From patchwork Fri Feb 2 13:52:56 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1894566
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 01/12] extensions: *.t/*.txlate: Test range corner-cases
Date: Fri, 2 Feb 2024 14:52:56 +0100
Message-ID: <20240202135307.25331-2-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>
X-Mailing-List: netfilter-devel@vger.kernel.org

For every extension option accepting a range, test open and half-open as well as single element and invalid (negative) ranges.

The added tests merely reflect the status quo, not the expected outcome. Following patches will fix results and the already existing test cases highlight the fixes' effects.
Signed-off-by: Phil Sutter --- extensions/libebt_ip.t | 12 +++++++++ extensions/libebt_ip6.t | 12 +++++++++ extensions/libebt_stp.t | 45 ++++++++++++++++++++++++++++++++++ extensions/libip6t_ah.t | 6 +++++ extensions/libip6t_ah.txlate | 6 +++++ extensions/libip6t_frag.t | 6 +++++ extensions/libip6t_frag.txlate | 6 +++++ extensions/libip6t_mh.t | 6 +++++ extensions/libip6t_mh.txlate | 9 +++++++ extensions/libip6t_rt.t | 6 +++++ extensions/libip6t_rt.txlate | 9 +++++++ extensions/libipt_ah.t | 6 +++++ extensions/libipt_ah.txlate | 6 +++++ extensions/libxt_NFQUEUE.t | 7 ++++++ extensions/libxt_connbytes.t | 6 +++++ extensions/libxt_conntrack.t | 26 ++++++++++++++++++++ extensions/libxt_dccp.t | 10 ++++++++ extensions/libxt_esp.t | 7 ++++++ extensions/libxt_esp.txlate | 12 +++++++++ extensions/libxt_ipcomp.t | 7 ++++++ extensions/libxt_length.t | 3 +++ extensions/libxt_tcp.t | 12 +++++++++ extensions/libxt_tcp.txlate | 6 +++++ extensions/libxt_tcpmss.t | 4 +++ extensions/libxt_udp.t | 12 +++++++++ extensions/libxt_udp.txlate | 6 +++++ 26 files changed, 253 insertions(+) diff --git a/extensions/libebt_ip.t b/extensions/libebt_ip.t index cfe4f54db5f66..a9b5b8b5ea244 100644 --- a/extensions/libebt_ip.t +++ b/extensions/libebt_ip.t 
@@ -6,6 +6,18 @@ -p IPv4 ! --ip-tos 0xFF;=;OK -p IPv4 --ip-proto tcp --ip-dport 22;=;OK -p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK +-p IPv4 --ip-proto udp --ip-sport :;-p IPv4 --ip-proto udp --ip-sport 0:65535;OK +-p IPv4 --ip-proto udp --ip-sport :4;-p IPv4 --ip-proto udp --ip-sport 0:4;OK +-p IPv4 --ip-proto udp --ip-sport 4:;-p IPv4 --ip-proto udp --ip-sport 4:65535;OK +-p IPv4 --ip-proto udp --ip-sport 3:4;=;OK +-p IPv4 --ip-proto udp --ip-sport 4:4;-p IPv4 --ip-proto udp --ip-sport 4;OK +-p IPv4 --ip-proto udp --ip-sport 4:3;;FAIL +-p IPv4 --ip-proto udp --ip-dport :;-p IPv4 --ip-proto udp --ip-dport 0:65535;OK +-p IPv4 --ip-proto udp --ip-dport :4;-p IPv4 --ip-proto udp --ip-dport 0:4;OK +-p IPv4 --ip-proto udp --ip-dport 4:;-p IPv4 --ip-proto udp --ip-dport 4:65535;OK +-p IPv4 --ip-proto udp --ip-dport 3:4;=;OK +-p IPv4 --ip-proto udp --ip-dport 4:4;-p IPv4 --ip-proto udp --ip-dport 4;OK +-p IPv4 --ip-proto udp --ip-dport 4:3;;FAIL -p IPv4 --ip-proto 253;=;OK -p IPv4 ! --ip-proto 253;=;OK -p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK diff --git a/extensions/libebt_ip6.t b/extensions/libebt_ip6.t index 58e3c73c99409..cb1be9e355bac 100644 --- a/extensions/libebt_ip6.t +++ b/extensions/libebt_ip6.t 
@@ -10,6 +10,18 @@ -p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK -p IPv6 --ip6-proto tcp ! --ip6-sport 22 --ip6-dport 22;=;OK -p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK +-p IPv6 --ip6-proto udp --ip6-sport :;-p IPv6 --ip6-proto udp --ip6-sport 0:65535;OK +-p IPv6 --ip6-proto udp --ip6-sport :4;-p IPv6 --ip6-proto udp --ip6-sport 0:4;OK +-p IPv6 --ip6-proto udp --ip6-sport 4:;-p IPv6 --ip6-proto udp --ip6-sport 4:65535;OK +-p IPv6 --ip6-proto udp --ip6-sport 3:4;=;OK +-p IPv6 --ip6-proto udp --ip6-sport 4:4;-p IPv6 --ip6-proto udp --ip6-sport 4;OK +-p IPv6 --ip6-proto udp --ip6-sport 4:3;;FAIL +-p IPv6 --ip6-proto udp --ip6-dport :;-p IPv6 --ip6-proto udp --ip6-dport 0:65535;OK +-p IPv6 --ip6-proto udp --ip6-dport :4;-p IPv6 --ip6-proto udp --ip6-dport 0:4;OK +-p IPv6 --ip6-proto udp --ip6-dport 4:;-p IPv6 --ip6-proto udp --ip6-dport 4:65535;OK +-p IPv6 --ip6-proto udp --ip6-dport 3:4;=;OK +-p IPv6 --ip6-proto udp --ip6-dport 4:4;-p IPv6 --ip6-proto udp --ip6-dport 4;OK +-p IPv6 --ip6-proto udp --ip6-dport 4:3;;FAIL -p IPv6 --ip6-proto 253;=;OK -p IPv6 ! --ip6-proto 253;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK diff --git a/extensions/libebt_stp.t b/extensions/libebt_stp.t index 06df607379f2a..f72051ac27f57 100644 --- a/extensions/libebt_stp.t +++ b/extensions/libebt_stp.t 
@@ -27,3 +27,48 @@ ! --stp-hello-time 1;=;OK --stp-forward-delay 1;=;OK ! --stp-forward-delay 1;=;OK +--stp-root-prio :2;--stp-root-prio 0:2;OK +--stp-root-prio 2:;--stp-root-prio 2:65535;OK +--stp-root-prio 1:2;=;OK +--stp-root-prio 1:1;--stp-root-prio 1;OK +--stp-root-prio 2:1;;FAIL +--stp-root-cost :2;--stp-root-cost 0:2;OK +--stp-root-cost 2:;--stp-root-cost 2:4294967295;OK +--stp-root-cost 1:2;=;OK +--stp-root-cost 1:1;--stp-root-cost 1;OK +--stp-root-cost 2:1;;FAIL +--stp-sender-prio :2;--stp-sender-prio 0:2;OK +--stp-sender-prio 2:;--stp-sender-prio 2:65535;OK +--stp-sender-prio 1:2;=;OK +--stp-sender-prio 1:1;--stp-sender-prio 1;OK +--stp-sender-prio 2:1;;FAIL +--stp-port :;--stp-port 0:65535;OK +--stp-port :2;--stp-port 0:2;OK +--stp-port 2:;--stp-port 2:65535;OK +--stp-port 1:2;=;OK +--stp-port 1:1;--stp-port 1;OK +--stp-port 2:1;;FAIL +--stp-msg-age :;--stp-msg-age 0:65535;OK +--stp-msg-age :2;--stp-msg-age 0:2;OK +--stp-msg-age 2:;--stp-msg-age 2:65535;OK +--stp-msg-age 1:2;=;OK +--stp-msg-age 1:1;--stp-msg-age 1;OK +--stp-msg-age 2:1;;FAIL +--stp-max-age :;--stp-max-age 0:65535;OK +--stp-max-age :2;--stp-max-age 0:2;OK +--stp-max-age 2:;--stp-max-age 2:65535;OK +--stp-max-age 1:2;=;OK +--stp-max-age 1:1;--stp-max-age 1;OK +--stp-max-age 2:1;;FAIL +--stp-hello-time :;--stp-hello-time 0:65535;OK +--stp-hello-time :2;--stp-hello-time 0:2;OK +--stp-hello-time 2:;--stp-hello-time 2:65535;OK +--stp-hello-time 1:2;=;OK +--stp-hello-time 1:1;--stp-hello-time 1;OK +--stp-hello-time 2:1;;FAIL +--stp-forward-delay :;--stp-forward-delay 0:65535;OK +--stp-forward-delay :2;--stp-forward-delay 0:2;OK +--stp-forward-delay 2:;--stp-forward-delay 2:65535;OK +--stp-forward-delay 1:2;=;OK +--stp-forward-delay 1:1;--stp-forward-delay 1;OK +--stp-forward-delay 2:1;;FAIL diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t index c1898d44cf193..77c5383c91a6d 100644 --- a/extensions/libip6t_ah.t +++ b/extensions/libip6t_ah.t 
@@ -13,3 +13,9 @@ -m ah --ahspi 0:invalid;;FAIL -m ah --ahspi;;FAIL -m ah;=;OK +-m ah --ahspi :;-m ah;OK +-m ah ! --ahspi :;-m ah;OK +-m ah --ahspi :3;-m ah --ahspi 0:3;OK +-m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK +-m ah --ahspi 3:3;-m ah --ahspi 3;OK +-m ah --ahspi 4:3;=;OK diff --git a/extensions/libip6t_ah.txlate b/extensions/libip6t_ah.txlate index cc33ac2718c0c..fc7248abba001 100644 --- a/extensions/libip6t_ah.txlate +++ b/extensions/libip6t_ah.txlate @@ -15,3 +15,9 @@ nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength != 120 counter drop' ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept' + +ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295 +nft 'add rule ip6 filter INPUT meta l4proto ah counter' + +ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295 +nft 'add rule ip6 filter INPUT meta l4proto ah counter' diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t index 299fa03f8845b..a89076708ea03 100644 --- a/extensions/libip6t_frag.t +++ b/extensions/libip6t_frag.t @@ -1,5 +1,11 @@ :INPUT,FORWARD,OUTPUT +-m frag --fragid :;-m frag;OK +-m frag ! --fragid :;-m frag;OK +-m frag --fragid :42;-m frag --fragid 0:42;OK +-m frag --fragid 42:;-m frag --fragid 42:4294967295;OK -m frag --fragid 1:42;=;OK +-m frag --fragid 3:3;-m frag --fragid 3;OK +-m frag --fragid 4:3;=;OK -m frag --fraglen 42;=;OK -m frag --fragres;=;OK -m frag --fragfirst;=;OK diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate index 33fc0631dc792..2b6585afbc826 100644 --- a/extensions/libip6t_frag.txlate +++ b/extensions/libip6t_frag.txlate 
@@ -15,3 +15,9 @@ nft 'add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept' + +ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295 +nft 'add rule ip6 filter INPUT counter' + +ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295 +nft 'add rule ip6 filter INPUT counter' diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t index 6b76d13d0a00f..151eabe631f58 100644 --- a/extensions/libip6t_mh.t +++ b/extensions/libip6t_mh.t @@ -4,3 +4,9 @@ -p mobility-header -m mh --mh-type 1;=;OK -p mobility-header -m mh ! --mh-type 4;=;OK -p mobility-header -m mh --mh-type 4:123;=;OK +-p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK +-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK +-p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK +-p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK +-p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK +-p mobility-header -m mh --mh-type 4:3;;FAIL diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate index 4dfaf46a2b8d7..825c956905c22 100644 --- a/extensions/libip6t_mh.txlate +++ b/extensions/libip6t_mh.txlate 
@@ -3,3 +3,12 @@ nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter ac ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept' + +ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT +nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept' + +ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT +nft 'add rule ip6 filter INPUT counter accept' + +ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT +nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept' diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t index 3c7b2d981324a..2699e800d528e 100644 --- a/extensions/libip6t_rt.t +++ b/extensions/libip6t_rt.t @@ -3,3 +3,9 @@ -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK -m rt;=;OK +-m rt --rt-segsleft :;-m rt;OK +-m rt ! --rt-segsleft :;-m rt;OK +-m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK +-m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK +-m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK +-m rt --rt-segsleft 4:3;=;OK diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate index 3578bcba0157e..67d88d07732cc 100644 --- a/extensions/libip6t_rt.txlate +++ b/extensions/libip6t_rt.txlate 
@@ -12,3 +12,12 @@ nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop' ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept' + +ip6tables-translate -A INPUT -m rt --rt-segsleft 13:42 -j ACCEPT +nft 'add rule ip6 filter INPUT rt seg-left 13-42 counter accept' + +ip6tables-translate -A INPUT -m rt --rt-segsleft 0:4294967295 -j ACCEPT +nft 'add rule ip6 filter INPUT counter accept' + +ip6tables-translate -A INPUT -m rt ! --rt-segsleft 0:4294967295 -j ACCEPT +nft 'add rule ip6 filter INPUT counter accept' diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t index cd853865638e8..a2aa338fef9c5 100644 --- a/extensions/libipt_ah.t +++ b/extensions/libipt_ah.t @@ -11,3 +11,9 @@ -m ah --ahspi;;FAIL -m ah;;FAIL -p ah -m ah;=;OK +-p ah -m ah --ahspi :;-p ah -m ah;OK +-p ah -m ah ! --ahspi :;-p ah -m ah;OK +-p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK +-p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK +-p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK +-p ah -m ah --ahspi 4:3;=;OK diff --git a/extensions/libipt_ah.txlate b/extensions/libipt_ah.txlate index 897c82b5f95c6..e35ac17ab6c64 100644 --- a/extensions/libipt_ah.txlate +++ b/extensions/libipt_ah.txlate @@ -6,3 +6,9 @@ nft 'add rule ip filter INPUT ah spi 500-600 counter drop' iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP nft 'add rule ip filter INPUT ah spi != 50 counter drop' + +iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP +nft 'add rule ip filter INPUT counter drop' + +iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP +nft 'add rule ip filter INPUT counter drop' diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t index 8fb2b760a13bc..1adb8e4023099 100644 --- a/extensions/libxt_NFQUEUE.t +++ b/extensions/libxt_NFQUEUE.t 
@@ -8,6 +8,13 @@ -j NFQUEUE --queue-balance 0:65535;;FAIL -j NFQUEUE --queue-balance 0:65536;;FAIL -j NFQUEUE --queue-balance -1:65535;;FAIL +-j NFQUEUE --queue-balance 4;;FAIL +-j NFQUEUE --queue-balance :;;FAIL +-j NFQUEUE --queue-balance :4;-j NFQUEUE --queue-balance 0:4;OK +-j NFQUEUE --queue-balance 4:;-j NFQUEUE --queue-balance 4:65535;OK +-j NFQUEUE --queue-balance 3:4;=;OK +-j NFQUEUE --queue-balance 4:4;;FAIL +-j NFQUEUE --queue-balance 4:3;;FAIL -j NFQUEUE --queue-num 10 --queue-bypass;=;OK -j NFQUEUE --queue-balance 0:6 --queue-cpu-fanout --queue-bypass;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK -j NFQUEUE --queue-bypass --queue-balance 0:6 --queue-cpu-fanout;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK diff --git a/extensions/libxt_connbytes.t b/extensions/libxt_connbytes.t index 6b24e266c1a04..60209c697dc91 100644 --- a/extensions/libxt_connbytes.t +++ b/extensions/libxt_connbytes.t 
@@ -10,6 +10,12 @@ -m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK -m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL -m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL +-m connbytes --connbytes : --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0 --connbytes-mode packets --connbytes-dir original;OK +-m connbytes --connbytes :1000 --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;OK +-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;=;OK +-m connbytes --connbytes 1000: --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;OK +-m connbytes --connbytes 1000:1000 --connbytes-mode packets --connbytes-dir original;=;OK +-m connbytes --connbytes 1000:0 --connbytes-mode packets --connbytes-dir original;;FAIL # ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both # -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK -m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t index 2b3c5de9cd3ab..399d70abbe707 100644 --- a/extensions/libxt_conntrack.t +++ b/extensions/libxt_conntrack.t @@ -17,6 +17,8 @@ -m conntrack --ctexpire 0:4294967295;=;OK -m conntrack --ctexpire 42949672956;;FAIL -m conntrack --ctexpire -1;;FAIL +-m conntrack --ctexpire 3:3;-m conntrack --ctexpire 3;OK +-m conntrack --ctexpire 4:3;=;OK -m conntrack --ctdir ORIGINAL;=;OK -m conntrack --ctdir REPLY;=;OK -m conntrack --ctstatus NONE;=;OK 
@@ -27,3 +29,27 @@ -m conntrack;;FAIL -m conntrack --ctproto 0;;FAIL -m conntrack ! --ctproto 0;;FAIL +-m conntrack --ctorigsrcport :;-m conntrack --ctorigsrcport 0:65535;OK +-m conntrack --ctorigsrcport :4;-m conntrack --ctorigsrcport 0:4;OK +-m conntrack --ctorigsrcport 4:;-m conntrack --ctorigsrcport 4:65535;OK +-m conntrack --ctorigsrcport 3:4;=;OK +-m conntrack --ctorigsrcport 4:4;-m conntrack --ctorigsrcport 4;OK +-m conntrack --ctorigsrcport 4:3;=;OK +-m conntrack --ctreplsrcport :;-m conntrack --ctreplsrcport 0:65535;OK +-m conntrack --ctreplsrcport :4;-m conntrack --ctreplsrcport 0:4;OK +-m conntrack --ctreplsrcport 4:;-m conntrack --ctreplsrcport 4:65535;OK +-m conntrack --ctreplsrcport 3:4;=;OK +-m conntrack --ctreplsrcport 4:4;-m conntrack --ctreplsrcport 4;OK +-m conntrack --ctreplsrcport 4:3;=;OK +-m conntrack --ctorigdstport :;-m conntrack --ctorigdstport 0:65535;OK +-m conntrack --ctorigdstport :4;-m conntrack --ctorigdstport 0:4;OK +-m conntrack --ctorigdstport 4:;-m conntrack --ctorigdstport 4:65535;OK +-m conntrack --ctorigdstport 3:4;=;OK +-m conntrack --ctorigdstport 4:4;-m conntrack --ctorigdstport 4;OK +-m conntrack --ctorigdstport 4:3;=;OK +-m conntrack --ctrepldstport :;-m conntrack --ctrepldstport 0:65535;OK +-m conntrack --ctrepldstport :4;-m conntrack --ctrepldstport 0:4;OK +-m conntrack --ctrepldstport 4:;-m conntrack --ctrepldstport 4:65535;OK +-m conntrack --ctrepldstport 3:4;=;OK +-m conntrack --ctrepldstport 4:4;-m conntrack --ctrepldstport 4;OK +-m conntrack --ctrepldstport 4:3;=;OK diff --git a/extensions/libxt_dccp.t b/extensions/libxt_dccp.t index f60b480fb6fc7..535891a556394 100644 --- a/extensions/libxt_dccp.t +++ b/extensions/libxt_dccp.t 
@@ -6,6 +6,16 @@ -p dccp -m dccp --sport 1:1023;=;OK -p dccp -m dccp --sport 1024:65535;=;OK -p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK +-p dccp -m dccp --sport :;-p dccp -m dccp --sport 0:65535;OK +-p dccp -m dccp --sport :4;-p dccp -m dccp --sport 0:4;OK +-p dccp -m dccp --sport 4:;-p dccp -m dccp --sport 4:65535;OK +-p dccp -m dccp --sport 4:4;-p dccp -m dccp --sport 4;OK +-p dccp -m dccp --sport 4:3;=;OK +-p dccp -m dccp --dport :;-p dccp -m dccp --dport 0:65535;OK +-p dccp -m dccp --dport :4;-p dccp -m dccp --dport 0:4;OK +-p dccp -m dccp --dport 4:;-p dccp -m dccp --dport 4:65535;OK +-p dccp -m dccp --dport 4:4;-p dccp -m dccp --dport 4;OK +-p dccp -m dccp --dport 4:3;=;OK -p dccp -m dccp ! --sport 1;=;OK -p dccp -m dccp ! --sport 65535;=;OK -p dccp -m dccp ! --dport 1;=;OK diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t index 92c5779f860f1..a8bc5287dd089 100644 --- a/extensions/libxt_esp.t +++ b/extensions/libxt_esp.t @@ -4,5 +4,12 @@ -p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK -p esp -m esp ! --espspi 0:4294967294;=;OK -p esp -m esp --espspi -1;;FAIL +-p esp -m esp --espspi :;-p esp -m esp;OK +-p esp -m esp ! --espspi :;-p esp -m esp;OK +-p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK +-p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK +-p esp -m esp --espspi 3:4;=;OK +-p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK +-p esp -m esp --espspi 4:3;=;OK -p esp -m esp;=;OK -m esp;;FAIL diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate index f6aba52f52235..3b1d5718057b1 100644 --- a/extensions/libxt_esp.txlate +++ b/extensions/libxt_esp.txlate 
@@ -9,3 +9,15 @@ nft 'add rule ip filter INPUT esp spi 500 counter drop' iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP nft 'add rule ip filter INPUT esp spi 500-600 counter drop' + +iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP +nft 'add rule ip filter INPUT counter drop' + +iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP +nft 'add rule ip filter INPUT counter drop' + +ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP +nft 'add rule ip6 filter INPUT counter drop' + +ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP +nft 'add rule ip6 filter INPUT counter drop' diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t index 8546ba9ce416f..f62144ae8fec8 100644 --- a/extensions/libxt_ipcomp.t +++ b/extensions/libxt_ipcomp.t @@ -1,3 +1,10 @@ :INPUT,OUTPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK +-p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK +-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK +-p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK +-p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK +-p ipcomp -m ipcomp --ipcompspi 3:4;=;OK +-p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK +-p ipcomp -m ipcomp --ipcompspi 4:3;=;OK diff --git a/extensions/libxt_length.t b/extensions/libxt_length.t index 8b70fc317485c..3905d2d05feec 100644 --- a/extensions/libxt_length.t +++ b/extensions/libxt_length.t 
@@ -3,8 +3,11 @@ -m length --length :2;-m length --length 0:2;OK -m length --length 0:3;=;OK -m length --length 4:;-m length --length 4:65535;OK +-m length --length :;-m length --length 0:65535;OK -m length --length 0:65535;=;OK -m length ! --length 0:65535;=;OK -m length --length 0:65536;;FAIL -m length --length -1:65535;;FAIL +-m length --length 4:4;-m length --length 4;OK +-m length --length 4:3;=;OK -m length;;FAIL diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t index 7a3bbd08952f0..baa41615b11a6 100644 --- a/extensions/libxt_tcp.t +++ b/extensions/libxt_tcp.t @@ -6,6 +6,18 @@ -p tcp -m tcp --sport 1:1023;=;OK -p tcp -m tcp --sport 1024:65535;=;OK -p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK +-p tcp -m tcp --sport :;-p tcp -m tcp;OK +-p tcp -m tcp ! --sport :;-p tcp -m tcp;OK;LEGACY;-p tcp +-p tcp -m tcp --sport :4;-p tcp -m tcp --sport 0:4;OK +-p tcp -m tcp --sport 4:;-p tcp -m tcp --sport 4:65535;OK +-p tcp -m tcp --sport 4:4;-p tcp -m tcp --sport 4;OK +-p tcp -m tcp --sport 4:3;;FAIL +-p tcp -m tcp --dport :;-p tcp -m tcp;OK +-p tcp -m tcp ! --dport :;-p tcp -m tcp;OK;LEGACY;-p tcp +-p tcp -m tcp --dport :4;-p tcp -m tcp --dport 0:4;OK +-p tcp -m tcp --dport 4:;-p tcp -m tcp --dport 4:65535;OK +-p tcp -m tcp --dport 4:4;-p tcp -m tcp --dport 4;OK +-p tcp -m tcp --dport 4:3;;FAIL -p tcp -m tcp ! --sport 1;=;OK -p tcp -m tcp ! --sport 65535;=;OK -p tcp -m tcp ! --dport 1;=;OK diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate index 9802ddfe0039e..a7e921bff2ca0 100644 --- a/extensions/libxt_tcp.txlate +++ b/extensions/libxt_tcp.txlate 
@@ -30,3 +30,9 @@ nft 'add rule ip filter INPUT tcp option 23 exists counter' iptables-translate -A INPUT -p tcp ! --tcp-option 23 nft 'add rule ip filter INPUT tcp option 23 missing counter' + +iptables-translate -I OUTPUT -p tcp --sport 0:65535 -j ACCEPT +nft 'insert rule ip filter OUTPUT counter accept' + +iptables-translate -I OUTPUT -p tcp ! --sport 0:65535 -j ACCEPT +nft 'insert rule ip filter OUTPUT counter accept' diff --git a/extensions/libxt_tcpmss.t b/extensions/libxt_tcpmss.t index 2b415957ffd00..d0fb52fab33b7 100644 --- a/extensions/libxt_tcpmss.t +++ b/extensions/libxt_tcpmss.t @@ -1,6 +1,10 @@ :INPUT,FORWARD,OUTPUT -m tcpmss --mss 42;;FAIL -p tcp -m tcpmss --mss 42;=;OK +-p tcp -m tcpmss --mss :;-p tcp -m tcpmss --mss 0:65535;OK +-p tcp -m tcpmss --mss :42;-p tcp -m tcpmss --mss 0:42;OK +-p tcp -m tcpmss --mss 42:;-p tcp -m tcpmss --mss 42:65535;OK +-p tcp -m tcpmss --mss 42:42;-p tcp -m tcpmss --mss 42;OK -p tcp -m tcpmss --mss 42:12345;=;OK -p tcp -m tcpmss --mss 42:65536;;FAIL -p tcp -m tcpmss --mss 65535:1000;;FAIL diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t index f534770191a6e..d62dd5e3f830e 100644 --- a/extensions/libxt_udp.t +++ b/extensions/libxt_udp.t 
@@ -6,6 +6,18 @@ -p udp -m udp --sport 1:1023;=;OK -p udp -m udp --sport 1024:65535;=;OK -p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK +-p udp -m udp --sport :;-p udp -m udp;OK +-p udp -m udp ! --sport :;-p udp -m udp;OK;LEGACY;-p udp +-p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK +-p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK +-p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK +-p udp -m udp --sport 4:3;=;OK +-p udp -m udp --dport :;-p udp -m udp;OK +-p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp +-p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK +-p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK +-p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK +-p udp -m udp --dport 4:3;=;OK -p udp -m udp ! --sport 1;=;OK -p udp -m udp ! --sport 65535;=;OK -p udp -m udp ! --dport 1;=;OK diff --git a/extensions/libxt_udp.txlate b/extensions/libxt_udp.txlate index 28e7ca206b26b..3aed7cd15dbd7 100644 --- a/extensions/libxt_udp.txlate +++ b/extensions/libxt_udp.txlate 
@@ -9,3 +9,9 @@ nft 'insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accep iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT nft 'insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept' + +iptables-translate -I OUTPUT -p udp --sport 0:65535 -j ACCEPT +nft 'insert rule ip filter OUTPUT counter accept' + +iptables-translate -I OUTPUT -p udp ! --sport 0:65535 -j ACCEPT +nft 'insert rule ip filter OUTPUT counter accept'
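Review bot: the inverted-range lines are the clearest status-quo inconsistency in this patch and deserve a sentence in the commit message. `4:3` is rejected (`;;FAIL`) in libebt_ip.t, libebt_ip6.t, libebt_stp.t (`2:1`), libip6t_mh.t, libxt_NFQUEUE.t, libxt_connbytes.t (`1000:0`) and libxt_tcp.t, but accepted and echoed back unchanged (`4:3;=;OK`) in libip6t_ah.t, libip6t_frag.t, libip6t_rt.t, libipt_ah.t, libxt_conntrack.t, libxt_dccp.t, libxt_esp.t, libxt_ipcomp.t, libxt_length.t and libxt_udp.t. A non-negated range with min > max can never match, so the accepting extensions silently install a dead rule. The 02/12 change to xtoptions is where those `=;OK` lines should flip to `;;FAIL`; its diffstat lists the ah, frag, rt, conntrack, esp, ipcomp and length files but neither libxt_dccp.t nor libxt_udp.t, so unless a later patch in the series covers them those two still need a follow-up.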
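Review bot: in libebt_stp.t the blocks for `--stp-root-prio`, `--stp-root-cost` and `--stp-sender-prio` lack the fully open `:` case that `--stp-port`, `--stp-msg-age`, `--stp-max-age`, `--stp-hello-time` and `--stp-forward-delay` all begin with. Either add `--stp-root-prio :;--stp-root-prio 0:65535;OK` (and the root-cost and sender-prio equivalents) or say why those three differ; since the commit message states the tests reflect the status quo, an omitted case is indistinguishable from an untested one.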
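Review bot: every negated open-range line expects the `!` to vanish from the printed rule (`-m ah ! --ahspi :;-m ah;OK` in libip6t_ah.t and libipt_ah.t, the same pattern in libip6t_frag.t, libip6t_mh.t, libip6t_rt.t, libxt_esp.t, libxt_ipcomp.t, libxt_tcp.t and libxt_udp.t), and the .txlate hunks do the same (`! --ahspi 0:4294967295` becomes `meta l4proto ah counter`, `! --sport 0:65535` becomes plain `counter accept`). A negated all-inclusive range matches nothing, while the printed and translated rules match everything, so these lines document an inversion of the rule's meaning rather than a cosmetic difference. As the tests are meant to capture the status quo, marking these specific lines as known-wrong (a comment in the .t files or a sentence in the commit message) would keep a reader from taking them as intended behaviour.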
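Review bot: libip6t_frag.txlate, libip6t_rt.txlate and the `-m mh --mh-type 0:255` line of libip6t_mh.txlate translate the full-range match to a bare `counter` / `counter accept`, whereas libip6t_ah.txlate in this same patch keeps `meta l4proto ah` for the identical case and the `-p mh` line directly above keeps `meta l4proto mobility-header`. `-m frag`, `-m rt` and `-m mh` only match packets that carry the respective extension header, so dropping the selector widens the rule to all traffic. One consistent rule (always emit the header or protocol selector when the range collapses) would make these three outputs line up with the ah one.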
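Review bot: libxt_connbytes.t shows that the single-value form has open-ended meaning for this extension (`--connbytes 1000:` prints as `--connbytes 1000`, and `:` prints as `0`), which is why `1000:1000` is echoed as `1000:1000` rather than collapsed to `1000` the way `--ip-sport 4:4` or `--ctexpire 3:3` collapse elsewhere in this patch. Worth stating in the commit message, because the 02/12 diffstat removes four lines from libxt_connbytes.c and a generic "N:N prints as N" rule in xtoptions would change the meaning of this rule from "exactly 1000" to "1000 or more".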
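Review bot: in libxt_tcp.t and libxt_udp.t the negated open-range lines carry a LEGACY alternative (`-p tcp -m tcp ! --sport :;-p tcp -m tcp;OK;LEGACY;-p tcp`), so iptables-legacy drops the whole `-m tcp` match while iptables-nft keeps an empty one. Both variants lose the `!`; when the follow-up that rejects or preserves the negation lands, both columns need updating, otherwise the LEGACY column keeps asserting the old output.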
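Review bot: in libxt_tcp.txlate, libxt_udp.txlate, libxt_esp.txlate and libipt_ah.txlate the full-range translations lose the protocol match together with the range: `-p tcp --sport 0:65535 -j ACCEPT` becomes `insert rule ip filter OUTPUT counter accept`, and `-p 50 -m esp --espspi 0:4294967295 -j DROP` becomes `add rule ip filter INPUT counter drop`. The original rules accept only TCP or drop only ESP; the translated ones apply to every packet in the chain, which for a DROP is a self-inflicted outage and for an ACCEPT a policy bypass. libip6t_ah.txlate in the same patch keeps `meta l4proto ah` for the equivalent case, so the expected fix is to keep emitting the protocol selector (`ip protocol tcp`, `meta l4proto esp`) when the range is elided; a sentence noting that these outputs are recorded as wrong would help here.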
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 02/12] libxtables: xtoptions: Assert ranges are monotonic increasing
Date: Fri, 2 Feb 2024 14:52:57 +0100
Message-ID: <20240202135307.25331-3-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Extensions commonly require the upper range value to be larger than or equal to the lower one. Performing this check in the parser is easier and covers all extensions at once. One notable exception is NFQUEUE, which requires strict monotonicity. Hence leave its checks in place.
Signed-off-by: Phil Sutter --- extensions/libebt_stp.c | 21 +++++++++------------ extensions/libip6t_ah.t | 2 +- extensions/libip6t_frag.t | 2 +- extensions/libip6t_rt.t | 2 +- extensions/libipt_ah.t | 2 +- extensions/libxt_connbytes.c | 4 ---- extensions/libxt_conntrack.t | 2 +- extensions/libxt_esp.t | 2 +- extensions/libxt_ipcomp.t | 2 +- extensions/libxt_length.t | 2 +- libxtables/xtoptions.c | 9 +++++---- 11 files changed, 22 insertions(+), 28 deletions(-) diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c index 371fa04c870fe..189e36a529f26 100644 --- a/extensions/libebt_stp.c +++ b/extensions/libebt_stp.c 
@@ -139,36 +139,33 @@ static void brstp_parse(struct xt_option_call *cb) cb->val.ethermacmask, ETH_ALEN); break; -#define RANGE_ASSIGN(name, fname, val) { \ +#define RANGE_ASSIGN(fname, val) { \ stpinfo->config.fname##l = val[0]; \ stpinfo->config.fname##u = cb->nvals > 1 ? val[1] : val[0]; \ - if (stpinfo->config.fname##u < stpinfo->config.fname##l) \ - xtables_error(PARAMETER_PROBLEM, \ - "Bad --stp-" name " range"); \ } case O_RPRIO: - RANGE_ASSIGN("root-prio", root_prio, cb->val.u16_range); + RANGE_ASSIGN(root_prio, cb->val.u16_range); break; case O_RCOST: - RANGE_ASSIGN("root-cost", root_cost, cb->val.u32_range); + RANGE_ASSIGN(root_cost, cb->val.u32_range); break; case O_SPRIO: - RANGE_ASSIGN("sender-prio", sender_prio, cb->val.u16_range); + RANGE_ASSIGN(sender_prio, cb->val.u16_range); break; case O_PORT: - RANGE_ASSIGN("port", port, cb->val.u16_range); + RANGE_ASSIGN(port, cb->val.u16_range); break; case O_MSGAGE: - RANGE_ASSIGN("msg-age", msg_age, cb->val.u16_range); + RANGE_ASSIGN(msg_age, cb->val.u16_range); break; case O_MAXAGE: - RANGE_ASSIGN("max-age", max_age, cb->val.u16_range); + RANGE_ASSIGN(max_age, cb->val.u16_range); break; case O_HTIME: - RANGE_ASSIGN("hello-time", hello_time, cb->val.u16_range); + RANGE_ASSIGN(hello_time, cb->val.u16_range); break; case O_FWDD: - RANGE_ASSIGN("forward-delay", forward_delay, cb->val.u16_range); + RANGE_ASSIGN(forward_delay, cb->val.u16_range); break; #undef RANGE_ASSIGN } diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t index 77c5383c91a6d..eeba7b451fc6d 100644 --- a/extensions/libip6t_ah.t +++ b/extensions/libip6t_ah.t @@ -18,4 +18,4 @@ -m ah --ahspi :3;-m ah --ahspi 0:3;OK -m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK -m ah --ahspi 3:3;-m ah --ahspi 3;OK --m ah --ahspi 4:3;=;OK +-m ah --ahspi 4:3;;FAIL diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t index a89076708ea03..57f7da27d5e1d 100644 --- a/extensions/libip6t_frag.t +++ b/extensions/libip6t_frag.t 
@@ -5,7 +5,7 @@ -m frag --fragid 42:;-m frag --fragid 42:4294967295;OK -m frag --fragid 1:42;=;OK -m frag --fragid 3:3;-m frag --fragid 3;OK --m frag --fragid 4:3;=;OK +-m frag --fragid 4:3;;FAIL -m frag --fraglen 42;=;OK -m frag --fragres;=;OK -m frag --fragfirst;=;OK diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t index 2699e800d528e..56c8b077267ce 100644 --- a/extensions/libip6t_rt.t +++ b/extensions/libip6t_rt.t @@ -8,4 +8,4 @@ -m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK -m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK -m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK --m rt --rt-segsleft 4:3;=;OK +-m rt --rt-segsleft 4:3;;FAIL diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t index a2aa338fef9c5..d86ede60970ac 100644 --- a/extensions/libipt_ah.t +++ b/extensions/libipt_ah.t @@ -16,4 +16,4 @@ -p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK -p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK -p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK --p ah -m ah --ahspi 4:3;=;OK +-p ah -m ah --ahspi 4:3;;FAIL diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c index b57f0fc0d28c2..2f1108572e8a9 100644 --- a/extensions/libxt_connbytes.c +++ b/extensions/libxt_connbytes.c @@ -41,10 +41,6 @@ static void connbytes_parse(struct xt_option_call *cb) if (cb->nvals == 2) sinfo->count.to = cb->val.u64_range[1]; - if (sinfo->count.to < sinfo->count.from) - xtables_error(PARAMETER_PROBLEM, "%llu should be less than %llu", - (unsigned long long)sinfo->count.from, - (unsigned long long)sinfo->count.to); if (cb->invert) { i = sinfo->count.from; sinfo->count.from = sinfo->count.to; diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t index 399d70abbe707..620e7b5436e88 100644 --- a/extensions/libxt_conntrack.t +++ b/extensions/libxt_conntrack.t 
@@ -18,7 +18,7 @@ -m conntrack --ctexpire 42949672956;;FAIL -m conntrack --ctexpire -1;;FAIL -m conntrack --ctexpire 3:3;-m conntrack --ctexpire 3;OK --m conntrack --ctexpire 4:3;=;OK +-m conntrack --ctexpire 4:3;;FAIL -m conntrack --ctdir ORIGINAL;=;OK -m conntrack --ctdir REPLY;=;OK -m conntrack --ctstatus NONE;=;OK diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t index a8bc5287dd089..686611f22b457 100644 --- a/extensions/libxt_esp.t +++ b/extensions/libxt_esp.t @@ -10,6 +10,6 @@ -p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK -p esp -m esp --espspi 3:4;=;OK -p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK --p esp -m esp --espspi 4:3;=;OK +-p esp -m esp --espspi 4:3;;FAIL -p esp -m esp;=;OK -m esp;;FAIL diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t index f62144ae8fec8..375f885a708d9 100644 --- a/extensions/libxt_ipcomp.t +++ b/extensions/libxt_ipcomp.t @@ -7,4 +7,4 @@ -p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK -p ipcomp -m ipcomp --ipcompspi 3:4;=;OK -p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK --p ipcomp -m ipcomp --ipcompspi 4:3;=;OK +-p ipcomp -m ipcomp --ipcompspi 4:3;;FAIL diff --git a/extensions/libxt_length.t b/extensions/libxt_length.t index 3905d2d05feec..bae313b4072c8 100644 --- a/extensions/libxt_length.t +++ b/extensions/libxt_length.t @@ -9,5 +9,5 @@ -m length --length 0:65536;;FAIL -m length --length -1:65535;;FAIL -m length --length 4:4;-m length --length 4;OK --m length --length 4:3;=;OK +-m length --length 4:3;;FAIL -m length;;FAIL diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index f622f4c6ea328..cecf7d3526112 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c 
@@ -291,8 +291,8 @@ static void xtopt_parse_mint(struct xt_option_call *cb) size_t esize = xtopt_esize_by_type(entry->type); const uintmax_t lmax = xtopt_max_by_type(entry->type); void *put = XTOPT_MKPTR(cb); + uintmax_t value, lmin = 0; unsigned int maxiter; - uintmax_t value; char *end = ""; char sep = ':'; 
@@ -314,16 +314,17 @@ static void xtopt_parse_mint(struct xt_option_call *cb) end = (char *)arg; value = (cb->nvals == 1) ? lmax : 0; } else { - if (!xtables_strtoul(arg, &end, &value, 0, lmax)) + if (!xtables_strtoul(arg, &end, &value, lmin, lmax)) xt_params->exit_err(PARAMETER_PROBLEM, "%s: bad value for option \"--%s\" near " - "\"%s\", or out of range (0-%ju).\n", - cb->ext_name, entry->name, arg, lmax); + "\"%s\", or out of range (%ju-%ju).\n", + cb->ext_name, entry->name, arg, lmin, lmax); if (*end != '\0' && *end != sep) xt_params->exit_err(PARAMETER_PROBLEM, "%s: Argument to \"--%s\" has " "unexpected characters near \"%s\".\n", cb->ext_name, entry->name, end); + lmin = value; } xtopt_mint_value_to_cb(cb, value); ++cb->nvals;

From patchwork Fri Feb 2 13:52:58 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894564
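Review bot: in the second xtoptions.c hunk a reversed range such as `4:3` is now rejected, but only as a side effect of passing `lmin` to `xtables_strtoul()`, so the user is told `bad value for option "--ahspi" near "3", or out of range (4-4294967295)` rather than that the range is reversed. An explicit test after the `*end` check, along the lines of `if (value < lmin) xt_params->exit_err(PARAMETER_PROBLEM, "range end %ju is lower than start %ju", value, lmin)`, would be clearer and would match the dedicated `Port range %d-%d is negative` message the mport change in patch 03 adds. `lmin` is only advanced in the else branch: the empty-element path (`value = (cb->nvals == 1) ? lmax : 0`) leaves it alone, which is fine because an empty upper bound yields `lmax` and an empty lower bound can only ever be the first element.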
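Review bot: the eight .t hunks flip `4:3` from `=;OK` to `;FAIL`, which is the right direction, but it is a user-visible compatibility change the commit message should spell out: a reversed range used to load silently and, since these matches test `min <= value <= max`, could never match (or always matched when negated), so a typo in a rule disabled it without any warning; after this patch the same line makes `iptables-restore` of an existing ruleset fail outright. A sentence on that would help anyone hitting the new failure understand that the rule in question was never doing what it said.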
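Review bot: dropping the `"Bad --stp-" name " range"` check from `RANGE_ASSIGN` in the libebt_stp.c hunk changes the error text ebtables users see for a reversed `--stp-*` range to the generic xtoptions one; that is acceptable, but say so in the commit message, since removing the `name` parameter reads like a pure cleanup at first glance. In the libxt_connbytes.c hunk the removed comparison ran after the conditional `if (cb->nvals == 2) sinfo->count.to = ...`, i.e. also when a single value was given; whatever seeds `count.to` above the hunk for that case must still leave it greater than or equal to `count.from`, because the parser-level check only compares consecutive parsed elements and does not cover it.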
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 03/12] libxtables: Reject negative port ranges
Date: Fri, 2 Feb 2024 14:52:58 +0100
Message-ID: <20240202135307.25331-4-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Analogous to XTTYPE_UINT*RC value parsing, assert consecutive port values are not lower than previous ones.

Signed-off-by: Phil Sutter
---
 extensions/libxt_conntrack.t | 8 ++++----
 extensions/libxt_dccp.t | 4 ++--
 extensions/libxt_udp.t | 4 ++--
 libxtables/xtoptions.c | 7 ++++++-
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t index 620e7b5436e88..5e27ddce4fe6e 100644 --- a/extensions/libxt_conntrack.t +++ b/extensions/libxt_conntrack.t @@ -34,22 +34,22 @@ -m conntrack --ctorigsrcport 4:;-m conntrack --ctorigsrcport 4:65535;OK -m conntrack --ctorigsrcport 3:4;=;OK -m conntrack --ctorigsrcport 4:4;-m conntrack --ctorigsrcport 4;OK --m conntrack --ctorigsrcport 4:3;=;OK +-m conntrack --ctorigsrcport 4:3;;FAIL -m conntrack --ctreplsrcport :;-m conntrack --ctreplsrcport 0:65535;OK -m conntrack --ctreplsrcport :4;-m conntrack --ctreplsrcport 0:4;OK -m conntrack --ctreplsrcport 4:;-m conntrack --ctreplsrcport 4:65535;OK -m conntrack --ctreplsrcport 3:4;=;OK -m conntrack --ctreplsrcport 4:4;-m conntrack --ctreplsrcport 4;OK --m conntrack --ctreplsrcport 4:3;=;OK +-m conntrack --ctreplsrcport 4:3;;FAIL -m conntrack --ctorigdstport :;-m conntrack --ctorigdstport 0:65535;OK -m conntrack --ctorigdstport :4;-m conntrack --ctorigdstport 0:4;OK -m conntrack --ctorigdstport 4:;-m conntrack --ctorigdstport 4:65535;OK -m conntrack --ctorigdstport 3:4;=;OK -m conntrack --ctorigdstport 4:4;-m conntrack --ctorigdstport 4;OK --m conntrack --ctorigdstport 4:3;=;OK +-m conntrack --ctorigdstport 4:3;;FAIL -m conntrack --ctrepldstport :;-m conntrack --ctrepldstport 0:65535;OK -m conntrack --ctrepldstport :4;-m conntrack --ctrepldstport 0:4;OK -m conntrack --ctrepldstport 4:;-m conntrack --ctrepldstport 4:65535;OK -m conntrack --ctrepldstport 3:4;=;OK -m conntrack --ctrepldstport 4:4;-m conntrack --ctrepldstport 4;OK --m conntrack --ctrepldstport 4:3;=;OK +-m conntrack --ctrepldstport 4:3;;FAIL diff --git a/extensions/libxt_dccp.t b/extensions/libxt_dccp.t index 535891a556394..3655ab6f4b7fc 100644 --- a/extensions/libxt_dccp.t +++ b/extensions/libxt_dccp.t 
@@ -10,12 +10,12 @@ -p dccp -m dccp --sport :4;-p dccp -m dccp --sport 0:4;OK -p dccp -m dccp --sport 4:;-p dccp -m dccp --sport 4:65535;OK -p dccp -m dccp --sport 4:4;-p dccp -m dccp --sport 4;OK --p dccp -m dccp --sport 4:3;=;OK +-p dccp -m dccp --sport 4:3;;FAIL -p dccp -m dccp --dport :;-p dccp -m dccp --dport 0:65535;OK -p dccp -m dccp --dport :4;-p dccp -m dccp --dport 0:4;OK -p dccp -m dccp --dport 4:;-p dccp -m dccp --dport 4:65535;OK -p dccp -m dccp --dport 4:4;-p dccp -m dccp --dport 4;OK --p dccp -m dccp --dport 4:3;=;OK +-p dccp -m dccp --dport 4:3;;FAIL -p dccp -m dccp ! --sport 1;=;OK -p dccp -m dccp ! --sport 65535;=;OK -p dccp -m dccp ! --dport 1;=;OK diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t index d62dd5e3f830e..09dff363fc21a 100644 --- a/extensions/libxt_udp.t +++ b/extensions/libxt_udp.t @@ -11,13 +11,13 @@ -p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK -p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK -p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK --p udp -m udp --sport 4:3;=;OK +-p udp -m udp --sport 4:3;;FAIL -p udp -m udp --dport :;-p udp -m udp;OK -p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp -p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK -p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK -p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK --p udp -m udp --dport 4:3;=;OK +-p udp -m udp --dport 4:3;;FAIL -p udp -m udp ! --sport 1;=;OK -p udp -m udp ! --sport 65535;=;OK -p udp -m udp ! --dport 1;=;OK diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index cecf7d3526112..0a995a63a2a88 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c @@ -604,7 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb) const struct xt_option_entry *entry = cb->entry; char *lo_arg, *wp_arg, *arg; unsigned int maxiter; - int value; + int value, prev = 0; wp_arg = lo_arg = xtables_strdup(cb->arg); 
@@ -634,6 +634,11 @@ static void xtopt_parse_mport(struct xt_option_call *cb) xt_params->exit_err(PARAMETER_PROBLEM, "Port \"%s\" does not resolve to " "anything.\n", arg); + if (value < prev) + xt_params->exit_err(PARAMETER_PROBLEM, + "Port range %d-%d is negative.\n", + prev, value); + prev = value; if (entry->flags & XTOPT_NBO) value = htons(value); if (cb->nvals < ARRAY_SIZE(cb->val.port_range))

From patchwork Fri Feb 2 13:52:59 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894567
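Review bot: the new `value < prev` comparison in the xtopt_parse_mport hunk sits before `htons()`, so it compares host-order ports, which is correct. `prev` starts at 0 and is only advanced on the path shown; if an earlier branch of the function handles empty elements (`:4` and `4:` are accepted per the .t hunks) without reaching this block, that is still harmless, because an empty upper bound is 65535 and an empty lower bound is 0 and only ever comes first. One wording point: ports may be service names here (see the `does not resolve to anything` error just above the insertion), so `--sport http:ftp` would report `Port range 80-21 is negative` although the user typed no negative number; `reversed` would read better than `negative`.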
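Review bot: the unchanged context line `-p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp` in the libxt_udp.t hunk still expects a negated full port range to be saved as a plain `-p udp -m udp`, i.e. the inversion is dropped and a rule that matches no UDP packet round-trips into one that matches all of them. Patches 04 and 05 fix exactly this save/xlate problem for ah and frag by keeping `! --ahspi 0:4294967295` and `! --fragid 0:4294967295`; udp (and dccp, whose .t is touched here as well) deserve the same treatment in this series rather than a test line that enshrines the lossy output.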
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 04/12] extensions: ah: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:52:59 +0100
Message-ID: <20240202135307.25331-5-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

While at it, fix xlate output for plain '-m ah' matches: With ip6tables-translate, one should emit an exthdr exists match since ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate, a simple 'meta l4proto ah' was missing.

Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'")
Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libip6t_ah.c | 22 +++++++++++++---------
 extensions/libip6t_ah.t | 2 +-
 extensions/libip6t_ah.txlate | 4 ++--
 extensions/libipt_ah.c | 22 ++++++++++++++--------
 extensions/libipt_ah.t | 2 +-
 extensions/libipt_ah.txlate | 4 ++--
 6 files changed, 33 insertions(+), 23 deletions(-)
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c index f35982f379d76..0f95c4735eabd 100644 --- a/extensions/libip6t_ah.c +++ b/extensions/libip6t_ah.c @@ -58,13 +58,18 @@ static void ah_parse(struct xt_option_call *cb) } } +static bool skip_spi_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_spis(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_spi_match(min, max, invert)) { if (min == max) printf("%s:%s%u", name, inv, min); else @@ -103,11 +108,10 @@ static void ah_print(const void *ip, const struct xt_entry_match *match, static void ah_save(const void *ip, const struct xt_entry_match *match) { const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data; + bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI; - if (!(ahinfo->spis[0] == 0 - && ahinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --ahspi ", - (ahinfo->invflags & IP6T_AH_INV_SPI) ? " !" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + printf("%s --ahspi ", inv_spi ? " !" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) printf("%u:%u", @@ -132,11 +136,11 @@ static int ah_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ip6t_ah *ahinfo = (struct ip6t_ah *)params->match->data; + bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI; char *space = ""; - if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "ah spi%s ", - (ahinfo->invflags & IP6T_AH_INV_SPI) ? " !=" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) xt_xlate_add(xl, "%u-%u", ahinfo->spis[0], ahinfo->spis[1]); 
@@ -158,7 +162,7 @@ static int ah_xlate(struct xt_xlate *xl, } if (!space[0]) /* plain '-m ah' */ - xt_xlate_add(xl, "meta l4proto ah"); + xt_xlate_add(xl, "exthdr ah exists"); return 1; } diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t index eeba7b451fc6d..19aa6f55ec0e9 100644 --- a/extensions/libip6t_ah.t +++ b/extensions/libip6t_ah.t @@ -14,7 +14,7 @@ -m ah --ahspi;;FAIL -m ah;=;OK -m ah --ahspi :;-m ah;OK --m ah ! --ahspi :;-m ah;OK +-m ah ! --ahspi :;-m ah ! --ahspi 0:4294967295;OK -m ah --ahspi :3;-m ah --ahspi 0:3;OK -m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK -m ah --ahspi 3:3;-m ah --ahspi 3;OK diff --git a/extensions/libip6t_ah.txlate b/extensions/libip6t_ah.txlate index fc7248abba001..32c6b7de00937 100644 --- a/extensions/libip6t_ah.txlate +++ b/extensions/libip6t_ah.txlate @@ -17,7 +17,7 @@ ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept' ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295 -nft 'add rule ip6 filter INPUT meta l4proto ah counter' +nft 'add rule ip6 filter INPUT exthdr ah exists counter' ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295 -nft 'add rule ip6 filter INPUT meta l4proto ah counter' +nft 'add rule ip6 filter INPUT ah spi != 0-4294967295 counter' diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c index fec5705ce6f53..39e3013d3e74b 100644 --- a/extensions/libipt_ah.c +++ b/extensions/libipt_ah.c 
@@ -39,13 +39,18 @@ static void ah_parse(struct xt_option_call *cb) ahinfo->invflags |= IPT_AH_INV_SPI; } +static bool skip_spi_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_spis(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_spi_match(min, max, invert)) { printf("%s", name); if (min == max) { printf(":%s", inv); @@ -75,11 +80,10 @@ static void ah_print(const void *ip, const struct xt_entry_match *match, static void ah_save(const void *ip, const struct xt_entry_match *match) { const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data; + bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI; - if (!(ahinfo->spis[0] == 0 - && ahinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --ahspi ", - (ahinfo->invflags & IPT_AH_INV_SPI) ? " !" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + printf("%s --ahspi ", inv_spi ? " !" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) printf("%u:%u", @@ -96,15 +100,17 @@ static int ah_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ipt_ah *ahinfo = (struct ipt_ah *)params->match->data; + bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI; - if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "ah spi%s ", - (ahinfo->invflags & IPT_AH_INV_SPI) ? " !=" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) xt_xlate_add(xl, "%u-%u", ahinfo->spis[0], ahinfo->spis[1]); else xt_xlate_add(xl, "%u", ahinfo->spis[0]); + } else { + xt_xlate_add(xl, "meta l4proto ah"); } return 1; diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t index d86ede60970ac..6059366013ad7 100644 --- a/extensions/libipt_ah.t +++ b/extensions/libipt_ah.t 
@@ -12,7 +12,7 @@ -m ah;;FAIL -p ah -m ah;=;OK -p ah -m ah --ahspi :;-p ah -m ah;OK --p ah -m ah ! --ahspi :;-p ah -m ah;OK +-p ah -m ah ! --ahspi :;-p ah -m ah ! --ahspi 0:4294967295;OK -p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK -p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK -p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK diff --git a/extensions/libipt_ah.txlate b/extensions/libipt_ah.txlate index e35ac17ab6c64..baf5a0ae6182a 100644 --- a/extensions/libipt_ah.txlate +++ b/extensions/libipt_ah.txlate 
@@ -8,7 +8,7 @@ iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP nft 'add rule ip filter INPUT ah spi != 50 counter drop' iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT meta l4proto ah counter drop' iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop'

From patchwork Fri Feb 2 13:53:00 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894565
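Review bot: the new `else { xt_xlate_add(xl, "meta l4proto ah"); }` branch in the libipt_ah.c `ah_xlate()` hunk repairs a silent widening: per the libipt_ah.txlate hunk, `-p 51 -m ah --ahspi 0:4294967295 -j DROP` used to translate to a bare `counter drop`, which drops every packet instead of only AH. Because `-m ah` cannot be used without `-p ah` (`-m ah;;FAIL` in libipt_ah.t), the protocol restriction must always surface in the nft output, and this branch guarantees it. Suggest stating in the commit message that rulesets converted with the old output contain over-broad rules and should be re-translated; the two `Fixes:` tags alone do not convey that.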
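Review bot: in the libip6t_ah.c hunks, `print_spis()` keeps its `int invert` parameter while the new `skip_spi_match()` takes `bool inv` and `ah_save()`/`ah_xlate()` store the masked flag in `bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI;`. The implicit int-to-bool conversion is well defined in C99, so this is a style point only, but carrying the same flag through `int` in one place and `bool` in three others invites a future `int` copy of the masked value being compared with `==`; make `print_spis()` take `bool` too, or write `!!(ahinfo->invflags & IP6T_AH_INV_SPI)` so the normalisation is visible. The same applies to the libipt_ah.c counterpart.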
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 05/12] extensions: frag: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:53:00 +0100
Message-ID: <20240202135307.25331-6-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Also translate plain '-m frag' match into an exthdr exists one.

Fixes: bd5bbc7a0fbd8 ("extensions: libip6t_frag: Add translation to nft")
Signed-off-by: Phil Sutter
---
extensions/libip6t_frag.c | 27 ++++++++++++++++++---------
extensions/libip6t_frag.t | 2 +-
extensions/libip6t_frag.txlate | 4 ++--
3 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 49c787e709a9e..ed7fe10a4716d 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -89,13 +89,18 @@ static void frag_parse(struct xt_option_call *cb) } } +static bool skip_ids_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_ids(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_ids_match(min, max, invert)) { printf("%s", name); if (min == max) printf(":%s%u", inv, min); @@ -139,11 +144,10 @@ static void frag_print(const void *ip, const struct xt_entry_match *match, static void frag_save(const void *ip, const struct xt_entry_match *match) { const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data; + bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS; - if (!(fraginfo->ids[0] == 0 - && fraginfo->ids[1] == 0xFFFFFFFF)) { - printf("%s --fragid ", - (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? " !" : ""); + if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) { + printf("%s --fragid ", inv_ids ? " !" : ""); if (fraginfo->ids[0] != fraginfo->ids[1]) printf("%u:%u", 
@@ -173,22 +177,27 @@ static void frag_save(const void *ip, const struct xt_entry_match *match) printf(" --fraglast"); } +#define XLATE_FLAGS (IP6T_FRAG_RES | IP6T_FRAG_FST | \ + IP6T_FRAG_MF | IP6T_FRAG_NMF) + static int frag_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ip6t_frag *fraginfo = (struct ip6t_frag *)params->match->data; + bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS; - if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "frag id %s", - (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? - "!= " : ""); + if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) { + xt_xlate_add(xl, "frag id %s", inv_ids ? "!= " : ""); if (fraginfo->ids[0] != fraginfo->ids[1]) xt_xlate_add(xl, "%u-%u", fraginfo->ids[0], fraginfo->ids[1]); else xt_xlate_add(xl, "%u", fraginfo->ids[0]); + } else if (!(fraginfo->flags & XLATE_FLAGS)) { + xt_xlate_add(xl, "exthdr frag exists"); + return 1; } /* ignore ineffective IP6T_FRAG_LEN bit */ diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t index 57f7da27d5e1d..ea7ac8995c27c 100644 --- a/extensions/libip6t_frag.t +++ b/extensions/libip6t_frag.t @@ -1,6 +1,6 @@ :INPUT,FORWARD,OUTPUT -m frag --fragid :;-m frag;OK --m frag ! --fragid :;-m frag;OK +-m frag ! --fragid :;-m frag ! --fragid 0:4294967295;OK -m frag --fragid :42;-m frag --fragid 0:42;OK -m frag --fragid 42:;-m frag --fragid 42:4294967295;OK -m frag --fragid 1:42;=;OK diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate index 2b6585afbc826..e250587e7682c 100644 --- a/extensions/libip6t_frag.txlate +++ b/extensions/libip6t_frag.txlate 
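Review bot: the early `return 1` in the new `else if (!(fraginfo->flags & XLATE_FLAGS))` branch of frag_xlate is only correct because XLATE_FLAGS deliberately omits IP6T_FRAG_LEN (the comment right below calls that bit ineffective); please say so in a comment next to the `#define XLATE_FLAGS`, otherwise the next person will "complete" the mask and `-m frag --fraglen N` will stop translating to `exthdr frag exists`. The commit message should also spell out what the old code did wrong, because this is a rule-widening bug rather than a cosmetic one: the `.t` hunk shows that `-m frag ! --fragid :` used to be saved as plain `-m frag`, and the `.txlate` hunk shows the same rule used to translate to a bare `counter` with no frag match at all, so a rule that can never match became one matching every fragment after save/restore and every packet after translation. The new expectations (`-m frag ! --fragid 0:4294967295`, `frag id != 0-4294967295`) keep the never-matching rule as written, which is the right call for a migration tool; anyone auditing a converted ruleset should know that earlier iptables-translate output for such rules needs a second look.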
@@ -17,7 +17,7 @@ ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295 -nft 'add rule ip6 filter INPUT counter' +nft 'add rule ip6 filter INPUT exthdr frag exists counter' ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295 -nft 'add rule ip6 filter INPUT counter' +nft 'add rule ip6 filter INPUT frag id != 0-4294967295 counter'
From patchwork Fri Feb 2 13:53:01 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894562
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 06/12] extensions: mh: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:53:01 +0100
Message-ID: <20240202135307.25331-7-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Also translate '-m mh' into an exthdr exists match unless '-p mh' is also present. The latter is converted into 'meta l4proto mh' which might need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter
---
extensions/libip6t_mh.c | 20 ++++++++++++++++----
extensions/libip6t_mh.t | 2 +-
extensions/libip6t_mh.txlate | 4 ++--
3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 1410d324b5d42..3f80e28ec94c8 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -17,6 +17,7 @@ #include #include #include +#include enum { O_MH_TYPE = 0, @@ -154,11 +155,16 @@ static void print_type(uint8_t type, int numeric) printf("%s", name); } +static bool skip_types_match(uint8_t min, uint8_t max, bool inv) +{ + return min == 0 && max == UINT8_MAX && !inv; +} + static void print_types(uint8_t min, uint8_t max, int invert, int numeric) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFF || invert) { + if (!skip_types_match(min, max, invert)) { printf(" "); if (min == max) { printf("%s", inv); @@ -189,11 +195,12 @@ static void mh_print(const void *ip, const struct xt_entry_match *match, static void mh_save(const void *ip, const struct xt_entry_match *match) { const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data; + bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE; - if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF) + if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) return; - if (mhinfo->invflags & IP6T_MH_INV_TYPE) + if (inv_type) printf(" !"); if (mhinfo->types[0] != mhinfo->types[1]) @@ -206,9 +213,14 @@ static int mh_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data; + bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE; + uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto; - if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xff) + if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) { + if (proto != IPPROTO_MH) + xt_xlate_add(xl, "exthdr mh exists"); return 1; + } if (mhinfo->types[0] != mhinfo->types[1]) xt_xlate_add(xl, "mh type %s%u-%u", diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t index 151eabe631f58..b628e9e33fd3e 100644 --- a/extensions/libip6t_mh.t +++ b/extensions/libip6t_mh.t 
@@ -5,7 +5,7 @@ -p mobility-header -m mh ! --mh-type 4;=;OK -p mobility-header -m mh --mh-type 4:123;=;OK -p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK --p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK +-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh ! --mh-type 0:255;OK -p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK -p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK -p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate index 825c956905c22..3364ce574468f 100644 --- a/extensions/libip6t_mh.txlate +++ b/extensions/libip6t_mh.txlate 
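Review bot: the `proto != IPPROTO_MH` test in mh_xlate compares only the protocol number read from `params->ip` and does not look at the entry's protocol inversion flag, so please confirm that `! -p mh -m mh` either cannot reach this code or is meant to suppress `exthdr mh exists` as well; a one-line comment on the check would settle it. The commit message says `-p mh` becomes `meta l4proto mh`, but the `.txlate` expectation is `meta l4proto mobility-header`; worth aligning the text with the actual output. As with the frag patch, the fix is semantically significant and deserves a sentence in the message: the removed `.txlate` line translated `-m mh --mh-type 0:255 -j ACCEPT` to `counter accept` with no MH match at all, i.e. an accept-all rule, and the removed `.t` line saved `-p mobility-header -m mh ! --mh-type :` as plain `-p mobility-header -m mh`, turning a rule that can never match into one accepting every MH packet; the new `exthdr mh exists`, `! --mh-type 0:255` and `mh type != 0-255` outputs preserve the rule's scope.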
@@ -8,7 +8,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept' ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT -nft 'add rule ip6 filter INPUT counter accept' +nft 'add rule ip6 filter INPUT exthdr mh exists counter accept' ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT -nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept' +nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
From patchwork Fri Feb 2 13:53:02 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894563
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 07/12] extensions: rt: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:53:02 +0100
Message-ID: <20240202135307.25331-8-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Also translate plain '-m rt' match into an exthdr exists one.

Fixes: 9dbb616c2f0c3 ("extensions: libip6t_rt.c: Add translation to nft")
Signed-off-by: Phil Sutter
---
extensions/libip6t_rt.c | 28 ++++++++++++++++++++--------
extensions/libip6t_rt.t | 2 +-
extensions/libip6t_rt.txlate | 4 ++--
3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index d5b0458bb397e..6db09f0b2cdc8 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -152,13 +152,18 @@ static void rt_parse(struct xt_option_call *cb) } } +static bool skip_segsleft_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_nums(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_segsleft_match(min, max, invert)) { printf(" %s", name); if (min == max) { printf(":%s", inv); @@ -210,6 +215,7 @@ static void rt_print(const void *ip, const struct xt_entry_match *match, static void rt_save(const void *ip, const struct xt_entry_match *match) { const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data; + bool inv_sgs = rtinfo->invflags & IP6T_RT_INV_SGS; if (rtinfo->flags & IP6T_RT_TYP) { printf("%s --rt-type %u", @@ -217,10 +223,9 @@ static void rt_save(const void *ip, const struct xt_entry_match *match) rtinfo->rt_type); } - if (!(rtinfo->segsleft[0] == 0 - && rtinfo->segsleft[1] == 0xFFFFFFFF)) { - printf("%s --rt-segsleft ", - (rtinfo->invflags & IP6T_RT_INV_SGS) ? " !" : ""); + if (!skip_segsleft_match(rtinfo->segsleft[0], + rtinfo->segsleft[1], inv_sgs)) { + printf("%s --rt-segsleft ", inv_sgs ? " !" : ""); if (rtinfo->segsleft[0] != rtinfo->segsleft[1]) printf("%u:%u", @@ -244,10 +249,14 @@ static void rt_save(const void *ip, const struct xt_entry_match *match) } +#define XLATE_FLAGS (IP6T_RT_TYP | IP6T_RT_LEN | \ + IP6T_RT_RES | IP6T_RT_FST | IP6T_RT_FST_NSTRICT) + static int rt_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ip6t_rt *rtinfo = (struct ip6t_rt *)params->match->data; + bool inv_sgs = rtinfo->invflags & IP6T_RT_INV_SGS; if (rtinfo->flags & IP6T_RT_TYP) { xt_xlate_add(xl, "rt type%s %u", 
@@ -255,15 +264,18 @@ static int rt_xlate(struct xt_xlate *xl, rtinfo->rt_type); } - if (!(rtinfo->segsleft[0] == 0 && rtinfo->segsleft[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "rt seg-left%s ", - (rtinfo->invflags & IP6T_RT_INV_SGS) ? " !=" : ""); + if (!skip_segsleft_match(rtinfo->segsleft[0], + rtinfo->segsleft[1], inv_sgs)) { + xt_xlate_add(xl, "rt seg-left%s ", inv_sgs ? " !=" : ""); if (rtinfo->segsleft[0] != rtinfo->segsleft[1]) xt_xlate_add(xl, "%u-%u", rtinfo->segsleft[0], rtinfo->segsleft[1]); else xt_xlate_add(xl, "%u", rtinfo->segsleft[0]); + } else if (!(rtinfo->flags & XLATE_FLAGS)) { + xt_xlate_add(xl, "exthdr rt exists"); + return 1; } if (rtinfo->flags & IP6T_RT_LEN) { diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t index 56c8b077267ce..1c219d664bff7 100644 --- a/extensions/libip6t_rt.t +++ b/extensions/libip6t_rt.t @@ -4,7 +4,7 @@ -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK -m rt;=;OK -m rt --rt-segsleft :;-m rt;OK --m rt ! --rt-segsleft :;-m rt;OK +-m rt ! --rt-segsleft :;-m rt ! --rt-segsleft 0:4294967295;OK -m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK -m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK -m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate index 67d88d07732cc..1c2f74a588750 100644 --- a/extensions/libip6t_rt.txlate +++ b/extensions/libip6t_rt.txlate 
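Review bot: the new `else if (!(rtinfo->flags & XLATE_FLAGS))` branch in rt_xlate returns before the `IP6T_RT_LEN` block, which is fine only because IP6T_RT_LEN is part of XLATE_FLAGS here; since the frag patch in this series defines a same-named XLATE_FLAGS that deliberately leaves its LEN bit out, a short comment stating the criterion ("every flag that emits its own nft expression") next to each `#define` would make the two definitions read as consistent rather than contradictory. The behavioural change matches frag and should be called out in the commit message: the removed `.t` line saved `-m rt ! --rt-segsleft :` as plain `-m rt`, and the removed `.txlate` line translated `! --rt-segsleft 0:4294967295 -j ACCEPT` to `counter accept`, so a rule that can never match became accept-everything; the new `! --rt-segsleft 0:4294967295` and `rt seg-left != 0-4294967295` outputs preserve it.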
@@ -17,7 +17,7 @@ ip6tables-translate -A INPUT -m rt --rt-segsleft 13:42 -j ACCEPT nft 'add rule ip6 filter INPUT rt seg-left 13-42 counter accept' ip6tables-translate -A INPUT -m rt --rt-segsleft 0:4294967295 -j ACCEPT -nft 'add rule ip6 filter INPUT counter accept' +nft 'add rule ip6 filter INPUT exthdr rt exists counter accept' ip6tables-translate -A INPUT -m rt ! --rt-segsleft 0:4294967295 -j ACCEPT -nft 'add rule ip6 filter INPUT counter accept' +nft 'add rule ip6 filter INPUT rt seg-left != 0-4294967295 counter accept'
From patchwork Fri Feb 2 13:53:03 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894571
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 08/12] extensions: esp: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:53:03 +0100
Message-ID: <20240202135307.25331-9-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Also add a translation for plain '-m esp' match which depends on the address family: While ip6tables-translate may emit an exthdr exists match, iptables-translate must stick to meta l4proto.

Fixes: 6cfa723a83d45 ("extensions: libxt_esp: Add translation to nft")
Signed-off-by: Phil Sutter
---
extensions/libxt_esp.c | 26 ++++++++++++++++++--------
extensions/libxt_esp.t | 2 +-
extensions/libxt_esp.txlate | 8 ++++----
3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index 2c7ff942cb9e0..8e9766d71ed57 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c @@ -39,13 +39,18 @@ static void esp_parse(struct xt_option_call *cb) espinfo->invflags |= XT_ESP_INV_SPI; } +static bool skip_spis_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_spis(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_spis_match(min, max, invert)) { if (min == max) printf(" %s:%s%u", name, inv, min); else @@ -69,11 +74,10 @@ esp_print(const void *ip, const struct xt_entry_match *match, int numeric) static void esp_save(const void *ip, const struct xt_entry_match *match) { const struct xt_esp *espinfo = (struct xt_esp *)match->data; + bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI; - if (!(espinfo->spis[0] == 0 - && espinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --espspi ", - (espinfo->invflags & XT_ESP_INV_SPI) ? " !" : ""); + if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) { + printf("%s --espspi ", inv_spi ? " !" : ""); if (espinfo->spis[0] != espinfo->spis[1]) printf("%u:%u", 
@@ -90,15 +94,21 @@ static int esp_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct xt_esp *espinfo = (struct xt_esp *)params->match->data; + bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI; - if (!(espinfo->spis[0] == 0 && espinfo->spis[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "esp spi%s", - (espinfo->invflags & XT_ESP_INV_SPI) ? " !=" : ""); + if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) { + xt_xlate_add(xl, "esp spi%s", inv_spi ? " !=" : ""); if (espinfo->spis[0] != espinfo->spis[1]) xt_xlate_add(xl, " %u-%u", espinfo->spis[0], espinfo->spis[1]); else xt_xlate_add(xl, " %u", espinfo->spis[0]); + } else if (afinfo->family == NFPROTO_IPV4) { + xt_xlate_add(xl, "meta l4proto esp"); + } else if (afinfo->family == NFPROTO_IPV6) { + xt_xlate_add(xl, "exthdr esp exists"); + } else { + return 0; } return 1; diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t index 686611f22b457..ece131c934b90 100644 --- a/extensions/libxt_esp.t +++ b/extensions/libxt_esp.t @@ -5,7 +5,7 @@ -p esp -m esp ! --espspi 0:4294967294;=;OK -p esp -m esp --espspi -1;;FAIL -p esp -m esp --espspi :;-p esp -m esp;OK --p esp -m esp ! --espspi :;-p esp -m esp;OK +-p esp -m esp ! --espspi :;-p esp -m esp ! --espspi 0:4294967295;OK -p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK -p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK -p esp -m esp --espspi 3:4;=;OK diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate index 3b1d5718057b1..5e8fb241beaf4 100644 --- a/extensions/libxt_esp.txlate +++ b/extensions/libxt_esp.txlate 
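Review bot: the new family dispatch in esp_xlate (`afinfo->family == NFPROTO_IPV4` gives `meta l4proto esp`, `NFPROTO_IPV6` gives `exthdr esp exists`, anything else hits `return 0`) has the right shape: an unknown family now fails the translation instead of silently emitting nothing, which was the old behaviour for every full-range match. Please add a code comment on why IPv4 cannot use `exthdr esp exists`; the commit message explains it, the code does not. The removed `.txlate` lines make the old bug concrete and the commit message should say it plainly: `iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP` used to produce `add rule ip filter INPUT counter drop`, a rule with no protocol match at all, so a "drop ESP" rule became "drop everything" after translation, and the inverted variant went from never matching to always matching. Finally, `skip_spis_match()` is the fourth copy of `min == 0 && max == UINT32_MAX && !inv` in this series (frag, mh, rt, esp, with the mh variant on `uint8_t`/UINT8_MAX); one helper in libxtables that takes the type's maximum as a parameter would keep the copies from drifting.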
@@ -11,13 +11,13 @@ iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP nft 'add rule ip filter INPUT esp spi 500-600 counter drop' iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT meta l4proto esp counter drop' iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT esp spi != 0-4294967295 counter drop' ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP -nft 'add rule ip6 filter INPUT counter drop' +nft 'add rule ip6 filter INPUT exthdr esp exists counter drop' ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP -nft 'add rule ip6 filter INPUT counter drop' +nft 'add rule ip6 filter INPUT esp spi != 0-4294967295 counter drop'
From patchwork Fri Feb 2 13:53:04 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1894560
4TRHL55Trlz1yQ0 for ; Sat, 3 Feb 2024 00:53:33 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id D68581C21883 for ; Fri, 2 Feb 2024 13:53:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AF4997C086; Fri, 2 Feb 2024 13:53:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="o5z8Dchd" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C41A923C5 for ; Fri, 2 Feb 2024 13:53:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706881998; cv=none; b=DYdSMSrRaUHaEde8u83noHJvhdXyZv++qJcnqCGjObAMQIGe83hCI4fgfILAboZNFvXfekCrzNRwSP5/6mewSwdSYnw0tAh0pC6VB7ZR2yeEld9kKoTa656CIyP1LhXElBN3TZ+NvRj+7l671Y6vIW2MxZKdKLdqNq7i692h0fI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706881998; c=relaxed/simple; bh=0JlAXB8X4JpPVcMuQCROpKHXLO+TNzrjSPv3NKqZlhM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=K84QOSMD6JmANOAnV4G/LdoJT4Av7l8KDk72oc1G1ig3kgcV174cgRFV4dedhxTI5rSF1zaFcRZOP+BShZusxOXy2zZaP2vLbUxDFGfi81+mWy0nulsngHp3ZipuJiq2tSqkA4n8LyLJ60sNl+QF9reXbsALuJ29BY3Zbz+/3vs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=o5z8Dchd; 
arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=8XaP0LiTppFyTAI3jlue/xLeY+9qXgjKw3/yPjbbveI=; b=o5z8DchdJRFVLDiIu8UGNn+91R g1sSX5LsamlDhhafS43hKbPe73qwOfEY/2ih5gWgb6qhVMYs2aQwKXQnro3XbAZB6GEk2Uxx+KfVN iii7m6YRbjYAUyBowSS0uPKsHcoztrowffjF2o8AbRUdn2gsj7UtkTGCy/g67mFfAd2bYY6W+fEHF gg6UCxMgkxdlVVTHMy20MhHuV0FPFCGfB1hPM1taibe2ln5YGVdWqRgSiz6ABYYeX7WNnnfni/Mk8 HEDCOXfNxNmKHlrc2r86zl0LLYfRF7NG3ccOlXM7VRezzQN05a47o4UVkawXkKtVSz5SoenO9zbmq GAp9pPkA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97) (envelope-from ) id 1rVtye-000000003BE-1MQU; Fri, 02 Feb 2024 14:53:08 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal Subject: [iptables PATCH 09/12] extensions: ipcomp: Save inverted full ranges Date: Fri, 2 Feb 2024 14:53:04 +0100 Message-ID: <20240202135307.25331-10-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240202135307.25331-1-phil@nwl.cc> References: <20240202135307.25331-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Fixes: 0bb8765cc28cf ("iptables: Add IPv4/6 IPcomp match support") Signed-off-by: Phil Sutter --- extensions/libxt_ipcomp.c | 7 ++++--- extensions/libxt_ipcomp.t | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) 
diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c index 4171c4a1c4eb7..961c17e584933 100644 --- a/extensions/libxt_ipcomp.c +++ b/extensions/libxt_ipcomp.c @@ -76,11 +76,12 @@ static void comp_print(const void *ip, const struct xt_entry_match *match, static void comp_save(const void *ip, const struct xt_entry_match *match) { const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)match->data; + bool inv_spi = compinfo->invflags & XT_IPCOMP_INV_SPI; if (!(compinfo->spis[0] == 0 - && compinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --ipcompspi ", - (compinfo->invflags & XT_IPCOMP_INV_SPI) ? " !" : ""); + && compinfo->spis[1] == UINT32_MAX + && !inv_spi)) { + printf("%s --ipcompspi ", inv_spi ? " !" : ""); if (compinfo->spis[0] != compinfo->spis[1]) printf("%u:%u", diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t index 375f885a708d9..e25695c6912be 100644 --- a/extensions/libxt_ipcomp.t +++ b/extensions/libxt_ipcomp.t 
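Review bot: the predicate in comp_save() is the same "full range and not inverted" test that the esp patch in this series factored into skip_spis_match(); open-coding it here invites the two drifting, so consider sharing one helper between libxt_esp.c and libxt_ipcomp.c. The hunk touches comp_save() only: comp_print(), visible as context just above, and any translation callback in this file should be checked for the same full-range condition, since esp needed the fix in esp_xlate() as well. The logic itself is right: an inverted `0:4294967295` is a constraint that never matches and must survive a save/restore round trip, which the updated libxt_ipcomp.t line now pins down.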
@@ -2,7 +2,7 @@ -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK -p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK --p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK +-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp ! --ipcompspi 0:4294967295;OK -p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK -p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK -p ipcomp -m ipcomp --ipcompspi 3:4;=;OK

From patchwork Fri Feb 2 13:53:05 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1894570
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 10/12] nft: Do not omit full ranges if inverted
Date: Fri, 2 Feb 2024 14:53:05 +0100
Message-ID: <20240202135307.25331-11-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Otherwise this turns a never matching rule into an always matching one.

Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match")
Signed-off-by: Phil Sutter
---
extensions/libxt_tcp.t | 4 ++--
extensions/libxt_udp.t | 4 ++--
iptables/nft.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t index baa41615b11a6..911c51113cf2a 100644 --- a/extensions/libxt_tcp.t +++ b/extensions/libxt_tcp.t
@@ -7,13 +7,13 @@ -p tcp -m tcp --sport 1024:65535;=;OK -p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK -p tcp -m tcp --sport :;-p tcp -m tcp;OK --p tcp -m tcp ! --sport :;-p tcp -m tcp;OK;LEGACY;-p tcp +-p tcp -m tcp ! --sport :;-p tcp -m tcp;OK -p tcp -m tcp --sport :4;-p tcp -m tcp --sport 0:4;OK -p tcp -m tcp --sport 4:;-p tcp -m tcp --sport 4:65535;OK -p tcp -m tcp --sport 4:4;-p tcp -m tcp --sport 4;OK -p tcp -m tcp --sport 4:3;;FAIL -p tcp -m tcp --dport :;-p tcp -m tcp;OK --p tcp -m tcp ! --dport :;-p tcp -m tcp;OK;LEGACY;-p tcp +-p tcp -m tcp ! --dport :;-p tcp -m tcp;OK -p tcp -m tcp --dport :4;-p tcp -m tcp --dport 0:4;OK -p tcp -m tcp --dport 4:;-p tcp -m tcp --dport 4:65535;OK -p tcp -m tcp --dport 4:4;-p tcp -m tcp --dport 4;OK diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t index 09dff363fc21a..3c85b09f871da 100644 --- a/extensions/libxt_udp.t +++ b/extensions/libxt_udp.t @@ -7,13 +7,13 @@ -p udp -m udp --sport 1024:65535;=;OK -p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK -p udp -m udp --sport :;-p udp -m udp;OK --p udp -m udp ! --sport :;-p udp -m udp;OK;LEGACY;-p udp +-p udp -m udp ! --sport :;-p udp -m udp;OK -p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK -p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK -p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK -p udp -m udp --sport 4:3;;FAIL -p udp -m udp --dport :;-p udp -m udp;OK --p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp +-p udp -m udp ! --dport :;-p udp -m udp;OK -p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK -p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK -p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK diff --git a/iptables/nft.c b/iptables/nft.c index c2cbc9d72ef0c..dae6698d3234a 100644 --- a/iptables/nft.c +++ b/iptables/nft.c 
@@ -1324,7 +1324,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, return 0; } - if (src[0] || src[1] < 0xffff) { + if (src[0] || src[1] < UINT16_MAX || invert_src) { expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 2, ®); if (!expr) return -ENOMEM; 
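Review bot: `invert_src` here (and `invert_dst` in the next hunk) are used without being declared in the hunks, so they must be existing locals or parameters of add_nft_tcpudp(); the signature in the hunk header is cut off before them, so confirm that rather than relying on the compiler alone. With the condition extended, an inverted full range now produces the transport-header payload comparison instead of being skipped, which is what keeps the rule never-matching as the commit message says. Two smaller points: the `®` in the gen_payload() call is the archive rendering `&reg` as an HTML entity, not something the patch changes; and the tcp/udp .t hunks drop the `LEGACY;-p tcp` alternative expectation even though iptables/nft.c is the only code touched, so a sentence in the commit message on why that alternative is no longer needed would help reviewers.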
@@ -1335,7 +1335,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, return ret; } - if (dst[0] || dst[1] < 0xffff) { + if (dst[0] || dst[1] < UINT16_MAX || invert_dst) { expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 2, 2, ®); if (!expr) return -ENOMEM;

From patchwork Fri Feb 2 13:53:06 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1894561
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 11/12] extensions: tcp/udp: Save/xlate inverted full ranges
Date: Fri, 2 Feb 2024 14:53:06 +0100
Message-ID: <20240202135307.25331-12-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

Also translate a bare '-m tcp/udp' to 'meta l4proto' match.

Fixes: 04f569ded54a7 ("extensions: libxt_udp: add translation to nft")
Fixes: fb2593ebbf656 ("extensions: libxt_tcp: add translation to nft")
Signed-off-by: Phil Sutter
---
extensions/libxt_tcp.c | 48 +++++++++++++++++++++++--------------
extensions/libxt_tcp.t | 4 ++--
extensions/libxt_tcp.txlate | 4 ++--
extensions/libxt_udp.c | 43 ++++++++++++++++++++-------------
extensions/libxt_udp.t | 4 ++--
extensions/libxt_udp.txlate | 4 ++--
6 files changed, 64 insertions(+), 43 deletions(-)

diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index f82572828649b..32bbd684fd5d7 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c
@@ -225,13 +225,18 @@ print_port(uint16_t port, int numeric) printf("%s", service); } +static bool skip_ports_match(uint16_t min, uint16_t max, bool inv) +{ + return min == 0 && max == UINT16_MAX && !inv; +} + static void print_ports(const char *name, uint16_t min, uint16_t max, int invert, int numeric) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFF || invert) { + if (!skip_ports_match(min, max, invert)) { printf(" %s", name); if (min == max) { printf(":%s", inv); @@ -315,10 +320,11 @@ tcp_print(const void *ip, const struct xt_entry_match *match, int numeric) static void tcp_save(const void *ip, const struct xt_entry_match *match) { const struct xt_tcp *tcpinfo = (struct xt_tcp *)match->data; + bool inv_srcpt = tcpinfo->invflags & XT_TCP_INV_SRCPT; + bool inv_dstpt = tcpinfo->invflags & XT_TCP_INV_DSTPT; - if (tcpinfo->spts[0] != 0 - || tcpinfo->spts[1] != 0xFFFF) { - if (tcpinfo->invflags & XT_TCP_INV_SRCPT) + if (!skip_ports_match(tcpinfo->spts[0], tcpinfo->spts[1], inv_srcpt)) { + if (inv_srcpt) printf(" !"); if (tcpinfo->spts[0] != tcpinfo->spts[1]) @@ -330,9 +336,8 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match) tcpinfo->spts[0]); } - if (tcpinfo->dpts[0] != 0 - || tcpinfo->dpts[1] != 0xFFFF) { - if (tcpinfo->invflags & XT_TCP_INV_DSTPT) + if (!skip_ports_match(tcpinfo->dpts[0], tcpinfo->dpts[1], inv_dstpt)) { + if (inv_dstpt) printf(" !"); if (tcpinfo->dpts[0] != tcpinfo->dpts[1]) 
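Review bot: skip_ports_match() is defined byte-for-byte the same here and in libxt_udp.c (see the udp hunk of this patch); a static helper duplicated across extensions tends to drift, so a shared inline in a common header would be preferable, and esp's skip_spis_match() could live next to it. Behaviourally the hunk is right: print_ports() already honoured `invert` in its old condition (`min != 0 || max != 0xFFFF || invert`) while tcp_save() did not, so `iptables -L` and `iptables-save` disagreed on an inverted full range, and both now go through one predicate. One nit: print_ports() still takes `int invert` and hands it to the helper's `bool inv`; harmless, but making the types match avoids a future sign-conversion warning.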
@@ -397,39 +402,42 @@ static int tcp_xlate(struct xt_xlate *xl, { const struct xt_tcp *tcpinfo = (const struct xt_tcp *)params->match->data; + bool inv_srcpt = tcpinfo->invflags & XT_TCP_INV_SRCPT; + bool inv_dstpt = tcpinfo->invflags & XT_TCP_INV_DSTPT; + bool xlated = false; - if (tcpinfo->spts[0] != 0 || tcpinfo->spts[1] != 0xffff) { + if (!skip_ports_match(tcpinfo->spts[0], tcpinfo->spts[1], inv_srcpt)) { if (tcpinfo->spts[0] != tcpinfo->spts[1]) { xt_xlate_add(xl, "tcp sport %s%u-%u", - tcpinfo->invflags & XT_TCP_INV_SRCPT ? - "!= " : "", + inv_srcpt ? "!= " : "", tcpinfo->spts[0], tcpinfo->spts[1]); } else { xt_xlate_add(xl, "tcp sport %s%u", - tcpinfo->invflags & XT_TCP_INV_SRCPT ? - "!= " : "", + inv_srcpt ? "!= " : "", tcpinfo->spts[0]); } + xlated = true; } - if (tcpinfo->dpts[0] != 0 || tcpinfo->dpts[1] != 0xffff) { + if (!skip_ports_match(tcpinfo->dpts[0], tcpinfo->dpts[1], inv_dstpt)) { if (tcpinfo->dpts[0] != tcpinfo->dpts[1]) { xt_xlate_add(xl, "tcp dport %s%u-%u", - tcpinfo->invflags & XT_TCP_INV_DSTPT ? - "!= " : "", + inv_dstpt ? "!= " : "", tcpinfo->dpts[0], tcpinfo->dpts[1]); } else { xt_xlate_add(xl, "tcp dport %s%u", - tcpinfo->invflags & XT_TCP_INV_DSTPT ? - "!= " : "", + inv_dstpt ? "!= " : "", tcpinfo->dpts[0]); } + xlated = true; } - if (tcpinfo->option) + if (tcpinfo->option) { xt_xlate_add(xl, "tcp option %u %s", tcpinfo->option, tcpinfo->invflags & XT_TCP_INV_OPTION ? "missing" : "exists"); + xlated = true; + } if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) { xt_xlate_add(xl, "tcp flags %s", @@ -437,8 +445,12 @@ static int tcp_xlate(struct xt_xlate *xl, print_tcp_xlate(xl, tcpinfo->flg_cmp); xt_xlate_add(xl, " / "); print_tcp_xlate(xl, tcpinfo->flg_mask); + xlated = true; } + if (!xlated) + xt_xlate_add(xl, "meta l4proto tcp"); + return 1; } diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t index 911c51113cf2a..75d5b1ed90996 100644 --- a/extensions/libxt_tcp.t +++ b/extensions/libxt_tcp.t 
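Review bot: the `xlated` flag is set in four separate branches and a fifth match option added later would be easy to forget; if xt_xlate can report whether anything was appended, deriving the fallback from that is more robust, otherwise a comment above `if (!xlated)` saying that a bare `-m tcp` must still constrain the protocol will help the next reader. The `meta l4proto tcp` fallback matches the updated libxt_tcp.txlate expectation, where the `-p tcp` part is not emitted separately, so the fallback is the only thing carrying the protocol constraint; confirm the same holds for ip6tables-translate. For `tcp sport != 0-65535` the translation is faithful but can never match; since users rarely write that on purpose, consider printing a warning alongside the translated rule.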
@@ -7,13 +7,13 @@ -p tcp -m tcp --sport 1024:65535;=;OK -p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK -p tcp -m tcp --sport :;-p tcp -m tcp;OK --p tcp -m tcp ! --sport :;-p tcp -m tcp;OK +-p tcp -m tcp ! --sport :;-p tcp -m tcp ! --sport 0:65535;OK -p tcp -m tcp --sport :4;-p tcp -m tcp --sport 0:4;OK -p tcp -m tcp --sport 4:;-p tcp -m tcp --sport 4:65535;OK -p tcp -m tcp --sport 4:4;-p tcp -m tcp --sport 4;OK -p tcp -m tcp --sport 4:3;;FAIL -p tcp -m tcp --dport :;-p tcp -m tcp;OK --p tcp -m tcp ! --dport :;-p tcp -m tcp;OK +-p tcp -m tcp ! --dport :;-p tcp -m tcp ! --dport 0:65535;OK -p tcp -m tcp --dport :4;-p tcp -m tcp --dport 0:4;OK -p tcp -m tcp --dport 4:;-p tcp -m tcp --dport 4:65535;OK -p tcp -m tcp --dport 4:4;-p tcp -m tcp --dport 4;OK diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate index a7e921bff2ca0..b3ddcc15833cf 100644 --- a/extensions/libxt_tcp.txlate +++ b/extensions/libxt_tcp.txlate @@ -32,7 +32,7 @@ iptables-translate -A INPUT -p tcp ! --tcp-option 23 nft 'add rule ip filter INPUT tcp option 23 missing counter' iptables-translate -I OUTPUT -p tcp --sport 0:65535 -j ACCEPT -nft 'insert rule ip filter OUTPUT counter accept' +nft 'insert rule ip filter OUTPUT meta l4proto tcp counter accept' iptables-translate -I OUTPUT -p tcp ! --sport 0:65535 -j ACCEPT -nft 'insert rule ip filter OUTPUT counter accept' +nft 'insert rule ip filter OUTPUT tcp sport != 0-65535 counter accept' diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c index ba1c3eb768592..748d418039c3a 100644 --- a/extensions/libxt_udp.c +++ b/extensions/libxt_udp.c 
@@ -82,13 +82,18 @@ print_port(uint16_t port, int numeric) printf("%s", service); } +static bool skip_ports_match(uint16_t min, uint16_t max, bool inv) +{ + return min == 0 && max == UINT16_MAX && !inv; +} + static void print_ports(const char *name, uint16_t min, uint16_t max, int invert, int numeric) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFF || invert) { + if (!skip_ports_match(min, max, invert)) { printf(" %s", name); if (min == max) { printf(":%s", inv); @@ -122,10 +127,11 @@ udp_print(const void *ip, const struct xt_entry_match *match, int numeric) static void udp_save(const void *ip, const struct xt_entry_match *match) { const struct xt_udp *udpinfo = (struct xt_udp *)match->data; + bool inv_srcpt = udpinfo->invflags & XT_UDP_INV_SRCPT; + bool inv_dstpt = udpinfo->invflags & XT_UDP_INV_DSTPT; - if (udpinfo->spts[0] != 0 - || udpinfo->spts[1] != 0xFFFF) { - if (udpinfo->invflags & XT_UDP_INV_SRCPT) + if (!skip_ports_match(udpinfo->spts[0], udpinfo->spts[1], inv_srcpt)) { + if (inv_srcpt) printf(" !"); if (udpinfo->spts[0] != udpinfo->spts[1]) @@ -137,9 +143,8 @@ static void udp_save(const void *ip, const struct xt_entry_match *match) udpinfo->spts[0]); } - if (udpinfo->dpts[0] != 0 - || udpinfo->dpts[1] != 0xFFFF) { - if (udpinfo->invflags & XT_UDP_INV_DSTPT) + if (!skip_ports_match(udpinfo->dpts[0], udpinfo->dpts[1], inv_dstpt)) { + if (inv_dstpt) printf(" !"); if (udpinfo->dpts[0] != udpinfo->dpts[1]) 
@@ -156,35 +161,39 @@ static int udp_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct xt_udp *udpinfo = (struct xt_udp *)params->match->data; + bool inv_srcpt = udpinfo->invflags & XT_UDP_INV_SRCPT; + bool inv_dstpt = udpinfo->invflags & XT_UDP_INV_DSTPT; + bool xlated = false; - if (udpinfo->spts[0] != 0 || udpinfo->spts[1] != 0xFFFF) { + if (!skip_ports_match(udpinfo->spts[0], udpinfo->spts[1], inv_srcpt)) { if (udpinfo->spts[0] != udpinfo->spts[1]) { xt_xlate_add(xl,"udp sport %s%u-%u", - udpinfo->invflags & XT_UDP_INV_SRCPT ? - "!= ": "", + inv_srcpt ? "!= ": "", udpinfo->spts[0], udpinfo->spts[1]); } else { xt_xlate_add(xl, "udp sport %s%u", - udpinfo->invflags & XT_UDP_INV_SRCPT ? - "!= ": "", + inv_srcpt ? "!= ": "", udpinfo->spts[0]); } + xlated = true; } - if (udpinfo->dpts[0] != 0 || udpinfo->dpts[1] != 0xFFFF) { + if (!skip_ports_match(udpinfo->dpts[0], udpinfo->dpts[1], inv_dstpt)) { if (udpinfo->dpts[0] != udpinfo->dpts[1]) { xt_xlate_add(xl,"udp dport %s%u-%u", - udpinfo->invflags & XT_UDP_INV_SRCPT ? - "!= ": "", + inv_dstpt ? "!= ": "", udpinfo->dpts[0], udpinfo->dpts[1]); } else { xt_xlate_add(xl,"udp dport %s%u", - udpinfo->invflags & XT_UDP_INV_SRCPT ? - "!= ": "", + inv_dstpt ? "!= ": "", udpinfo->dpts[0]); } + xlated = true; } + if (!xlated) + xt_xlate_add(xl, "meta l4proto udp"); + return 1; } diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t index 3c85b09f871da..6a2c9d07e3576 100644 --- a/extensions/libxt_udp.t +++ b/extensions/libxt_udp.t 
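Review bot: the dport branch previously tested `XT_UDP_INV_SRCPT`, so `! --dport` translated without `!=` and an inverted `--sport` combined with a plain `--dport` put the `!=` on the wrong port; switching to `inv_dstpt` fixes a distinct, user-visible translation bug that the commit message does not mention and that deserves its own sentence, or its own patch with a Fixes: tag, so it can be backported independently of the full-range change. A libxt_udp.txlate case with `! --dport` and no `! --sport` would lock the fix in. The rest mirrors the tcp hunk, including the `meta l4proto udp` fallback.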
@@ -7,13 +7,13 @@ -p udp -m udp --sport 1024:65535;=;OK -p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK -p udp -m udp --sport :;-p udp -m udp;OK --p udp -m udp ! --sport :;-p udp -m udp;OK +-p udp -m udp ! --sport :;-p udp -m udp ! --sport 0:65535;OK -p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK -p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK -p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK -p udp -m udp --sport 4:3;;FAIL -p udp -m udp --dport :;-p udp -m udp;OK --p udp -m udp ! --dport :;-p udp -m udp;OK +-p udp -m udp ! --dport :;-p udp -m udp ! --dport 0:65535;OK -p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK -p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK -p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK diff --git a/extensions/libxt_udp.txlate b/extensions/libxt_udp.txlate index 3aed7cd15dbd7..d6bbb96f5d744 100644 --- a/extensions/libxt_udp.txlate +++ b/extensions/libxt_udp.txlate 
@@ -11,7 +11,7 @@ iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT nft 'insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept' iptables-translate -I OUTPUT -p udp --sport 0:65535 -j ACCEPT -nft 'insert rule ip filter OUTPUT counter accept' +nft 'insert rule ip filter OUTPUT meta l4proto udp counter accept' iptables-translate -I OUTPUT -p udp ! --sport 0:65535 -j ACCEPT -nft 'insert rule ip filter OUTPUT counter accept' +nft 'insert rule ip filter OUTPUT udp sport != 0-65535 counter accept'

From patchwork Fri Feb 2 13:53:07 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1894559
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal
Subject: [iptables PATCH 12/12] libxtables: xtoptions: Respect min/max values when completing ranges
Date: Fri, 2 Feb 2024 14:53:07 +0100
Message-ID: <20240202135307.25331-13-phil@nwl.cc>
In-Reply-To: <20240202135307.25331-1-phil@nwl.cc>
References: <20240202135307.25331-1-phil@nwl.cc>

If an extension defines a minimum/maximum valid value for an option's range argument, treat this as the lower/upper boundary to use when completing (half) open ranges.

Signed-off-by: Phil Sutter
---
extensions/libxt_NFQUEUE.t | 4 ++--
libxtables/xtoptions.c | 9 ++++++---
2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t index 1adb8e4023099..94050500d195b 100644 --- a/extensions/libxt_NFQUEUE.t +++ b/extensions/libxt_NFQUEUE.t
@@ -9,9 +9,9 @@ -j NFQUEUE --queue-balance 0:65536;;FAIL -j NFQUEUE --queue-balance -1:65535;;FAIL -j NFQUEUE --queue-balance 4;;FAIL --j NFQUEUE --queue-balance :;;FAIL +-j NFQUEUE --queue-balance :;-j NFQUEUE --queue-balance 0:65534;OK -j NFQUEUE --queue-balance :4;-j NFQUEUE --queue-balance 0:4;OK --j NFQUEUE --queue-balance 4:;-j NFQUEUE --queue-balance 4:65535;OK +-j NFQUEUE --queue-balance 4:;-j NFQUEUE --queue-balance 4:65534;OK -j NFQUEUE --queue-balance 3:4;=;OK -j NFQUEUE --queue-balance 4:4;;FAIL -j NFQUEUE --queue-balance 4:3;;FAIL diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index 0a995a63a2a88..774d0ee655ba7 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c @@ -289,13 +289,16 @@ static void xtopt_parse_mint(struct xt_option_call *cb) const struct xt_option_entry *entry = cb->entry; const char *arg; size_t esize = xtopt_esize_by_type(entry->type); - const uintmax_t lmax = xtopt_max_by_type(entry->type); + uintmax_t lmax = xtopt_max_by_type(entry->type); + uintmax_t value, lmin = entry->min; void *put = XTOPT_MKPTR(cb); - uintmax_t value, lmin = 0; unsigned int maxiter; char *end = ""; char sep = ':'; + if (entry->max && entry->max < lmax) + lmax = entry->max; + maxiter = entry->size / esize; if (maxiter == 0) maxiter = ARRAY_SIZE(cb->val.u32_range); @@ -312,7 +315,7 @@ static void xtopt_parse_mint(struct xt_option_call *cb) if (*arg == '\0' || *arg == sep) { /* Default range components when field not spec'd. */ end = (char *)arg; - value = (cb->nvals == 1) ? lmax : 0; + value = (cb->nvals == 1) ? lmax : lmin; } else { if (!xtables_strtoul(arg, &end, &value, lmin, lmax)) xt_params->exit_err(PARAMETER_PROBLEM,
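Review bot: because `lmin` and `lmax` are also the bounds handed to xtables_strtoul() for components the user typed explicitly (the call is visible in the second hunk's context), this changes more than the commit message says: explicit values outside entry->min/max now fail in xtopt_parse_mint() with the generic range error, not only the completion of open ranges; that is probably desirable, but it should be spelled out. `entry->max == 0` is read as "unset" (`if (entry->max && entry->max < lmax)`), which is a reasonable convention but deserves a comment, especially since `lmin = entry->min` takes the field unconditionally. If xtopt_parse_int() applies entry->min/max the same way, a small shared helper would keep the two parsers from drifting. Finally, the libxt_NFQUEUE.t change turns `--queue-balance :` from FAIL into `0:65534`; the hunk does not show why it failed before, so a short note in the message would help.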