out if nfmask != ctmask with XT_CONNMARK_SAVE and XT_CONNMARK_RESTORE. Looks like this needs a similar implementation to the one for XT_CONNMARK_SET.

Fix shift mark translation: xt_connmark_shift_ops does not contain useful strings for nftables. Also add needed braces around the term being shifted.

Fixes: db7b4e0de960c ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Phil Sutter
---
 extensions/libxt_CONNMARK.c | 15 ++++++++++-----
 extensions/libxt_CONNMARK.txlate | 3 +++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c index 21e1091386294..a6568c99b6c4d 100644 --- a/extensions/libxt_CONNMARK.c +++ b/extensions/libxt_CONNMARK.c @@ -595,11 +595,11 @@ static int connmark_tg_xlate_v2(struct xt_xlate *xl, { const struct xt_connmark_tginfo2 *info = (const void *)params->target->data; - const char *shift_op = xt_connmark_shift_ops[info->shift_dir]; + const char *braces = info->shift_bits ? "( " : ""; switch (info->mode) { case XT_CONNMARK_SET: - xt_xlate_add(xl, "ct mark set "); + xt_xlate_add(xl, "ct mark set %s", braces); if (info->ctmask == 0xFFFFFFFFU) xt_xlate_add(xl, "0x%x ", info->ctmark); else if (info->ctmark == 0) @@ -615,26 +615,31 @@ static int connmark_tg_xlate_v2(struct xt_xlate *xl, info->ctmark, ~info->ctmask); break; case XT_CONNMARK_SAVE: - xt_xlate_add(xl, "ct mark set mark"); + xt_xlate_add(xl, "ct mark set %smark", braces); if (!(info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)) { if (info->nfmask == info->ctmask) xt_xlate_add(xl, " and 0x%x", info->nfmask); + else + return 0; } break; case XT_CONNMARK_RESTORE: - xt_xlate_add(xl, "meta mark set ct mark"); + xt_xlate_add(xl, "meta mark set %sct mark", braces); if (!(info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)) { if (info->nfmask == info->ctmask) xt_xlate_add(xl, " and 0x%x", info->nfmask); + else + return 0; } break; } if (info->mode <= XT_CONNMARK_RESTORE && info->shift_bits != 0) { - xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits); + xt_xlate_add(xl, " ) %s %u", + info->shift_dir ? ">>" : "<<", info->shift_bits); } return 1; diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate index ce40ae5ea65e0..99627c2b05d45 100644 --- a/extensions/libxt_CONNMARK.txlate +++ b/extensions/libxt_CONNMARK.txlate 
@@ -18,3 +18,6 @@ nft add rule ip mangle PREROUTING counter ct mark set mark iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark nft add rule ip mangle PREROUTING counter meta mark set ct mark + +iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x23/0x42 --right-shift-mark 5 +nft add rule ip mangle PREROUTING counter ct mark set ( ct mark xor 0x23 and 0xffffff9c ) >> 5

From patchwork Wed Nov 23 16:43:43 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 06/13] extensions: MARK: Sanitize MARK_xlate()
Date: Wed, 23 Nov 2022 17:43:43 +0100
Message-Id: <20221123164350.10502-7-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

Since markinfo->mode might contain unexpected values, add a default case returning zero.

Fixes: afefc7a134ca0 ("extensions: libxt_MARK: Add translation for revision 1 to nft")
Signed-off-by: Phil Sutter
---
 extensions/libxt_MARK.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c index 1536563d0f4c7..100f6a38996ac 100644
--- a/extensions/libxt_MARK.c +++ b/extensions/libxt_MARK.c 
@@ -366,6 +366,8 @@ static int MARK_xlate(struct xt_xlate *xl, case XT_MARK_OR: xt_xlate_add(xl, "mark or 0x%x ", (uint32_t)markinfo->mark); break; + default: + return 0; } return 1;

From patchwork Wed Nov 23 16:43:44 2022
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 07/13] extensions: TCPMSS: Use xlate callback for IPv6, too
Date: Wed, 23 Nov 2022 17:43:44 +0100
Message-Id: <20221123164350.10502-8-phil@nwl.cc>
In-Reply-To: <20221123164350.10502-1-phil@nwl.cc>

Data structures are identical and the translation is layer3-agnostic.

Fixes: bebce197adb42 ("iptables: iptables-compat translation for TCPMSS")
Signed-off-by: Phil Sutter
---
 extensions/libxt_TCPMSS.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c index 0d9b200ebc72f..251a5532a838b 100644 --- a/extensions/libxt_TCPMSS.c +++ b/extensions/libxt_TCPMSS.c
@@ -131,6 +131,7 @@ static struct xtables_target tcpmss_tg_reg[] = { .x6_parse = TCPMSS_parse, .x6_fcheck = TCPMSS_check, .x6_options = TCPMSS6_opts, + .xlate = TCPMSS_xlate, }, }; From patchwork Wed Nov 23 16:43:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708403 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=i7o6ETqz; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRmB23MLz23mg for ; Thu, 24 Nov 2022 03:44:10 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239136AbiKWQoH (ORCPT ); Wed, 23 Nov 2022 11:44:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39458 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239135AbiKWQoG (ORCPT ); Wed, 23 Nov 2022 11:44:06 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B13B22B24B for ; Wed, 23 Nov 2022 08:44:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 08/13] extensions: TOS: Fix v1 xlate callback Date: Wed, 23 Nov 2022 17:43:45 +0100 Message-Id: <20221123164350.10502-9-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> Translation entirely ignored tos_mask field. Fixes: b669e18489709 ("extensions: libxt_TOS: Add translation to nft") Signed-off-by: Phil Sutter --- extensions/libxt_TOS.c | 33 +++++++++++++++++++++++---------- extensions/libxt_TOS.txlate | 9 ++++++--- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c index b66fa329f4150..4fc849bd2468b 100644 --- a/extensions/libxt_TOS.c +++ b/extensions/libxt_TOS.c 
@@ -183,28 +183,41 @@ static void tos_tg_save(const void *ip, const struct xt_entry_target *target) printf(" --set-tos 0x%02x/0x%02x", info->tos_value, info->tos_mask); } +static int __tos_xlate(struct xt_xlate *xl, const char *ip, + uint8_t tos, uint8_t tosmask) +{ + xt_xlate_add(xl, "%s dscp set ", ip); + if ((tosmask & 0x3f) == 0x3f) + xt_xlate_add(xl, "0x%02x", tos >> 2); + else if (!tos) + xt_xlate_add(xl, "%s dscp and 0x%02x", + ip, (uint8_t)~tosmask >> 2); + else if (tos == tosmask) + xt_xlate_add(xl, "%s dscp or 0x%02x", ip, tos >> 2); + else if (!tosmask) + xt_xlate_add(xl, "%s dscp xor 0x%02x", ip, tos >> 2); + else + xt_xlate_add(xl, "%s dscp and 0x%02x xor 0x%02x", + ip, (uint8_t)~tosmask >> 2, tos >> 2); + return 1; +} + static int tos_xlate(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { const struct ipt_tos_target_info *info = (struct ipt_tos_target_info *) params->target->data; - uint8_t dscp = info->tos >> 2; - - xt_xlate_add(xl, "ip dscp set 0x%02x", dscp); - return 1; + return __tos_xlate(xl, "ip", info->tos, UINT8_MAX); } static int tos_xlate6(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { - const struct ipt_tos_target_info *info = - (struct ipt_tos_target_info *) params->target->data; - uint8_t dscp = info->tos >> 2; + const struct xt_tos_target_info *info = + (struct xt_tos_target_info *)params->target->data; - xt_xlate_add(xl, "ip6 dscp set 0x%02x", dscp); - - return 1; + return __tos_xlate(xl, "ip6", info->tos_value, info->tos_mask); } static struct xtables_target tos_tg_reg[] = { diff --git a/extensions/libxt_TOS.txlate b/extensions/libxt_TOS.txlate index 0952310edc4ac..9c12674299359 100644 --- a/extensions/libxt_TOS.txlate +++ b/extensions/libxt_TOS.txlate 
@@ -14,10 +14,13 @@ ip6tables-translate -A INPUT -j TOS --set-tos Normal-Service nft add rule ip6 filter INPUT counter ip6 dscp set 0x00 ip6tables-translate -A INPUT -j TOS --and-tos 0x12 -nft add rule ip6 filter INPUT counter ip6 dscp set 0x00 +nft add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp and 0x04 ip6tables-translate -A INPUT -j TOS --or-tos 0x12 -nft add rule ip6 filter INPUT counter ip6 dscp set 0x04 +nft add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp or 0x04 ip6tables-translate -A INPUT -j TOS --xor-tos 0x12 -nft add rule ip6 filter INPUT counter ip6 dscp set 0x04 +nft add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp xor 0x04 + +ip6tables-translate -A INPUT -j TOS --set-tos 0x12/0x34 +nft add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp and 0x32 xor 0x04 From patchwork Wed Nov 23 16:43:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708406 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=EHThgDoM; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRmc2Jcqz23mf for ; Thu, 24 Nov 2022 03:44:32 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239082AbiKWQoa (ORCPT ); Wed, 23 Nov 2022 11:44:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39586 "EHLO 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 09/13] extensions: ecn: Sanitize xlate callback Date: Wed, 23 Nov 2022 17:43:46 +0100 Message-Id: <20221123164350.10502-10-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> Catch unexpected values in einfo->ip_ect. Fixes: ca42442093d3d ("iptables: extensions: libxt_ecn: Add translation to nft") Signed-off-by: Phil Sutter --- extensions/libxt_ecn.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c index ad3c7a0307a0d..83a4acfab7da7 100644 --- a/extensions/libxt_ecn.c +++ b/extensions/libxt_ecn.c 
@@ -156,6 +156,8 @@ static int ecn_xlate(struct xt_xlate *xl, case 3: xt_xlate_add(xl, "ce"); break; + default: + return 0; } } return 1; From patchwork Wed Nov 23 16:43:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708409 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=IrIYDa0n; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRmn3B2mz23mf for ; Thu, 24 Nov 2022 03:44:41 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239044AbiKWQoj (ORCPT ); Wed, 23 Nov 2022 11:44:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39802 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239081AbiKWQoi (ORCPT ); Wed, 23 Nov 2022 11:44:38 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E6916D975 for ; Wed, 23 Nov 2022 08:44:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 10/13] extensions: tcp: Translate TCP option match Date: Wed, 23 Nov 2022 17:43:47 +0100 Message-Id: <20221123164350.10502-11-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> A simple task since 'tcp option' expression exists. Signed-off-by: Phil Sutter --- extensions/libxt_tcp.c | 9 ++++++--- extensions/libxt_tcp.txlate | 6 ++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 0b115cddf15d9..043382d47b8ba 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c 
@@ -430,9 +430,12 @@ static int tcp_xlate(struct xt_xlate *xl, space = " "; } - /* XXX not yet implemented */ - if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION)) - return 0; + if (tcpinfo->option) { + xt_xlate_add(xl, "%stcp option %u %s", space, tcpinfo->option, + tcpinfo->invflags & XT_TCP_INV_OPTION ? + "missing" : "exists"); + space = " "; + } if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) { xt_xlate_add(xl, "%stcp flags %s", space, diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate index 921d4af024d32..a1f0e909bb46c 100644 --- a/extensions/libxt_tcp.txlate +++ b/extensions/libxt_tcp.txlate 
@@ -24,3 +24,9 @@ nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter iptables-translate -A INPUT ! -f -p tcp --dport 22 nft add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter + +iptables-translate -A INPUT -p tcp --tcp-option 23 +nft add rule ip filter INPUT tcp option 23 exists counter + +iptables-translate -A INPUT -p tcp ! --tcp-option 23 +nft add rule ip filter INPUT tcp option 23 missing counter From patchwork Wed Nov 23 16:43:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708408 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=IZL3rGDS; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRmf2qgLz23mf for ; Thu, 24 Nov 2022 03:44:34 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239078AbiKWQod (ORCPT ); Wed, 23 Nov 2022 11:44:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239044AbiKWQoc (ORCPT ); Wed, 23 Nov 2022 11:44:32 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44F9B922EA for ; Wed, 23 Nov 2022 08:44:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 11/13] extensions: libebt_log: Add comment to clarify xlate callback Date: Wed, 23 Nov 2022 17:43:48 +0100 Message-Id: <20221123164350.10502-12-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> Several log flags are ignored by the function. Add a comment explaining why this is correct. Signed-off-by: Phil Sutter --- extensions/libebt_log.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c index 47708d79310e0..13c7fafecb11e 100644 
--- a/extensions/libebt_log.c +++ b/extensions/libebt_log.c 
@@ -191,6 +191,8 @@ static int brlog_xlate(struct xt_xlate *xl, if (loginfo->loglevel != LOG_DEFAULT_LEVEL) xt_xlate_add(xl, " level %s", eight_priority[loginfo->loglevel].c_name); + /* ebt_log always decodes MAC header, nft_log always decodes upper header - + * so set flags ether and ignore EBT_LOG_IP, EBT_LOG_ARP and EBT_LOG_IP6 */ xt_xlate_add(xl, " flags ether "); return 1; From patchwork Wed Nov 23 16:43:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708414 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=EimcPyL+; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRnL38hDz23mR for ; Thu, 24 Nov 2022 03:45:10 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239168AbiKWQpJ (ORCPT ); Wed, 23 Nov 2022 11:45:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239111AbiKWQpF (ORCPT ); Wed, 23 Nov 2022 11:45:05 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 622AFC1F43 for ; Wed, 23 Nov 2022 08:45:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 12/13] extensions: frag: Add comment to clarify xlate callback Date: Wed, 23 Nov 2022 17:43:49 +0100 Message-Id: <20221123164350.10502-13-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> Matching on fragmentation header length is ineffective in kernel, xlate callback correctly ignores it. Add a comment as a hint for reviewers. Signed-off-by: Phil Sutter --- extensions/libip6t_frag.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c index 3842496e56a55..72a43153c53dc 100644 
--- a/extensions/libip6t_frag.c +++ b/extensions/libip6t_frag.c 
@@ -193,6 +193,8 @@ static int frag_xlate(struct xt_xlate *xl, space = " "; } + /* ignore ineffective IP6T_FRAG_LEN bit */ + if (fraginfo->flags & IP6T_FRAG_RES) { xt_xlate_add(xl, "%sfrag reserved 1", space); space = " "; From patchwork Wed Nov 23 16:43:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1708411 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=qT2W98Cr; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NHRn84tXKz23mg for ; Thu, 24 Nov 2022 03:45:00 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239106AbiKWQo7 (ORCPT ); Wed, 23 Nov 2022 11:44:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39824 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239110AbiKWQot (ORCPT ); Wed, 23 Nov 2022 11:44:49 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7656A90386 for ; Wed, 23 Nov 2022 08:44:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: 
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 13/13] extensions: ipcomp: Add comment to clarify xlate callback Date: Wed, 23 Nov 2022 17:43:50 +0100 Message-Id: <20221123164350.10502-14-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221123164350.10502-1-phil@nwl.cc> References: <20221123164350.10502-1-phil@nwl.cc> Kernel ignores 'hdrres' field, this matching on reserved field value was never effective. While being at it, drop its description from man page. Continue to parse and print it for compatibility reasons, but avoid attracting new users. Signed-off-by: Phil Sutter --- extensions/libxt_ipcomp.c | 2 ++ extensions/libxt_ipcomp.c.man | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c index b5c43128466fb..4171c4a1c4eb7 100644 
--- a/extensions/libxt_ipcomp.c +++ b/extensions/libxt_ipcomp.c @@ -101,6 +101,8 @@ static int comp_xlate(struct xt_xlate *xl, const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)params->match->data; + /* ignore compinfo->hdrres like kernel's xt_ipcomp.c does */ + xt_xlate_add(xl, "comp cpi %s", compinfo->invflags & XT_IPCOMP_INV_SPI ? "!= " : ""); if (compinfo->spis[0] != compinfo->spis[1]) diff --git a/extensions/libxt_ipcomp.c.man b/extensions/libxt_ipcomp.c.man index f3b17d2167697..824f5b3d9dbb4 100644 --- a/extensions/libxt_ipcomp.c.man +++ b/extensions/libxt_ipcomp.c.man @@ -2,6 +2,3 @@ This module matches the parameters in IPcomp header of IPsec packets. .TP [\fB!\fP] \fB\-\-ipcompspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] Matches IPcomp header CPI value. -.TP -\fB\-\-compres\fP -Matches if the reserved field is filled with zero.
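
Review bot: the IPv6 '.xlate = TCPMSS_xlate' entry added to tcpmss_tg_reg[] in [PATCH 07/13] comes without a test case, as the diffstat touches only libxt_TCPMSS.c. An ip6tables-translate case in the extension's .txlate file, as patches 08/13 and 10/13 add for their changes, would pin the expected 'nft add rule ip6 ...' output for the newly enabled path.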
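
Review bot: in __tos_xlate() ([PATCH 08/13], libxt_TOS.c) the first branch tests the low six mask bits, '(tosmask & 0x3f) == 0x3f', while every value the function emits is shifted with '>> 2' and therefore comes from the upper six bits. With tosmask 0x3f the function's own '~tosmask' handling in the 'and' branch implies bits 6 and 7 are to be preserved, yet this branch prints a plain 'dscp set 0x..' that overwrites the whole DSCP field. Either compare the bits that survive the shift, for example '(tosmask >> 2) == 0x3f', or add a comment stating why 0x3f is the intended test. The same '>> 2' also drops the two low bits of tos and tosmask without notice; returning 0 when those bits are set would avoid emitting a rule that behaves differently from the original.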
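
Review bot: the new 'default: return 0;' in ecn_xlate() ([PATCH 09/13]) gives up from inside the switch, after whatever the function appended to xl before reaching it, and the hunk does not show that part. Please confirm that callers discard xl on a zero return, or validate einfo->ip_ect before the first xt_xlate_add() call so that no partial expression is left behind.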
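
Review bot: the check removed from tcp_xlate() ([PATCH 10/13], libxt_tcp.c hunk) also returned 0 when only XT_TCP_INV_OPTION was set, whereas the replacement is guarded by 'if (tcpinfo->option)' alone, so an inverted match with option 0 now translates as if no option match were present. Keep a fallback such as 'else if (tcpinfo->invflags & XT_TCP_INV_OPTION) return 0;', or add a comment that the parser never produces that combination.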
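
Review bot: both cases added to libxt_tcp.txlate ([PATCH 10/13]) use --tcp-option on its own, so the 'space' separator handling around the new xt_xlate_add() call is never exercised. A case that combines --tcp-option with --dport or --tcp-flags would cover the ordering and spacing of the generated expression.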
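
Review bot: the comment added in frag_xlate() ([PATCH 12/13]) sits right above the IP6T_FRAG_RES block with only a blank line in between, so it can be read as describing that block, and it calls IP6T_FRAG_LEN ineffective without giving the reason, which appears only in the commit message. Stating in the comment that the kernel does not act on the header length match, and that nothing is translated for it, would let the comment stand on its own.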
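
Review bot: the libxt_ipcomp.c.man hunk ([PATCH 13/13]) deletes the --compres entry although the commit message says the option is still parsed and printed, which leaves anyone who meets it in an existing ruleset without documentation. Keeping the entry with a remark that the kernel ignores the reserved field would discourage new use and still explain the option.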